CN114785845B - Session establishment method and device, storage medium and electronic device - Google Patents
Session establishment method and device, storage medium and electronic device Download PDFInfo
- Publication number
- CN114785845B CN114785845B CN202210386137.XA CN202210386137A CN114785845B CN 114785845 B CN114785845 B CN 114785845B CN 202210386137 A CN202210386137 A CN 202210386137A CN 114785845 B CN114785845 B CN 114785845B
- Authority
- CN
- China
- Prior art keywords
- trusted platform
- platform module
- key
- information
- authorization value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
- H04L67/141—Setup of application sessions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The embodiment of the invention provides a method and a device for establishing a session, a storage medium and an electronic device, wherein the method comprises the following steps: extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original abstract information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment; acquiring abstract information of the additional information, and determining a first authorization value based on the abstract information and the received original authorization value; and sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module under the condition that verification is passed.
Description
Technical Field
The embodiment of the invention relates to the field of communication, in particular to a method and a device for establishing a session, a storage medium and an electronic device.
Background
With the rapid development of communication technology, the security of information transmission is increasingly paid attention to, and then, in order to ensure that the information transmission of users can run safely and reliably, the application of a secret key is one of the most effective information encryption measures at present.
However, in the related art, after the key is generated, the related information of the user to which the key belongs cannot be obtained quickly, so how to obtain the related information of the user to which the key belongs quickly is a problem to be solved, and how to protect the integrity of the related information of the user to which the key belongs is a problem to be considered.
In view of the above problems in the related art, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a session establishment method, a session establishment device, a storage medium and an electronic device, which at least solve the problems that related information of a user to which a key belongs cannot be known quickly and how to carry out integrity protection on the related information of the user to which the key belongs in the related technology.
According to an embodiment of the present invention, there is provided a session establishment method including: extracting a trusted platform module key and additional information included in first key information used by a target user device, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original summary information of original additional information calculated by the target user device, and the original additional information is information related to the target user device; acquiring abstract information of the additional information, and determining a first authorization value based on the abstract information and the received original authorization value; and sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module under the condition that verification is passed.
In an exemplary embodiment, obtaining summary information of the additional information includes: and calculating the summary information of the additional information in a first calculation mode, wherein the first calculation mode is consistent with the calculation mode of the original summary information calculated by the target user equipment.
In one exemplary embodiment, determining the first authorization value based on the summary information and the received original authorization value includes: acquiring the original authorization value input by the target user equipment; and carrying out password operation on the abstract information and the original authorization value to obtain the first authorization value.
In an exemplary embodiment, before extracting the trusted platform module key and the additional information included in the first key information used by the target user device, the method further comprises: acquiring the original abstract information of the input original additional information and the original authorization value; determining the target authorization value based on the original summary information and the original authorization value; transmitting the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; and acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorized session between the target user equipment and the trusted platform module.
In one exemplary embodiment, determining the original key information based on the trusted platform module key and the original additional information includes: and storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information.
In an exemplary embodiment, after the trusted platform module key and the first authorization value are sent to the trusted platform module, the method further comprises: the trusted platform module obtains the target authorization value included in the trusted platform module key; the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result; the trusted platform module acquires signature information carried in the trusted platform module key; the trusted platform module determines the legitimacy of the first authorization value based on the first comparison result and determines the legitimacy of the trusted platform module key based on the signature information; and the trusted platform module establishes an authorization session between the target user equipment and the trusted platform module under the condition that the first authorization value is legal and the key of the trusted platform module is legal.
In an exemplary embodiment, the additional information includes at least one of the following information: the identification ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
According to another embodiment of the present invention, there is provided a session establishment apparatus including: the device comprises an extraction module, a target user equipment and a target platform module, wherein the extraction module is used for extracting a trusted platform module key and additional information which are included in first key information used by the target user equipment, the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original summary information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment; the first acquisition module is used for acquiring abstract information of the additional information and determining a first authorization value based on the abstract information and the received original authorization value; and the first sending module is used for sending the trusted platform module key and the first authorization value to the trusted platform module so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module under the condition that verification is passed.
According to a further embodiment of the invention, there is also provided a computer readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the invention, the additional information related to the user equipment is carried in the key information configured for the user equipment, so that the information related to the user equipment is conveniently known in an operating system layer, and in addition, the key carried in the key information is actually created based on the additional information, so that when the user equipment uses the key information to establish session connection with the trusted platform module, whether the additional information carried currently is complete or not can be verified based on the additional information carried in the key information and the key, thereby realizing verification of the integrity of the additional information and ensuring communication safety. Therefore, the problem that related information of the user to which the key belongs and how to carry out integrity protection on the related information of the user to which the key belongs cannot be known quickly in the related technology is solved.
Drawings
Fig. 1 is a block diagram of a hardware structure of a mobile terminal of a session establishment method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of establishing a session according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a process for generating a key BLOB from trusted platform module keys and additional information according to an embodiment of the present invention;
FIG. 4 is a flow chart of a user creating a trusted platform module key according to an embodiment of the present invention;
FIG. 5 is a flow chart of a user using a trusted platform module key according to an embodiment of the present invention;
fig. 6 is a block diagram of a structure of a session establishment apparatus according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
First, the related art related to the present invention will be described:
trusted platform module: i.e. TPM (Trusted Platform Module) or domestic version TCM (Trusted Cryptography Module), which is usually an independent security chip on the platform motherboard, provides functions such as platform integrity measurement, platform unique identity, hardware-level key protection, etc., and provides a basic hardware support for trusted computing.
Trusted platform module key: the key (for example, AES (Advanced Encryption Standard, advanced encryption standard), RSA (Rivest Shamir Adleman, asymmetric encryption), ECC (Ellipse Curve Ctyptography, elliptic curve encryption) key, etc.) that is encrypted and signed by the trusted platform module is generally referred to as a trusted platform module key in the specific embodiment of the present application, the trusted platform module is simply referred to as a key, and the trusted platform module can ensure confidentiality and integrity of the key, and support authorization modes such as password, HMAC (Hash-based Message Authentication Code, hash message authentication code), policy session, etc., so as to control access rights of the key, that is, only if a correct authorization value of the key is input to the trusted platform module, the trusted platform module can use the corresponding key to perform encryption and decryption operations.
The following describes how the present application solves the problems of the prior art with reference to examples:
the method embodiments provided in the embodiments of the present application may be performed in a mobile terminal, a computer terminal or similar computing device. Taking the operation on a mobile terminal as an example, fig. 1 is a block diagram of a hardware structure of a mobile terminal according to a session establishment method according to an embodiment of the present application. As shown in fig. 1, a mobile terminal may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, wherein the mobile terminal may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and not limiting of the structure of the mobile terminal described above. For example, the mobile terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a session establishment method in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, to implement the above-mentioned method. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely located relative to the processor 102, which may be connected to the mobile terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 106 is arranged to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
In this embodiment, a method for establishing a session is provided, as shown in fig. 2, and the method includes the following steps:
s202, extracting a trusted platform module key and additional information included in first key information used by target user equipment, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, and the target authorization value is determined based on an original authorization value and original abstract information of original additional information calculated by the target user equipment;
s204, obtaining abstract information of the additional information, and determining a first authorization value based on the abstract information and the received original authorization value;
s206, the trusted platform module key and the first authorization value are sent to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and an authorization session between the target user equipment and the trusted platform module is established under the condition that verification is passed.
The above operations may be performed by an underlying processor, for example, a processor that may execute predetermined code or processes, or an operating system, or may be another processing device or processing unit having similar processing capabilities.
In the above embodiment, the original summary information may be information carried in the original additional information, and may be original summary information determined by calculation based on reduction or addition of the original additional information or other specific calculation operations, etc., where in practical application, the original additional information may include an ID of an identifier of a target user device, a user name of the target user device, an access right of the target user device, a key name of a trusted platform module key, etc., where the original information may be information input by a user on an inputtable interface, or may be information extracted by the trusted platform module from a specific module or a request, for example, when the identifier ID of the target user device is not input by the user, the trusted platform module may detect that the identifier ID of the target user device is absent after receiving the additional information, and then may call the identifier ID of the corresponding target user device into a specific module or an operating system component of the target user device according to the information of the target user device, such as a storage unit of the trusted platform module or a storage unit of the target user device.
In the above embodiment, after the trusted platform module receives the request for verifying the trusted platform module key and the first authorization value, the trusted platform module key may be verified a priori, and then the first authorization value may be verified, or the first authorization value may be verified a priori, and then the trusted platform module key may be verified, or both may be verified simultaneously, but the authorization session between the target user device and the trusted platform module must be established only if both the trusted platform module key and the first authorization value are verified, for example, if the verification of the trusted platform module key is passed, but the authorization session between the target user device and the trusted platform module is not established if the verification of the first authorization value is not passed.
By the embodiment, the additional information related to the user equipment is carried in the key information configured for the user equipment, so that the information related to the user equipment is conveniently known in the operating system layer, and in addition, the key carried in the key information is actually created based on the additional information, so that when the user equipment establishes a session between the key information and the trusted platform module, whether the additional information carried currently is complete or not can be verified based on the additional information carried in the key information and the key, thereby realizing verification of the integrity of the additional information and ensuring communication safety. Therefore, the problem that related information of the user to which the key belongs and how to carry out integrity protection on the related information of the user to which the key belongs cannot be known quickly in the related technology is solved.
In an exemplary embodiment, obtaining summary information of the additional information includes: and calculating the summary information of the additional information in a first calculation mode, wherein the first calculation mode is consistent with the calculation mode of the original summary information calculated by the target user equipment. In this embodiment, when the precondition of establishing the authorization session between the target user equipment and the trusted platform module is that the verification of the trusted platform module key and the first authorization value is passed, whether the verification of the first authorization value is passed is based on a result of comparing the first authorization value with the target authorization value, and when the result of comparing the first authorization value with the target authorization value is consistent, it is explained that the summary information of the additional information is not tampered, that is, the first authorization value is not tampered, in practical application, the summary information of the additional information and the original summary information of the original additional information need to be calculated by adopting the same calculation mode, so that the accuracy of calculation can be ensured, and in addition, after the first authorization value and the target authorization value are respectively determined based on the summary information and the original summary information, whether the first authorization value is consistent with the target authorization value can be continued to be compared, and whether the first authorization value is legal can be verified.
In the above embodiment, the summary information of the additional information and the original summary information of the original additional information may be calculated by an operating system component (e.g., a background daemon process, a kernel driver module, etc.) of the target user device.
In one exemplary embodiment, determining the first authorization value based on the summary information and the received original authorization value includes: acquiring the original authorization value input by the target user equipment; and carrying out password operation on the abstract information and the original authorization value to obtain the first authorization value. In this embodiment, when determining the first authorization value, the original authorization value and the additional information currently extracted are needed to be used to calculate the first authorization value, and when obtaining the original authorization value, the original authorization value may be obtained by a method input by the target user equipment, and of course, the original authorization value may also be searched from the pre-stored data, and of course, other methods capable of obtaining the original authorization value may also be possible, and in addition, the above-mentioned cryptographic operation modes may also be various, for example, a hash operation mode or an encryption operation mode, etc., which are not limited herein.
In an exemplary embodiment, before extracting the trusted platform module key and the additional information included in the first key information used by the target user device, the method further comprises: acquiring the original abstract information of the input original additional information and the original authorization value; determining the target authorization value based on the original summary information and the original authorization value; transmitting the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; and acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorized session between the target user equipment and the trusted platform module. In this embodiment, the method may be the original digest information and the original authorization value of the original additional information input by the target user device, or the original digest information and the original authorization value of the original additional information input by other devices except the target user device, in addition, the target authorization value may be determined based on the original digest information and the original authorization value, and the target authorization value is sent to the trusted platform module to instruct the trusted platform module to create the trusted platform module key based on the target authorization value, so that the trusted platform module key and the original additional information are associated, and thus the extracted additional information can be conveniently verified based on the trusted platform module key.
In one exemplary embodiment, determining the original key information based on the trusted platform module key and the original additional information includes: and storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information. In this embodiment, the predetermined structure may be a C-language structure, or may be a structure of another language, or the like, where the trusted platform key and the original additional information may be sequentially arranged, for example, an algorithm sentence denoted as the trusted platform key may be arranged in front of an algorithm sentence denoted as the original additional information, an algorithm sentence denoted as the original additional information may be arranged in front of an algorithm sentence denoted as the trusted platform key, or the like, and in addition, the trusted platform module key and the original additional information are stored together in a predetermined structure, and the operating system layer may determine which user device the trusted platform module key is used for based on the original additional information.
In an exemplary embodiment, after the trusted platform module key and the first authorization value are sent to the trusted platform module, the method further comprises: the trusted platform module obtains the target authorization value included in the trusted platform module key; the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result; the trusted platform module acquires signature information carried in the trusted platform module key; the trusted platform module determines the legitimacy of the first authorization value based on the first comparison result and determines the legitimacy of the trusted platform module key based on the signature information; and the trusted platform module establishes an authorization session between the target user equipment and the trusted platform module under the condition that the first authorization value is legal and the key of the trusted platform module is legal. In this embodiment, the signature information carried in the trusted platform module key may be added to the trusted platform module key when the trusted platform module creates the trusted platform module key based on the target authorization value, where the trusted platform module may determine whether the trusted platform module key is legal by verifying whether the signature information obtained from the trusted platform module key is consistent with the signature information added when the trusted platform module key is created by itself, for example, when the trusted platform module verifies that the signature information obtained from the trusted platform module key is consistent with the signature information added when the trusted platform module key is created by itself, the trusted platform module key may be verified to be legal, and when the trusted platform module verifies that the signature information obtained from the trusted platform module key is inconsistent with the signature information added when the trusted platform key is created by itself, the trusted platform module key may be verified to be illegal.
In an exemplary embodiment, the additional information includes at least one of the following information: the identification ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key. In this embodiment, the additional information may include, in addition to the ID of the target ue, the user name of the target ue, the access right of the target ue, the key name of the trusted platform module key, identification information of other ue, identification information of the key, and so on.
It will be apparent that the embodiments described above are merely some, but not all, embodiments of the invention.
The invention will be described in more detail with reference to the following examples:
first, additional information and keys related to the specific embodiment of the present invention will be described:
trusted platform module key additional information: metadata (meta-data) attached to the key of the trusted platform module is referred to in the embodiment of the present invention, for example, the name of the owner of the key, the key number, the access authority of the key on the operating system, etc., where these information are collectively referred to as additional information of the key of the trusted platform module in the embodiment of the present invention, simply referred to as additional information, the additional information is private data, and is invisible to the trusted platform module, and its integrity is not protected by the trusted platform module.
Key BLOB (corresponding to the first key information and original key information described above): it is the additional information that is stored together with the trusted platform module key in some data structure (corresponding to the predetermined structure described above) that generates the key BLOB.
Fig. 3 is a schematic diagram of a process of generating a key BLOB with additional information by a Trusted Platform Module (TPM) according to an embodiment of the present invention, as shown in fig. 3, generating a trusted platform module key, and combining and encapsulating the trusted platform module key with its additional information outside the trusted platform module to generate the key BLOB.
In a specific embodiment of the present invention, a process of creating a trusted platform module key by a user is further provided, and fig. 4 is a flowchart of creating a trusted platform module key by a user according to an embodiment of the present invention, as shown in fig. 4, where the process includes the following steps:
s402, inputting additional information (corresponding to the original additional information) of the trusted platform module key;
s404, inputting an authorization policy (such as a password for inputting an authorization value) and an authorization value (corresponding to the original authorization value) of the trusted platform module key;
s406, calculating abstract information of the additional information of the trusted platform module key by the target user equipment;
S408, performing cryptographic operations (such as hash operations, encryption operations, etc.) on the summary information (corresponding to the original summary information of the original additional information) calculated in the step S406 and the authorization value (corresponding to the original authorization value) of the trusted platform module key to obtain a new authorization value (corresponding to the target authorization value);
s410, the input authorization strategy, the new authorization value and the key related parameter (standard parameter used in the process of creating the key) are sent to the trusted platform module, and a key creation request is initiated to the trusted platform module;
s412, acquiring a newly created key of the trusted platform module from the trusted platform module;
s414, the input trusted platform module key additional information and the trusted platform module key acquired in S412 are stored together in a certain data structure (corresponding to the above predetermined structure), and a key BLOB (corresponding to the above original key information) is formed.
FIG. 5 is a flow chart of a user using a trusted platform module key according to an embodiment of the present invention, as shown in FIG. 5, the flow comprising the steps of:
s502, reading a key BLOB (corresponding to the first key information), and extracting the trusted platform module key additional information (corresponding to the additional information) and the trusted platform module key in the key BLOB;
S504, the user inputs the authorization value of the trusted platform module key (corresponding to the original authorization value and consistent with the input when the key is created);
s506, the target user equipment calculates abstract information of the additional information of the trusted platform module;
s508, performing a cryptographic operation (e.g., a hash operation, an encryption operation, etc.) on the summary information (summary information corresponding to the additional information) calculated in the step S506 and the authorization value (corresponding to the original authorization value) to obtain a new authorization value (corresponding to the first authorization value);
s510, sending the new authorization value and the trusted platform module key extracted from the key BLOB to the trusted platform module to request the trusted platform module to establish an authorization session;
s512, waiting for authorization of the trusted platform module;
s514, if the authorization value and the key of the trusted platform module are both correct, the trusted platform module establishes a session and accepts a key operation request (such as encryption, decryption, migration, etc.) initiated by a user;
s516, if the authorization value and the trusted platform module are both incorrect or either or both are incorrect, the trusted platform module denies the subsequent request.
As can be seen from the foregoing embodiments, if the content of the additional information of the trusted platform module key is changed, the summary information of the additional information is also changed, so that the authorization value is changed, and thus the authorization value when the authorization session is initiated is inconsistent with the authorization value when the key is created, so that the authorization is not passed, and then the user cannot use the key, and in addition, the following purposes are achieved by the embodiments of the present invention: the integrity, confidentiality and authorized access of the user key are guaranteed through the trusted platform module. The method and the device have the advantages that through an authorization mechanism of the trusted platform module, summary information of the key additional information of the trusted platform module is used as one of calculation factors of a key authorization value, and integrity verification of the key additional information of the trusted platform module is integrated into the key authorization process of the trusted platform module, so that the integrity of the key additional information of the trusted platform module is guaranteed.
The session establishment method provided by the invention can protect the integrity of the key and the additional information of the trusted platform module, namely solves the problem that the data integrity of the additional information of the key of the trusted platform module is not guaranteed, when the additional information of the key is tampered, the platform module can refuse to operate the key (operations comprise encryption, decryption, signature verification, deletion, password change, strategy change, authorization value change and the like), and in addition, the method can be applied to the scenes of IOT equipment, cloud computing platforms, personal computers and the like.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiment also provides a device for establishing a session, which is used for implementing the above embodiment and the preferred implementation, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of a construction of a session establishment apparatus according to an embodiment of the present invention, as shown in fig. 6, the apparatus including:
an extracting module 62, configured to extract a trusted platform module key and additional information included in first key information used by a target user device, where the trusted platform module key is created by a trusted platform module based on a target authorization value, where the target authorization value is determined based on an original authorization value and original summary information of original additional information calculated by the target user device, and the original additional information is information related to the target user device;
a first obtaining module 64, configured to obtain summary information of the additional information, and determine a first authorization value based on the summary information and the received original authorization value;
A first sending module 66, configured to send the trusted platform module key and the first authorization value to the trusted platform module, so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establish an authorization session between the target user equipment and the trusted platform module if verification passes.
In one exemplary embodiment, the first acquisition module 64 includes: and the computing unit is used for computing the abstract information of the additional information in a first computing mode, wherein the first computing mode is consistent with the computing mode of the original abstract information computed by the target user equipment.
In one exemplary embodiment, the first acquisition module 64 includes: an obtaining unit, configured to obtain the original authorization value input by the target user equipment; and the operation unit is used for carrying out password operation on the abstract information and the original authorization value to obtain the first authorization value.
In an exemplary embodiment, the above apparatus further includes: the second obtaining module is used for obtaining the original abstract information and the original authorization value of the input original additional information before extracting the trusted platform module key and the additional information included in the first key information used by the target user equipment; the determining module is used for determining the target authorization value based on the original abstract information and the original authorization value; the second sending module is used for sending the target authorization value to the trusted platform module so as to instruct the trusted platform module to create a trusted platform module key based on the target authorization value; the third acquisition module is used for acquiring the trusted platform module key created by the trusted platform module and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorized session between the target user equipment and the trusted platform module.
In one exemplary embodiment, the determining module includes: and the storage unit is used for storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information.
In one exemplary embodiment, the trusted platform module includes: a fourth obtaining module, configured to obtain the target authorization value included in the trusted platform module key; the comparison module is used for comparing the first authorization value with the target authorization value to obtain a first comparison result; a fifth obtaining module, configured to obtain signature information carried in the trusted platform module key; a determining module, configured to determine validity of the first authorization value based on the first comparison result, and determine validity of the trusted platform module key based on the signature information; and the establishing module is used for establishing an authorized session between the target user equipment and the trusted platform module under the condition that the first authorized value is legal and the key of the trusted platform module is legal.
In an exemplary embodiment, the additional information includes at least one of the following information: the identification ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; alternatively, the above modules may be located in different processors in any combination.
Embodiments of the present invention also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: a usb disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
In an exemplary embodiment, the electronic apparatus may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
The invention can ensure the integrity of the key additional information of the trusted platform module by utilizing the authorization mechanism of the trusted platform module, does not need to sign the key of the trusted platform module by adopting a key outside the trusted platform module, further can integrate the integrity verification of the key additional information of the trusted platform module into the key authorization process, and avoids the protection problem of an external signature key, thereby improving the security of key transmission, further greatly improving the integrity verification efficiency of the key additional information of the trusted platform module and reducing the calculation amount of the trusted platform module.
It will be appreciated by those skilled in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A method for establishing a session, comprising:
extracting a trusted platform module key and additional information included in first key information used by a target user device, wherein the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original summary information of original additional information calculated by the target user device, and the original additional information is information related to the target user device;
acquiring abstract information of the additional information, and determining a first authorization value based on the abstract information and the received original authorization value;
and sending the trusted platform module key and the first authorization value to the trusted platform module to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module under the condition that verification is passed.
2. The method of claim 1, wherein obtaining summary information of the additional information comprises:
and calculating the summary information of the additional information in a first calculation mode, wherein the first calculation mode is consistent with the calculation mode of the original summary information calculated by the target user equipment.
3. The method of claim 1, wherein determining a first authorization value based on the summary information and the received original authorization value comprises:
acquiring the original authorization value input by the target user equipment;
and carrying out password operation on the abstract information and the original authorization value to obtain the first authorization value.
4. The method according to claim 1, wherein before extracting the trusted platform module key and the additional information included in the first key information used by the target user device, the method further comprises:
acquiring the original abstract information of the input original additional information and the original authorization value;
determining the target authorization value based on the original summary information and the original authorization value;
transmitting the target authorization value to a trusted platform module to instruct the trusted platform module to create a trusted platform module key based on the target authorization value;
And acquiring the trusted platform module key created by the trusted platform module, and determining original key information based on the trusted platform module key and the original additional information, wherein the original key information is used for establishing an authorized session between the target user equipment and the trusted platform module.
5. The method of claim 4, wherein determining original key information based on the trusted platform module key and the original additional information comprises:
and storing the trusted platform module key and the original additional information together according to a preset structure to obtain the original key information.
6. The method of claim 1, wherein after sending the trusted platform module key and the first authorization value to the trusted platform module, the method further comprises:
the trusted platform module obtains the target authorization value included in the trusted platform module key;
the trusted platform module compares the first authorization value with the target authorization value to obtain a first comparison result;
the trusted platform module acquires signature information carried in the trusted platform module key;
The trusted platform module determines the legitimacy of the first authorization value based on the first comparison result and determines the legitimacy of the trusted platform module key based on the signature information;
and the trusted platform module establishes an authorization session between the target user equipment and the trusted platform module under the condition that the first authorization value is legal and the key of the trusted platform module is legal.
7. The method according to any one of claims 1 to 6, characterized in that the additional information comprises at least one of the following information:
the identification ID of the target user equipment, the user name of the target user equipment, the access authority of the target user equipment and the key name of the trusted platform module key.
8. A session establishment apparatus, comprising:
the device comprises an extraction module, a target user equipment and a target platform module, wherein the extraction module is used for extracting a trusted platform module key and additional information which are included in first key information used by the target user equipment, the trusted platform module key is created by a trusted platform module based on a target authorization value, the target authorization value is determined based on an original authorization value and original summary information of original additional information calculated by the target user equipment, and the original additional information is information related to the target user equipment;
The first acquisition module is used for acquiring abstract information of the additional information and determining a first authorization value based on the abstract information and the received original authorization value;
and the first sending module is used for sending the trusted platform module key and the first authorization value to the trusted platform module so as to request the trusted platform module to verify the trusted platform module key and the first authorization value, and establishing an authorization session between the target user equipment and the trusted platform module under the condition that verification is passed.
9. A computer readable storage medium, characterized in that a computer program is stored in the computer readable storage medium, wherein the computer program, when being executed by a processor, implements the steps of the method according to any of the claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when the computer program is executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210386137.XA CN114785845B (en) | 2022-04-13 | 2022-04-13 | Session establishment method and device, storage medium and electronic device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210386137.XA CN114785845B (en) | 2022-04-13 | 2022-04-13 | Session establishment method and device, storage medium and electronic device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114785845A CN114785845A (en) | 2022-07-22 |
| CN114785845B true CN114785845B (en) | 2023-08-29 |
Family
ID=82429977
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210386137.XA Active CN114785845B (en) | 2022-04-13 | 2022-04-13 | Session establishment method and device, storage medium and electronic device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114785845B (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1642077A (en) * | 2004-01-13 | 2005-07-20 | 国际商业机器公司 | Credible digital time stamp generating and verifying method and system |
| CN102421096A (en) * | 2011-12-22 | 2012-04-18 | 厦门雅迅网络股份有限公司 | Method for safely transmitting data based on wireless network |
| CN103944736A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive method |
| CN105071939A (en) * | 2015-07-15 | 2015-11-18 | 傅程燕 | User information authentication method and user information authentication system |
| CN105245340A (en) * | 2015-09-07 | 2016-01-13 | 天地融科技股份有限公司 | Identity authentication method based on remote account opening and system |
| CN110659476A (en) * | 2019-09-20 | 2020-01-07 | 北京海益同展信息科技有限公司 | Method and apparatus for resetting password |
| CN111241492A (en) * | 2019-12-27 | 2020-06-05 | 武汉烽火信息集成技术有限公司 | Product multi-tenant secure credit granting method, system and electronic equipment |
| CN111404659A (en) * | 2020-03-02 | 2020-07-10 | 广州大学 | Privacy protection communication method, server and communication system based on chaotic system |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
| CN113572717A (en) * | 2020-04-29 | 2021-10-29 | 青岛海尔滚筒洗衣机有限公司 | Communication connection establishing method, washing and protecting equipment and server |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040098591A1 (en) * | 2002-11-15 | 2004-05-20 | Fahrny James W. | Secure hardware device authentication method |
| US7992193B2 (en) * | 2005-03-17 | 2011-08-02 | Cisco Technology, Inc. | Method and apparatus to secure AAA protocol messages |
| US7908483B2 (en) * | 2005-06-30 | 2011-03-15 | Intel Corporation | Method and apparatus for binding TPM keys to execution entities |
| US11012241B2 (en) * | 2018-09-10 | 2021-05-18 | Dell Products L.P. | Information handling system entitlement validation |
-
2022
- 2022-04-13 CN CN202210386137.XA patent/CN114785845B/en active Active
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1642077A (en) * | 2004-01-13 | 2005-07-20 | 国际商业机器公司 | Credible digital time stamp generating and verifying method and system |
| CN102421096A (en) * | 2011-12-22 | 2012-04-18 | 厦门雅迅网络股份有限公司 | Method for safely transmitting data based on wireless network |
| CN103944736A (en) * | 2014-04-25 | 2014-07-23 | 天地融科技股份有限公司 | Data security interactive method |
| CN105071939A (en) * | 2015-07-15 | 2015-11-18 | 傅程燕 | User information authentication method and user information authentication system |
| CN105245340A (en) * | 2015-09-07 | 2016-01-13 | 天地融科技股份有限公司 | Identity authentication method based on remote account opening and system |
| CN110659476A (en) * | 2019-09-20 | 2020-01-07 | 北京海益同展信息科技有限公司 | Method and apparatus for resetting password |
| CN111241492A (en) * | 2019-12-27 | 2020-06-05 | 武汉烽火信息集成技术有限公司 | Product multi-tenant secure credit granting method, system and electronic equipment |
| CN111404659A (en) * | 2020-03-02 | 2020-07-10 | 广州大学 | Privacy protection communication method, server and communication system based on chaotic system |
| CN113572717A (en) * | 2020-04-29 | 2021-10-29 | 青岛海尔滚筒洗衣机有限公司 | Communication connection establishing method, washing and protecting equipment and server |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 基于Linux的数据安全传输的研究;李舒亮;习军;;微计算机信息(24);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114785845A (en) | 2022-07-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110378139B (en) | Data key protection method, system, electronic equipment and storage medium | |
| CN112596802B (en) | Information processing method and device | |
| CN110334503B (en) | Method for unlocking one device by using the other device | |
| CN112513857A (en) | Personalized cryptographic security access control in a trusted execution environment | |
| CN109194625B (en) | Client application protection method and device based on cloud server and storage medium | |
| CN108768963B (en) | Communication method and system of trusted application and secure element | |
| CN110874494B (en) | Method, device and system for processing password operation and method for constructing measurement trust chain | |
| CN111431719A (en) | Mobile terminal password protection module, mobile terminal and password protection method | |
| EP3206329B1 (en) | Security check method, device, terminal and server | |
| CN108200078B (en) | Downloading and installing method of signature authentication tool and terminal equipment | |
| JP4226556B2 (en) | Program execution control device, OS, client terminal, server, program execution control system, program execution control method, program execution control program | |
| KR101739203B1 (en) | Password-based user authentication method using one-time private key-based digital signature and homomorphic encryption | |
| CN111401901B (en) | Authentication method and device of biological payment device, computer device and storage medium | |
| JP6756056B2 (en) | Cryptographic chip by identity verification | |
| CN112257086A (en) | User privacy data protection method and electronic equipment | |
| CN111901304B (en) | Registration method and device of mobile security equipment, storage medium and electronic device | |
| KR101642267B1 (en) | System for preventing forgery of application and method therefor | |
| CN114079921B (en) | Session key generation method, anchor point function network element and system | |
| CN112699404A (en) | Method, device and equipment for verifying authority and storage medium | |
| CN109905395B (en) | Method and related device for verifying credibility of client | |
| CN115509587B (en) | Firmware upgrading method and device, electronic equipment and computer readable storage medium | |
| CN111628985A (en) | Security access control method, security access control device, computer equipment and storage medium | |
| CN114785845B (en) | Session establishment method and device, storage medium and electronic device | |
| KR20110114990A (en) | Apparatus and method for securing a keyboard | |
| KR102094606B1 (en) | Apparatus and method for authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |