CN115714973A - Trusted computing based data security reinforcement method and device for 5G mobile terminal - Google Patents
Trusted computing based data security reinforcement method and device for 5G mobile terminal Download PDFInfo
- Publication number
- CN115714973A CN115714973A CN202211261781.0A CN202211261781A CN115714973A CN 115714973 A CN115714973 A CN 115714973A CN 202211261781 A CN202211261781 A CN 202211261781A CN 115714973 A CN115714973 A CN 115714973A
- Authority
- CN
- China
- Prior art keywords
- server
- information
- key
- terminal
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The application relates to a 5G mobile terminal security reinforcing method and device based on trusted computing, computer equipment, storage media and computer program products. The method responds to the login request, the terminal and the server perform bidirectional verification based on the server public key and the server private key to obtain the symmetric key required by the communication, the symmetric key required by the communication is different, namely, one-time pad is ensured, and the forward safety and the backward safety of the communication are ensured. In the process that the terminal and the server perform bidirectional verification based on the server public key and the private key, through verification of a plurality of information dimensions such as verification codes, terminal identification, user information and the like, only the terminal sending a communication request can decrypt to obtain a communication key, bidirectional authentication of the terminal and the server is guaranteed, and communication between the terminal and the server is safer and more reliable.
Description
Technical Field
The present application relates to the field of information security, and in particular, to a method and an apparatus for reinforcing data security of a 5G mobile terminal based on trusted computing, a computer device, a storage medium, and a computer program product.
Background
Network security in the industrial field has been upgraded to security elements affecting the national defense level. China also speeds up the pace of construction of clean energy such as nuclear power and the like, and with deep integration of industrialization and informatization, the production efficiency and economic benefits of nuclear power stations are improved, and meanwhile, new safety risks also appear.
China also speeds up the pace in the aspect of construction of clean energy such as nuclear power and the like, along with the deep fusion of industrialization and informatization, the network gradually enters a nuclear power station, the deep fusion of the 5G network and the nuclear power can reduce the workload of workers in the first line of nuclear power production, improve the production safety control level of the nuclear power plant, reduce human accidents, reduce the radiation dose, improve the nuclear power operation performance, and promote the safe and economic development of the nuclear power industry. Meanwhile, the access of the 5G network brings certain safety risk to nuclear power safety production. Some malicious attackers can attack the nuclear power 5G network through the 5G terminal so as to achieve the purpose of damaging nuclear power production.
At present, mobile intelligent terminals are mostly constructed based On an SOC (System On Chip) Chip, and in order to perform security reinforcement On the Mobile intelligent terminals by adopting a Trusted computing technology, a Mobile Trusted Module (MTM) needs to be added On the Mobile intelligent terminals to provide Trusted services as a Trusted root. In order to construct a complete and reliable trust chain, it is necessary to ensure that each step is subjected to integrity verification from the MTM, the Bootloader, the system kernel to a third-party application in the system starting process. However, MTM is a functional rather than a hardware implementation, and studies have shown that MTM increases the power consumption of the system and reduces the performance of the cryptographic functions. Therefore, using MTM as the root of trust for embedded systems is not an ideal option.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a data security reinforcing method and apparatus for a 5G mobile terminal based on trusted computing, a computer device, and a computer readable storage medium.
In a first aspect, the application provides a data security reinforcing method of a 5G mobile terminal based on trusted computing. The method comprises the following steps:
responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
receiving the first signature information fed back by the server;
verifying the first signature information by using the server public key to obtain the verification code;
encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
sending the second request information to a server, enabling the server to respond to the second request information, decrypting the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal;
receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and encrypting the sensitive information based on the symmetric key, and communicating with the server.
In a second aspect, the application further provides a data security reinforcing device of the 5G mobile terminal based on trusted computing. The device comprises:
the sending module is used for responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
a receiving module, configured to receive the first signature information fed back by the server;
the verification code acquisition module is used for verifying the first signature information by using the server public key to acquire the verification code;
the encryption module is used for encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
the sending module is further used for sending the second request information to the server, the server responds to the second request information, the server decrypts the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, if the received user name and the verification code are consistent with the stored user name and verification code, a symmetric key and a session code are generated, the symmetric key and the session code are encrypted by using the terminal identifier to obtain second user verification information, the server private key is used for signing the second user verification information to obtain second signature information, and the second signature information is fed back to the terminal;
the key processing module is used for receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and the communication module is used for encrypting the sensitive information based on the symmetric key and communicating with the server.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
receiving the first signature information fed back by the server;
verifying the first signature information by using the server public key to obtain the verification code;
encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
sending the second request information to a server, enabling the server to respond to the second request information, decrypting the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal;
receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and encrypting the sensitive information based on the symmetric key, and communicating with the server. In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
receiving the first signature information fed back by the server;
verifying the first signature information by using the server public key to obtain the verification code;
encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
sending the second request information to a server, enabling the server to respond to the second request information, decrypting the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal;
receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and encrypting the sensitive information based on the symmetric key, and communicating with the server. In a fifth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:
responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
receiving the first signature information fed back by the server;
verifying the first signature information by using the server public key to obtain the verification code;
encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
sending the second request information to a server, enabling the server to respond to the second request information, decrypting the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal;
receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and encrypting the sensitive information based on the symmetric key, and communicating with the server.
According to the data security reinforcing method and device of the 5G mobile terminal based on the trusted computing, the computer equipment and the storage medium, the terminal and the service end respond to the login request, and perform bidirectional verification based on the server public key and the private key to obtain the symmetric key required by the communication, so that the symmetric key required by each communication is different, namely, one-time pad is ensured, and the forward security and the backward security of the communication are ensured. In the process that the terminal and the server perform bidirectional verification based on the server public key and the private key, through verification of a plurality of information dimensions such as verification codes, terminal identification, user information and the like, only the terminal sending a communication request can decrypt to obtain a communication key, bidirectional authentication of the terminal and the server is guaranteed, and communication between the terminal and the server is safer and more reliable.
Drawings
FIG. 1 is a diagram of an application environment of a 5G mobile terminal security reinforcing method based on trusted computing in an embodiment;
FIG. 2 is a flowchart illustrating a method for security enforcement of a 5G mobile terminal based on trusted computing in an embodiment;
FIG. 3 is a flowchart illustrating a method for security enforcement of a 5G mobile terminal based on trusted computing in an embodiment;
FIG. 4 is a diagram illustrating a terminal obtaining a validation code in one embodiment;
FIG. 5 is a diagram of authentication and key exchange in one embodiment;
FIG. 6 is a diagram of sensitive data key generation in one embodiment;
fig. 7 is a flowchart illustrating a security reinforcing method for a 5G mobile terminal based on trusted computing in another embodiment;
FIG. 8 is a flowchart illustrating a method for security enforcement of a 5G mobile terminal based on trusted computing in an embodiment;
FIG. 9 is a diagram of a trusted mobile terminal architecture in one embodiment;
FIG. 10 is a diagram of a trusted software based integrity measurement mechanism in one embodiment;
fig. 11 is a flowchart illustrating a security reinforcing method for a 5G mobile terminal based on trusted computing in another embodiment;
FIG. 12 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The 5G mobile terminal security reinforcing method based on trusted computing provided by the embodiment of the application can be applied to the application environment shown in fig. 1. Wherein, the terminal 102 communicates with the server 104 through the network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104, or may be placed on the cloud or other network server. The terminal 102 responds to the login request, encrypts user information based on the server public key to obtain first request information, sends the first request information to the server, the server 104 responds to the first request information to generate a verification code, decrypts the first request information based on a server private key corresponding to the server public key to obtain the user information, processes the user information and the verification code based on the server private key to obtain first signature information, and feeds the first signature information back to the terminal 102. Receiving first signature information fed back by a server; verifying the first signature information by using a server public key to obtain a verification code; encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information; sending second request information to a server, enabling the server to respond to the second request information, decrypting the second request information by using a server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal; receiving second signature information returned by the server, verifying the second signature information by using a server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key; and encrypting the sensitive information based on the symmetric key, and communicating with the server. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the portable wearable devices may be smart watches, smart bands, head-mounted devices, and the like. The server 104 may be implemented by an independent server or a server cluster composed of a plurality of servers.
Specifically, as shown in fig. 2 and fig. 3, a flow chart of a trusted computing based 5G mobile terminal security reinforcing method is provided, where the method is applied to the application environment shown in fig. 1, and includes the following steps:
step 202, in response to the login request, encrypting the user information based on the server public key to obtain first request information, sending the first request information to the server, the server responding to the first request information to generate a verification code, decrypting the first request information based on the server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to the terminal.
The server stores a key pair, and the key pair comprises a server public key pk and a server private key sk. The server public key is a public part of the key pair, the terminal stores the server public key, and the public key is encrypted by a sensitive data key by adopting a symmetric encryption algorithm and then stored in a safety area of the terminal equipment. And the private key of the server side is a non-public part, namely only the server side has the private key. Sensitive information communication between the terminal and the server can be realized by utilizing the server public key and the server private key, and the sensitive information can comprise a key pair and sensitive information of the terminal, such as user data and the like.
Specifically, as shown in fig. 4, the user triggers an initial login request based on the terminal, depending on the distributionThe initial verification code is used for initial login, after the login is successful, a server public key stored by the terminal is obtained, and the server public key is used for encrypting user information (such as a user name) to obtain first request information E pk (user), sending the first request information to the server, and the server responding to the first request information to generate the verification code password of the terminal. The server side uses the server side private key corresponding to the public key to decrypt the first request information E pk (user), obtaining user information user. After the verification code of the terminal is encrypted based on the user name, the terminal is signed by using a server private key to obtain first signature information Sig sk (E user (password)), and transmits the first signature information to the terminal.
And 204, receiving the first signature information fed back by the server, and verifying the first signature information by using the server public key to obtain a verification code.
The server public key and the server private key can be used for encryption and decryption, data encrypted by the server public key can only be decrypted by the server private key, and data signed by the server private key can only be verified by the server public key.
Specifically, after receiving first signature information fed back by the server, the terminal verifies the first signature information by using the server public key, and obtains a verification code encrypted by the user name after verification. And decrypting the authentication code encrypted by the user name to obtain the authentication code.
In this embodiment, through the above steps, the server generates the verification code, and returns the verification code to the terminal in an encrypted manner, and the terminal decrypts the encrypted verification code by using the server public key, so that the terminal can obtain the verification code safely.
And step 206, encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information.
Specifically, the terminal identifier may be a universal unique identifier UUID of the terminal device, and the server public key pk is used to encrypt the user name user, the verification code password, and the universal unique identifier UUID of the terminal device, so as to obtain the second request information E pk (user,password,UUID)。
And step 208, sending second request information to the server, responding to the second request information by the server, decrypting the second request information by using a server private key to obtain a user name, a verification code and a terminal identifier, generating a symmetric key and a session code if the received user name and the verification code are consistent with those stored, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal.
Specifically, as shown in fig. 5, the server receives the second request message E pk And (user, password, UUID), decrypting the second request information by using a server private key corresponding to the server public key to obtain a user name user, a verification code password and a terminal identification, wherein the terminal identification can be a universal unique identification code UUID of the terminal equipment. The server side verifies whether the user name user and the verification code password are consistent with the stored information. And if the information is consistent, the verification is successful. After the verification is successful, the server generates a symmetric key and a session code sessionID, and the symmetric key and the session code sessionID are encrypted by using the universal unique identifier UUID of the terminal to obtain second user verification information E UUID (key, sessionID), then the private key of the server is used for signing the second user verification information to obtain second signature information Sig sk (E UUID (key, sessionID)), and the second signature information Sig sk (E UUID (key, sessionID)) to the terminal.
In this embodiment, the server verifies the second request message sent by the terminal, thereby implementing the authentication of the terminal by the server. The server side encrypts the symmetric key by the universal unique identification code and signs by the private key of the server side, so that all terminals are considered to have the public key of the server side, other terminals can verify the signature to obtain the symmetric key, the communication is unsafe, and the communication key of other applications and the server side can be intercepted only by downloading one application. Therefore, the key needs to be encrypted by the universal unique identification code, so that only the terminal sending the communication request can decrypt the communication key by the universal unique identification code to obtain the communication key, namely the terminal needs to authenticate the service end, and the communication key can be decrypted after the authentication is passed. Therefore, the bidirectional authentication of the terminal and the server is ensured, and the safety of the communication key is ensured.
And step 210, receiving second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key.
Specifically, the terminal receives the second signature information Sig sk (E UUID (key, sessionID)), and uses the server public key corresponding to the server private key to sign the second signature information Sig sk (E UUID (key, sessionID)) to obtain second user authentication information E UUID (key, sessionID), authenticating information E to the second user using UUID, a universally unique identifier of the terminal UUID And (key, essencid) to obtain a symmetric key and a session code essencid. Therefore, the terminal obtains the symmetric key generated by the server for communication between the subsequent terminal and the server, and the symmetric key is subjected to double verification, namely, the server public key corresponding to the server private key is used for verifying the second signature information, and the universal unique identification code of the terminal is used for decrypting the second user verification information, so that the symmetric key has reliability.
And step 212, encrypting the sensitive information based on the symmetric key, and communicating with the server.
Specifically, when the terminal communicates with the server, the symmetric key is used to encrypt the transmitted sensitive information to obtain encrypted sensitive information C = En key And (Message), sending the encrypted sensitive information C to a receiving end, and decrypting by adopting a symmetric key after the receiving end receives the encrypted sensitive information C to obtain the transmitted sensitive information. Namely, message = Dec key (En key (Massage))。
According to the data security reinforcing method of the 5G mobile terminal based on the trusted computing, the terminal and the service end respond to the login request, the terminal and the service end perform bidirectional verification based on the public key and the private key of the service end to obtain the symmetric key required by the communication, the fact that the symmetric key required by each communication is different, namely one-time pad, is ensured, and forward security and backward security of the communication are ensured. In the process that the terminal and the server perform bidirectional verification based on the server public key and the private key, through verification of a plurality of information dimensions such as the verification code, the universal unique identification code of the terminal, the user information and the like, only the terminal sending the communication request can decrypt to obtain the communication key, bidirectional authentication of the terminal and the server is guaranteed, and communication between the terminal and the server is safer and more reliable.
In another embodiment, in response to a login request, encrypting user information based on a server public key to obtain first request information, and sending the first request information to the server includes: encrypting the user name and the first timestamp by using the server public key to generate first request information; the method comprises the steps of sending first request information to a server, responding the first request information by the server to generate a verification code and a second time stamp, decrypting the first request information according to a server private key corresponding to a server public key to obtain a first time stamp and a user name, storing the user name and the verification code, encrypting the verification code and the second time stamp by using the user name to obtain encrypted user verification information, and signing the encrypted user verification information by using the server private key to obtain first signature information. And the terminal receives the first signature information and verifies the time stamp of the first signature information.
Specifically, the terminal performs initial login according to the distributed initial verification code, and after the login is successful, sensitive information stored in a terminal security area is accessed to obtain a server public key pk. The terminal encrypts the user name user and the first timestamp by using the server public key to generate first request information E pk (user,timestamp1)。
The first request information E pk (user, timestamp 1) is sent to the server, and the server responds to the first request information E pk (user, timestamp 1) generating the validation code password and a second timestamp2. The server uses the server private key to request the first request information E pk And (user, timestamp 1) decrypting to obtain the user name user and the first timestamp1. Saving user name and verification code, and using userThe name encryption verification code password and the second time stamp timestamp2 generate E user (password, timestamp 2), obtaining the first signature information Sig by the server private key signature sk (E user (past, timestamp 2)), and transmits the first signature information to the terminal.
The terminal receives the first signature information Sig sk (E user (password, timestamp 2)), the first signature information is verified by using the server public key corresponding to the server private key, and the verification code and the second timestamp of the user name encryption are obtained after verification. And decrypting the authentication code encrypted by the user name and the second time stamp to obtain the authentication code and the second time stamp. And verifying the freshness of the time stamp, and if the difference value between the second time stamp and the first time stamp is smaller than a preset time value, successfully verifying and storing the verification code.
In this embodiment, the user name and the first timestamp are encrypted by using the server public key, and the encrypted data can only be decrypted by the server private key, so that the security of the data encrypted by the server public key can be ensured, and the encrypted data is prevented from being tampered in the transmission process. In the authentication process of the terminal and the server, in order to prevent replay attack, a time stamp is added into the verification information, and the time effectiveness of the information is ensured by checking the time stamp.
In one embodiment, the method for obtaining the server public key includes: accessing an encryption server public key stored in a terminal safety region, wherein the encryption server public key is generated in advance according to a terminal secret key; calling a key generation service to generate a symmetric key based on the digital fingerprint of the terminal, and generating a sensitive data key according to the symmetric key of the terminal and the terminal identifier; and decrypting the encrypted server public key according to the sensitive data key to obtain the server public key.
The digital fingerprint is a physical unclonable function PUF, is a one-way function determined by a special physical system, has two important attributes of randomness and unclonability, and the unclonability comes from uncertain factors randomly introduced in the production process of physical equipment. A static random access memory SRAM in a CPU chip is adopted as a PUF of a physical medium, a section of bit string S with uniqueness is randomly selected by a terminal in the production stage of a manufacturer, a specific area of the SRAM stores the S by using physical characteristics, the S is only reproduced from an SRAM PUF assembly at each normal power-on start, and is safely cached by a key manager in a safe area.
The sensitive data key generation process is shown in fig. 6, the SRAM is powered on by the system, and the bit string S is reassembled.
Using bit string S as input, using key derivation function KDF of key manager of trusted service to generate key k, i.e. k ← KDF (S)
Generating sensitive data key k by utilizing XOR of key k and terminal identification (the terminal identification can be universal unique identification UUID of terminal equipment) data I.e. by
From the sensitive data key k data Is obtained by adopting a symmetric encryption algorithm AES encryption
The sensitive data key k is generated by calling a sensitive data key generation process through accessing sensitive information M stored in a terminal safety area after the terminal successfully logs in data To obtain the public key pk of the server.
In this embodiment, a trusted secure storage is provided for sensitive data based on PUF characteristics, and a sensitive data key k is obtained by calling a flow of sensitive data key generation data And decrypting the sensitive information M according to the sensitive data secret key, namely decrypting the server public key encrypted by the sensitive data secret key to obtain the server public key.
In one embodiment, the method for encrypting the server side key comprises the following steps: responding to a starting instruction of the terminal, calling a key generation service to generate a terminal key based on the digital fingerprint of the terminal, and generating a sensitive data key according to the terminal key and the terminal identifier; and encrypting the server public key according to the sensitive data key to generate an encrypted server public key, and storing the encrypted server public key in a safe area of the terminal equipment.
Specifically, the encryption server public key is composed of a sensitive data key k data Symmetric encryption is carried out on the public key of the server side to obtain
And storing the encryption server public key M in a security area of the terminal equipment.
In this embodiment, the server public key is encrypted by using the sensitive data key, and the encrypted public key is stored in a secure area, so that the security of the encrypted server public key at the terminal is ensured, and the server public key is prevented from being stolen.
In one embodiment, the encrypting the user name, the verification code and the terminal identifier by using the server public key to obtain the second request information includes: and generating a third time stamp, and encrypting the user name, the verification code, the terminal identification and the third time stamp by using the server public key to generate second request information.
The terminal generates a third timestamp3, and encrypts the user name, the verification code, the terminal identification (such as a universal unique identification code) and the third timestamp by using the public key of the server to generate second request information E pk (user, password, UUID, timestamp 3), and sending the second request information as a request to the server.
And when the server side receives the second request information, responding to the second request information, decrypting the second request information by using a server side private key to obtain a terminal identifier of the user name and the verification code, and if the received user name and the verification code are consistent with the stored user name and the stored verification code and the third timestamp is valid, generating a symmetric key and a session code.
Specifically, the server decrypts the second request information E using the server private key sk pk (user, password, UUID, timestamp 3), obtain username, identifying code, terminal identification and third timestamp (user, password, UUID, timestamp 3), the information of comparison receipt username, identifying code and server side storage, if correct, verify the freshness of third timestamp, if the difference of third timestamp and second timestamp is less than preset timeIf the verification is successful, the server generates a symmetric key and a session code.
In this embodiment, after the second request information encrypted by using the server public key is received by the server, the second request information is decrypted by using the server private key, so that it is ensured that the encrypted information can only be obtained by the server holding the private key, that is, the server public key is used to securely send the user name, the verification code and the terminal identifier to the server, so that the server can encrypt the communication data by using the terminal identifier. And the server verifies the decrypted user name and the verification code to realize the verification of the identity of the terminal by the server. And verifying the third time stamp to ensure the timeliness of the communication data to resist replay attack.
In one embodiment, receiving second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key, includes: receiving signature information of a server, verifying the signature information by using a server public key, extracting encrypted user verification information, and decoding the encrypted user verification information to obtain a symmetric key and a fourth timestamp; if the fourth timestamp is valid, the symmetric key is stored.
Wherein the second signature information is the information for signing the second user verification information by using the server private key, namely Sig sk (E UUID (key, timestamp4, sessionID)). Specifically, the terminal receives the second signature information Sig sk (E UUID (key, timestamp4, sessionID)), the second signature information Sig is signed by using the server public key pk corresponding to the server private key sk sk (E UUID (key, timestamp4, sessionID)) to obtain second user authentication information E UUID (key, timestamp4, sessionID), decrypting the second user authentication information E using the terminal identification (the terminal identification may be a universal unique identifier UUID of the terminal) UUID (key, timestamp4, sessionID), obtaining a symmetric key, and if the fourth timestamp is valid, that is, the difference value between the fourth timestamp and the third timestamp is within a preset range, storing the symmetric key.
In this embodiment, the server public key corresponding to the server private key is used to verify the second signature information, so that the identity of the sender of the second signature information is verified. And then, the second user verification information is decrypted by using the universal unique identification code of the terminal, so that other terminals with the public key of the server side cannot decrypt the second user verification information, and the second user verification information can only be decrypted by the terminal sending the communication request, and therefore, only the terminal sending the communication request can obtain the symmetric key. Meanwhile, the added timestamp is verified, so that the timeliness of communication is guaranteed, and replay attack can be resisted.
In one embodiment, encrypting sensitive information based on a symmetric key, communicating with a server, comprises: encrypting the sensitive information based on the symmetric key to obtain encrypted sensitive information; and sending the encrypted sensitive information to the server, and decrypting the encrypted sensitive information by using the symmetric key by the server to obtain the sensitive information.
Specifically, the sensitive information Message is encrypted by using the symmetric key to obtain encrypted sensitive information C = En key (Message). And the server decrypts the encrypted sensitive information C by using the symmetric key to obtain the sensitive information Message.
In the embodiment, the sensitive information is encrypted by using the symmetric key, so that the sensitive information can be safely transmitted between the terminal and the server, and the sensitive information is effectively prevented from being stolen.
In one embodiment, a data security reinforcing method for a 5G mobile terminal based on trusted computing, as shown in fig. 7 and 8, includes:
and step 702, constructing a trusted mobile terminal system.
The Trustzone technology is a hardware isolation mechanism which is most distinctive, and separates a CPU kernel into a safe area and a common area, the Trustzone safe area can provide an isolated execution environment for a white list system core module, has strong control capability on a system memory and peripheral equipment, and can monitor the system behavior in real time.
As shown in fig. 9, the Trustzone hardware architecture includes two virtual processor cores: the processor core 1 is used to process a secure area and the processor core 2 is used to process a normal area. The software resources and hardware resources of the secure area are isolated from the software resources and hardware resources of the normal area, and the components of the normal area cannot access the software resources and hardware resources of the secure area.
The switching between the safe area and the normal area is completed by a monitoring mode, a monitor of the monitoring mode is equivalent to a safety gateway of the safe area and the normal area, the environment before the switching of the processor can be safely saved during the switching, and the system operation can be correctly restored by the environment after the switching. The safety area can directly enter a monitoring mode through a write program state register; and the ordinary area needs to enter a monitoring mode, and an interrupt, an external interrupt or a call SMC instruction is needed. The process of the normal area can only obtain the service of the safe area, but can not access the data of the safe area.
The trust chain transmission technology for expanding the trust relationship of trusted computing from local to the whole 5G mobile terminal system is a main technology for reinforcing the trusted security of the 5G mobile terminal, and can greatly improve the reliability of the terminal system. The transfer of the chain of trust can be divided into two main phases, the first phase is from the power-on of the terminal to the completion of the loading of the operating system, and the second phase is from the start of the operating system and the running of the application program. In the invention, in order to construct a complete and reliable trust chain, after the system is powered on and reset, the system is executed from a secure area Bootloader, the secure area verifies the ordinary Bootloader to ensure that codes executed by the ordinary area are authorized and not tampered, then the Bootloader of the ordinary area loads an operating system of the secure area, and finally a third party application is loaded to complete the starting of the 5G terminal.
As shown in fig. 10, from the secure area Bootloader, the normal area Bootloader, the system kernel to the third party application, each step is subjected to integrity verification, the first level measures the first level, and the first level confirms the first level, so that the hardware and the software are ensured to be in a trusted state, and the whole trust of the 5G mobile terminal is realized.
Step 708, receiving the first signature information fed back by the server, verifying the first signature information by using a server public key, and acquiring a verification code and a second timestamp; and verifying the second time stamp, and if the second time stamp is valid, saving the verification code.
And 710, generating a third timestamp, and encrypting the user name, the verification code, the terminal identifier and the third timestamp by using the server public key to obtain second request information.
Step 712, sending the second request information to the server, the server responding to the second request information, decrypting the second request information by using a server private key to obtain a user name, a verification code, a terminal identifier and a third timestamp, if the received user name and the verification code are consistent with the stored user name and the third timestamp is valid, generating a symmetric key, a session code and a fourth timestamp, encrypting the symmetric key, the session code and the fourth timestamp by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal.
Step 714, receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting the second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key and a fourth time stamp; and verifying the fourth timestamp, and if the fourth timestamp is valid, saving the symmetric key.
And 716, encrypting the sensitive information based on the symmetric key, and communicating with the server.
In the embodiment, the TCM trusted cryptographic module of the 5G terminal is realized based on the Trustzone technology, and the hardware security of the terminal is guaranteed from the two aspects of establishing a trusted mobile terminal system and establishing a trusted software-based integrity measurement mechanism. And providing reliable and safe storage and communication for sensitive data based on PUF characteristics, and ensuring the communication safety between the terminal and the server.
Correspondingly, as shown in fig. 11, there is also provided a data security reinforcing method for a 5G mobile terminal based on trusted computing, which is applied to a server and includes the following steps:
step 1102, receiving first request information sent by a terminal, wherein the first request information is obtained by the terminal responding to a login request and encrypting user information based on a server public key; generating a verification code in response to the first request message;
step 1104, decrypting the first request information based on a server private key corresponding to the server public key to obtain user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to the terminal; the terminal verifies the first signature information by using the server public key to obtain a verification code, encrypts the user name, the verification code and the terminal identification by using the server public key to obtain second request information, and sends the second request information to the server;
step 1106, receiving second request information sent by the terminal; responding to the second request information, and decrypting the second request information by using a server private key to obtain a user name and a terminal identifier of a verification code;
step 1108, if the received user name and verification code are consistent with the stored one, a symmetric key and a session code are generated;
step 1110, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using a server private key to obtain second signature information, feeding the second signature information back to the terminal, verifying the second signature information by using a server public key by the terminal, extracting the second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain the symmetric key;
and 1112, encrypting the sensitive information based on the symmetric key, and communicating with the server.
It should be understood that, although the embodiments described above refer to the steps in the flowcharts shown in sequence as indicated by the arrows, the steps are not necessarily executed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in the flowcharts related to the above embodiments may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the steps or stages is not necessarily sequential, but may be performed alternately or alternatively with other steps or at least some of the steps or stages in other steps.
Based on the same inventive concept, the application also provides a security reinforcing device of the 5G mobile terminal based on trusted computing. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so that specific limitations in the following embodiment of the security reinforcing device for the 5G mobile terminal based on trusted computing may be referred to the limitations on the security reinforcing method for the 5G mobile terminal based on trusted computing, and are not described herein again.
In one embodiment, a security strengthening device of a 5G mobile terminal based on trusted computing is provided, which comprises: sending module, receiving module, identifying code acquisition module, encryption module, sending module, key processing module, communication module, wherein:
the sending module is used for responding to the login request, encrypting the user information based on the server public key to obtain first request information, sending the first request information to the server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on the server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to the terminal.
And the receiving module is used for receiving the first signature information fed back by the server.
And the verification code acquisition module is used for verifying the first signature information by using the server public key to acquire the verification code.
And the encryption module is used for encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information.
The sending module is further used for sending second request information to the server, the server responds to the second request information, the server decrypts the second request information by using a server private key to obtain a terminal identifier of a user name and a verification code, if the received user name and the verification code are consistent with the stored user name and verification code, a symmetric key and a session code are generated, the terminal identifier is used for encrypting the symmetric key and the session code to obtain second user verification information, the server private key is used for signing the second user verification information to obtain second signature information, and the second signature information is fed back to the terminal.
And the key processing module is used for receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting the second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain the symmetric key.
And the communication module is used for encrypting the sensitive information based on the symmetric key and communicating with the server.
In another embodiment, the sending module is configured to encrypt the user name and the first timestamp by using the server public key, and generate first request information;
the method comprises the steps of sending first request information to a server, responding the first request information by the server to generate a verification code and a second time stamp, decrypting the first request information according to a server private key corresponding to a server public key to obtain the first time stamp and a user name, storing the user name and the verification code, encrypting the verification code and the second time stamp by using the user name to obtain encrypted user verification information, and signing the encrypted user verification information by using the server private key to obtain first signature information.
In another embodiment, the sending module is further configured to access an encrypted server public key stored in the terminal secure area, where the encrypted server public key is generated in advance according to the terminal secret key; calling a key generation service to generate a key based on the digital fingerprint of the terminal, and generating a sensitive data key according to the terminal key and the terminal identifier; and decrypting the encrypted server public key according to the sensitive data key to obtain the server public key.
In another embodiment, the sending module is further configured to invoke a key generation service to generate a terminal key based on a digital fingerprint of the terminal in response to a start instruction of the terminal, and generate a sensitive data key according to the terminal key and the terminal identifier; and encrypting the server public key according to the sensitive data key to generate an encrypted server public key, and storing the encrypted server public key in a safe area of the terminal equipment.
In another embodiment, the encryption module is configured to, when the server receives the second request message, respond to the second request message, decrypt the second request message using the server private key to obtain a terminal identifier of the user name and the authentication code, and if the received user name and the authentication code are consistent with the stored terminal identifier and the third timestamp is valid, generate the symmetric key and the session code.
In another embodiment, the key processing module is configured to receive second signature message information from the server, verify the second signature message information using a public key of the server, extract encrypted second user verification information, and decode the encrypted second user verification information to obtain a symmetric key and a fourth timestamp; if the fourth timestamp is valid, the symmetric key verification code is stored.
In another embodiment, the communication module is configured to encrypt the sensitive information based on the symmetric key to obtain encrypted sensitive information; and sending the encrypted sensitive information to the server, and decrypting the encrypted sensitive information by using the symmetric key by the server to obtain the sensitive information.
Correspondingly, a data security reinforcing method and device of the 5G mobile terminal based on the trusted computing are also provided, and the method and device are applied to the server side and comprise the following steps: a receiving module, a sending module, a receiving module, a decryption module, a receiving module, a key processing module and a communication module, wherein
The receiving module is used for receiving first request information sent by the terminal, wherein the first request information is obtained by the terminal responding to a login request and encrypting user information based on a server public key; the verification code is generated in response to the first request message.
The sending module is used for decrypting the first request information based on a server private key corresponding to the server public key to obtain user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to the terminal; and the terminal verifies the first signature information by using the server public key to obtain a verification code, encrypts the user name, the verification code and the terminal identifier by using the server public key to obtain second request information, and sends the second request information to the server.
And the receiving module is used for receiving the second request information sent by the terminal.
And the decryption module is used for responding to the second request information and decrypting the second request information by using the server private key to obtain the terminal identification of the user name and the verification code.
The key processing module is used for generating a symmetric key and a session code if the received user name and the verification code are consistent with the stored user name and the stored verification code; the symmetric key and the session code are encrypted by using the terminal identification to obtain second user verification information, the second user verification information is signed by using a server private key to obtain second signature information, the second signature information is fed back to the terminal, the terminal verifies the second signature information by using the server public key, the second user verification information is extracted, and the terminal identification is used for decrypting the second user verification information to obtain the symmetric key.
And the communication module is used for encrypting the sensitive information based on the symmetric key and communicating with the server.
The above-described control of the respective modules in the security reinforcement of the trusted computing based 5G mobile terminal may be implemented in whole or in part by software, hardware, and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a controller, the internal structure of which may be as shown in fig. 12. The computer device includes a processor, a memory, a communication interface, and a display screen connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a trusted computing based 5G mobile terminal security enforcement method. The display of the computer device may be a liquid crystal display or an electronic ink display.
Those skilled in the art will appreciate that the architecture shown in fig. 12 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the data security reinforcing method for a trusted computing based 5G mobile terminal in the above embodiments when executing the computer program.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the data security enforcement method for a trusted computing based 5G mobile terminal in the above embodiments.
In one embodiment, a computer program product is provided, which includes a computer program that when executed by a processor implements the steps of the data security enforcement method for a trusted computing based 5G mobile terminal in the above embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods for implementing the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, the computer program can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), magnetic Random Access Memory (MRAM), ferroelectric Random Access Memory (FRAM), phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the various embodiments provided herein may be, without limitation, general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, or the like.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (10)
1. A data security reinforcing method of a 5G mobile terminal based on trusted computing comprises the following steps:
responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
receiving the first signature information fed back by the server;
verifying the first signature information by using the server public key to obtain the verification code;
encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
sending the second request information to a server, responding to the second request information by the server, decrypting the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, generating a symmetric key and a session code if the received user name and the verification code are consistent with the stored user name and verification code, encrypting the symmetric key and the session code by using the terminal identifier to obtain second user verification information, signing the second user verification information by using the server private key to obtain second signature information, and feeding the second signature information back to the terminal;
receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and encrypting the sensitive information based on the symmetric key, and communicating with the server.
2. The method of claim 1, wherein the encrypting the user information based on the server public key in response to the login request to obtain first request information, and sending the first request information to the server comprises:
encrypting the user name and the first time stamp by using the server public key to generate first request information;
the first request information is sent to a server, the server responds to the first request information to generate a verification code and a second time stamp, the first request information is decrypted according to a server private key corresponding to the server public key, the first time stamp and the user name are obtained, the user name and the verification code are stored, the verification code and the second time stamp are encrypted by using the user name to obtain encrypted user verification information, and the encrypted user verification information is signed by using the server private key to obtain first signature information.
3. The method according to claim 1 or 2, wherein the manner of obtaining the server public key comprises:
accessing an encryption server public key stored in a terminal security region, wherein the encryption server public key is generated in advance according to a terminal secret key;
calling a key generation service to generate a key based on the digital fingerprint of the terminal, and generating a sensitive data key according to the terminal key and the terminal identifier;
and decrypting the encrypted server public key according to the sensitive data key to obtain a server public key.
4. The method of claim 3, wherein encrypting the server-side key comprises:
responding to a starting instruction of a terminal, calling a key generation service to generate a terminal key based on the digital fingerprint of the terminal, and generating a sensitive data key according to the terminal key and a terminal identifier;
and encrypting the server public key according to the sensitive data key to generate an encrypted server public key, and storing the encrypted server public key in a safe area of the terminal equipment.
5. The method of claim 1, wherein the encrypting the user name, the verification code, and the terminal identifier by using the server public key to obtain the second request information comprises:
generating a third time stamp, and encrypting the user name, the verification code, the terminal identification and the third time stamp by using a server public key to generate second request information;
and when the server receives the second request message, responding to the second request message, decrypting the second request message by using the server private key to obtain a terminal identifier of a user name and a verification code, and if the received user name and the verification code are consistent with the stored user name and the received verification code and the third timestamp is valid, generating a symmetric key and a session code.
6. The method according to claim 2, wherein the receiving the second signature information returned by the server, verifying the second signature information by using a server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key comprises:
receiving second signature information of a server, verifying the second signature information by using the server public key, extracting encrypted second user verification information, and decoding the encrypted second user verification information to obtain a symmetric key and a fourth timestamp;
if the fourth timestamp is valid, storing the symmetric key.
7. The method of claim 1, wherein encrypting sensitive information based on the symmetric key, communicating with the server, comprises:
encrypting the sensitive information based on the symmetric key to obtain encrypted sensitive information;
and sending the encrypted sensitive information to a server, and decrypting the encrypted sensitive information by using the symmetric key by the server to obtain the sensitive information.
8. A data security reinforcing method of a 5G mobile terminal based on trusted computing is characterized by comprising the following steps:
receiving first request information sent by a terminal, wherein the first request information is obtained by the terminal responding to a login request and encrypting user information based on a server public key;
generating a verification code in response to the first request message;
decrypting the first request information based on a server private key corresponding to the server public key to obtain user information, processing the user information and a verification code based on the server private key to obtain first signature information, and feeding the first signature information back to the terminal; the terminal verifies the first signature information by using the server public key to obtain the verification code, encrypts the user name, the verification code and the terminal identification by using the server public key to obtain second request information, and sends the second request information to the server;
receiving the second request information sent by the terminal;
responding to the second request information, and decrypting the second request information by using the server private key to obtain a user name and a terminal identifier of a verification code;
if the received user name and the verification code are consistent with the stored user name and the stored verification code, generating a symmetric key and a session code;
encrypting the symmetric key and the session code by using a terminal identification to obtain second user verification information, signing the second user verification information by using a server private key to obtain second signature information, feeding the second signature information back to the terminal, verifying the second signature information by using the server public key by using the terminal, extracting the second user verification information, decrypting the second user verification information by using the terminal identification to obtain a symmetric key, encrypting sensitive information based on the symmetric key, and communicating with the server.
9. A trusted computing based data security enforcement device for a 5G mobile terminal, the device comprising:
the sending module is used for responding to a login request, encrypting user information based on a server public key to obtain first request information, sending the first request information to a server, responding to the first request information by the server to generate a verification code, decrypting the first request information based on a server private key corresponding to the server public key to obtain the user information, processing the user information and the verification code based on the server private key to obtain first signature information, and feeding the first signature information back to a terminal;
a receiving module, configured to receive the first signature information fed back by the server;
the verification code acquisition module is used for verifying the first signature information by using the server public key to acquire the verification code;
the encryption module is used for encrypting the user name, the verification code and the terminal identification by using the server public key to obtain second request information;
the sending module is further used for sending the second request information to the server, the server responds to the second request information, the server decrypts the second request information by using the server private key to obtain a terminal identifier of a user name and a verification code, if the received user name and the verification code are consistent with the stored user name and verification code, a symmetric key and a session code are generated, the symmetric key and the session code are encrypted by using the terminal identifier to obtain second user verification information, the server private key is used for signing the second user verification information to obtain second signature information, and the second signature information is fed back to the terminal;
the key processing module is used for receiving the second signature information returned by the server, verifying the second signature information by using the server public key, extracting second user verification information, and decrypting the second user verification information by using the terminal identifier to obtain a symmetric key;
and the communication module is used for encrypting the sensitive information based on the symmetric key and communicating with the server.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211261781.0A CN115714973A (en) | 2022-10-14 | 2022-10-14 | Trusted computing based data security reinforcement method and device for 5G mobile terminal |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211261781.0A CN115714973A (en) | 2022-10-14 | 2022-10-14 | Trusted computing based data security reinforcement method and device for 5G mobile terminal |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115714973A true CN115714973A (en) | 2023-02-24 |
Family
ID=85231118
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211261781.0A Pending CN115714973A (en) | 2022-10-14 | 2022-10-14 | Trusted computing based data security reinforcement method and device for 5G mobile terminal |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115714973A (en) |
-
2022
- 2022-10-14 CN CN202211261781.0A patent/CN115714973A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106529308B (en) | data encryption method and device and mobile terminal | |
| US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
| CN107920052B (en) | Encryption method and intelligent device | |
| CN104217327A (en) | Financial IC (integrated circuit) card Internet terminal and trading method thereof | |
| CN114070614B (en) | Identity authentication method, apparatus, device, storage medium and computer program product | |
| TWI724684B (en) | Method, system and device for performing cryptographic operations subject to identity verification | |
| CN104125064B (en) | A kind of dynamic cipher authentication method, client and Verification System | |
| CN103888429A (en) | Virtual machine starting method, correlation devices and systems | |
| TW202137199A (en) | Method of authenticating biological payment device, apparatus, electronic device, and computer-readable medium | |
| CN100476844C (en) | Method for realizing binding function between electronic key and computer | |
| CN116049802B (en) | Application single sign-on method, system, computer equipment and storage medium | |
| CN117041956A (en) | Communication authentication method, device, computer equipment and storage medium | |
| CN109302442B (en) | Data storage proving method and related equipment | |
| CN115001864B (en) | Communication authentication method and device for intelligent furniture, computer equipment and storage medium | |
| CN101355424B (en) | Method for safely migrating handhold equipment data | |
| CN116366289A (en) | Safety supervision method and device for remote sensing data of unmanned aerial vehicle | |
| US9135449B2 (en) | Apparatus and method for managing USIM data using mobile trusted module | |
| CN115348107A (en) | Internet of things equipment secure login method and device, computer equipment and storage medium | |
| CN112150151B (en) | Secure payment method, apparatus, electronic device and storage medium | |
| CN115714973A (en) | Trusted computing based data security reinforcement method and device for 5G mobile terminal | |
| CN114745178A (en) | Identity authentication method, identity authentication device, computer equipment, storage medium and program product | |
| CN204066182U (en) | A kind of financial IC card internet terminal | |
| CN114124440A (en) | Secure transmission method, device, computer equipment and storage medium | |
| CN111542050A (en) | TEE-based method for guaranteeing remote initialization safety of virtual SIM card | |
| CN114338173B (en) | Account registration method, system, equipment and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |