CN114697082B - Production and application method of encryption and decryption device in server-free environment - Google Patents

Publication number
CN114697082B
Authority
CN
China
Prior art keywords
encryption
key
terminal
message
security chip
Legal status
Active
Application number
CN202210232006.6A
Other languages
Chinese (zh)
Other versions
CN114697082A (en
Inventor
刘俊
Current Assignee
Zhongyitong Technology Co ltd
Original Assignee
Zhongyitong Technology Co ltd
Application filed by Zhongyitong Technology Co ltd
Priority to CN202210232006.6A
Publication of CN114697082A
Application granted
Publication of CN114697082B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The invention provides a method for producing an encryption and decryption device in a server-free environment, in which the security chip of the encryption and decryption device is placed in a secure intranet environment. Step one: the firmware of the security chip is burned, the program is written into the COS memory, and the life cycle state of the security chip is changed. Step two: the production protection key and the transmission key take effect. Step three: a confusion parameter that cannot be exported is derived. Step four: a production tool detects whether the security chip is in the hardware initialization state, assembles a product batch mark ciphertext message using the initialization key, assembles the final production message, issues it to the security chip, and writes the product batch mark. Step five: production of the security chip is completed. The beneficial effects of the invention are that services such as terminal ciphertext communication and local data protection are realized without a server, the influence of a server on user services and keys is avoided, the encryption level of the application is improved, and the security of user services and data is ensured.

Description

Production and application method of encryption and decryption device in server-free environment
Technical Field
The invention relates to the technical field of information security, in particular to a production and application method of an encryption and decryption device in a server-free environment.
Background
With the continuous development of information science and intelligent terminal technology, intelligent terminals have gradually become necessities of people's life and work. A wide variety of application software is installed on them, methods for acquiring users' personal data and information emerge one after another, hackers and terminal viruses are increasingly common, and people pay more and more attention to data encryption services. As encryption technology has matured, a large number of software encryption systems and hardware encryption devices have appeared and data encryption services are in common use, protecting the application data and personal data of a terminal, effectively preventing data leakage and improving data security.
In the prior art, for solutions based on the Android mobile phone system and hardware cryptographic devices, scenarios such as local encryption services, network transmission encryption services and identity authentication services, as well as the production stage, all require the participation of a business server and a KMS key management server before a personal service can be completed. The security of the service or of the keys can therefore be affected by the server, the security of application data cannot be fully guaranteed, and potential security hazards remain.
Disclosure of Invention
To address these defects of the prior art, the invention designs a new scenario that uses purely end-to-end or local encryption services without server participation: no server takes part in any stage of the encryption process, no server takes part when the hardware cryptographic device is produced, authorized or returned to the factory, and KEYs of different batches cannot communicate with each other. This ensures the security of the application, avoids the influence of a server on service and key security, raises the application security level, meets the security level requirements of individuals and user terminals, and ensures the security of user services in untrusted-server and third-party-server environments. This is realized by the following technical scheme.
A method for producing an encryption and decryption device in a server-free environment comprises the following steps:
step one, the firmware of the security chip is burned, a program is written into the COS memory, and the life cycle state of the security chip is changed;
step two, the production protection key and the transmission key take effect; these two keys protect the ciphertext of the local production tool so that the security chip is produced securely in the intranet environment;
step three, the security chip randomly generates a 16-byte random number and derives a confusion parameter that cannot be exported;
step four, the production tool obtains the chip's life cycle ciphertext mark and checks whether it indicates the hardware initialization state; once this is confirmed, the tool assembles a product batch mark ciphertext message using the initialization key, calculates the MAC value of the ciphertext message using the transmission key, assembles the final production message, issues it to the security chip, and the product batch mark is written;
step five, the security chip verifies the ciphertext MAC, decrypts the production message, extracts the product batch message, writes the production information, performs a self-check of the production algorithm and integrity, and changes the life cycle to the personal information initialization state, completing production of the security chip.
An application method of an encryption and decryption device in a server-free environment involves a first terminal and a second terminal, each provided with a security chip: the first terminal has a first security chip and a first unique identifier, and the second terminal has a second security chip and a second unique identifier. The application method comprises the following steps:
the first terminal assembles the first unique identifier into a communication connection authentication message and sends it to the first security chip; using the second unique identifier of the second terminal, the first security chip splices the first unique identifier and the second unique identifier to form a third unique identifier, then splices the product batch mark, as the generation source of the session root key, and takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of this source as the session root key;
the first security chip encrypts the derivative factor using the session root key, assembles the derivative factor ciphertext of the connection message together with the remaining message content, encrypts the key fields of the message using the derived current session key, calculates the corresponding message MAC value using the derived current session key, and sends the message to the first terminal;
the first terminal sends a call invitation to the second terminal together with the connection authentication message; the second terminal receives the connection authentication message, the second security chip verifies the communication connection message and returns the connection authentication result to the second terminal, and the second terminal establishes ciphertext communication with the first terminal.
Further, the application method comprises encrypting a local file, with the following steps:
when a terminal has a local data file to be encrypted, the security chip parses the file format and, according to the file information in the file header, splices the local chip SN, the product batch information and the local encryption confusion parameter as the data source of the local data encryption root key; it takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of the data source as the local encryption root key, generates the encryption key of the current file using the encryption file header as the derivative factor, encrypts the body of the data file, and returns the encrypted data file to the terminal for storage.
Further, the application method comprises decrypting the encrypted file, with the following steps:
when the terminal has a local ciphertext file to be decrypted, the security chip obtains the file, parses the file format, splices the encryption confusion parameter according to the file information in the file header as the data source of the local data encryption root key, generates the encryption key of the current file using the encryption file header as the derivative factor, then performs MAC verification on the body of the data file to obtain a plaintext data file, and returns the plaintext data file to the terminal for storage.
The beneficial effects of the invention are as follows: it solves the problem that a server can affect user services and key security, and it fits more scenarios. Services such as terminal ciphertext communication and local data protection complete smoothly in serverless, untrusted-server and third-party-server environments; the influence of a server on user services and keys is avoided, the security level of application encryption is raised, and the security of user services and data is ensured.
Drawings
FIG. 1 is a timing diagram of a security chip production according to an embodiment of the present invention.
FIG. 2 is a timing diagram of secure communication without server according to an embodiment of the present invention.
FIG. 3 is a timing diagram of data encryption storage according to an embodiment of the present invention.
FIG. 4 is a timing diagram of data decryption viewing according to an embodiment of the present invention.
Detailed Description
Embodiments of the invention are described in detail below with reference to the attached drawings, but the invention can be implemented in a number of different ways, which are defined and covered by the claims.
FIG. 1 is a timing diagram of the production of a security chip according to an embodiment of the present invention. Production of the security chip is carried out in a secure intranet environment and comprises the following steps.
Step one: the firmware of the security chip is burned, a program is written into the COS memory, and the life cycle state of the security chip is changed.
Step two: the production protection key and the transmission key take effect. The production protection key is a 16-byte SM4 key used to decrypt the ciphertext production message from the production tool; the transmission key is a 16-byte SM4 key used to generate the MAC value of the ciphertext production message. These two keys protect the ciphertext of the local production tool so that the security chip is produced securely in the intranet environment.
Step three: each chip randomly generates a 16-byte random number and derives a confusion parameter. The confusion parameter differs for each piece of hardware and cannot be exported.
Step four: the production tool obtains the chip's life cycle ciphertext mark and checks whether it indicates the hardware initialization state (firmware downloaded, COS written, product batch mark not yet written). Once this is confirmed, the tool assembles a product batch mark ciphertext message using the initialization KEY, calculates the MAC value of the ciphertext message using the transmission KEY, assembles the final production message, issues it to the security chip, and the product batch mark is written. KEYs of the same product batch can verify each other through the end-to-end communication service, achieving domain isolation, while KEYs of different batches cannot communicate with each other.
Step five: the security chip verifies the ciphertext MAC, decrypts the production message, extracts the product batch message, writes the production information, performs a self-check of the production algorithm and integrity, and changes the life cycle to the personal information initialization state, completing production of the security chip.
In the above steps, the hardware environment of the encryption and decryption device includes:
Host device: any host to which the chip can be attached, without limitation (mobile phone, card reader, etc.).
PC: with firmware burning software installed.
PC operating system: not limited.
Network environment: a secure intranet.
As shown in FIG. 2, the timing diagram of serverless secure communication of the present invention involves two terminals and a security chip.
First, the first terminal assembles unique identifiers such as the receiver's mobile phone number and IM call account ID into a communication connection authentication message and sends it to the first security chip. Using unique identifiers such as the receiver's mobile phone number and IM call account, the first security chip splices the mobile phone number and IM call account unique identifiers, then splices the product batch mark, as the generation source of the session root key, and takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of this source as the session root key.
The chip then generates a 16-byte random number as the session key derivative factor and, using the session root key generation source, generates the session key of the current session from the derivative factor. It encrypts the 16-byte random derivative factor using the session root key and assembles the derivative factor ciphertext of the connection authentication message, then assembles the remaining message content, including the initiator, the receiver's mobile phone number or IM account ID, the service ID, the timestamp and so on. It encrypts the key fields of the message using the derived current session key, calculates the corresponding message MAC value using the derived current session key, assembles the connection and IM communication connection authentication message, and sends it to the first terminal. The first terminal creates and opens its dial-up or IM communication connection window and sends the connection and IM communication connection authentication message to the second terminal.
The second terminal receives the message and the second security chip verifies the communication connection message. The second security chip first performs MAC verification, decrypts the initiator and receiver IDs and compares them with those of the local device to check that the communication connection message is correct, then decrypts the service ID and executes the related service flow. Using unique identifiers such as the receiver's mobile phone number and IM call account, it splices the mobile phone number and IM call account unique identifiers, then splices the product batch mark, as the generation source of the session root key, and takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of this source as the session root key. It decrypts the 16-byte random session key derivative factor using the session root key, generates the session key of the current session from the derivative factor, and stores the current session key. The connection authentication result is returned to the second terminal.
Data to be sent by the first terminal is encrypted by the first security chip using the session key of the current session, and the encrypted data is returned to the first terminal. In the same way, the second terminal and the first terminal complete ciphertext communication.
The first terminal and the second terminal communicate in ciphertext, with each call encrypted individually and no server needed to relay the encryption. The session root key is generated when the session is created, only the two parties of the session can compute it, and only hardware within the same domain can communicate, which ensures the communication security of the terminals.
When two terminals communicate in ciphertext through a third-party relay server or in an untrusted server environment, the key negotiation information and the current session root key are computed inside the hardware security chips from the unique identifiers of the two session parties, the data sent is also ciphertext, and no plaintext account, plaintext derivative factor or similar data appears during authentication. In an untrusted environment the key therefore remains secure and the data is produced as ciphertext; when the current session ends, the key is discarded and cannot be recovered.
In the embodiment of the invention, the key negotiation messages comprise a request message and a response message, as follows:
Bidirectional authentication request message:
{"dataEncrypt":"FA9E2F1025B3755F231C85B1B4E4B2AF0CEC87881D8600B0AC9752069AE9E272B44B26B48C6BDEA40B6471CABE09809FE207B2F3E3FED13405EE0EFE42B04EE25CA6CFE8682A6639EC77B57196749F201E9DA469240DBB42C753BEDBF45BC86EF34065C6C11832DB5429523E23D2A3EE3BC3058C21A8566B675D688602C3CD293BC3058C21A8566B675D688602C3CD293BC3058C21A8566B675D688602C3CD293BC3058C21A8566B675D688602C3CD293BC3058C21A8566B675D688602C3CD293BC3058C21A8566B675D688602C3CD29","keyEncrypt":"04B33F18FFF6566586DFF1E8CEEE5F2500F33DB10DA6B98E6F3BFF94C44BD9C043B5D8A56180A03836553668CE3295E4B5030D9CE419BBC90CCFFDCD5550743BC71FF3058D61373624B0673E269AFA42B0726AD311B0BCA333ABE4BE62155DAC550CE00EB19FA1E6DC64071B7139C9508AED17774BC7871914B843F90867550E40","timeStamp":"1638930316250","authCode":"3045022039FD115483F40C002B6C94B658B087671ECBFEB665761752ADD9BB7D5E4881EE022100B4DACAF1038F8E2480BC175C568834511FAC8BD2FBD15B9FAE93CE4FE1253DBA"}
Response message:
{"dataEncrypt":"041693FC8FE08E1D9BAD38E85E898CF49EE9AFC886C8E92B1B8A29296DF886DE2464BC4C602E7A8902DA05A11C2A9FFA57CB8FED1CDB53CA9D47B2BE24E317A5FE96089CC6C064A3B9D7E185C238AB144BA37C56823F8AD471BF9572378DD2384D1040315272E0EC9ED5518CE631AE32D53BED2B551D5D44FD94A30FB4BF5CA4D53BED2B551D5D44FD94A30FB4BF5CA4D53BED2B551D5D44FD94A30FB4BF5CA4D53BED2B551D5D44FD94A30FB4BF5CA4D53BED2B551D5D44FD94A30FB4BF5CA4D53BED2B551D5D44FD94A30FB4BF5CA4","keyEncrypt":"042C1F049124F68846040423EDB737E52EAFC89B2E1D5FECBDAD00D09BE88E50C335C3B7418DC2754D0E76DD5C5412E2932028086D64826841745DEE24C96290A5EF4C4BB6E8055DF5C2E71C5DF1FD88A71E4FF84B25DCC6DA91BE3FF847AEC441753248BCB55E8C9931219EEB3EEC22F34B8B1B42CAF1FE256F52443324B3E4D8","timeStamp":"1638930316442","authCode":"3044022052D89F62769442A14B48226AB31715E5F479DB219AF901ED61C0D14B756E6E8402205B88894B7D7C5620EF2DED315B12AFD005D270024DBF7FF4A34FE349429E20A0"}
The data sending messages comprise a request message and a response message, as follows:
Send request message:
{"dataEncrypt":"268FEE93CAE508CC0B4D3A357412D2893EE764B46B8441429F5469BAEEAEC44CD24A682C58046AD4C1075B046CD285E205B080E01F07D7465133F859A5C7FE1C39186F3CBC23996F18605168B62C3D928062CA639AD820CF99F41603128346E935E108C60818B9FB246736E0EAA43B8197C06519D1A6E021CFC1E2719DCB5AC497C06519D1A6E021CFC1E2719DCB5AC497C06519D1A6E021CFC1E2719DCB5AC497C06519D1A6E021CFC1E2719DCB5AC497C06519D1A6E021CFC1E2719DCB5AC497C06519D1A6E021CFC1E2719DCB5AC4","keyEncrypt":"041734B0BEAE23DB685E007ECFC7C4FE88862FC1C8DD221C7084B32F3184D665E39CCF426CCDF8DF380736AF444FDBDDFAECC87A30A6E48949B75AB63BE09ED3F2DEAE6CEE5FB18796E527B5C15CE8C86B76C4B563968D948A66F05703E2AF8DFDA73390FBD50B0FF3B8B2C18C0265D07A61781D68DE626370F8B82DECE69FF334","timeStamp":"1638929258371","authCode":"304402203DF1225542E99857608100B6E7961DD53AE1D7C3FAA77F30193CFBEC8AC8B07A022030557F574C169079543CA177351005F9DAE312942E3387B15EA707B6A796E25D"}
Response message:
{ msg=successful, code=0,
data={"dataEncrypt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keyEncrypt":"049E2BB98A22E78C79241B29E36C350F496D4CB1A5A874A4A418A67CE59C1CD81A78460BA8CEEA546FC8D633BFE24472D437431796E4145E8F6730CC1326854A55D457D3B8AD9D1DB881E7F284BC28FB4E99D49EFAD8248A7026D3E5619EEB5CCCC73931E361A4BF4AB6FB1A271BC6CCC68FB8569E3FD1BBE02B997C6764BDCE83","timeStamp":1638929258603,"authCode":"3046022100CC0148AF09F2395BF658E6F5E4482D1EA2F67C539121EB953FC34935DE06BF52022100FC0523300341EC70B568C2A748B459C29D119C5}}
As shown in FIG. 3, the data encryption storage timing diagram of the present invention illustrates the protection of local data without a server.
When a terminal has a local data file to be encrypted, the security chip parses the file format and, according to the file information in the file header, splices the local chip SN, the product batch information and the local encryption confusion parameter as the data source of the local data encryption root key. It takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of the data source as the local encryption root key and generates the encryption key of the current file using the encryption file header as the derivative factor. It encrypts the body of the data file while keeping the file header unchanged, so the file format does not change and the content is shown as ciphertext, and it uses the current file encryption key to calculate a MAC value for verifying the data. The local ciphertext data file is returned to the terminal, which stores the local data file as ciphertext.
Because different files and data types have different file headers, the scheme guarantees "one data item, one key, one hardware-stored confusion parameter". The confusion parameter is unique and cannot be exported; it cannot be recovered if the hardware is lost, and locally encrypted data cannot be recovered once separated from the hardware. No server participates and the key parameters cannot be backed up or exported, which ensures the security of the data and raises its security level.
FIG. 4 shows the timing diagram for data decryption and viewing of the present invention.
When a terminal has a local ciphertext file to be decrypted, the security chip obtains the file, parses the file format and, according to the file information in the file header, splices the local chip SN, the product batch information and the local encryption confusion parameter as the data source of the local data encryption root key. It takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of the data source as the local encryption root key and generates the encryption key of the current file using the encryption file header as the derivative factor. It then performs MAC verification on the body of the data file, keeps the file header unchanged so the file format does not change, and decrypts the content ciphertext to obtain a plaintext data file. The local data file is returned to the terminal, which stores the local plaintext data file.
This technical scheme is an innovation over the prior art. Prior art schemes require a server to take part in the application's encryption service process, whereas the invention designs a new scenario that uses purely end-to-end or local encryption services without any server participation. No server takes part at any point in the encryption service process, so the influence of a server on service and key security is avoided, the security of application encryption is improved, the security of user services is ensured, and the security level requirements of individuals and user terminals are met in untrusted-server and third-party-server environments.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. A method for producing an encryption and decryption device in a server-free environment, characterized in that a security chip of the encryption and decryption device is placed in a secure intranet environment, the production method comprising the following steps:
step one, the firmware of the security chip is burned, a program is written into the COS memory, and the life cycle state of the security chip is changed;
step two, the production protection key and the transmission key take effect, the two keys being used by the local production tool to produce the security chip in the secure intranet environment;
step three, the security chip randomly generates a 16-byte random number and derives a confusion parameter that cannot be exported;
step four, the production tool obtains the chip's life cycle ciphertext mark and checks whether it indicates the hardware initialization state; once this is confirmed, the tool assembles a product batch mark ciphertext message using the initialization key, calculates the MAC value of the ciphertext message using the transmission key, assembles the final production message, issues it to the security chip, and the product batch mark is written;
step five, the security chip verifies the ciphertext MAC, decrypts the production message, extracts the product batch mark, writes the production information, performs a self-check of the production algorithm and integrity, and changes the life cycle to the personal information initialization state, completing production of the security chip.
2. The method of claim 1, wherein the production protection key is a 16-byte SM4 key for decrypting production tool ciphertext production messages.
3. The method of claim 1, wherein the transmission key is a 16-byte SM4 key for generating a ciphertext production message MAC value.
4. An application method of an encryption and decryption device in a server-free environment, characterized in that a first terminal and a second terminal, each with a security chip, are configured, the first terminal being provided with a first security chip and a first unique identifier and the second terminal being provided with a second security chip and a second unique identifier, wherein:
the first terminal assembles the first unique identifier into a communication connection authentication message and sends it to the first security chip; using the second unique identifier of the second terminal, the first security chip splices the first unique identifier and the second unique identifier to form a third unique identifier, then splices a product batch mark, as the generation source of the session root key, and takes the XOR of the odd-numbered bits and the even-numbered bits of the SM3 value of this generation source as the session root key;
the first security chip encrypts the derivative factor using the session root key, assembles the derivative factor ciphertext of the connection message together with the remaining message content, encrypts the key fields of the message using the derived current session key, calculates the corresponding message MAC value using the derived current session key, and sends the message to the first terminal;
the first terminal sends a call invitation to the second terminal together with the connection authentication message; the second terminal receives the connection authentication message, the second security chip verifies the communication connection message and returns the connection authentication result to the second terminal, and the second terminal establishes ciphertext communication with the first terminal.
5. The application method according to claim 4, wherein the application method includes a method by which the second security chip verifies the communication connection message, the method comprising the following steps:
the second security chip performs MAC verification, decrypts the initiator and receiver IDs and compares them with those of the local device to check that the communication connection message is correct, then decrypts the service ID and executes the related service flow;
the first unique identifier and the second unique identifier are spliced to form a fourth unique identifier, and the product batch mark is then spliced, as the generation source of the session root key;
the session root key is used to decrypt the 16-byte random number that serves as the session key derivative factor, the session key of the current session is generated from the derivative factor, and the second security chip stores the current session key.
6. The application method according to claim 4, wherein the application method includes a method for encrypting a local file by the encryption and decryption device, the method includes the steps of:
when a terminal has a local data file to be encrypted, the security chip parses the file format and, according to the file information in the file header, splices the local chip SN, the product batch information and the local encryption confusion parameter to form the data source of the local data encryption root key; it uses the odd number bits and even number bits of the SM3 value of the data source or the value SM as the local encryption root key, generates the encryption key of the current file using the encrypted file header as the derivation factor, encrypts the main content of the data file, and returns the encrypted data file to the terminal for storage.
7. The application method according to claim 4, wherein the application method comprises a method for decrypting an encrypted file by an encryption and decryption device, the method comprising the steps of:
when the terminal has a local ciphertext file to be decrypted, the security chip obtains the file, parses the file format, splices the encryption confusion parameters according to the file information in the file header to form the data source of the local data encryption root key, generates the encryption key of the current file using the encrypted file header as the derivation factor, then performs MAC (message authentication code) verification on the main content of the data file to obtain the plaintext data file, and returns the plaintext data file to the terminal for storage.
CN202210232006.6A 2022-03-09 2022-03-09 Production and application method of encryption and decryption device in server-free environment Active CN114697082B (en)


Publications (2)

Publication Number Publication Date
CN114697082A (en) 2022-07-01
CN114697082B (en) 2023-11-07

Family

ID=82139655


Country Status (1)

Country Link
CN (1) CN114697082B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant