CN115941204B - Data anti-replay method and system based on HSE - Google Patents
Data anti-replay method and system based on HSE Download PDFInfo
- Publication number
- CN115941204B CN115941204B CN202211555325.7A CN202211555325A CN115941204B CN 115941204 B CN115941204 B CN 115941204B CN 202211555325 A CN202211555325 A CN 202211555325A CN 115941204 B CN115941204 B CN 115941204B
- Authority
- CN
- China
- Prior art keywords
- authentication
- client
- count value
- result
- hse
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 57
- 238000004364 calculation method Methods 0.000 claims abstract description 53
- 238000012545 processing Methods 0.000 claims abstract description 39
- 230000006854 communication Effects 0.000 claims abstract description 32
- 238000004891 communication Methods 0.000 claims abstract description 31
- 230000004044 response Effects 0.000 claims abstract description 21
- 230000008569 process Effects 0.000 claims description 16
- 230000002265 prevention Effects 0.000 claims description 12
- 238000012795 verification Methods 0.000 claims description 7
- 230000007246 mechanism Effects 0.000 abstract description 12
- 230000000977 initiatory effect Effects 0.000 abstract description 10
- 238000010586 diagram Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 101100264195 Caenorhabditis elegans app-1 gene Proteins 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000000802 evaporation-induced self-assembly Methods 0.000 description 1
Abstract
The invention discloses a data anti-replay method and a data anti-replay system based on HSE, wherein a client and an authentication end perform key exchange to generate and store a symmetric key; initiating an authentication request, receiving a random number returned by an authentication end in response to the authentication request and processing the random number based on a preset processing rule; performing HMAC calculation on the processed random number by using the symmetric key, and transmitting a calculation result and a current count value to an authentication end; and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and waiting for the response of the authentication end to update the count value. Compared with the existing HSE module, the anti-replay method and system of the invention have the advantages that a data anti-replay mechanism is added, the sensitive data of the user is effectively prevented from being replayed, the communication safety of the user is ensured, and the information leakage and property loss of the user are avoided.
Description
Technical Field
The invention relates to the technical field of software safety protection, in particular to a data anti-replay method and system based on HSE.
Background
Currently, a client app on the market has a hardware security engine HSE (hardware security engine) module, which provides an interface for performing security operations such as encryption, signature, etc. on data of the client app, and the HSE module stores sensitive data of the client app, such as: personal information, keys, etc.
However, when the client app invokes the security interfaces such as encryption, signature and the like, the HSE does not have an authentication and replay prevention mechanism for the client app, so that an illegal user client app performs illegal calculation by means of replay attack or man-in-the-middle attack, and performs replay attack after intercepting the encrypted information of sensitive data identity information and transaction information, thereby causing economic loss of users. For example: the client app1 sends a transaction data to the hardware security engine HSE for decryption and signature, and if the transaction data is intercepted by the illegal client app2, the transaction data can be repeatedly sent to the hardware security engine HSE for the same operation, so that the hardware security engine HSE is deceived for decryption and signature operation. Without protection against replay, the transaction data may be repeated multiple times to deduct money from the user account, resulting in economic loss to the user. The existing HSE lacks a data replay prevention mechanism, so that user sensitive data faces the threat of replay attack, and information leakage and even property loss are caused.
Disclosure of Invention
Therefore, compared with the existing HSE module, the data anti-replay method and system provided by the invention have the advantages that a data anti-replay mechanism is added, the sensitive data of a user is effectively prevented from being replayed, the communication safety of the user is ensured, and the information leakage and property loss of the user are avoided, so that the problems in the background technology are solved.
In order to achieve the above purpose, the present invention provides the following technical solutions:
in a first aspect, an embodiment of the present invention provides an HSE-based data anti-replay method, applied to a client, including:
performing key exchange with an authentication end, generating a symmetric key and storing the symmetric key;
initiating an authentication request, receiving a random number returned by an authentication end in response to the authentication request and processing the random number based on a preset processing rule;
performing HMAC calculation on the processed random number by using the symmetric key, and transmitting a calculation result and a current count value to an authentication end;
and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and waiting for the response of the authentication end to update the count value.
Optionally, the symmetric key is stored in a white box, and the process of storing the symmetric key by the white box includes: and encrypting the symmetric key based on a preset symmetric encryption algorithm, and storing the encrypted result into a file system or a storage medium.
Optionally, the process of processing the random number based on a preset processing rule includes: the first byte minus 1 and the last byte plus 1 are processed for the random number.
In a second aspect, an embodiment of the present invention provides an anti-replay method for data based on HSE, which is applied to an authentication end loaded with an HSE module and connected with a client through a communication interface, including:
performing key exchange with the client, generating a symmetric key and storing the symmetric key in an HSE module;
responding to the authentication request of the client, generating a random number and sending the random number to the client;
receiving a current count value and a calculation result sent by a client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting communication data of the subsequent client and the authentication end;
and receiving and processing the application instruction of the client, and updating the count value and the authentication result marking state after the processing is completed.
Optionally, the process of receiving the current count value and the calculation result sent by the client and comparing and authenticating the current count value and the calculation result includes: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the client, the symmetric key in the HSE module is used for carrying out HMAC calculation on the random number and comparing the random number with the calculation result sent by the client, when the calculation result is inconsistent, authentication fails, an authentication request is released, an authentication failure result is sent to the client, and when the calculation result is consistent, authentication is successful.
Optionally, the authentication result marks the state, including: the authentication failure result is denoted as init=0 and the authentication success result is denoted as verify=1, wherein the initial default state is init=0.
Optionally, the process of updating the count value includes: the count value is stored in the nonvolatile memory and is used for comparing the count value of the request verification between the client and the HSE module, when the count values of the client and the HSE module are the same, the count value corresponding to the authentication success is increased by 1 to update, and otherwise, the authentication failure count value is unchanged.
In a third aspect, an embodiment of the present invention provides an HSE-based data anti-replay system, applied to a client, including:
the key exchange module is used for carrying out key exchange with the authentication end, generating a symmetric key and storing the symmetric key;
the request processing module is used for initiating an authentication request, receiving a random number returned by an authentication terminal in response to the authentication request and processing the random number based on a preset processing rule;
the authentication processing module is used for performing HMAC calculation on the processed random number by using the symmetric key and sending the calculation result and the current count value to the authentication end;
the receiving processing module is used for receiving the authentication result sent by the authentication end, and when the authentication is successful, the receiving processing module initiates an application instruction and waits for the response of the authentication end to update the count value.
In a fourth aspect, an embodiment of the present invention provides an HSE-based data playback prevention system, applied to an authentication end on which an HSE module is mounted, connected to a client through a communication interface, including:
the key exchange module is used for carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module;
the request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client;
the authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result and recording a secret key for encrypting communication data of the subsequent client and the authentication end;
and the receiving response module is used for receiving and processing the application instruction of the client, and updating the count value and the authentication result marking state after the processing is completed.
In a fifth aspect, an embodiment of the present invention provides a computer apparatus, including: the client and the authentication end comprise at least one memory and a processor, the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions, so that the method in the first aspect or the second aspect is executed.
The technical scheme of the invention has the following advantages:
according to the data anti-replay method and system based on the HSE, a client side and an authentication side carrying the HSE module carry out key exchange, and a symmetric key is generated and stored; the client initiates an authentication request, receives a random number returned by the authentication end in response to the authentication request and processes the random number based on a preset processing rule; performing HMAC calculation on the processed random number by using the symmetric key, and transmitting a calculation result and a current count value to an authentication end; receiving an authentication result sent by an authentication end, when authentication is successful, initiating an application instruction and updating a count value after waiting for response of the authentication end; the authentication terminal responds to the authentication request of the client and generates a random number to be sent to the client; receiving a current count value and a calculation result sent by a client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting communication data of the subsequent client and the authentication end; and receiving and processing the application instruction of the client, and updating the count value and the authentication result marking state after the processing is completed. Compared with the existing HSE module, the anti-replay method and system of the invention have the advantages that a data anti-replay mechanism is added, the sensitive data of the user is effectively prevented from being replayed, the communication safety of the user is ensured, and the information leakage and property loss of the user are avoided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an HSE-based data anti-replay method provided in an embodiment of the present invention;
FIG. 2 is another flow chart of an HSE-based data anti-replay method provided in an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a normal transaction provided in an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a replay attack transaction provided in an embodiment of the present invention;
FIG. 5 is a schematic flow chart of an HSE-based data replay attack blocking transaction according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a structure of an HSE-based data playback prevention system according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of another structure of an HSE-based data playback prevention system according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the present invention better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments, but not intended to limit the scope of the present disclosure. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
Example 1
The embodiment of the invention provides an HSE-based data anti-replay method, which is applied to a client, as shown in fig. 1, and comprises the following steps:
step S11: and carrying out key exchange with the authentication end, generating a symmetric key and storing the symmetric key.
In this embodiment, a preset method is adopted to perform key exchange, and a symmetric key is generated. Specifically, the preset method comprises the following steps: the RSA key exchange method and the SM2 key exchange method are merely illustrative, and are adaptively modified according to specific application scenarios.
In this embodiment, the symmetric key is stored in a white box, and the process of storing the symmetric key by the white box includes: and encrypting the symmetric key based on a preset symmetric encryption algorithm, and storing the encrypted result into a file system or a storage medium. In one embodiment, the preset symmetric encryption algorithm is an AES encryption algorithm, which is only used as an example, and not limited thereto, and is determined according to a specific adaptation scenario.
Step S12: and initiating an authentication request, receiving a random number returned by the authentication end in response to the authentication request, and processing the random number based on a preset processing rule.
In this embodiment, a process for processing a random number based on a preset processing rule includes: the first byte minus 1 and the last byte plus 1 are given to the random number by way of example only and not limitation.
Step S13: and performing HMAC calculation on the processed random number by using the symmetric key, and sending the calculation result and the current count value to the authentication end.
Specifically, an HMAC calculation and counting mechanism is adopted, so that sensitive data is effectively prevented from being replayed, and the data security is ensured.
Step S14: and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and waiting for the response of the authentication end to update the count value.
In one embodiment, the application instruction is a transaction instruction, which is merely illustrative and not limiting.
The data anti-replay method based on the HSE increases the anti-replay mechanism of the client and the HSE module, and adopts the HMAC calculation and counting mechanism, thereby being beneficial to preventing the replay of sensitive data and ensuring the communication safety of the client and the HSE module.
Example 2
The embodiment of the invention provides a data anti-replay method based on HSE, which is applied to an authentication end loaded with an HSE module and is connected with a client through a communication interface, as shown in figure 2, and comprises the following steps:
step S21: and carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module.
In this embodiment, the process of generating and storing the symmetric key includes: and carrying out key exchange based on a preset method, generating a symmetric key and storing the symmetric key in the HSE module. Specifically, the preset method comprises the following steps: the RSA key exchange method and the SM2 key exchange method are merely illustrative, and are adaptively modified according to specific application scenarios.
Step S22: responding to the authentication request of the client and generating a random number to be sent to the client.
Step S23: and receiving the current count value and the calculation result sent by the client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting communication data of the subsequent client and the authentication end.
In this embodiment, a process of receiving a current count value and a calculation result sent by a client and comparing and authenticating the current count value and the calculation result includes: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the client, the symmetric key in the HSE module is used for carrying out HMAC calculation on the random number and comparing the random number with the calculation result sent by the client, when the calculation result is inconsistent, authentication fails, an authentication request is released, an authentication failure result is sent to the client, and when the calculation result is consistent, authentication is successful.
In this embodiment, the authentication result marks the state, including: the authentication failure result is denoted as init=0 and the authentication success result is denoted as verify=1, wherein the initial default state is init=0.
Step S24: and receiving and processing the application instruction of the client, and updating the count value and the authentication result marking state after the processing is completed.
In this embodiment, the process of updating the count value includes: the count value is stored in the nonvolatile memory and is used for comparing the count value of the request verification between the client and the HSE module, when the count values of the client and the HSE module are the same, the count value corresponding to the authentication success is increased by 1 to update, and otherwise, the authentication failure count value is unchanged.
In a specific embodiment, a communication interface between an authentication end and a client includes: SPI, UART and IIC are only exemplified, and are not limited thereto, and are determined according to actual application scenarios.
Compared with the existing HSE module, the data replay prevention method based on the HSE increases the replay prevention mechanism of the client and the HSE module, and can effectively prevent sensitive data of a user from being replayed; and secondly, the increased count in the anti-replay mechanism enables the HSE module to only perform one operation on sensitive data and the secret key to be stored in the HSE module, so that the communication process is safer.
Example 3
As shown in fig. 3, the flow of normal transaction includes the following steps:
step 1: the client user 1 purchases and generates 100-element transaction data;
step 2: the server issues transaction data corresponding to 100 yuan;
step 3: the client calls an HSE module of the authentication end to perform signature operation on 100-element transaction data;
step 4: the HSE module returns a successful signature result to the client;
step 5: and the client sends the successful signature result to the server, and the server deducts 100 yuan from the client user 1 after the successful signature verification.
When there is no anti-replay mechanism between the client and the HSE module, the anti-replay mechanism is easy to be subjected to replay attack, and the flow of replay attack transaction, as shown in fig. 4, includes the following steps:
step 1: the client user 2 illegally intercepts and obtains 100-element transaction data of the user 1;
step 2: the server issues transaction data corresponding to 100 yuan;
step 3: the client calls an HSE module of the authentication end to perform signature operation on 100-element transaction data;
step 4: the HSE module returns the successful signature result to the client
Step 5: and the client sends the successful signature result to the server, and the server deducts 100 yuan from the client user 1 after the successful signature verification.
After adding the data anti-replay method based on HSE provided by the embodiment of the present invention in the normal transaction process, the transaction process is shown in fig. 5, and includes the following steps:
step 1: the client user 1 purchases and generates 100-element transaction data;
step 2: the server issues transaction data corresponding to 100 yuan;
step 3.1: the client performs key exchange with an authentication end carrying an HSE module, generates a symmetric key and stores the symmetric key, wherein the symmetric key of the authentication end is stored in the HSE module;
step 3.2: the symmetric key of the client is stored in a white box;
step 3.3: the client initiates an authentication request;
step 3.4: the authentication terminal responds to the authentication request of the client and generates a random number to be sent to the client;
step 3.5: after the returned random number is processed based on a preset processing rule, the client calls a symmetric key in the white box to perform HMAC calculation on the processed random number, and sends a calculation result and a current count value to the authentication end;
step 3.6: the authentication terminal receives the current count value and the calculation result sent by the client terminal and carries out comparison authentication on the current count value and the calculation result, when the authentication is successful, the authentication result is sent to the client terminal, and meanwhile, the marking state of the authentication result is updated and the secret key is recorded for encrypting communication data between the subsequent client terminal and the authentication terminal;
step 3.7: the client receives an authentication result sent by the authentication end, and when authentication is successful, the key of the HSE module of the authentication end is called to carry out signature operation on 100-element transaction data;
step 4: the HSE module returns a successful signature result to the client and updates the count value and the authentication result marking state;
step 5: and the client sends the successful signature result to the server, and the server deducts 100 yuan from the client user 1 after the successful signature verification.
The embodiment of the invention provides a data replay prevention method based on HSE, which can effectively prevent sensitive data of a user from being replayed and ensure the communication safety of the user.
Example 4
The embodiment of the invention provides a data anti-replay system based on HSE, which is applied to a client, as shown in FIG. 6, and comprises the following steps:
the key exchange module is used for carrying out key exchange with the authentication end, generating a symmetric key and storing the symmetric key; this module performs the method described in step S11 in embodiment 1, and will not be described here.
The request processing module is used for initiating an authentication request, receiving a random number returned by an authentication terminal in response to the authentication request and processing the random number based on a preset processing rule; this module performs the method described in step S12 in embodiment 1, and will not be described here.
The authentication processing module is used for performing HMAC calculation on the processed random number by using the symmetric key and sending the calculation result and the current count value to the authentication end; this module performs the method described in step S13 in embodiment 1, and will not be described here.
The receiving processing module is used for receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and waiting for the response of the authentication end to update the count value; this module performs the method described in step S14 in embodiment 1, and will not be described here.
The data replay prevention system based on the HSE provided by the embodiment of the invention can effectively prevent sensitive data of the user from being replayed, ensure the communication safety of the user and avoid the information leakage and property loss of the user.
Example 5
The embodiment of the invention provides an HSE-based data replay prevention system, which is applied to an authentication end carrying an HSE module and is connected with a client through a communication interface, as shown in fig. 7, and comprises:
the key exchange module is used for carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module; this module performs the method described in step S21 in embodiment 2, and will not be described here.
The request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client; this module performs the method described in step S22 in embodiment 2, and will not be described here.
The authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result and recording a secret key for encrypting communication data of the subsequent client and the authentication end; this module performs the method described in step S23 in embodiment 2, and will not be described here.
The receiving response module is used for receiving and processing the application instruction of the client, and updating the count value and the authentication result marking state after the processing is completed; this module performs the method described in step S24 in embodiment 2, and will not be described here.
The data replay prevention system based on the HSE provided by the embodiment of the invention can effectively prevent sensitive data of the user from being replayed, ensure the communication safety of the user and effectively avoid the information leakage and property loss of the user.
Example 6
An embodiment of the present invention provides a computer apparatus including: the client and the authentication end, the structures of which are shown in fig. 8, comprise: at least one processor 801, at least one communication interface 803, memory 804, and at least one communication bus 802. Communication bus 802 is used to enable connectivity communications among these components, and communication interface 803 may include a display screen and a keyboard, and optional communication interface 803 may also include standard wired, wireless interfaces. The memory 804 may be a high-speed volatile random access memory, may be a non-volatile memory, or may be at least one memory device located remotely from the processor 801. Wherein the processor 801 may perform the method of embodiment 1 or embodiment 2. A set of program codes is stored in the memory 804, and the processor 801 calls the program codes stored in the memory 804 for executing the method of embodiment 1 or embodiment 2.
The communication bus 802 may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. Communication bus 802 may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one line is shown in fig. 8, but not only one bus or one type of bus.
The Memory 804 may include a Volatile Memory (RAM) such as a random access Memory (Random Access Memory); the Memory may also include a Non-volatile Memory (Non-volatile Memory), such as a Flash Memory (Flash Memory), a Hard Disk (HDD) or a Solid-state Drive (SSD); the memory 804 may also include a combination of the above types of memory.
The processor 801 may be a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), or a combination of CPU and NP.
The processor 801 may further include a hardware chip, among others. The hardware chip may be an Application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD for short), a field programmable gate array (Field Programmable Gate Array, FPGA for short), general-purpose array logic (Generic Array Logic, GAL for short), or any combination thereof.
Optionally, the memory 804 is also used for storing program instructions. The processor 801 may call program instructions to implement the method of the present invention as in embodiment 1 or embodiment 2.
It is apparent that the above examples are given by way of illustration only and are not limiting of the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art. It is not necessary here nor is it exhaustive of all embodiments. And obvious variations or modifications thereof are contemplated as falling within the scope of the present invention.
Claims (3)
1. The data anti-replay method based on the HSE is applied to an authentication end loaded with an HSE module and is connected with a client through a communication interface, and is characterized by comprising the following steps:
performing key exchange with the client, generating a symmetric key and storing the symmetric key in an HSE module;
responding to the authentication request of the client, generating a random number and sending the random number to the client;
receiving a current count value and a calculation result sent by a client and comparing and authenticating the current count value and the calculation result, wherein the comparing and authenticating process comprises the following steps: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the client, performing HMAC calculation on the random number by using a symmetric key in the HSE module and comparing the random number with a calculation result sent by the client, when the calculation result is inconsistent, performing authentication failure, releasing an authentication request and sending an authentication failure result to the client, and when the calculation result is consistent, performing authentication successfully; when authentication is successful, an authentication result is sent to the client, and meanwhile, the marking state of the authentication result is updated and a secret key is recorded for encrypting communication data between the subsequent client and the authentication end;
receiving and processing an application instruction of a client, and updating a count value and an authentication result marking state after the processing is completed, wherein the process of updating the count value comprises the following steps: the count value is stored in a nonvolatile memory, and is used for comparing the count value of request verification between the client and the HSE module, when the count values of the client and the HSE module are the same, the count value corresponding to authentication success is increased by 1 to update, otherwise, the authentication failure count value is unchanged, wherein the authentication result marks the state and comprises: the authentication failure result is denoted as init=0 and the authentication success result is denoted as verify=1, wherein the initial default state is init=0.
2. An HSE-based data replay prevention system, which is applied to an authentication end loaded with an HSE module and is connected with a client through a communication interface, is characterized by comprising:
the key exchange module is used for carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module;
the request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client;
the authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the current count value and the calculation result, and the process of comparing and authenticating comprises the following steps: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the client, performing HMAC calculation on the random number by using a symmetric key in the HSE module and comparing the random number with a calculation result sent by the client, when the calculation result is inconsistent, performing authentication failure, releasing an authentication request and sending an authentication failure result to the client, and when the calculation result is consistent, performing authentication successfully; when authentication is successful, an authentication result is sent to the client, and meanwhile, the marking state of the authentication result is updated and a secret key is recorded for encrypting communication data between the subsequent client and the authentication end;
the receiving response module is used for receiving and processing the application instruction of the client, updating the count value and updating the authentication result marking state after the processing is completed, and the process of the count value updating mode comprises the following steps: the count value is stored in a nonvolatile memory, and is used for comparing the count value of request verification between the client and the HSE module, when the count values of the client and the HSE module are the same, the count value corresponding to authentication success is increased by 1 to update, otherwise, the authentication failure count value is unchanged, wherein the authentication result marks the state and comprises: the authentication failure result is denoted as init=0 and the authentication success result is denoted as verify=1, wherein the initial default state is init=0.
3. A computer device, comprising: an authentication side comprising at least one memory and a processor, said memory and said processor being communicatively coupled to each other, said memory having stored therein computer instructions, said processor executing said computer instructions to thereby perform the method of claim 1.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211555325.7A CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211555325.7A CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115941204A CN115941204A (en) | 2023-04-07 |
| CN115941204B true CN115941204B (en) | 2024-04-12 |
Family
ID=86551667
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211555325.7A Active CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115941204B (en) |
Citations (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101005357A (en) * | 2006-12-28 | 2007-07-25 | 北京飞天诚信科技有限公司 | Method and system for updating certification key |
| EP2221742A1 (en) * | 2009-02-20 | 2010-08-25 | Comcast Cable Holdings, LLC | Authenticated communication between security devices |
| CN102694652A (en) * | 2012-01-13 | 2012-09-26 | 武传坤 | Method for realizing lightweight authenticated encryption by using symmetric cryptographic algorithm |
| CN105515762A (en) * | 2016-01-28 | 2016-04-20 | 中山市倍能照明科技有限公司 | Encryption system based on Rivet, Shamir and Adleman (RSA) and advanced encryption standard (AES) encryption algorithms and encryption method |
| CN106713327A (en) * | 2016-12-29 | 2017-05-24 | 上海众人网络安全技术有限公司 | Authentication method and system of verification code security reinforcement |
| CN108377190A (en) * | 2018-02-14 | 2018-08-07 | 飞天诚信科技股份有限公司 | A kind of authenticating device and its working method |
| CN108965218A (en) * | 2017-05-25 | 2018-12-07 | 华为技术有限公司 | A kind of perturbed controller safety communicating method, apparatus and system |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
| CN109218251A (en) * | 2017-06-29 | 2019-01-15 | 国民技术股份有限公司 | A kind of authentication method and system of anti-replay |
| CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
| CN109756872A (en) * | 2018-12-06 | 2019-05-14 | 国网山东省电力公司电力科学研究院 | The end-to-end data processing method of power grid NB-IoT based on physics unclonable function |
| EP3684088A1 (en) * | 2019-01-18 | 2020-07-22 | Thales Dis France SA | A method for authentication a secure element cooperating with a mobile equipment within a terminal in a telecommunication network |
| CN112231777A (en) * | 2020-12-14 | 2021-01-15 | 武汉新芯集成电路制造有限公司 | Monotonic counter and monotonic counting method thereof |
| CN112291774A (en) * | 2020-12-31 | 2021-01-29 | 飞天诚信科技股份有限公司 | Method and system for communicating with authenticator |
| CN112311544A (en) * | 2020-12-31 | 2021-02-02 | 飞天诚信科技股份有限公司 | Method and system for communication between server and authenticator |
| CN112398649A (en) * | 2020-11-13 | 2021-02-23 | 浪潮电子信息产业股份有限公司 | Method and system for encrypting server by using USBKey and CA |
| CN112491843A (en) * | 2020-11-17 | 2021-03-12 | 苏州浪潮智能科技有限公司 | Database multiple authentication method, system, terminal and storage medium |
| CN112784250A (en) * | 2021-01-27 | 2021-05-11 | 深圳融安网络科技有限公司 | Identity authentication method, client, server and storage medium |
| CN113194465A (en) * | 2021-04-20 | 2021-07-30 | 歌尔股份有限公司 | BLE connection verification method and device between terminals and readable storage medium |
| CN113556321A (en) * | 2021-06-22 | 2021-10-26 | 杭州安恒信息技术股份有限公司 | Password authentication method, system, electronic device and storage medium |
| CN114205083A (en) * | 2021-12-22 | 2022-03-18 | 中国电信股份有限公司 | SRv 6-based security authentication method, network node and authentication system |
| CN114692124A (en) * | 2022-04-18 | 2022-07-01 | 镁佳(北京)科技有限公司 | Data reading and writing method and device and electronic equipment |
| CN115412909A (en) * | 2021-05-10 | 2022-11-29 | 华为技术有限公司 | Communication method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11431485B2 (en) * | 2019-04-15 | 2022-08-30 | Aclara Technologies Llc | System and method for improved security in advanced metering infrastructure networks |
-
2022
- 2022-12-06 CN CN202211555325.7A patent/CN115941204B/en active Active
Patent Citations (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101005357A (en) * | 2006-12-28 | 2007-07-25 | 北京飞天诚信科技有限公司 | Method and system for updating certification key |
| EP2221742A1 (en) * | 2009-02-20 | 2010-08-25 | Comcast Cable Holdings, LLC | Authenticated communication between security devices |
| CN102694652A (en) * | 2012-01-13 | 2012-09-26 | 武传坤 | Method for realizing lightweight authenticated encryption by using symmetric cryptographic algorithm |
| CN105515762A (en) * | 2016-01-28 | 2016-04-20 | 中山市倍能照明科技有限公司 | Encryption system based on Rivet, Shamir and Adleman (RSA) and advanced encryption standard (AES) encryption algorithms and encryption method |
| CN106713327A (en) * | 2016-12-29 | 2017-05-24 | 上海众人网络安全技术有限公司 | Authentication method and system of verification code security reinforcement |
| CN108965218A (en) * | 2017-05-25 | 2018-12-07 | 华为技术有限公司 | A kind of perturbed controller safety communicating method, apparatus and system |
| CN109218251A (en) * | 2017-06-29 | 2019-01-15 | 国民技术股份有限公司 | A kind of authentication method and system of anti-replay |
| CN108377190A (en) * | 2018-02-14 | 2018-08-07 | 飞天诚信科技股份有限公司 | A kind of authenticating device and its working method |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
| CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
| CN109756872A (en) * | 2018-12-06 | 2019-05-14 | 国网山东省电力公司电力科学研究院 | The end-to-end data processing method of power grid NB-IoT based on physics unclonable function |
| EP3684088A1 (en) * | 2019-01-18 | 2020-07-22 | Thales Dis France SA | A method for authentication a secure element cooperating with a mobile equipment within a terminal in a telecommunication network |
| CN112398649A (en) * | 2020-11-13 | 2021-02-23 | 浪潮电子信息产业股份有限公司 | Method and system for encrypting server by using USBKey and CA |
| CN112491843A (en) * | 2020-11-17 | 2021-03-12 | 苏州浪潮智能科技有限公司 | Database multiple authentication method, system, terminal and storage medium |
| CN112231777A (en) * | 2020-12-14 | 2021-01-15 | 武汉新芯集成电路制造有限公司 | Monotonic counter and monotonic counting method thereof |
| CN112291774A (en) * | 2020-12-31 | 2021-01-29 | 飞天诚信科技股份有限公司 | Method and system for communicating with authenticator |
| CN112311544A (en) * | 2020-12-31 | 2021-02-02 | 飞天诚信科技股份有限公司 | Method and system for communication between server and authenticator |
| CN112784250A (en) * | 2021-01-27 | 2021-05-11 | 深圳融安网络科技有限公司 | Identity authentication method, client, server and storage medium |
| CN113194465A (en) * | 2021-04-20 | 2021-07-30 | 歌尔股份有限公司 | BLE connection verification method and device between terminals and readable storage medium |
| CN115412909A (en) * | 2021-05-10 | 2022-11-29 | 华为技术有限公司 | Communication method and device |
| CN113556321A (en) * | 2021-06-22 | 2021-10-26 | 杭州安恒信息技术股份有限公司 | Password authentication method, system, electronic device and storage medium |
| CN114205083A (en) * | 2021-12-22 | 2022-03-18 | 中国电信股份有限公司 | SRv 6-based security authentication method, network node and authentication system |
| CN114692124A (en) * | 2022-04-18 | 2022-07-01 | 镁佳(北京)科技有限公司 | Data reading and writing method and device and electronic equipment |
Non-Patent Citations (4)
| Title |
|---|
| Marc Fischlin ; Christian Janson ; Sogol Mazaheri.Backdoored Hash Functions: Immunizing HMAC and HKDF.《2018 IEEE 31st Computer Security Foundations Symposium (CSF)》.2018,全文. * |
| 分布式日志系统REST安全接口设计;文勇军;黄浩;樊志良;唐立军;;网络安全技术与应用(第04期);全文 * |
| 基于远程证明的可信Modbus/TCP协议研究;詹静;杨静;;工程科学与技术(第01期);全文 * |
| 钟成 ; 李兴华 ; 宋园园 ; 马建峰 ; .无线网络中基于共享密钥的轻量级匿名认证协议.计算机学报.2017,(第05期),全文. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115941204A (en) | 2023-04-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10909531B2 (en) | Security for mobile applications | |
| CN109412812B (en) | Data security processing system, method, device and storage medium | |
| CN107004083B (en) | Device key protection | |
| EP3099090A1 (en) | Network locking or card locking method and device for a mobile terminal, terminal, sim card, storage media | |
| CN110190964B (en) | Identity authentication method and electronic equipment | |
| WO2022083324A1 (en) | Message encryption method and device, message decryption method and device, and mobile terminal | |
| WO2012055166A1 (en) | Removable storage device, and data processing system and method based on the device | |
| AU2015369711A1 (en) | Software tampering detection and reporting process | |
| US20100077472A1 (en) | Secure Communication Interface for Secure Multi-Processor System | |
| US20190139026A1 (en) | Mobile payment method, system on chip, and terminal | |
| CN112019548A (en) | User-defined interface signature method, server and system for preventing malicious attacks | |
| WO2022126644A1 (en) | Model protection device, method, and computing device | |
| CN109891823B (en) | Method, system, and non-transitory computer readable medium for credential encryption | |
| CN115941204B (en) | Data anti-replay method and system based on HSE | |
| TWI728212B (en) | Authentication method based on ciphertext | |
| CN108270767B (en) | Data verification method | |
| CN113239343B (en) | Encryption method for internal authentication, smart card, internal authentication method and card reader | |
| US11593780B1 (en) | Creation and validation of a secure list of security certificates | |
| CN114692124A (en) | Data reading and writing method and device and electronic equipment | |
| US20210209574A1 (en) | Security protection of association between a user device and a user | |
| CN117063174A (en) | Security module and method for inter-app trust through app-based identity | |
| RU2633186C1 (en) | Personal device for authentication and data protection | |
| WO2017114601A1 (en) | Method for protecting the use of a cryptographic key in two different cryptographic environments | |
| CN111049808A (en) | Real-name authentication method and device | |
| CN113010908B (en) | Safe storage method suitable for large-capacity SIM card |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |