CN116415227A - Key updating method, server, client and storage medium - Google Patents
Key updating method, server, client and storage medium Download PDFInfo
- Publication number
- CN116415227A CN116415227A CN202111677659.7A CN202111677659A CN116415227A CN 116415227 A CN116415227 A CN 116415227A CN 202111677659 A CN202111677659 A CN 202111677659A CN 116415227 A CN116415227 A CN 116415227A
- Authority
- CN
- China
- Prior art keywords
- key
- client
- information
- data packet
- identity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 64
- 238000012795 verification Methods 0.000 claims abstract description 31
- 238000004590 computer program Methods 0.000 claims description 16
- 238000004891 communication Methods 0.000 claims description 12
- 238000013507 mapping Methods 0.000 description 13
- 238000010586 diagram Methods 0.000 description 8
- 238000012545 processing Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 238000007726 management method Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- OTZZZISTDGMMMX-UHFFFAOYSA-N 2-(3,5-dimethylpyrazol-1-yl)-n,n-bis[2-(3,5-dimethylpyrazol-1-yl)ethyl]ethanamine Chemical compound N1=C(C)C=C(C)N1CCN(CCN1C(=CC(C)=N1)C)CCN1C(C)=CC(C)=N1 OTZZZISTDGMMMX-UHFFFAOYSA-N 0.000 description 2
- 241001441724 Tetraodontidae Species 0.000 description 2
- 238000003491 array Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 230000001010 compromised effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention provides a key updating method, a server, a client and a storage medium, belonging to the field of information security. The method comprises the following steps: acquiring an authentication data packet sent by a client, and checking the authentication data packet, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client; when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet; when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information; and updating a second key corresponding to the client in the server and the first key in the client according to the target key information. The technical scheme of the invention improves the safety and convenience of key updating between the client and the server.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method for updating a key, a server, a client, and a storage medium.
Background
Network transmission security is a problem that users pay more and more attention to, and traditional network security methods (such as VPN, firewall and NAC) cannot fully protect organizations, because TCP/IP adopts a method of "first connection and then identity verification" based on implicit trust. A Zero Trust (ZT) software defined boundary (Software Defined Perimeter, SDP) security model is an identity and context based logical access boundary created around an application or group of applications, and SDP architecturally allows only trusted traffic messages to pass while discarding illegal messages. In the whole operation period of the system, the key updating requirement is caused by the emergency such as the requirement of the key periodical updating in the safety management and the key leakage.
Therefore, how to improve the security and convenience of key update between a client and a server is a problem to be solved.
Disclosure of Invention
The embodiment of the invention provides a key updating method, a server, a client and a storage medium, aiming at improving the security and convenience of key updating between the client and the server.
In a first aspect, an embodiment of the present invention provides a key updating method, applied to a server, where the method includes:
Acquiring an authentication data packet sent by a client, and checking the authentication data packet, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client;
when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet;
when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
In a second aspect, an embodiment of the present invention provides another key updating method, applied to a client, where the method includes:
when a key updating instruction is acquired, generating an authentication data packet according to a first key and identity attribute information stored by the client;
the authentication data packet is sent to a server for the server to check the authentication data packet, and when the authentication data packet passes the check, the identity of the client is authenticated according to the identity attribute information in the authentication data packet;
When the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
In a third aspect, embodiments of the present invention further provide a server comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connection communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of any of the key updating methods as provided in the present specification.
In a fourth aspect, embodiments of the present invention further provide a server comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connection communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of any of the key updating methods as provided in the present specification.
In a fifth aspect, embodiments of the present invention further provide a storage medium for computer readable storage, wherein the storage medium stores one or more programs executable by one or more processors to implement the steps of any of the methods of key updating as provided in the present specification.
The embodiment of the invention provides a key updating method, a server, a client and a storage medium, wherein the authentication data packet sent by the client is acquired and verified, and the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client; when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet; when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information; and then updating the second key corresponding to the client in the server and the first key in the client according to the target key information. By carrying out identity authentication on the client, the security of key updating can be improved, more accurate target key information can be generated according to key updating negotiation information, and the second key corresponding to the client in the server and the first key in the client are updated through the target key information, so that the security and convenience of key updating between the client and the server are greatly improved.
Drawings
Fig. 1 is a schematic flow chart of a key updating method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating sub-steps of the key updating method in FIG. 1;
fig. 3 is a flowchart of another key updating method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a scenario of a key updating method according to an embodiment of the present invention;
fig. 5 is a schematic block diagram of a server according to an embodiment of the present invention;
fig. 6 is a schematic block diagram of a client according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
It is to be understood that the terminology used in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The existing key updating mode comprises the key updating through a key management service (Key Management Service, KMS), but the mode can only be implemented in cloud platform service, namely, the key storage and distribution are implemented in the cloud service, and the key updating mode is not applicable to a scene of the key updating of a client-server working model; another way is to generate the key at the server and then copy it to the client to update the key off-line, which is less secure and easily stolen.
In order to solve the above problems, embodiments of the present invention provide a key update method, a server, a client, and a storage medium. The key updating method can be applied to a server, and the server can be an independent server or a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDNs), basic cloud computing services such as big data and artificial intelligent platforms and the like. The key updating method comprises the steps of obtaining an authentication data packet sent by a client and checking the authentication data packet, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client; when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet; when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information; and updating the second key corresponding to the client in the server and the first key in the client according to the target key information. By carrying out identity authentication on the client, the security of key updating can be improved, more accurate target key information can be generated according to key updating negotiation information, and the second key corresponding to the client in the server and the first key in the client are updated through the target key information, so that the security and convenience of key updating between the client and the server are greatly improved.
In an embodiment, the key updating method can also be applied to a client, and the client can be a base station, a mobile phone, a tablet computer, a notebook computer, a desktop computer and other devices.
Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a flowchart of a key updating method according to an embodiment of the present invention.
As shown in fig. 1, the key updating method includes steps S101 to S104.
Step S101, an authentication data packet sent by a client is obtained, and the authentication data packet is checked, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client.
The first key and the second key are keys generated according to historical key information, the historical key information is target key information generated by updating the key last time, the first key and the second key are obtained by encrypting through a symmetric encryption algorithm and are identical keys, the first key and the second key are obtained by encrypting through an asymmetric encryption algorithm, and the first key and the second key are matched keys.
In one embodiment, a validity period of the second key is obtained; when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value, a key update request is sent to a client; and acquiring an authentication data packet returned by the client based on the key updating request. The preset time difference may be set according to practical situations, and the embodiment is not limited thereto, for example, the preset time difference may be set to 24 hours. When the validity period of the second key is about to expire, a key update request is sent to the client to improve the security of the communication between the client and the server.
In an embodiment, when information that the second key is leaked is obtained, a key update request is sent to the client; and acquiring an authentication data packet returned by the client based on the key updating request. The condition that the second key leaks may be determined according to the actual situation, which is not limited in this embodiment, for example, when data in the memory storing the second key is stolen, it is determined that the second key leaks. When the second key is leaked, a key updating request is sent to the client so as to improve the safety of communication between the client and the server.
In an embodiment, the authentication data packet includes a first hash value, where the first hash value is generated by the client according to the timestamp, identity attribute information of the client, and a first key, and after the server receives the authentication data packet sent by the client, the server obtains the first hash value from the authentication data packet, generates a second hash value according to the timestamp, the identity attribute information of the client, and the second key, determines whether the first hash value is identical to the second hash value, determines that the authentication data packet passes the verification if the first hash value is identical to the second hash value, and determines that the authentication data packet fails the verification if the first hash value is not identical to the second hash value.
In an embodiment, the manner of generating the second hash value according to the timestamp, the identity attribute information of the client, and the second key may be: and acquiring a preset hash algorithm, and processing the timestamp, the identity attribute information of the client and the second key based on the preset hash algorithm to obtain a second hash value. The preset hash algorithm may be selected according to practical situations, and this embodiment is not limited in particular, for example, the preset hash algorithm may be SHA-1. The second hash value can be accurately calculated through the preset hash algorithm. It should be noted that, the generation manner of the first hash value is the same as the generation manner of the second hash value, so the generation manner of the first hash value may refer to the generation manner of the second hash value, and will not be described in detail.
And step S102, when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet.
The identity attribute information includes an equipment identifier of the client, internet protocol address (Internet Protocol Address, IP address) information, and/or an operating system identifier, where the equipment identifier and the operating system identifier may be selected according to practical situations, and this embodiment is not specifically limited to this, and for example, the equipment identifier may be an equipment unique identifier of the client, and the operating system identifier may include an identifier corresponding to a window system and an identifier corresponding to an Android system.
In one embodiment, as shown in fig. 2, step S102 includes sub-steps S1021 through S1022.
And step S1021, acquiring history access information of the client.
And acquiring the access log file and/or the latest authorization record information corresponding to the client, and acquiring the historical access information from the access log file and/or the latest authorization record information. Of course, the historical access information of the client may also be obtained by other modes, which is not limited in particular.
Sub-step S1022, performing identity authentication on the client according to the identity attribute information and the historical access information in the authentication data packet.
Illustratively, determining a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information; and determining the identity credibility of the client according to the matching score, and determining that the client passes identity authentication when the identity credibility is greater than or equal to a preset threshold value. The preset threshold may be set according to actual situations, which is not specifically limited in this embodiment. And determining whether the client passes authentication or not according to the identity credibility by determining the identity credibility of the client.
In an embodiment, the identity attribute information in the authentication data packet includes a first device identification code, first internet protocol address (Internet Protocol Address, IP address) information, and/or a first operating system identification, the identity attribute information in the history access information includes a second device identification code, second internet protocol address (Internet Protocol Address, IP address) information, and/or a second operating system identification, a first match score between the first device identification code and the second device identification code is determined, a second match score between the first internet protocol address information and the second internet protocol address information is determined, a third match score between the first operating system identification and the second operating system identification is determined, and a match score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information is determined based on the first match score, the second match score, and the third match score.
In an embodiment, the manner of determining the first matching score between the first device identification code and the second device identification code may be: multiplying the first equipment identification code with a preset first weight parameter value to obtain a first parameter value, and multiplying the second equipment identification code with a preset second weight parameter value to obtain a second parameter value; calculating the difference value between the first parameter value and the second parameter value and taking the absolute value to obtain a first target parameter value; obtaining a first mapping relation table between a preset target parameter value and a matching score, and inquiring the matching score corresponding to the first target parameter value from the first mapping relation table to obtain a first matching score between a first equipment identification code and a second equipment identification code. The first mapping relation table is established in advance according to the target parameter value and the matching score, and the first mapping relation table may be established according to the actual situation, which is not limited in this embodiment.
In an embodiment, the manner of determining the second matching score between the first internet protocol address information and the second internet protocol address information may be: multiplying the first internet protocol address information with a preset first weight parameter value to obtain a third parameter value; multiplying the second internet protocol address information with a preset second weight parameter value to obtain a fourth parameter value; calculating the difference value of the third parameter value and the fourth parameter value, and taking the absolute value to obtain a second target parameter value; obtaining a first mapping relation table between a preset target parameter value and a matching score, and inquiring the matching score corresponding to a second target parameter value from the first mapping relation table to obtain a second matching score between the first internet protocol address information and the second internet protocol address information.
In an embodiment, the manner of determining the third matching score between the first operating system identification and the second operating system identification may be: multiplying the first operating system identifier with a preset first weight parameter value to obtain a fifth parameter value, and multiplying the second operating system identifier with a preset second weight parameter value to obtain a sixth parameter value; calculating the difference value between the fifth parameter value and the sixth parameter value and taking the absolute value to obtain a third target parameter value; obtaining a first mapping relation table between a preset target parameter value and a matching score, and inquiring the matching score corresponding to a third target parameter value from the first mapping relation table to obtain a third matching score between a first operating system identifier and a second operating system identifier.
In an embodiment, the manner of determining the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information according to the first matching score, the second matching score and the third matching score may be: and accumulating the first matching score, the second matching score and the third matching score to obtain the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information.
It should be noted that, if the identity attribute information in the authentication data packet includes the first device identification code, the first matching score is a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information; the identity attribute information in the authentication data packet comprises first internet protocol address information, and the second matching score is the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information; the identity attribute information in the authentication data packet comprises a first operating system identifier, and the third matching score is the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information; the identity attribute information in the authentication data packet comprises a first equipment identification code and first Internet protocol address information, and then the first matching score and the second matching score are accumulated to obtain a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information; the identity attribute information in the authentication data packet comprises a first equipment identification code and a first operating system identification, and then the first matching score and the third matching score are accumulated to obtain a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information; the identity attribute information in the authentication data packet comprises first internet protocol address information and a first operating system identifier, and then the first matching score and the third matching score are accumulated to obtain a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information; the identity attribute information in the authentication data packet comprises first internet protocol address information, first internet protocol address information and a first operating system identifier; and accumulating the first matching score, the second matching score and the third matching score to obtain the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information.
In an embodiment, the manner of determining the identity reliability of the client according to the matching score may be: and acquiring a second mapping relation table between the preset matching score and the identity credibility, and inquiring the identity credibility corresponding to the matching score from the second mapping relation table to obtain the identity credibility of the client. The second mapping relation table is established in advance according to the matching score and the identity reliability, and the establishment of the second mapping relation table can be established according to practical situations, which is not particularly limited in this embodiment. The identity credibility of the client can be accurately determined through the second mapping relation table.
In an embodiment, if the identity reliability is smaller than a preset threshold, sending an identity verification request to the client; and receiving the authentication information sent by the client based on the authentication request, and authenticating the client according to the authentication information. By sending the identity verification request to carry out identity verification, the accuracy of identity verification can be improved.
It should be noted that the authentication request may be selected according to practical situations, and this embodiment is not limited to this, for example, the authentication request may be a transmission of an authentication code to the client.
If the identity reliability is smaller than the preset threshold, the first identity verification code is sent to the client, the client receives the second identity verification code as the second identity verification code, the second identity verification code sent by the client is received, whether the second identity verification code is identical to the first identity verification code or not is determined, and if the second identity verification code is identical to the first identity verification code, the client passes the identity authentication; if the second authentication code is different from the first authentication code, determining that the client fails to pass the authentication.
Step S103, when the client passes the identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information.
The method comprises the steps that first key updating information sent by a client is obtained, the first key updating information comprises an encryption suite list supported by the client, the encryption suite list is a list of encryption algorithms supported by the client, the server determines the same encryption algorithm according to the encryption suite list and the list of encryption algorithms supported by the server, generates a first random number, generates second key updating information according to the same encryption algorithm and the first random number, sends the second key updating information to the client, generates a second random number according to the first random number in the second key updating information, generates third key updating information according to the same encryption algorithm and the second random number, and generates key updating negotiation information according to the same encryption algorithm and the second random number in the third key updating information. The encryption algorithm includes a symmetric encryption algorithm and an asymmetric encryption algorithm, the first key and the second key obtained by encrypting the symmetric encryption algorithm are the same, the first key and the second key obtained by encrypting the asymmetric encryption algorithm are matched, the symmetric encryption algorithm and the asymmetric encryption algorithm can be set according to practical situations, the embodiment is not limited in particular, for example, the symmetric encryption algorithm can be an algorithm such as a TDEA algorithm, a Blowfish algorithm and an RC5 algorithm, and the asymmetric encryption algorithm can be an algorithm such as an RSA, an Elgamal and a knapsack algorithm.
In an embodiment, the method for generating the target key information according to the key update negotiation information may be: the encryption algorithm and the encryption random number of the key are obtained from the key update negotiation information, the encryption random number is encrypted through the encryption algorithm, and target key information is obtained, wherein the target key information comprises a target first key and a target second key. The encryption algorithm is based on encrypting the encrypted random number, so that the target key information can be accurately obtained.
And step S104, updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
And acquiring a target second key from the target key information, and updating the second key corresponding to the client in the server by the target second key to finish updating the key corresponding to the client in the server. Generating target key information to the client, acquiring a target first key from the target key information by the client, and updating the first key by the target first key to finish updating the key in the client.
In one embodiment, the second key is discarded when the client key update success information and the server key update success information are received; and sending an enabling target second key instruction to the client, discarding the first key according to the enabling target second key instruction when the client receives the enabling target second key instruction, and generating an authentication data packet by using the target first key. And if the client key updating success information and the server key updating success information are not received, continuing to use the first key and the second key. By further determining whether the key is successfully updated and then using the updated key for authentication, the security of communication between the client and the server can be improved.
According to the key updating method in the embodiment, the authentication data packet sent by the client is obtained and verified, wherein the authentication data packet is generated by the client based on the stored first key and the identity attribute information of the client; when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet; when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information; and then updating the second key corresponding to the client in the server and the first key in the client according to the target key information. By carrying out identity authentication on the client, the security of key updating can be improved, more accurate target key information can be generated according to key updating negotiation information, and the second key corresponding to the client in the server and the first key in the client are updated through the target key information, so that the security and convenience of key updating between the client and the server are greatly improved.
Referring to fig. 3, fig. 3 is a flowchart of another key updating method according to an embodiment of the invention.
As shown in fig. 3, the key updating method includes steps S201 to S204.
Step 201, when a key update instruction is acquired, an authentication data packet is generated according to the first key and the identity attribute information stored by the client.
Acquiring the validity period of a first key; and generating a key updating instruction when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value. The preset time difference may be set according to practical situations, and the embodiment is not limited thereto, for example, the preset time difference may be set to 24 hours. When the validity period of the first key is about to expire, a key update instruction is generated to improve the security of communication between the client and the server.
In one embodiment, a key update instruction is generated when a first key is obtained to be compromised. The condition that the first key leaks may be determined according to an actual condition, and the embodiment is not limited to this specifically, for example, when data in the memory storing the first key is stolen, it is determined that the first key leaks. When the first secret key leaks, a secret key updating instruction is generated so as to improve the safety of communication between the client and the server.
In one embodiment, a first key and identity attribute information stored by a client are obtained, and an authentication data packet is generated according to the first key and the identity attribute information. Wherein the identity attribute information includes a device identification code, internet protocol address (Internet Protocol Address, IP address) information, and/or an operating system identification of the client.
Step S202, the authentication data packet is sent to a server so that the server can check the authentication data packet, and when the authentication data packet passes the check, the identity of the client is authenticated according to the identity attribute information in the authentication data packet.
The authentication data packet comprises a first hash value, the first hash value is generated by the client according to the timestamp, the identity attribute information of the client and the first key, the server acquires the first hash value from the authentication data packet after receiving the authentication data packet sent by the client, generates a second hash value according to the timestamp, the identity attribute information of the client and the second key, determines whether the first hash value is identical to the second hash value, determines that the authentication data packet passes the verification if the first hash value is identical to the second hash value, and determines that the authentication data packet fails the verification if the first hash value is not identical to the second hash value.
In an embodiment, the identity attribute information in the authentication data packet includes a first device identification code, first internet protocol address (Internet Protocol Address, IP address) information, and/or a first operating system identification, the identity attribute information in the history access information includes a second device identification code, second internet protocol address (Internet Protocol Address, IP address) information, and/or a second operating system identification, a first match score between the first device identification code and the second device identification code is determined, a second match score between the first internet protocol address information and the second internet protocol address information is determined, a third match score between the first operating system identification and the second operating system identification is determined, and a match score between the identity attribute information in the authentication data packet and the identity attribute information in the history access information is determined based on the first match score, the second match score, and the third match score.
In an embodiment, if the identity reliability is smaller than a preset threshold, sending an identity verification request to the client; and receiving the authentication information sent by the client based on the authentication request, and authenticating the client according to the authentication information. By sending the identity verification request to carry out identity verification, the accuracy of identity verification can be improved.
Step 203, when the client passes the identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information.
When the client passes identity authentication, the client sends first key updating information to the server, wherein the first key updating information comprises an encryption suite list supported by the client, the encryption suite list is a list of encryption algorithms supported by the client, the server determines the same encryption algorithm according to the encryption suite list and the list of encryption algorithms supported by the server, generates a first random number, generates second key updating information according to the same encryption algorithm and the first random number, sends the second key updating information to the client, and generates a second random number according to the first random number in the second key updating information, generates third key updating information according to the same encryption algorithm and the second random number, and generates key updating negotiation information according to the same encryption algorithm and the second random number in the third key updating information. The encryption algorithm includes a symmetric encryption algorithm and an asymmetric encryption algorithm, the first key and the second key obtained by encrypting the symmetric encryption algorithm are the same, the first key and the second key obtained by encrypting the asymmetric encryption algorithm are matched, the symmetric encryption algorithm and the asymmetric encryption algorithm can be set according to practical situations, the embodiment is not limited in particular, for example, the symmetric encryption algorithm can be an algorithm such as a TDEA algorithm, a Blowfish algorithm and an RC5 algorithm, and the asymmetric encryption algorithm can be an algorithm such as an RSA, an Elgamal and a knapsack algorithm.
And step S204, updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
Acquiring a target first key from target key information, and updating the first key in the client by the target first key to finish updating the key in the client; and sending the target key information to a server, acquiring a target second key from the target key information by the server, and updating a second key corresponding to the client in the server by the target second key to finish updating the key corresponding to the client in the server.
Exemplary, as shown in fig. 4, S301 is an authentication packet sent by the client 10 to the server 20; s302, the server 20 checks the authentication data packet, and when the authentication data packet passes the check, the identity authentication is performed on the client according to the identity attribute information in the authentication data packet; s303, the client 10 performs key update negotiation with the server 20 to obtain key update negotiation information; s304, the server 20 generates target key information according to the key update negotiation information; s305, the server 20 updates a second key corresponding to the client 10 in the server 20 according to the target key information; s306, the server 20 sends the target key information to the client 10; s307, the client 10 updates the first key according to the target key information.
In the key updating method in the above embodiment, when a key updating instruction is acquired, an authentication data packet is generated according to the first key and the identity attribute information stored in the client; sending an authentication data packet to a server for the server to check the authentication data packet, and carrying out identity authentication on the client according to identity attribute information in the authentication data packet when the authentication data packet passes the check; when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information; and updating the second key corresponding to the client in the server and the first key in the client according to the target key information. By carrying out identity authentication on the client, the security of key updating can be improved, more accurate target key information can be generated according to key updating negotiation information, and the second key corresponding to the client in the server and the first key in the client are updated through the target key information, so that the security and convenience of key updating between the client and the server are greatly improved.
Referring to fig. 5, fig. 5 is a schematic block diagram of a server according to an embodiment of the present invention.
As shown in fig. 5, the server 400 includes a processor 401 and a memory 402, and the processor 401 and the memory 402 are connected by a bus 403, such as an I2C (Inter-integrated Circuit) bus.
In particular, the processor 401 is used to provide computing and control capabilities, supporting the operation of the entire server. The processor 401 may be a central processing unit (Central Processing Unit, CPU), but the processor 401 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Specifically, the Memory 402 may be a Flash chip, a Read-Only Memory (ROM) disk, an optical disk, a U-disk, a removable hard disk, or the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is merely a block diagram of a portion of the structure associated with the present inventive arrangements and is not limiting of the server to which the present inventive arrangements are applied, and that a particular server may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
The processor is configured to run a computer program stored in the memory, and implement any one of the key updating methods provided by the embodiments of the present invention when the computer program is executed.
In an embodiment, the processor is configured to run a computer program stored in a memory and to implement the following steps when the computer program is executed:
acquiring an authentication data packet sent by a client, and checking the authentication data packet, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client;
when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet;
when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
In an embodiment, when implementing the identity authentication of the client according to the identity attribute information in the authentication data packet, the processor is configured to implement:
Acquiring historical access information of the client;
and authenticating the identity of the client according to the identity attribute information and the historical access information in the authentication data packet.
In an embodiment, when implementing the identity authentication of the client according to the identity attribute information and the historical access information in the authentication data packet, the processor is configured to implement:
determining a matching score between identity attribute information in the authentication data packet and identity attribute information in the historical access information;
and determining the identity credibility of the client according to the matching score, and determining that the client passes identity authentication when the identity credibility is greater than or equal to a preset threshold value.
In an embodiment, the identity attribute information in the authentication data packet by the processor includes a first device identification code, first internet protocol address information and/or a first operating system identification; the identity attribute information in the history access information comprises a second equipment identification code, second internet protocol address information and/or a second operating system identification; and when determining the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information, the method is used for realizing:
Determining a first matching score between the first device identification code and the second device identification code;
determining a second matching score between the first internet protocol address information and the second internet protocol address information;
determining a third matching score between the first operating system identification and the second operating system identification;
and determining a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information according to the first matching score and/or the second matching score and/or the third matching score.
In an embodiment, the processor in implementation is further configured to implement:
if the identity credibility is smaller than a preset threshold, an identity verification request is sent to the client;
and receiving the authentication information sent by the client based on the authentication request, and carrying out authentication on the client according to the authentication information.
In an embodiment, when implementing obtaining the authentication data packet sent by the client, the processor is configured to implement:
acquiring the second the validity period of the key;
when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value, a key update request is sent to the client;
And acquiring an authentication data packet returned by the client based on the key updating request.
It should be noted that, for convenience and brevity of description, specific working processes of the server described above may refer to corresponding processes in the foregoing embodiments of the key updating method, and are not described herein again.
Referring to fig. 6, fig. 6 is a schematic block diagram of a client according to an embodiment of the present invention.
As shown in fig. 6, a client 500 includes a processor 501 and a memory 502, the processor 501 and the memory 502 being connected by a bus 503, such as an I2C (Inter-integrated Circuit) bus.
In particular, the processor 501 is used to provide computing and control capabilities, supporting the operation of the entire client. The processor 501 may be a central processing unit (Central Processing Unit, CPU), the processor 501 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Specifically, the Memory 502 may be a Flash chip, a Read-Only Memory (ROM) disk, an optical disk, a U-disk, a removable hard disk, or the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of a portion of the structure associated with the present inventive arrangements and is not limiting of the client to which the present inventive arrangements are applied, and that a particular client may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
The processor is configured to run a computer program stored in the memory, and implement any one of the key updating methods provided by the embodiments of the present invention when the computer program is executed.
In an embodiment, the processor is configured to run a computer program stored in a memory and to implement the following steps when the computer program is executed:
when a key updating instruction is acquired, generating an authentication data packet according to a first key and identity attribute information stored by the client;
the authentication data packet is sent to a server for the server to check the authentication data packet, and when the authentication data packet passes the check, the identity of the client is authenticated according to the identity attribute information in the authentication data packet;
When the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
In an embodiment, the processor is further configured to implement:
acquiring the validity period of the first key;
and generating the key updating instruction when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value.
It should be noted that, for convenience and brevity of description, a specific working process of the client described above may refer to a corresponding process in the foregoing embodiment of the key updating method, which is not described herein again.
Embodiments of the present invention also provide a storage medium for computer readable storage storing one or more programs executable by one or more processors to implement the steps of any of the methods of key updating as provided in the present specification.
The storage medium may be an internal storage unit of the server and/or the client according to the foregoing embodiments, for example, a hard disk or a memory of the server and/or the client. The storage medium may also be an external storage device of the server and/or the client, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the server and/or the client.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
It should be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments. While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.
Claims (11)
1. A key updating method, applied to a server, comprising:
acquiring an authentication data packet sent by a client, and checking the authentication data packet, wherein the authentication data packet is generated by the client based on a stored first key and identity attribute information of the client;
when the authentication data packet passes the verification, carrying out identity authentication on the client according to the identity attribute information in the authentication data packet;
when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
2. The method for updating a key according to claim 1, wherein said authenticating the client according to the identity attribute information in the authentication data packet comprises:
acquiring historical access information of the client;
and authenticating the identity of the client according to the identity attribute information and the historical access information in the authentication data packet.
3. The method for updating a key according to claim 2, wherein said authenticating the client based on the identity attribute information and the history access information in the authentication packet comprises:
determining a matching score between identity attribute information in the authentication data packet and identity attribute information in the historical access information;
and determining the identity credibility of the client according to the matching score, and determining that the client passes identity authentication when the identity credibility is greater than or equal to a preset threshold value.
4. A method of updating a key according to claim 3, wherein the identity attribute information in the authentication data packet comprises a first device identification code, first internet protocol address information and/or a first operating system identification; the identity attribute information in the history access information comprises a second equipment identification code, second internet protocol address information and/or a second operating system identification; the determining the matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information comprises the following steps:
determining a first matching score between the first device identification code and the second device identification code;
Determining a second matching score between the first internet protocol address information and the second internet protocol address information;
determining a third matching score between the first operating system identification and the second operating system identification;
and determining a matching score between the identity attribute information in the authentication data packet and the identity attribute information in the historical access information according to the first matching score and/or the second matching score and/or the third matching score.
5. A method of updating a key according to claim 3, the method further comprising:
if the identity credibility is smaller than a preset threshold, an identity verification request is sent to the client;
and receiving the authentication information sent by the client based on the authentication request, and carrying out authentication on the client according to the authentication information.
6. The method for updating a key according to any one of claims 1 to 5, wherein the acquiring an authentication packet sent by the client includes:
acquiring the validity period of the second key;
when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value, a key update request is sent to the client;
And acquiring an authentication data packet returned by the client based on the key updating request.
7. A key updating method, applied to a client, the method comprising:
when a key updating instruction is acquired, generating an authentication data packet according to a first key and identity attribute information stored by the client;
the authentication data packet is sent to a server for the server to check the authentication data packet, and when the authentication data packet passes the check, the identity of the client is authenticated according to the identity attribute information in the authentication data packet;
when the client passes identity authentication, acquiring key update negotiation information, and generating target key information according to the key update negotiation information;
and updating a second key corresponding to the client in the server and the first key in the client according to the target key information.
8. The method of updating a key according to claim 7, wherein the method further comprises:
acquiring the validity period of the first key;
and generating the key updating instruction when the slave difference value between the validity period and the current system time is smaller than or equal to a preset time difference value.
9. A server comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connected communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of the key updating method according to any of claims 1 to 6.
10. A client comprising a processor, a memory, a computer program stored on the memory and executable by the processor, and a data bus for enabling a connected communication between the processor and the memory, wherein the computer program, when executed by the processor, implements the steps of the key updating method according to claim 7 or 8.
11. A storage medium for computer-readable storage, wherein the storage medium stores one or more programs executable by one or more processors to implement the steps of the key updating method of any of claims 1 to 8.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111677659.7A CN116415227A (en) | 2021-12-31 | 2021-12-31 | Key updating method, server, client and storage medium |
PCT/CN2022/138592 WO2023124958A1 (en) | 2021-12-31 | 2022-12-13 | Key update method, server, client and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111677659.7A CN116415227A (en) | 2021-12-31 | 2021-12-31 | Key updating method, server, client and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116415227A true CN116415227A (en) | 2023-07-11 |
Family
ID=86997698
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111677659.7A Pending CN116415227A (en) | 2021-12-31 | 2021-12-31 | Key updating method, server, client and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116415227A (en) |
WO (1) | WO2023124958A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116980111A (en) * | 2023-09-22 | 2023-10-31 | 北京格尔国信科技有限公司 | Key updating method, system, equipment and storage medium |
CN117216802B (en) * | 2023-11-07 | 2024-02-27 | 联通(广东)产业互联网有限公司 | Database security authentication method and device, electronic equipment and storage medium |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6621003B2 (en) * | 2015-05-08 | 2019-12-18 | パナソニックIpマネジメント株式会社 | Authentication method, authentication system, and controller |
CN107104932A (en) * | 2016-02-23 | 2017-08-29 | 中兴通讯股份有限公司 | Key updating method, apparatus and system |
CN106952096A (en) * | 2017-03-03 | 2017-07-14 | 中国工商银行股份有限公司 | Security certification system, method and the credible identifying device of client of client device |
CN108418691B (en) * | 2018-03-08 | 2020-10-27 | 湖南大学 | Dynamic network identity authentication method based on SGX |
CN112532392B (en) * | 2020-11-16 | 2022-10-25 | 中信银行股份有限公司 | Key processing method, device, equipment and storage medium |
-
2021
- 2021-12-31 CN CN202111677659.7A patent/CN116415227A/en active Pending
-
2022
- 2022-12-13 WO PCT/CN2022/138592 patent/WO2023124958A1/en unknown
Also Published As
Publication number | Publication date |
---|---|
WO2023124958A1 (en) | 2023-07-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9219722B2 (en) | Unclonable ID based chip-to-chip communication | |
US11546173B2 (en) | Methods, application server, IoT device and media for implementing IoT services | |
CN111064569B (en) | Cluster key obtaining method and device of trusted computing cluster | |
US10693879B2 (en) | Methods, devices and management terminals for establishing a secure session with a service | |
EP4231680A1 (en) | Identity authentication system, method and apparatus, device, and computer readable storage medium | |
US9325697B2 (en) | Provisioning and managing certificates for accessing secure services in network | |
GB2562454A (en) | Anonymous attestation | |
WO2023124958A1 (en) | Key update method, server, client and storage medium | |
CN113472790B (en) | Information transmission method, client and server based on HTTPS protocol | |
CN104753674A (en) | Application identity authentication method and device | |
EP3598333B1 (en) | Electronic device update management | |
US11917081B2 (en) | Issuing device and method for issuing and requesting device and method for requesting a digital certificate | |
CN113285932B (en) | Method for acquiring edge service, server and edge device | |
CN111917711B (en) | Data access method and device, computer equipment and storage medium | |
CN113569210A (en) | Distributed identity authentication method, equipment access method and device | |
CN111314269B (en) | Address automatic allocation protocol security authentication method and equipment | |
CN110771087B (en) | Private key update | |
KR20190127867A (en) | Method for managing reputation level of communication device | |
CN112148345B (en) | Method, device, electronic equipment and computer readable medium for transmitting small program package | |
CN113079506A (en) | Network security authentication method, device and equipment | |
CN114117554B (en) | Law enforcement data credibility verification method, processing method and system and law enforcement instrument | |
CN114007218B (en) | Authentication method, authentication system, terminal and digital identity authentication functional entity | |
US20230254149A1 (en) | Probabilistic data structure for managing tokens | |
CN113569209B (en) | User registration method and device based on block chain | |
WO2022053055A1 (en) | Method for accessing broadband access server, server, and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |