CN114785845A - Session establishing method and device, storage medium and electronic device - Google Patents

Info

Publication number
CN114785845A
Authority
CN
China
Prior art keywords
trusted platform
platform module
key
original
authorization value
Legal status
Granted
Application number
CN202210386137.XA
Other languages
Chinese (zh)
Other versions
CN114785845B (en)
Inventor
邵培杰
张军昌
魏东
Current Assignee
Zhejiang Dahua Technology Co Ltd
Original Assignee
Zhejiang Dahua Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

An embodiment of the invention provides a session establishment method and device, a storage medium and an electronic device. The method comprises: extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment; acquiring digest information of the additional information, and determining a first authorization value based on the digest information and the received original authorization value; and sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module if the verification passes.

Description

Session establishing method and device, storage medium and electronic device
Technical Field
The embodiment of the invention relates to the field of communication, in particular to a session establishing method, a session establishing device, a storage medium and an electronic device.
Background
With the rapid development of communication technology, the security of information transmission receives increasing attention. To keep users' information transmission safe and reliable, the use of keys is currently one of the most effective information encryption measures.
However, in the related art, once a key has been generated, information about the user to whom the key belongs cannot be obtained quickly. How to obtain that information quickly is therefore a problem to be solved urgently, and how to protect the integrity of that information also needs to be considered.
In view of the above problems in the related art, no effective solution has been proposed so far.
Disclosure of Invention
Embodiments of the present invention provide a session establishment method, a session establishment device, a storage medium, and an electronic device, so as to at least solve the problems in the related art that information about the user to whom a key belongs cannot be obtained quickly and that the integrity of that information needs to be protected.
According to an embodiment of the present invention, there is provided a session establishment method, including: extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment; obtaining digest information of the additional information, and determining a first authorization value based on the digest information and the received original authorization value; sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module if the verification passes.
In an exemplary embodiment, obtaining the digest information of the additional information includes: calculating the digest information of the additional information in a first calculation mode, wherein the first calculation mode is the same as the calculation mode used by the target user equipment to calculate the original digest information.
In an exemplary embodiment, determining a first authorization value based on the digest information and the received original authorization value includes: obtaining the original authorization value input by the target user equipment; and performing a cryptographic operation on the digest information and the original authorization value to obtain the first authorization value.
In one exemplary embodiment, before extracting the trusted platform module key and the additional information included in the first key information used by the target user equipment, the method further includes: acquiring the original digest information of the input original additional information, and the original authorization value; determining the target authorization value based on the original digest information and the original authorization value; sending the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; and acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorization session between the target user equipment and the trusted platform module.
In an exemplary embodiment, determining the original key information based on the trusted platform module key and the original additional information comprises: storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information.
In an exemplary embodiment, after sending the trusted platform module key and the first authorization value to the trusted platform module, the method further comprises: the trusted platform module obtains the target authorization value included in the trusted platform module key; the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result; the trusted platform module acquires signature information carried in the trusted platform module key; the trusted platform module determines the validity of the first authorization value based on the first comparison result and determines the validity of the trusted platform module key based on the signature information; and the trusted platform module establishes an authorization session between the target user equipment and the trusted platform module if it determines that both the first authorization value and the trusted platform module key are valid.
In one exemplary embodiment, the additional information includes at least one of the following information: the ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
According to another embodiment of the present invention, there is provided a session establishment apparatus including: an extraction module, configured to extract a trusted platform module key and additional information included in first key information used by target user equipment, where the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment; a first obtaining module, configured to obtain digest information of the additional information, and determine a first authorization value based on the digest information and the received original authorization value; a first sending module, configured to send the trusted platform module key and the first authorization value to the trusted platform module, so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establish an authorization session between the target user equipment and the trusted platform module if the verification passes.
According to a further embodiment of the present invention, there is also provided a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, the key information configured for the user equipment carries additional information related to the user equipment, so that information related to the user equipment can be read conveniently at the operating system level. In addition, the key carried in the key information is actually created based on the additional information, so when the user equipment uses the key information to establish a session with the trusted platform module, the additional information carried in the key information can be checked against the key to determine whether it is intact. This verifies the integrity of the additional information and ensures communication security. The problems in the related art, that information about the user to whom a key belongs cannot be obtained quickly and that the integrity of that information needs to be protected, are thereby solved.
Drawings
Fig. 1 is a block diagram of a hardware configuration of a mobile terminal according to a session establishment method of an embodiment of the present invention;
Fig. 2 is a flowchart of a session establishment method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a process for generating a key BLOB from a trusted platform module key and additional information according to an embodiment of the present invention;
Fig. 4 is a flow diagram of a user creating a trusted platform module key according to an embodiment of the present invention;
Fig. 5 is a flow diagram of a user using a trusted platform module key according to an embodiment of the present invention;
Fig. 6 is a block diagram of a configuration of a session establishment apparatus according to an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
First, the related art related to the present invention will be explained:
Trusted platform module: the TPM (Trusted Platform Module) or TCM (Trusted Cryptography Module) is usually an independent security chip on a platform motherboard. It provides functions such as platform integrity measurement, a unique platform identity and hardware-level key protection, and provides the basic hardware support for trusted computing.
Trusted platform module key: a key (e.g., an AES (Advanced Encryption Standard), RSA (Rivest Shamir Adleman) or ECC (Elliptic Curve Cryptography) key) that is encrypted, protected and signed by a trusted platform module is collectively referred to as a trusted platform module key, called a key for short in the embodiments of the present invention. The trusted platform module ensures the confidentiality and integrity of the key and supports authorization modes such as a password, an HMAC (Hash-based Message Authentication Code) and a policy session to control access to the key; that is, the trusted platform module uses the corresponding key for encryption and decryption operations only if the correct authorization value of the key is supplied to it.
How the present invention solves the problems existing in the prior art is described below with reference to the following embodiments:
The method embodiments provided in the embodiments of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Taking execution on a mobile terminal as an example, Fig. 1 is a block diagram of a hardware structure of the mobile terminal of a session establishment method according to an embodiment of the present invention. As shown in Fig. 1, the mobile terminal may include one or more (only one shown in Fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), and a memory 104 for storing data, wherein the mobile terminal may further include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those of ordinary skill in the art that the structure shown in Fig. 1 is only an illustration and is not intended to limit the structure of the mobile terminal. For example, the mobile terminal may also include more or fewer components than shown in Fig. 1, or have a different configuration than shown in Fig. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the session establishment method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a method for establishing a session is provided, as shown in fig. 2, the method includes the following steps:
S202, extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, and the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment;
S204, acquiring digest information of the additional information, and determining a first authorization value based on the digest information and the received original authorization value;
S206, sending the trusted platform module key and the first authorization value to the trusted platform module, so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module if the verification passes.
The above operations may be performed by an underlying processor, for example, a processor capable of executing a predetermined code or process, an operating system, or other processing devices or processing units with similar processing capabilities.
In the above embodiment, the original digest information may be information carried in the original additional information, or it may be original digest information determined by calculation, based on trimming or extending the original additional information or on other specific calculation operations. In practical applications, the original additional information may include an identification ID of the target user equipment, a user name of the target user equipment, access rights of the target user equipment, a key name of the trusted platform module key, and the like. The original information may be information input by the user on an input interface of the platform, or information extracted by the trusted platform module from a specific module or request. For example, when the user does not input the identification ID of the target user equipment, the trusted platform module may detect, after receiving the additional information, that the identification ID of the target user equipment is absent; the identification ID of the corresponding target user equipment may then be retrieved, according to the information of the user of the target user equipment, from a specific module or an operating system component of the target user equipment, for example from a storage unit of the trusted platform module or a storage unit of the target user equipment.
In the above embodiment, after receiving the request for verifying the trusted platform module key and the first authorization value, the trusted platform module may verify the trusted platform module key before verifying the first authorization value, or verify the first authorization value before verifying the trusted platform module key; the two verifications may of course also be performed at the same time. However, an authorization session between the target user equipment and the trusted platform module may be established only when both the trusted platform module key and the first authorization value pass verification. For example, if the trusted platform module key passes verification but the first authorization value does not, the authorization session between the target user equipment and the trusted platform module is not established.
Through the above embodiment, the key information configured for the user equipment carries additional information related to the user equipment, so that information related to the user equipment can be read conveniently at the operating system level. In addition, the key carried in the key information is actually created based on the additional information, so when the user equipment uses the key information to establish a session with the trusted platform module, the additional information carried in the key information can be checked against the key to determine whether it is intact. This verifies the integrity of the additional information and ensures communication security. The problems in the related art, that information about the user to whom a key belongs cannot be obtained quickly and that the integrity of that information needs to be protected, are thereby solved.
In an exemplary embodiment, obtaining the digest information of the additional information includes: calculating the digest information of the additional information in a first calculation mode, wherein the first calculation mode is the same as the calculation mode used by the target user equipment to calculate the original digest information. In this embodiment, the precondition for establishing the authorization session between the target user equipment and the trusted platform module is that the trusted platform module key and the first authorization value both pass verification. Whether the first authorization value passes verification depends on the result of comparing the first authorization value with the target authorization value: when the two are consistent, the digest information of the additional information has not been tampered with, that is, the first authorization value has not been tampered with. In practical applications, the same calculation method needs to be used to calculate the digest information of the additional information and the original digest information of the original additional information, so as to ensure the accuracy of the calculation. In addition, after the first authorization value and the target authorization value have been determined from the digest information and the original digest information respectively, the first authorization value may be compared with the target authorization value to verify whether the first authorization value is valid: the first authorization value may be considered valid if it is consistent with the target authorization value, and invalid if it is inconsistent with the target authorization value.
In the above embodiment, the digest information of the additional information and the original digest information of the original additional information may be calculated by an operating system component (e.g., a background daemon process, a kernel driver module, etc.) of the target user equipment.
In an exemplary embodiment, determining a first authorization value based on the digest information and the received original authorization value includes: obtaining the original authorization value input by the target user equipment; and performing a cryptographic operation on the digest information and the original authorization value to obtain the first authorization value. In this embodiment, the first authorization value is calculated from the original authorization value and the currently extracted additional information. The original authorization value may be input by the target user equipment, may be looked up from pre-stored data, or may be obtained in any other way capable of obtaining it. The cryptographic operation may also take several forms, for example a hash operation or an encryption operation, which is not limited herein.
In one exemplary embodiment, before extracting the trusted platform module key and the additional information included in the first key information used by the target user equipment, the method further comprises: acquiring the original digest information of the input original additional information, and the original authorization value; determining the target authorization value based on the original digest information and the original authorization value; sending the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; and acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorization session between the target user equipment and the trusted platform module.
In this embodiment, the original digest information of the original additional information and the original authorization value may be input by the target user equipment, or by equipment other than the target user equipment. The target authorization value is determined based on the original digest information and the original authorization value, and is sent to the trusted platform module to instruct the trusted platform module to create the trusted platform module key based on it. The trusted platform module key is therefore associated with the original additional information, so the extracted additional information can later be verified based on the trusted platform module key. In this embodiment, the authorization mechanism of the trusted platform module is used to ensure the integrity of the original additional information, and the verification of that integrity is folded into the key authorization process, which greatly improves the efficiency of the integrity check of the original additional information, that is, of the original key information.
In an exemplary embodiment, determining original key information based on the trusted platform module key and the original additional information comprises: storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information. In this embodiment, the preset structure may be a C-language structure or a structure of another language, and the trusted platform module key and the original additional information may be arranged in sequence; for example, the statement representing the trusted platform module key may be arranged before the statement representing the original additional information, or the statement representing the original additional information may be arranged before the statement representing the trusted platform module key. Because the trusted platform module key and the original additional information are stored together in the preset structure, the operating system layer can determine from the original additional information which user equipment the trusted platform module key is used by.
In an exemplary embodiment, after sending the trusted platform module key and the first authorization value to the trusted platform module, the method further comprises: the trusted platform module obtains the target authorization value included in the trusted platform module key; the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result; the trusted platform module acquires signature information carried in the trusted platform module key; the trusted platform module determines validity of the first authorization value based on the first comparison result and determines validity of the trusted platform module key based on the signature information; and the trusted platform module establishes an authorized session between the target user equipment and the trusted platform module under the condition that the first authorization value is determined to be legal and the key of the trusted platform module is determined to be legal. 
In this embodiment, the signature information carried in the trusted platform module key may be added to the trusted platform module key when the trusted platform module creates the key based on the target authorization value. The trusted platform module may determine whether the trusted platform module key is legitimate by verifying whether the signature information obtained from the key is consistent with the signature information that the trusted platform module itself added when creating the key: if the two are consistent, the trusted platform module key is determined to be legitimate; if they are inconsistent, the trusted platform module key is determined to be illegitimate.
In one exemplary embodiment, the additional information includes at least one of the following information: the ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key. In this embodiment, the additional information may include identification information of other user devices, identification information of a key, and the like, in addition to the identification ID of the target user device, the user name of the target user device, the access right of the target user device, and the key name of the trusted platform module key.
It is to be understood that the above-described embodiments are only a few, and not all, embodiments of the present invention.
The present invention will be described in detail with reference to the following specific examples:
First, the additional information and the key involved in the embodiment of the present invention are explained:
Trusted platform module key additional information: in an embodiment of the present invention, this is the metadata (meta-data) attached to the trusted platform module key, for example the name of the owner of the key, the key number, the access rights of the key on the operating system, and the like. This information is collectively referred to as trusted platform module key additional information, or additional information for short. The additional information is private data that is invisible to the trusted platform module, and its integrity is not protected by the trusted platform module.
Key BLOB (corresponding to the first key information and the original key information described above): the additional information is stored together with the trusted platform module key in some data structure (corresponding to the predetermined structure described above) to generate the key BLOB.
Fig. 3 is a schematic diagram of a process of generating a key BLOB by using a trusted platform module key and additional information according to an embodiment of the present invention, and as shown in fig. 3, a Trusted Platform Module (TPM) generates a trusted platform module key, and performs combined encapsulation on the trusted platform module key and the additional information thereof outside the trusted platform module to generate the key BLOB.
The embodiment of the present invention further provides a process for a user to create a trusted platform module key. Fig. 4 is a flowchart of a user creating a trusted platform module key according to the embodiment of the present invention. As shown in Fig. 4, the process includes the following steps:
S402, inputting additional information (corresponding to the original additional information) of the trusted platform module key;
S404, inputting the authorization policy (password, for inputting the authorization value) and the authorization value (corresponding to the original authorization value) of the trusted platform module key;
S406, the target user equipment calculates the digest information of the additional information of the trusted platform module key;
S408, performing a cryptographic operation (e.g., a hash operation, an encryption operation, etc.) on the digest information (corresponding to the original digest information of the original additional information) calculated in S406 and the authorization value (corresponding to the original authorization value) of the trusted platform module key to obtain a new authorization value (corresponding to the target authorization value);
S410, sending the input authorization policy, the new authorization value and the key creation parameters (the standard parameters used when a key is created) to the trusted platform module, and sending a key creation request to the trusted platform module;
S412, acquiring the newly created trusted platform module key from the trusted platform module;
S414, storing the input additional information of the trusted platform module key and the trusted platform module key obtained in S412 together in a certain data structure (corresponding to the predetermined structure) to form a key BLOB (corresponding to the original key information).
Fig. 5 is a flowchart of a user using a trusted platform module key according to an embodiment of the present invention. As shown in Fig. 5, the flow includes the following steps:
S502, reading a key BLOB (corresponding to the first key information), and extracting from it the additional information of the trusted platform module key (corresponding to the additional information) and the trusted platform module key;
S504, the user inputs the authorization value of the trusted platform module key (corresponding to the original authorization value, and consistent with the authorization value input when creating the key);
S506, the target user equipment calculates the digest information of the additional information of the trusted platform module key;
S508, performing a cryptographic operation (e.g., a hash operation, an encryption operation, etc.) on the digest information (corresponding to the digest information of the additional information) calculated in step S506 and the authorization value (corresponding to the original authorization value) to obtain a new authorization value (corresponding to the first authorization value);
S510, sending the new authorization value and the trusted platform module key extracted from the key BLOB to the trusted platform module to request the trusted platform module to establish an authorization session;
S512, waiting for authorization by the trusted platform module;
S514, if the authorization value and the trusted platform module key are both correct, the trusted platform module establishes a session and accepts key operation requests (such as encryption, decryption, migration and the like) initiated by the user;
S516, if either or both of the authorization value and the trusted platform module key are incorrect, the trusted platform module rejects the subsequent request.
It can be seen from the foregoing embodiment that, if the content of the additional information of the trusted platform module key changes, its digest information also changes, which changes the authorization value. The authorization value presented when initiating the authorization session is then inconsistent with the authorization value used when the key was created, so authorization does not pass and the user cannot use the key. The embodiment of the present invention thus achieves the following objectives: the integrity, confidentiality and authorized access of the user key are guaranteed through the trusted platform module. Through the authorization mechanism of the trusted platform module, the digest information of the additional information is used as one of the calculation factors of the key authorization value, and the integrity verification of the additional information is merged into the key authorization process of the trusted platform module, thereby ensuring the integrity of the additional information of the trusted platform module key.
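The create flow (S402 to S414) and the use flow (S502 to S516) above, as an added Python example that is not code from the patent: it shows that editing the additional information inside a key BLOB makes authorization fail. Assumptions: MockTpm is a software stand-in for the trusted platform module, HMAC-SHA256 is chosen as the cryptographic operation, and the BLOB layout and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"KBLB"                   # hypothetical tag; the patent fixes no BLOB layout
HEADER = struct.Struct(">4sHH")   # magic, TPM-key length, additional-info length


class MockTpm:
    """Software stand-in for the trusted platform module (assumption, not a real TPM)."""

    def __init__(self):
        self._secret = os.urandom(32)  # plays the role of a secret that never leaves the chip

    def _tag(self, label, data):
        return hmac.new(self._secret, label + data, hashlib.sha256).digest()

    def create_key(self, target_auth):
        # Key object = key id || tag binding the target authorization value || seal.
        # The seal stands in for the "signature information" the TPM adds at creation.
        key_id = os.urandom(16)
        body = key_id + self._tag(b"auth", key_id + target_auth)
        return body + self._tag(b"seal", body)

    def start_session(self, tpm_key, first_auth):
        # S512-S516: both the key object and the authorization value must check out.
        if len(tpm_key) != 80:
            return False
        body, seal = tpm_key[:48], tpm_key[48:]
        key_ok = hmac.compare_digest(seal, self._tag(b"seal", body))
        auth_ok = hmac.compare_digest(body[16:], self._tag(b"auth", body[:16] + first_auth))
        return key_ok and auth_ok


def bound_auth(additional_info, auth_value):
    """S406/S506 then S408/S508: fold the digest of the additional info into the auth value."""
    digest = hashlib.sha256(additional_info).digest()
    # Assumption: HMAC-SHA256 is the "cryptographic operation"; the patent names none.
    return hmac.new(auth_value, digest, hashlib.sha256).digest()


def pack_blob(tpm_key, additional_info):
    """S414: store the TPM key and the additional info together in one structure."""
    return HEADER.pack(MAGIC, len(tpm_key), len(additional_info)) + tpm_key + additional_info


def unpack_blob(blob):
    """S502: split a key BLOB, rejecting truncated or inconsistent input."""
    if len(blob) < HEADER.size:
        raise ValueError("key BLOB too short")
    magic, key_len, info_len = HEADER.unpack_from(blob)
    if magic != MAGIC or len(blob) != HEADER.size + key_len + info_len:
        raise ValueError("malformed key BLOB")
    key_end = HEADER.size + key_len
    return blob[HEADER.size:key_end], blob[key_end:]


def create_key_blob(tpm, additional_info, auth_value):
    """S402-S414: create a key whose authorization depends on the additional info."""
    tpm_key = tpm.create_key(bound_auth(additional_info, auth_value))
    return pack_blob(tpm_key, additional_info)


def open_session(tpm, blob, auth_value):
    """S502-S516: True only if the TPM accepts the key and the recomputed auth value."""
    tpm_key, additional_info = unpack_blob(blob)
    return tpm.start_session(tpm_key, bound_auth(additional_info, auth_value))


def demo():
    tpm = MockTpm()
    # Constructed sample additional info: device ID, user name, access right, key name.
    info = b"device_id=cam-01;user=alice;access=decrypt;key_name=k1"
    blob = create_key_blob(tpm, info, b"correct horse")
    tampered = blob.replace(b"access=decrypt", b"access=migrate")  # same length, edited field
    return {
        "untouched": open_session(tpm, blob, b"correct horse"),
        "tampered_info": open_session(tpm, tampered, b"correct horse"),
        "wrong_auth": open_session(tpm, blob, b"not the password"),
    }


if __name__ == "__main__":
    print(demo())
```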
By the session establishing method, the integrity of the trusted platform module key and of its additional information can be protected, which solves the problem that the data integrity of the additional information of the trusted platform module key is not guaranteed: when the additional information of the key is tampered with, the trusted platform module can refuse to operate on the key (operations include encryption, decryption, signature verification, deletion, password change, policy change, authorization value change and the like).
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method according to the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
In this embodiment, a session establishment apparatus is further provided, and the apparatus is used to implement the foregoing embodiments and preferred embodiments, and details of which have been already described are omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 6 is a block diagram of a session establishment apparatus according to an embodiment of the present invention, and as shown in fig. 6, the apparatus includes:
an extracting module 62, configured to extract a trusted platform module key and additional information included in first key information used by a target user equipment, where the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment;
a first obtaining module 64, configured to obtain summary information of the additional information, and determine a first authorization value based on the summary information and the received original authorization value;
a first sending module 66, configured to send the trusted platform module key and the first authorization value to the trusted platform module, so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establish an authorization session between the target user equipment and the trusted platform module if the verification passes.
In an exemplary embodiment, the first obtaining module 64 includes: a calculating unit, configured to calculate the summary information of the additional information in a first calculation mode, wherein the first calculation mode is consistent with the calculation mode used by the target user equipment to calculate the original digest information.
In an exemplary embodiment, the first obtaining module 64 includes: an obtaining unit, configured to obtain the original authorization value input by the target user equipment; and an operation unit, configured to perform a cryptographic operation on the summary information and the original authorization value to obtain the first authorization value.
In an exemplary embodiment, the apparatus further includes: a second obtaining module, configured to obtain the original digest information and the original authorization value of the input original additional information before extracting a trusted platform module key and additional information included in first key information used by a target user equipment; a determining module, configured to determine the target authorization value based on the original digest information and the original authorization value; a second sending module, configured to send the target authorization value to a trusted platform module, so as to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; a third obtaining module, configured to obtain the trusted platform module key created by the trusted platform module, and determine original key information based on the trusted platform module key and the original additional information, where the original key information is used for establishing an authorization session between the target user equipment and the trusted platform module.
In one exemplary embodiment, the determining module includes: a storage unit, configured to store the trusted platform module key and the original additional information together according to a predetermined structure to obtain the original key information.
In an exemplary embodiment, the trusted platform module includes: a fourth obtaining module, configured to obtain the target authorization value included in the trusted platform module key; a comparison module, configured to compare the first authorization value with the target authorization value to obtain a first comparison result; a fifth obtaining module, configured to obtain signature information carried in the key of the trusted platform module; a determining module, configured to determine validity of the first authorization value based on the first comparison result, and determine validity of the trusted platform module key based on the signature information; an establishing module, configured to establish an authorized session between the target user equipment and the trusted platform module when it is determined that the first authorization value is legal and the trusted platform module key is legal.
In one exemplary embodiment, the additional information includes at least one of the following information: the ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
It should be noted that the above modules may be implemented by software or hardware; for the latter, this may be achieved in, but is not limited to, the following ways: the modules are all located in the same processor; or the modules are located in different processors in any combination.
Embodiments of the present invention also provide a computer-readable storage medium having a computer program stored thereon, wherein the computer program is arranged to perform the steps of any of the above-mentioned method embodiments when executed.
In an exemplary embodiment, the computer-readable storage medium may include, but is not limited to: various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
In an exemplary embodiment, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and exemplary embodiments, and details of this embodiment are not repeated herein.
According to the invention, the integrity of the key additional information of the trusted platform module can be ensured by utilizing the authorization mechanism of the trusted platform module, and the key of the trusted platform module does not need to be signed by adopting a key outside the trusted platform module, so that the integrity verification of the key additional information of the trusted platform module can be integrated into the key authorization process, the protection problem of an external signature key is avoided, the security of key transmission is improved, the integrity verification efficiency of the key additional information of the trusted platform module is greatly improved, and the calculation amount of the trusted platform module is reduced.
It will be apparent to those skilled in the art that the various modules or steps of the invention described above may be implemented using a general purpose computing device, they may be centralized on a single computing device or distributed across a network of computing devices, and they may be implemented using program code executable by the computing devices, such that they may be stored in a memory device and executed by the computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into various integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for establishing a session, comprising:
extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment;
obtaining summary information of the additional information, and determining a first authorization value based on the summary information and the received original authorization value;
sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module if verification is passed.
2. The method of claim 1, wherein obtaining summary information of the additional information comprises:
calculating the summary information of the additional information in a first calculation mode, wherein the first calculation mode is consistent with the calculation mode used by the target user equipment to calculate the original digest information.
3. The method of claim 1, wherein determining a first authorization value based on the summary information and the received original authorization value comprises:
obtaining the original authorization value input by the target user device;
and performing a cryptographic operation on the summary information and the original authorization value to obtain the first authorization value.
4. The method of claim 1, wherein prior to extracting the trusted platform module key and the additional information included in the first key information used by the target user device, the method further comprises:
acquiring the original digest information and the original authorization value of the input original additional information;
determining the target authorization value based on the original digest information and the original authorization value;
sending the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value;
and acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorization session between the target user equipment and the trusted platform module.
5. The method of claim 4, wherein determining original key information based on the trusted platform module key and the original additional information comprises:
and storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information.
6. The method of claim 1, wherein after sending the trusted platform module key and the first authorization value to the trusted platform module, the method further comprises:
the trusted platform module obtains the target authorization value included in the trusted platform module key;
the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result;
the trusted platform module acquires signature information carried in the trusted platform module key;
the trusted platform module determines validity of the first authorization value based on the first comparison result and determines validity of the trusted platform module key based on the signature information;
and the trusted platform module establishes an authorization session between the target user equipment and the trusted platform module under the condition that the first authorization value is determined to be legal and the key of the trusted platform module is determined to be legal.
7. The method according to any one of claims 1 to 6, wherein the additional information comprises at least one of:
the ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
8. An apparatus for establishing a session, comprising:
an extracting module, configured to extract a trusted platform module key and additional information included in first key information used by a target user equipment, where the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original digest information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment;
a first obtaining module, configured to obtain summary information of the additional information, and determine a first authorization value based on the summary information and the received original authorization value;
a first sending module, configured to send the trusted platform module key and the first authorization value to the trusted platform module, so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establish an authorization session between the target user equipment and the trusted platform module if the verification passes.
9. A computer-readable storage medium, in which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method as claimed in any one of claims 1 to 7 when executing the computer program.
CN202210386137.XA 2022-04-13 2022-04-13 Session establishment method and device, storage medium and electronic device Active CN114785845B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210386137.XA CN114785845B (en) 2022-04-13 2022-04-13 Session establishment method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN114785845A true CN114785845A (en) 2022-07-22
CN114785845B CN114785845B (en) 2023-08-29

Family

ID=82429977

Country Status (1)

Country Link
CN (1) CN114785845B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant