CN116886317B - Method, system and equipment for distributing secret key between server and terminal equipment - Google Patents

Method, system and equipment for distributing secret key between server and terminal equipment Download PDF

Info

Publication number
CN116886317B
CN116886317B CN202311146028.1A CN202311146028A CN116886317B CN 116886317 B CN116886317 B CN 116886317B CN 202311146028 A CN202311146028 A CN 202311146028A CN 116886317 B CN116886317 B CN 116886317B
Authority
CN
China
Prior art keywords
terminal equipment
server
key
terminal
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311146028.1A
Other languages
Chinese (zh)
Other versions
CN116886317A (en
Inventor
陆舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd filed Critical Feitian Technologies Co Ltd
Priority to CN202311146028.1A priority Critical patent/CN116886317B/en
Publication of CN116886317A publication Critical patent/CN116886317A/en
Application granted granted Critical
Publication of CN116886317B publication Critical patent/CN116886317B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Abstract

The invention discloses a method, a system and equipment for distributing secret keys between a server and terminal equipment, wherein the method comprises the following steps: the method comprises the steps that after a terminal device and a server verify that received opposite side certificates are legal, key pairs are respectively generated, the server verifies that a terminal device hardware serial number sent by the terminal device is legal according to the terminal device certificates, after the terminal device verifies that a server code is legal according to the server certificates, the terminal device and the server respectively generate intermediate keys according to a private key of a key pair generated by the terminal device and a public key of a key pair generated by the opposite side, a protection key is generated according to the intermediate keys, the terminal device hardware serial number and the server code, an application master key is generated and stored according to terminal device information, the application master key ciphertext is obtained by encrypting the application master key by using the protection key, and the application master key ciphertext is sent to the terminal device; and the terminal equipment uses the protection key to decrypt the application master key ciphertext to obtain the application master key, and correspondingly stores the terminal equipment information and the application master key.

Description

Method, system and equipment for distributing secret key between server and terminal equipment
Technical Field
The present invention relates to the field of information security, and in particular, to a method, a system, and an apparatus for distributing a key between a server and a terminal device.
Background
The prior art terminal device key injection scheme, in which an application key is injected into one terminal device and another terminal device is usually performed in a secure environment, requires identity verification by a personal computer terminal tool. For example, one terminal device, i.e. the master POS device, decrypts the application key ciphertext downloaded from the personal computer end tool to obtain the application key, and injects the application key into another terminal device, i.e. the POS device. However, the above-mentioned solutions of the prior art have the following drawbacks: because a safe local environment is needed, the system cannot be separated from the safe environment, and is limited by the environment, so that remote operation cannot be performed; in addition, since the key update injection flow is complicated and a plurality of devices such as a personal computer and a plurality of terminal devices are required to be operated, the operation is more complicated.
Disclosure of Invention
The invention provides a method, a system and equipment for distributing keys between a server and terminal equipment, and solves the technical problems.
The invention provides a method for distributing secret keys between a server and terminal equipment, which comprises the following steps:
step 1, terminal equipment generates a terminal session identifier, signs the terminal session identifier by using a terminal equipment preset private key to obtain a terminal equipment first signature result, and sends a terminal equipment certificate, the terminal session identifier and the terminal equipment first signature result to a server;
step 2, the server uses a public key of the terminal equipment certificate in the terminal equipment certificate to check the first signature result of the terminal equipment, then generates a server session identifier, generates first data to be signed according to the server session identifier and the terminal session identifier, uses a preset server private key to sign the first data to be signed, then generates a first signature result of the server, and sends the server certificate, the first data to be signed and the first signature result of the server to the terminal equipment;
step 3, the terminal equipment uses the public key of the server certificate in the server certificate to successfully sign the first signature result of the server, and generates a terminal equipment key pair, wherein the terminal equipment key pair comprises: the terminal equipment key pair public key and the terminal equipment key pair private key form terminal equipment second data to be signed according to the first data to be signed, the terminal equipment hardware serial number and the terminal equipment key pair public key, the terminal equipment preset private key is used for signing the terminal equipment second data to be signed to obtain a terminal equipment second signature result, and the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signature result are sent to the server;
And 4, after the server uses the public key of the terminal equipment certificate to successfully verify the second signature result of the terminal equipment and verifies that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate, generating a server key pair, wherein the server key pair comprises: generating server second to-be-signed data according to the server code and the server key pair public key, signing the server second to-be-signed data by using a preset server private key to obtain a server second signature result, and sending the server second to-be-signed data and the server second signature result to the terminal equipment;
step 5, the terminal equipment uses the public key of the server certificate to check the signature of the second signature result of the server successfully, and when judging that the server code in the data to be signed of the server is consistent with the server code in the server certificate, generates an intermediate key according to the preset elliptic curve parameter value, the private key of the terminal equipment key pair and the public key of the server key pair, generates a terminal equipment protection key according to the intermediate key, the terminal equipment hardware serial number and the server code, stores the terminal equipment protection key, generates the third data to be signed of the terminal equipment according to the terminal equipment hardware serial number, the terminal equipment merchant number and the terminal equipment terminal number, signs the third data to be signed of the terminal equipment by using the terminal equipment preset private key to obtain a third signature result of the terminal equipment, and sends the third data to be signed of the terminal equipment and the third signature result of the terminal equipment to the server;
Step 6, after the server uses the public key of the terminal equipment certificate to check the signature of the third signature result of the terminal equipment and verifies that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed are legal, generating an intermediate key according to the preset elliptic curve parameter value, the private key of the server key pair and the public key of the terminal equipment key pair, generating a server protection key according to the intermediate key, the hardware serial number of the terminal equipment and the server code, generating an application master key according to the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment, storing the preset application master key index and the application master key in a corresponding way, encrypting the application master key by using the server protection key to obtain an application master key ciphertext, and transmitting the application master key index and the application master key ciphertext to the terminal equipment;
and 7, the terminal equipment uses the stored terminal equipment protection key to decrypt the application master key ciphertext to obtain the application master key, and correspondingly stores the application master key index, the terminal equipment merchant number and the application master key.
The invention provides a system for distributing secret keys between a server and terminal equipment, which comprises: a terminal device and a server, wherein,
The terminal device comprises: the first generation and transmission module is used for generating a terminal session identifier, signing the terminal session identifier by using a terminal device preset private key to obtain a terminal device first signature result, and transmitting a terminal device certificate, the terminal session identifier and the terminal device first signature result to the server;
the judgment and signing verification module is used for judging that the server certificate is legal according to the preset root certificate and triggering the second generation and transmission module after the first signature result of the server is successfully signed by using the public key of the server certificate in the server certificate;
the second generating and sending module is used for generating a terminal equipment key pair, forming terminal equipment second to-be-signed data according to the first to-be-signed data, the terminal equipment hardware serial number and the terminal equipment key pair public key, signing the terminal equipment second to-be-signed data by using a terminal equipment preset private key to obtain a terminal equipment second signature result, and sending the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signature result to the server;
the signature verification judging module is used for successfully verifying the second signature result of the server by using the public key of the server certificate, and triggering the third generation and transmission module when judging that the server code in the second data to be signed of the server is consistent with the server code in the server certificate;
A third generation and transmission module, configured to generate an intermediate key according to a preset elliptic curve parameter value, a private key of a terminal device key pair, and a public key of a server key pair, generate a terminal device protection key according to the intermediate key, a terminal device hardware serial number, and a server code, store the terminal device protection key, generate terminal device third to-be-signed data according to the terminal device hardware serial number, a terminal device merchant number, and a terminal device terminal number, use the terminal device preset private key to sign the terminal device third to-be-signed data, obtain a terminal device third signature result, and transmit the terminal device third to-be-signed data and the terminal device third signature result to the server;
the decryption storage module is used for decrypting the application master key ciphertext by using the stored terminal equipment protection key to obtain an application master key, and correspondingly storing the application master key index, the terminal equipment merchant number and the application master key;
the server comprises: the first verification and approval module is used for verifying that the terminal equipment certificate is legal according to the preset root certificate and triggering the fourth generation and transmission module after the terminal equipment first signature result is successfully verified and signed by using the terminal equipment certificate public key in the terminal equipment certificate;
A fourth generation and transmission module, configured to generate a server session identifier, generate first to-be-signed data according to the server session identifier and the terminal session identifier, sign the first to-be-signed data using a preset server private key, generate a server first signature result, and transmit the first to-be-signed data and the server first signature result to the terminal device;
the second verification and approval module is used for successfully verifying a second signature result of the terminal equipment by using the public key of the terminal equipment certificate, and triggering a fifth generation and transmission module after verifying that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate;
a fifth generation and transmission module, configured to generate a server key pair, generate server second to-be-signed data according to the server code and the server key pair public key, obtain a server second signature result after signing the server second to-be-signed data by using a preset server private key, and transmit the server second to-be-signed data and the server second signature result to the terminal device;
the third verification and signature verification module is used for using the public key of the terminal equipment certificate to successfully verify the third signature result of the terminal equipment, and triggering the sixth generation and transmission module after verifying that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed of the terminal equipment are legal;
And a sixth generation and transmission module, configured to generate an intermediate key according to the preset elliptic curve parameter value, the server key pair private key and the terminal device key pair public key, generate a server protection key according to the intermediate key, the terminal device hardware serial number and the server code, generate an application master key according to the terminal device hardware serial number, the terminal device merchant number and the terminal device terminal number, store a preset application master key index in correspondence with the application master key, encrypt the application master key with the server protection key to obtain an application master key ciphertext, and transmit the application master key index and the application master key ciphertext to the terminal device.
The invention also provides a device for distributing keys between a server and a terminal device, the device comprising at least one processor, a memory and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to implement the above method.
The invention has the beneficial effects that: the invention provides a method, a system and equipment for distributing keys between a server and terminal equipment, which provides guarantee for the injection safety of application keys through key negotiation, and the technical scheme of the invention can be applied to unsafe environments, can be applied to a remote mode and a local mode, has stronger applicability, does not need to operate too many equipment in the implementation process, thus simplifying the operation flow, ensuring the safety of the application keys and realizing the safety of transaction keys.
Drawings
Fig. 1 is a flowchart of a method for distributing a key between a server and a terminal device according to a first embodiment of the present invention;
fig. 2 to fig. 7 are flowcharts of a procedure for negotiating a protection key and generating an application key in a method for distributing keys between a server and a terminal device according to a second embodiment of the present invention;
fig. 8 is a flowchart of a process of using an application key in a method for distributing a key between a server and a terminal device according to a second embodiment of the present invention;
fig. 9 is a flowchart of a method for distributing keys between a server and a terminal device according to a third embodiment of the present invention;
fig. 10 and fig. 11 are flowcharts of a method for distributing keys between a server and a terminal device according to a fourth embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
The embodiment provides a method for distributing keys between a server and a terminal device, as shown in fig. 1, including the following steps:
step 101, terminal equipment generates a terminal session identifier, signs the terminal session identifier by using a terminal equipment preset private key to obtain a terminal equipment first signature result, and sends a terminal equipment certificate, the terminal session identifier and the terminal equipment first signature result to a server;
step 102, a server uses a public key of a terminal equipment certificate in the terminal equipment certificate to successfully sign a first signature result of the terminal equipment, generates a server session identifier, generates first data to be signed according to the server session identifier and the terminal session identifier, signs the first data to be signed by using a preset server private key, generates a first signature result of the server, and sends the server certificate, the first data to be signed and the first signature result of the server to the terminal equipment;
step 103, after the terminal device successfully signs the first signature result of the server by using the public key of the server certificate in the server certificate, generating a terminal device key pair, where the terminal device key pair includes: the terminal equipment key pair public key and the terminal equipment key pair private key form terminal equipment second data to be signed according to the first data to be signed, the terminal equipment hardware serial number and the terminal equipment key pair public key, the terminal equipment preset private key is used for signing the terminal equipment second data to be signed to obtain a terminal equipment second signature result, and the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signature result are sent to the server;
Step 104, after the server uses the public key of the terminal equipment certificate to successfully verify the second signature result of the terminal equipment and verifies that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate, a server key pair is generated, and the server key pair comprises: generating server second to-be-signed data according to the server code and the server key pair public key, signing the server second to-be-signed data by using a preset server private key to obtain a server second signature result, and sending the server second to-be-signed data and the server second signature result to the terminal equipment;
step 105, when the terminal device uses the public key of the server certificate to check the signature of the second signature result of the server successfully and judges that the server code in the data to be signed of the server is consistent with the server code in the server certificate, an intermediate key is generated according to the preset elliptic curve parameter value, the private key of the terminal device key pair and the public key of the server key pair, a terminal device protection key is generated according to the intermediate key, the terminal device hardware serial number and the server code, a terminal device protection key is stored, terminal device third data to be signed is generated according to the terminal device hardware serial number, the terminal device merchant number and the terminal device terminal number, the terminal device third data to be signed is signed by using the terminal device preset private key, a terminal device third signature result is obtained, and the terminal device third data to be signed and the terminal device third signature result are sent to the server;
Step 106, after the server uses the public key of the terminal equipment certificate to check the signature of the third signature result of the terminal equipment and verifies that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed are legal, an intermediate key is generated according to the preset elliptic curve parameter value, the private key of the server key pair and the public key of the terminal equipment key pair, a server protection key is generated according to the intermediate key, the hardware serial number of the terminal equipment and the server code, an application master key is generated according to the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment, a preset application master key index and the application master key are correspondingly stored, the application master key ciphertext is obtained by encrypting the application master key by using the server protection key, and the application master key index and the application master key ciphertext are sent to the terminal equipment;
and step 107, the terminal equipment decrypts the application master key ciphertext by using the stored terminal equipment protection key to obtain the application master key, and correspondingly stores the application master key index, the terminal equipment merchant number and the application master key.
In a possible embodiment, after step 106, before step 107, further includes: the server clears the terminal session identifier, the server key pair, the terminal device key pair public key, the terminal device hardware serial number, the terminal device merchant number, the terminal device terminal number and the terminal device certificate.
In one possible implementation manner, the generating the first data to be signed according to the server session identifier and the terminal session identifier is specifically: and taking the dissimilation result of the server session identifier and the terminal session identifier as first data to be signed.
In a possible implementation manner, the generating the terminal device key pair in step 103 specifically includes: the terminal equipment generates a third random number as a terminal equipment key pair private key, and the terminal equipment performs point multiplication operation on the terminal equipment key pair private key and a preset elliptic curve parameter value to obtain a terminal equipment key pair public key;
the generating a server key pair in step 104 specifically includes: the server generates a fourth random number as a server key pair private key, and the server performs point multiplication operation on the server key pair private key and a preset elliptic curve parameter value to obtain a server key pair public key.
In one possible implementation, step 106 further includes: the server calculates an application master key according to a master key preset key verification algorithm to obtain a server application master key verification value, and sends the server application master key verification value to the terminal equipment;
in step 107, the application master key index, the terminal equipment merchant number and the application master key are stored in a specific manner: and the terminal equipment calculates an application master key according to a master key preset key verification algorithm to obtain a terminal equipment application master key verification value, judges whether the terminal equipment application master key verification value is consistent with the received server application master key verification value, stores the application master key index, the terminal equipment merchant number and the application master key correspondingly if the terminal equipment application master key verification value is consistent with the received server application master key verification value, and finishes if the terminal equipment application master key index, the terminal equipment merchant number and the application master key are not consistent with the received server application master key verification value.
In one possible implementation, step 104 is specifically:
after the server uses the public key of the terminal equipment certificate to successfully sign the second signature result of the terminal equipment and verifies that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate, the server generates a server key pair and a server random code, and the server key pair comprises: generating server second to-be-signed data by the server key pair public key and the server key pair private key according to a preset protection key index, a server random code, a server code and the server key pair public key, signing the server second to-be-signed data by using the preset server private key to obtain a server second signature result, and transmitting the server second to-be-signed data and the server second signature result to the terminal equipment;
step 105 is specifically: when the terminal equipment uses a public key of a server certificate to check a signature of a second signature result of the server, and judges that the server code in the data to be signed of the server is consistent with the server code in the server certificate, a terminal equipment random code is generated, an intermediate key is generated according to a preset elliptic curve parameter value, a private key of a terminal equipment key pair and the public key of the server key pair, a terminal equipment protection key is generated according to the intermediate key, the server random code in the data to be signed of the server, the terminal equipment random code, a terminal equipment hardware serial number and the server code, a corresponding storage terminal equipment protection key is indexed according to the preset protection key in the data to be signed of the server, terminal equipment third to-be-signed data is generated according to the terminal equipment hardware serial number, a terminal equipment merchant number, the terminal equipment random code and the terminal equipment terminal number, the terminal equipment third to-be-signed data is signed by using the terminal equipment preset private key, a terminal equipment third to obtain a terminal equipment signature result, and the terminal equipment third to-be signed data and the terminal equipment third signature result is sent to the server;
In step 106, the server protection key is specifically generated according to the intermediate key, the hardware serial number of the terminal device and the server code: generating a server protection key according to the intermediate key, a server random code in the third data to be signed of the terminal equipment, the terminal equipment random code, a terminal equipment hardware serial number and a server code;
step 106 further comprises transmitting a preset protection key index to the terminal equipment;
step 107 specifically comprises: and the terminal equipment searches the corresponding terminal equipment protection key according to the preset protection key index, decrypts the application master key ciphertext by using the found terminal equipment protection key to obtain the application master key, and correspondingly stores the application master key index, the terminal equipment merchant number and the application master key.
In a possible implementation manner, step 102 further includes, before step 102, verifying, by the server, whether the terminal device certificate is legal according to the preset root certificate, if yes, executing step 102, and if not, reporting by the server an error;
step 103 further comprises:
and the terminal equipment judges whether the server certificate is legal or not according to the preset root certificate, if so, the step 103 is executed, if not, the terminal equipment prompts errors, and the operation is ended.
In a possible implementation manner, in step 103, the forming, according to the first data to be signed, the hardware serial number of the terminal device, and the public key of the terminal device, the second data to be signed of the terminal device is specifically:
and forming second data to be signed of the terminal equipment according to the server session identifier, the terminal session identifier, the hardware serial number of the terminal equipment and the public key of the terminal equipment key pair in the first data to be signed.
In one possible embodiment, after step 107, the method further comprises:
step 108, the terminal equipment sends the terminal equipment merchant number, the terminal equipment terminal number and the batch number to the server;
step 109, after judging that the terminal equipment merchant number and the terminal equipment terminal number are legal, the server searches an application master key corresponding to the terminal equipment according to the terminal equipment merchant number and the terminal equipment terminal number, generates a transaction key according to the terminal equipment merchant number, the terminal equipment terminal number and the batch number, encrypts the transaction key by using the application master key to obtain a transaction key ciphertext, and sends the terminal equipment merchant number, the terminal equipment terminal number, the batch number and the transaction key ciphertext to the terminal equipment;
step 110, after the terminal equipment judges that the terminal equipment merchant number, the terminal equipment terminal number and the batch number are legal, the corresponding application master key index is searched according to the terminal equipment merchant number, the corresponding application master key in the terminal equipment is found according to the application master key index, the corresponding application master key is used for decrypting the transaction key ciphertext, the transaction key is obtained, and the transaction key is stored in the terminal equipment.
In one possible embodiment, step 109 is specifically: after judging that the terminal equipment merchant number and the terminal equipment terminal number are legal, the server searches an application master key corresponding to the terminal equipment according to the terminal equipment merchant number and the terminal equipment terminal number, generates a transaction key according to the terminal equipment merchant number, the terminal equipment terminal number and the batch number, calculates a first transaction key verification value, encrypts the transaction key by using the application master key to obtain a transaction key ciphertext, and sends the terminal equipment merchant number, the terminal equipment terminal number, the batch number, the transaction key ciphertext and the first transaction key verification value to the terminal equipment;
in step 110, a transaction key is obtained, and the transaction key is stored in a terminal device specifically as follows: obtaining a transaction key, calculating a second transaction key check value, judging whether the first transaction key check value is consistent with the second transaction key check value, if so, storing the transaction key into terminal equipment, if not, prompting an error by the terminal equipment, and ending.
In one possible implementation manner, the generating the first data to be signed according to the server session identifier and the terminal session identifier is specifically: and taking the splicing result of the server session identifier and the terminal session identifier as first data to be signed.
In one possible implementation, step 101 is specifically: the terminal equipment sends the terminal session identifier and the terminal equipment certificate to a server;
step 102 specifically comprises: after verifying that the terminal equipment certificate is legal according to the preset root certificate, the server sends a server session identifier and the server certificate to the terminal equipment;
step 103, step 104 and step 105 are replaced with: after verifying that the server certificate is legal according to the preset root certificate, the terminal equipment calculates according to the server session identifier and the terminal session identifier to obtain a terminal verification session identifier, signs terminal equipment information by using a terminal equipment certificate private key in the terminal equipment certificate to obtain a terminal equipment signature result, and sends the terminal verification session identifier, the terminal equipment information and the terminal equipment signature result to the server;
step 106 is specifically: the server generates a server verification session identifier according to the terminal session identifier and the server session identifier, verifies that the terminal verification session identifier is successful according to the server verification session identifier, then uses a terminal equipment certificate public key in a terminal equipment certificate to sign a terminal equipment signature result according to terminal equipment information, generates a protection key according to the terminal equipment information after the signature verification is successful, generates an application master key, encrypts the application master key by using the protection key to obtain an application master key ciphertext, encrypts the protection key by using the terminal equipment certificate public key to obtain a server encryption result, uses a preset server private key to sign spliced data of the server encryption result and the application master key ciphertext to obtain a server signature result, and sends the server encryption result, the server signature result and the application master key ciphertext to the terminal equipment;
Step 107 specifically comprises: and the terminal equipment uses a server public key in a server certificate to successfully sign a server signature result according to the application master key ciphertext, uses a terminal equipment certificate private key to decrypt a server encryption result to obtain a protection key, and uses the protection key to decrypt the application master key ciphertext to obtain the application master key.
In one possible implementation, step 101 is specifically: the terminal equipment generates a terminal equipment random number and a key set, and the terminal equipment random number and the key set are sent to a server;
step 102 specifically comprises: the server sends the self-generated server random number to the terminal equipment, sends the server encryption certificate and the server signature certificate in a format corresponding to the ECC algorithm identifier in the key suite to the terminal equipment, signs the data obtained after the terminal equipment random number, the server random number and the server encryption certificate generated by the server are spliced by using a preset server private key to obtain a server signature result, sends the server signature result to the terminal equipment, sends a terminal equipment certificate request instruction to the terminal equipment, and sends an end operation instruction to the terminal equipment;
Steps 103 to 107 are replaced with: the terminal equipment sends a terminal equipment certificate to a server, generates a protection key according to the server random number, the terminal equipment random number and the terminal equipment information, encrypts the protection key by using a public key of a server encryption certificate to generate a protection key ciphertext, sends the protection key ciphertext to the server, splices the terminal equipment random number, a key suite, a server signature certificate, a server signature result, a terminal equipment certificate request instruction, an end operation instruction, the terminal equipment certificate and the protection key ciphertext to obtain terminal equipment spliced data, hashes the terminal equipment spliced data according to a checking algorithm in the key suite to obtain a terminal equipment hash value, signs the terminal equipment hash value according to a signature algorithm in the key suite by using a terminal equipment certificate private key to obtain a terminal equipment signature result, sends the terminal equipment signature result to the server, sends an encryption operation prompting instruction to the server, and generates an application master key according to the server random number, the terminal equipment random number and the protection key.
Example two
The embodiment provides a method for distributing keys between a server and terminal equipment, which comprises the processes of negotiating a protection key, generating an application key and using the application key.
As shown in fig. 2 to 7, the process of negotiating a protection key and generating an application key includes the steps of:
step 201, a terminal device obtains a first time stamp and a first random number through a security chip of the terminal device, and forms a terminal session identifier according to the first time stamp and the first random number;
step 202, a terminal device takes a terminal session identifier as data to be signed, and signs the terminal session identifier by using a terminal device preset private key to obtain a terminal first signature result;
step 203, the terminal device sends the terminal device certificate, the terminal session identifier and the first signature result of the terminal device to the server;
step 204, the server receives a terminal equipment certificate, a terminal session identifier and a first signature result of the terminal equipment;
step 205, the server verifies whether the timestamp in the terminal session identifier is valid, if yes, step 206 is executed, if not, the server reports an error;
step 206, the server verifies whether the terminal equipment certificate is legal according to the preset root certificate, if yes, step 207 is executed, and if not, the server reports errors;
specifically, step 206 in this embodiment specifically includes:
step a1, a server acquires a signature field in a terminal equipment certificate, decrypts data of the signature field in the terminal equipment certificate according to a public key of a preset root certificate, judges whether decryption is successful, obtains terminal equipment certificate decryption data if yes, executes step a2, and reports errors if no;
Step a2, the server acquires a hash value field in the terminal equipment certificate, performs hash operation on the data in the hash value field of the certificate by using a predetermined hash algorithm to obtain the hash value of the terminal equipment certificate, judges whether the decrypted data of the terminal equipment certificate and the hash value of the terminal equipment certificate are identical, if so, the terminal equipment certificate is legal, step 207 is executed, if not, the terminal equipment certificate is illegal, and the server reports errors.
In this embodiment, step 206 may further include: step 206', the server verifies whether the terminal equipment certificate is valid, if yes, step 206 is executed, if no, the server reports an error.
Step 206' is specifically: the server determines whether the expiration date of the terminal device certificate is valid, and if so, step 206 is performed, and if not, the server reports an error.
Step 206' is specifically: the server determines whether the status of the terminal device certificate is a revoked status, and if not, executes step 206, and if so, the server reports an error.
Step 207, the server analyzes the terminal equipment certificate to obtain a public key of the terminal equipment certificate and a hardware serial number of the terminal equipment;
step 208, the server uses the public key of the terminal equipment certificate to check the first signature result of the terminal equipment, and judges whether the check is successful, if yes, step 209 is executed, if not, the server reports errors;
Step 209, the server verifies whether the hardware serial number of the terminal equipment is legal, if yes, step 210 is executed, if not, the server reports errors;
in this step, the server verifies whether the hardware serial number of the terminal device is legal or not, specifically: the server verifies whether the obtained hardware serial number of the terminal equipment is the same as the preset hardware serial number of the terminal equipment in the server database, if so, the step 210 is executed legally, if not, the server reports errors illegally;
step 210, the server acquires a second time stamp and a second random number, and forms a server session identifier according to the second time stamp and the second random number;
step 211, the server performs exclusive or operation on the server session identifier and the terminal session identifier to obtain first data to be signed of the server, and signs the first data to be signed of the server by using a preset server private key to obtain a first signature result of the server;
step 212, the server sends the server certificate, the server session identifier and the server first signature result to the terminal equipment;
step 213, the terminal device receives the server certificate, the server session identifier and the server first signature result;
step 214, the terminal device verifies whether the timestamp in the server session identifier is valid, if yes, step 215 is executed, if not, the terminal device prompts an error, and the process is ended;
Step 215, the terminal equipment judges whether the server certificate is legal or not according to the preset root certificate, if yes, step 216 is executed, if not, the terminal equipment prompts for errors, and the process is finished;
specifically, step 215 in this embodiment specifically includes:
step b1, the terminal equipment obtains the signature field in the server certificate, decrypts the signature field data in the server certificate according to the public key of the root certificate, judges whether decryption is successful, if so, executes step b2 after obtaining the decrypted data of the server certificate, and if not, the server reports errors;
and b2, the terminal equipment acquires a hash value field in the server certificate, performs hash operation on data in the hash value field of the certificate by using a preset hash algorithm to obtain a hash value of the server certificate, judges whether the decrypted data of the server certificate and the hash value of the server certificate are the same, if so, the server certificate is legal, step 216 is executed, if not, the server certificate is illegal, and the server reports errors.
Step 216, the terminal device analyzes the server certificate to obtain a server certificate public key and a server code;
step 217, the terminal device uses the public key of the server certificate to check the first signature result of the server, and judges whether the check result is successful, if yes, step 218 is executed, if not, the terminal device prompts error, and ends;
Step 218, the terminal device exclusive-ors the terminal session identifier and the server session identifier to obtain first data to be signed of the terminal device;
step 219, the terminal equipment generates a terminal equipment key pair according to a preset first algorithm;
in this embodiment, the terminal device key pair includes: the terminal equipment key pair public key and the terminal equipment key pair private key comprise the following steps: the terminal equipment generates a third random number as a terminal equipment key pair private key, and the terminal equipment performs point multiplication operation on the terminal equipment key pair private key and a preset elliptic curve parameter value to obtain a terminal equipment key pair public key;
step 220, the terminal equipment splices the public key with the terminal equipment hardware serial number and the terminal equipment key to obtain second data to be signed of the terminal equipment;
step 221, the terminal equipment splices the first data to be signed of the terminal equipment and the second data to be signed of the terminal equipment to obtain a first splicing result of the terminal equipment, and signs the first splicing result of the terminal equipment by using a preset private key of the terminal equipment to obtain a second signature result of the terminal equipment;
step 222, the terminal device sends the second data to be signed and the second signature result to the server;
Step 223, the server receives the second data to be signed of the terminal device and the second signature result of the terminal device;
step 224, the server uses the public key of the terminal equipment certificate to check the second signature result of the terminal equipment, and judges whether the check is successful, if yes, step 225 is executed, if not, the server reports errors;
step 225, the server verifies whether the hardware serial number of the terminal device in the second data to be signed of the terminal device is consistent with the hardware serial number in the terminal device certificate, if yes, step 226 is executed, if no, the server reports errors;
step 226, the server performs exclusive OR operation on the server session identifier and the terminal session identifier to obtain first data to be signed of the server;
step 227, the server generates a server key pair according to a preset first algorithm;
in this embodiment, the server key pair includes a server key pair public key and a server key pair private key, and this step specifically includes: the server generates a fourth random number as a terminal equipment key pair private key, and the server performs point multiplication operation on the server key pair private key and a preset elliptic curve parameter value to obtain a server key pair public key;
step 228, the server generates a server random code, and splices the public key with a preset symmetric algorithm identifier, a preset protection key index, a server code, the server random code and the server key to obtain first spliced data of the server;
Step 229, the server splices the first signature data of the server and the first splicing data of the server to obtain second splicing data of the server, and signs the second splicing data of the server by using a preset server private key to obtain a second signature result of the server;
step 230, the server sends the first splicing data of the server and the second signature result of the server to the terminal equipment;
step 231, the terminal device receives the first splicing data of the server and the second signature result of the server;
step 232, the terminal device uses the public key of the server certificate to check the second signature result of the server, and judges whether the check is successful, if yes, step 233 is executed, if not, the terminal device prompts for errors, and the process is ended;
step 233, the terminal device judges whether the server code in the first spliced data of the server is consistent with the server code in the server certificate, if so, step 234 is executed, if not, the terminal device prompts an error, and the process is ended;
step 234, the terminal device performs a dot product operation on the private key of the terminal device key pair and the public key of the server key pair according to the preset elliptic curve parameter value to generate an intermediate key;
step 235, the terminal equipment generates a terminal equipment random code, and the intermediate secret key, the server random code, the terminal equipment hardware serial number and the server code are spliced to obtain second spliced data of the terminal equipment; carrying out hash operation on the second spliced data of the terminal equipment according to a preset algorithm to obtain a terminal equipment protection key;
Step 236, the terminal equipment injects the terminal equipment protection key into the terminal equipment security chip for corresponding storage according to the preset symmetric algorithm identification and the preset protection key index;
step 237, the terminal device performs exclusive OR operation on the terminal session identifier and the server session identifier to obtain first data to be signed of the terminal device;
step 238, the terminal equipment splices the terminal equipment hardware serial number, the terminal equipment merchant number, the terminal equipment terminal number and the terminal equipment random code to obtain second spliced data of the terminal equipment;
step 239, the terminal device splices the first data to be signed of the terminal device with the second spliced data of the terminal device to obtain third spliced data of the terminal device, and signs the third spliced data of the terminal device by using a preset private key of the terminal device to obtain a third signature result of the terminal device;
step 240, the terminal device sends the second spliced data of the terminal device and the third signature result of the terminal device to the server;
step 241, the server receives the second spliced data of the terminal device and the third signature result of the terminal device;
step 242, the server uses the public key of the terminal equipment certificate to check the third signature result of the terminal equipment, and judges whether the check is successful, if yes, step 243 is executed, if no, the server reports errors;
Step 243, the server verifies whether the hardware serial number of the terminal device is consistent with the hardware serial number in the terminal device certificate, and verifies whether the terminal device merchant number and the terminal device terminal number in the second spliced data of the terminal device are legal, if yes, step 244 is executed, if no, the server reports errors;
step 244, the server performs ECC point multiplication operation on the private key of the server key pair and the public key of the terminal equipment key pair to generate an intermediate key;
the method specifically comprises the following steps: the server takes the product of the private key of the server key pair and the public key of the terminal equipment key pair as an intermediate key;
step 245, the server splices the intermediate key, the server random code, the terminal equipment hardware serial number and the server code to obtain second spliced data of the server; carrying out hash operation on the second spliced data of the server according to a preset algorithm to obtain a server protection key;
step 246, the server generates an application master key according to the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment; presetting a key verification algorithm according to a master key, and calculating an application master key to obtain a server application master key verification value; the server correspondingly stores the application master key, the terminal equipment merchant number and the terminal equipment terminal number;
In this embodiment, the application master key is the application key.
In this embodiment, the steps 238 and 239 may be: the terminal equipment splices the first data to be signed of the terminal equipment and the hardware serial number of the terminal equipment to obtain third spliced data of the terminal equipment, and signs the third spliced data of the terminal equipment by using a preset private key of the terminal equipment to obtain a third signature result of the terminal equipment;
the step 243 specifically includes: the server verifies whether the hardware serial number of the terminal equipment is consistent with the hardware serial number in the terminal equipment certificate, if so, step 244 is executed, and if not, the server reports errors;
step 246 is preceded by: and the server searches the corresponding terminal equipment merchant number and the terminal equipment terminal number in the server database according to the terminal equipment hardware serial number.
Step 247, the server encrypts the application master key by using the protection key according to a preset symmetric algorithm to obtain an application master key ciphertext;
step 248, the server sends the preset protection key index, the preset application master key index, the application master key ciphertext and the server application master key check value to the terminal equipment, and clears the terminal equipment session identifier, the server key pair, the public key of the terminal key pair, the hardware serial number of the terminal equipment, the merchant number of the terminal equipment, the terminal number of the terminal equipment, the serial number of the security chip, the server application master key check value and the terminal equipment certificate;
Step 249, the terminal device receives the protection key index, the application master key ciphertext, and the server application master key check value;
step 250, the terminal equipment judges whether the corresponding protection key and the preset symmetric algorithm in the security chip can be found according to the preset protection key index, if so, step 251 is executed, if not, the terminal equipment prompts an error and ends;
step 251, the terminal equipment decrypts the cipher text of the application master key by using the protection key in the security chip according to a preset symmetric algorithm to obtain the application master key; presetting a key verification algorithm according to a master key, and calculating an application master key to obtain an application master key verification value of the terminal equipment;
step 252, the terminal device checks whether the terminal device application master key check value is consistent with the server application master key check value, if so, step 253 is executed, if not, the terminal device prompts an error, and the process is ended;
and step 253, the terminal equipment injects the application master key into the terminal equipment security chip for corresponding storage according to the application master key index, the terminal equipment merchant number and the terminal equipment terminal number.
As shown in fig. 8, the application key use process includes the steps of:
Step 301, a terminal device obtains a terminal device merchant number, a terminal device terminal number and a batch number, and sends the terminal device merchant number, the terminal device terminal number and the batch number to a server;
step 302, the server receives the terminal equipment merchant number, the terminal equipment terminal number and the batch number sent by the terminal equipment, judges whether the terminal equipment merchant number and the terminal equipment terminal number are legal and valid, if yes, executes step 303, and if no, the server reports errors;
step 303, the server searches the application master key corresponding to the terminal equipment according to the terminal equipment merchant number and the terminal equipment terminal number, judges whether the corresponding application master key is queried, if yes, executes step 304, if no, the server reports errors;
step 304, the server generates a transaction key according to the terminal equipment merchant number, the terminal equipment terminal number and the batch number;
step 305, the server encrypts the transaction key by using the application master key according to a preset transaction key algorithm to obtain a transaction key ciphertext, and calculates a first transaction key verification value;
step 306, the server sends the transaction response code, the terminal equipment merchant number, the terminal equipment terminal number, the batch number, the preset transaction key algorithm identification, the transaction key ciphertext and the first transaction key check value to the terminal equipment;
Step 307, the terminal device receives the transaction response code, the terminal device merchant number, the terminal device terminal number, the batch number, the preset transaction key algorithm identifier, the transaction key ciphertext and the first transaction key verification value;
step 308, the terminal device judges whether the transaction response code is a normal response code, if yes, step 309 is executed, if no, the terminal device prompts an error, and the process is ended;
step 309, the terminal device determines whether the received terminal device merchant number, terminal device terminal number, batch number are consistent with the terminal device merchant number, terminal device terminal number, batch number sent to the server, if yes, step 310 is executed, if no, the terminal device prompts for errors, and the process is ended;
step 310, the terminal device searches the corresponding application master key index according to the terminal device merchant number, finds the corresponding application master key in the security chip according to the application master key index, identifies the corresponding preset transaction key algorithm according to the preset transaction key algorithm, decrypts the transaction key ciphertext by using the application master key in the security chip to obtain the transaction key, calculates the second transaction key check value, judges whether the first transaction key check value is consistent with the second transaction key check value, if yes, executes step 311, if no, the terminal device prompts for errors, and ends;
In step 311, the terminal device stores the transaction key in the security chip.
Example III
The present embodiment provides a method for distributing a key between a server and a terminal device, as shown in fig. 9, including the following steps:
step 401, terminal equipment generates a terminal equipment random number, and generates a key suite according to an ECC algorithm identifier, a signature algorithm and a verification algorithm;
step 402, the terminal equipment sends the terminal equipment random number and the key suite to a server;
step 403, the server receives the terminal equipment random number and the key suite, generates a server random number, and sends the server random number to the terminal equipment;
step 404, the server searches the server signature certificate with the format corresponding to the ECC algorithm identification in the key suite, and sends the server signature certificate and the server encryption certificate to the terminal equipment;
step 405, the server generates server spliced data by splicing the terminal equipment random number, the server random number and the server encryption certificate, signs the server spliced data by using a server private key according to an algorithm corresponding to the ECC mark in the key suite to obtain a server signature result, and sends the server signature result to the terminal equipment;
Step 406, the server sends a terminal equipment certificate request instruction to the terminal equipment;
step 407, the server sends an end operation instruction to the terminal device;
step 408, the terminal device sends the terminal device certificate to the server;
step 409, the terminal device generates a protection key according to the server random number, the terminal device random number and the terminal device information, encrypts the protection key by using the public key of the server encryption certificate to obtain a protection key ciphertext, and sends the protection key ciphertext to the server;
step 410, the terminal equipment splices the terminal equipment random number, the key suite, the server signature certificate, the server signature result, the terminal equipment certificate request instruction, the end operation instruction, the terminal equipment certificate and the protection key ciphertext to obtain terminal equipment spliced data, hashes the terminal equipment spliced data according to a checking algorithm in the key suite to obtain a terminal equipment hash value, signs the terminal equipment hash value according to a signature algorithm in the key suite by using the terminal equipment certificate private key to obtain a terminal equipment signature result, and sends the terminal equipment signature result to the server;
step 411, the terminal device sends an encryption operation prompt instruction to the server;
In step 412, the terminal device generates an application master key using the RRS algorithm based on the server nonce, the terminal device nonce, and the protection key.
Example IV
The present embodiment provides a method for distributing keys between a server and a terminal device, as shown in fig. 10 and 11, including the steps of:
step 501, terminal equipment generates a first random number, and forms a terminal session identifier according to the first random number;
step 502, the terminal device sends a terminal session identifier and a terminal device certificate to a server;
step 503, the server receives the terminal session identifier and the terminal equipment certificate;
step 504, the server verifies whether the terminal equipment certificate is legal, if yes, step 505 is executed, if not, the server reports errors;
step 505, the server analyzes the terminal equipment certificate to obtain a public key of the terminal equipment certificate, generates a second random number, and forms a server session identifier according to the second random number;
step 506, the server sends the server session identifier and a preset server certificate chain to the terminal device;
step 507, the terminal device receives a server session identifier and a server certificate chain;
step 508, the terminal equipment verifies whether the server certificate chain is legal, if yes, step 509 is executed, if not, the terminal equipment prompts for errors, and the process is finished;
Step 509, the terminal device analyzes the server certificate chain to obtain a server certificate public key, performs exclusive or operation according to the server session identifier and the terminal session identifier to generate a terminal device verification session identifier, and signs the terminal device information by using a terminal device private key to obtain a terminal device signature result;
step 510, the terminal device sends the terminal device verification session identifier, the terminal device information and the terminal device signature result to the server;
step 511, the server receives the terminal equipment verification session identifier, the terminal equipment information and the terminal equipment signature result, and generates a server verification session identifier by performing exclusive-or operation according to the server session identifier and the terminal session identifier;
step 512, the server verifies whether the terminal equipment verification session identifier is the same as the server verification session identifier, if yes, step 513 is executed, if not, the server reports an error;
step 513, the server performs signature verification on the terminal device signature result according to the terminal device certificate public key and the terminal device information, and judges whether the signature verification result is successful, if yes, step 514 is executed, and if not, the server reports errors;
step 514, the server generates a server random code, generates a protection key according to the server random code, encrypts the protection key by using a terminal equipment certificate public key to obtain a server encryption result, generates an application master key according to terminal equipment information, encrypts the application master key by using the protection key to obtain an application master key ciphertext, splices the server encryption result and the application master key ciphertext to obtain server spliced data, and signs the server spliced data by using a preset server private key to obtain a server signature result;
Step 515, the server sends the server encryption result, the application master key ciphertext and the server signature result to the terminal device;
step 516, the terminal device receives the server encryption result, the application master key ciphertext and the server signature result;
step 517, the terminal device uses the public key of the server certificate to check the server signature result according to the server encryption result and the application master key ciphertext, and judges whether the check result is successful, if yes, step 518 is executed, if no, the terminal device prompts errors, and the process is ended;
and 518, the terminal equipment decrypts the server encryption result by using the terminal equipment certificate private key to obtain a protection key, decrypts the application master key ciphertext by using the protection key to obtain an application master key, and stores the application master key.
Optionally, the embodiment of the application also provides a system for distributing keys between the server and the terminal equipment, comprising the terminal equipment and the server, wherein,
the terminal device comprises: the first generation and transmission module is used for generating a terminal session identifier, signing the terminal session identifier by using a terminal device preset private key to obtain a terminal device first signature result, and transmitting a terminal device certificate, the terminal session identifier and the terminal device first signature result to the server;
The judgment and signing verification module is used for judging that the server certificate is legal according to the preset root certificate and triggering the second generation and transmission module after the first signature result of the server is successfully signed by using the public key of the server certificate in the server certificate;
the second generating and sending module is used for generating a terminal equipment key pair, forming terminal equipment second to-be-signed data according to the first to-be-signed data, the terminal equipment hardware serial number and the terminal equipment key pair public key, signing the terminal equipment second to-be-signed data by using a terminal equipment preset private key to obtain a terminal equipment second signature result, and sending the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signature result to the server;
the signature verification judging module is used for successfully verifying the second signature result of the server by using the public key of the server certificate, and triggering the third generation and transmission module when judging that the server code in the second data to be signed of the server is consistent with the server code in the server certificate;
a third generation and transmission module, configured to generate an intermediate key according to a preset elliptic curve parameter value, a private key of a terminal device key pair, and a public key of a server key pair, generate a terminal device protection key according to the intermediate key, a terminal device hardware serial number, and a server code, store the terminal device protection key, generate terminal device third to-be-signed data according to the terminal device hardware serial number, a terminal device merchant number, and a terminal device terminal number, use the terminal device preset private key to sign the terminal device third to-be-signed data, obtain a terminal device third signature result, and transmit the terminal device third to-be-signed data and the terminal device third signature result to the server;
The decryption storage module is used for decrypting the application master key ciphertext by using the stored terminal equipment protection key to obtain an application master key, and correspondingly storing the application master key index, the terminal equipment merchant number and the application master key;
the server comprises: the first verification and approval module is used for verifying that the terminal equipment certificate is legal according to the preset root certificate and triggering the fourth generation and transmission module after the terminal equipment first signature result is successfully verified and signed by using the terminal equipment certificate public key in the terminal equipment certificate;
a fourth generation and transmission module, configured to generate a server session identifier, generate first to-be-signed data according to the server session identifier and the terminal session identifier, sign the first to-be-signed data using a preset server private key, generate a server first signature result, and transmit the first to-be-signed data and the server first signature result to the terminal device;
the second verification and approval module is used for successfully verifying a second signature result of the terminal equipment by using the public key of the terminal equipment certificate, and triggering a fifth generation and transmission module after verifying that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate;
a fifth generation and transmission module, configured to generate a server key pair, generate server second to-be-signed data according to the server code and the server key pair public key, obtain a server second signature result after signing the server second to-be-signed data by using a preset server private key, and transmit the server second to-be-signed data and the server second signature result to the terminal device;
The third verification and signature verification module is used for using the public key of the terminal equipment certificate to successfully verify the third signature result of the terminal equipment, and triggering the sixth generation and transmission module after verifying that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed of the terminal equipment are legal;
and a sixth generation and transmission module, configured to generate an intermediate key according to the preset elliptic curve parameter value, the server key pair private key and the terminal device key pair public key, generate a server protection key according to the intermediate key, the terminal device hardware serial number and the server code, generate an application master key according to the terminal device hardware serial number, the terminal device merchant number and the terminal device terminal number, store a preset application master key index in correspondence with the application master key, encrypt the application master key with the server protection key to obtain an application master key ciphertext, and transmit the application master key index and the application master key ciphertext to the terminal device.
Optionally, an embodiment of the present application further provides an apparatus for distributing a key between a server and a terminal device, where the apparatus includes at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, where the at least one processor executes the instructions to implement the method in the above embodiment. When the device is a chip system, the device may be formed by a chip, or may include a chip and other discrete devices, which is not particularly limited in the embodiment of the present application; the chip is coupled to the memory for executing the computer program stored in the memory for performing the method disclosed in the above embodiments.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A method of distributing keys between a server and a terminal device, the method comprising:
step 1, terminal equipment generates a terminal session identifier, signs the terminal session identifier by using a terminal equipment preset private key to obtain a terminal equipment first signature result, and sends a terminal equipment certificate, the terminal session identifier and the terminal equipment first signature result to a server;
step 2, the server uses a public key of the terminal equipment certificate to successfully check the first signature result of the terminal equipment, generates a server session identifier, generates first data to be signed according to the server session identifier and the terminal session identifier, uses a preset server private key to sign the first data to be signed, generates a first signature result of the server, and sends the server certificate, the first data to be signed and the first signature result of the server to the terminal equipment;
Step 3, the terminal equipment uses the public key of the server certificate to successfully verify the first signature result of the server to generate a terminal equipment key pair, wherein the terminal equipment key pair comprises: a terminal equipment key pair public key and a terminal equipment key pair private key form terminal equipment second data to be signed according to the first data to be signed, a terminal equipment hardware serial number and the terminal equipment key pair public key, a terminal equipment second signing result is obtained after the terminal equipment preset private key is used for signing the terminal equipment second data to be signed, and the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signing result are sent to the server;
step 4, after the server uses the public key of the terminal equipment certificate to successfully verify the second signature result of the terminal equipment and verifies that the received terminal equipment hardware serial number is consistent with the terminal equipment hardware serial number in the terminal equipment certificate, a server key pair is generated, and the server key pair comprises: generating server second to-be-signed data according to a server code and a server key pair public key, signing the server second to-be-signed data by using the preset server private key to obtain a server second signature result, and transmitting the server second to-be-signed data and the server second signature result to the terminal equipment;
Step 5, the terminal equipment uses the public key of the server certificate to check the signature of the server second signature result successfully, and when judging that the server code in the server second data to be signed is consistent with the server code in the server certificate, generates an intermediate key according to a preset elliptic curve parameter value, a private key of the terminal equipment key pair and the public key of the server key pair, generates a terminal equipment protection key according to the intermediate key, the terminal equipment hardware serial number and the server code, stores the terminal equipment protection key, generates terminal equipment third data to be signed according to the terminal equipment hardware serial number, the terminal equipment merchant number and the terminal equipment terminal number, signs the terminal equipment third data to be signed by using the terminal equipment preset private key to obtain a terminal equipment third signature result, and sends the terminal equipment third data to be signed and the terminal equipment third signature result to the server;
step 6, the server uses the public key of the terminal equipment certificate to check the third signature result of the terminal equipment to succeed in verifying that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed are legal, generates an intermediate key according to the preset elliptic curve parameter value, the private key of the server key pair and the public key of the terminal equipment key pair, generates a server protection key according to the intermediate key, the hardware serial number of the terminal equipment and the server code, generates an application master key according to the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment, stores a preset application master key index corresponding to the application master key, encrypts the application master key by using the server protection key to obtain an application master key ciphertext, and sends the application master key index and the application master ciphertext to the terminal equipment;
And 7, the terminal equipment uses the stored terminal equipment protection key to decrypt the application master key ciphertext to obtain the application master key, and correspondingly stores the application master key index, the terminal equipment merchant number and the application master key.
2. The method of claim 1, wherein after step 6, before step 7, further comprising: the server clears the terminal session identifier, the server key pair, the terminal device key pair public key, the terminal device hardware serial number, the terminal device merchant number, the terminal device terminal number and the terminal device certificate.
3. The method of claim 1, wherein,
the generating the first data to be signed according to the server session identifier and the terminal session identifier specifically includes: and taking the dissimilation result of the server session identifier and the terminal session identifier as first data to be signed.
4. The method of claim 1, wherein the generating the terminal device key pair in step 3 specifically includes: the terminal equipment generates a third random number as a terminal equipment key pair private key, and the terminal equipment performs point multiplication operation on the terminal equipment key pair private key and a preset elliptic curve parameter value to obtain a terminal equipment key pair public key;
The generating a server key pair in the step 4 specifically includes: and the server generates a fourth random number as a server key pair private key, and the server performs point multiplication operation on the server key pair private key and a preset elliptic curve parameter value to obtain a server key pair public key.
5. The method of claim 4, wherein,
the step 6 further includes: the server calculates the application master key according to a master key preset key verification algorithm to obtain a server application master key verification value, and the server application master key verification value is sent to the terminal equipment;
in the step 7, the storing the application master key index, the terminal equipment merchant number and the application master key in correspondence is specifically: and the terminal equipment calculates the application master key to obtain a terminal equipment application master key check value according to a master key preset key check algorithm, judges whether the terminal equipment application master key check value is consistent with the received server application master key check value, stores the application master key index, the terminal equipment merchant number and the application master key correspondingly if the terminal equipment application master key check value is consistent with the received server application master key check value, and finishes if the terminal equipment application master key check value is not consistent with the received server application master key check value.
6. The method according to claim 1, wherein the step 4 is specifically:
after the server uses the public key of the terminal equipment certificate to successfully sign the second signature result of the terminal equipment and verifies that the received hardware serial number of the terminal equipment is consistent with the hardware serial number of the terminal equipment in the terminal equipment certificate, the server generates a server key pair and a server random code, and the server key pair comprises: generating server second to-be-signed data by a server key pair public key and a server key pair private key according to a preset protection key index, the server random code, a server code and the server key pair public key, signing the server second to-be-signed data by using the preset server private key to obtain a server second signature result, and transmitting the server second to-be-signed data and the server second signature result to the terminal equipment;
the step 5 specifically comprises the following steps: the terminal equipment uses the public key of the server certificate to check the signature of the server second signature result successfully, generates a terminal equipment random code when judging that the server code in the server second data to be signed is consistent with the server code in the server certificate, generates an intermediate key according to a preset elliptic curve parameter value, the private key and the server key, generates a terminal equipment protection key according to the intermediate key, the server random code in the server second data to be signed, the terminal equipment random code, the terminal equipment hardware serial number and the server code, correspondingly stores the terminal equipment protection key according to a preset protection key index in the server second data to be signed, generates terminal equipment third data to be signed according to the terminal equipment hardware serial number, the terminal equipment merchant number, the terminal equipment random code and the terminal equipment terminal number, signs the terminal equipment third data to be signed by using the terminal equipment preset private key, and then obtains a terminal equipment third result, and sends the terminal equipment third result to the terminal equipment to be signed;
In the step 6, the server protection key is specifically generated according to the intermediate key, the hardware serial number of the terminal device and the server code: generating a server protection key according to the intermediate key, a server random code in the third data to be signed of the terminal equipment, the terminal equipment random code, the terminal equipment hardware serial number and the server code;
the step 6 further comprises the step of initiating the preset protection key cable to the terminal equipment;
the step 7 specifically comprises the following steps: and the terminal equipment searches the corresponding terminal equipment protection key according to the preset protection key index, decrypts the application master key ciphertext by using the found terminal equipment protection key to obtain an application master key, and correspondingly stores the application master key index, the terminal equipment merchant number and the application master key.
7. The method of claim 1, wherein the step 2 is preceded by verifying, by the server, whether the terminal device certificate is legal according to a preset root certificate, if yes, executing the step 2, and if no, reporting an error by the server;
the step 3 further includes:
and the terminal equipment judges whether the server certificate is legal or not according to a preset root certificate, if yes, the step 3 is executed, if not, the terminal equipment prompts errors and ends the operation.
8. The method of claim 1, wherein the forming the second data to be signed of the terminal device according to the first data to be signed, the terminal device hardware serial number, and the terminal device key pair public key in the step 3 is specifically:
and forming second data to be signed of the terminal equipment according to the server session identifier, the terminal equipment hardware serial number and the terminal equipment key pair public key in the first data to be signed.
9. The method of claim 1, wherein after step 7, the method further comprises:
step 8, the terminal equipment sends the terminal equipment merchant number, the terminal equipment terminal number and the batch number to the server;
step 9, after judging that the terminal equipment merchant number and the terminal equipment terminal number are legal, the server searches an application master key corresponding to the terminal equipment according to the terminal equipment merchant number and the terminal equipment terminal number, generates a transaction key according to the terminal equipment merchant number, the terminal equipment terminal number and the batch number, encrypts the transaction key by using the application master key to obtain a transaction key ciphertext, and sends the terminal equipment merchant number, the terminal equipment terminal number, the batch number and the transaction key ciphertext to the terminal equipment;
And step 10, after judging that the terminal equipment merchant number, the terminal equipment terminal number and the batch number are legal, the terminal equipment searches a corresponding application master key index according to the terminal equipment merchant number, finds a corresponding application master key in the terminal equipment according to the application master key index, decrypts the transaction key ciphertext by using the corresponding application master key to obtain the transaction key, and stores the transaction key in the terminal equipment.
10. The method according to claim 9, wherein the step 9 is specifically: after judging that the terminal equipment merchant number and the terminal equipment terminal number are legal, the server searches an application master key corresponding to the terminal equipment according to the terminal equipment merchant number and the terminal equipment terminal number, generates a transaction key according to the terminal equipment merchant number, the terminal equipment terminal number and the batch number, calculates a first transaction key check value, encrypts the transaction key by using the application master key to obtain a transaction key ciphertext, and sends the terminal equipment merchant number, the terminal equipment terminal number, the batch number, the transaction key ciphertext and the first transaction key check value to the terminal equipment;
In the step 10, the obtaining the transaction key, and storing the transaction key in the terminal device specifically includes: obtaining a transaction key, calculating a second transaction key check value, judging whether the first transaction key check value is consistent with the second transaction key check value, if so, storing the transaction key into the terminal equipment, and if not, prompting an error by the terminal equipment, and ending.
11. The method of claim 1, wherein the generating the first data to be signed according to the server session identifier and the terminal session identifier is specifically: and taking the splicing result of the server session identifier and the terminal session identifier as first data to be signed.
12. The method of claim 1, wherein,
the step 1 specifically comprises the following steps: the terminal equipment sends the terminal session identifier and the terminal equipment certificate to a server;
the step 2 specifically comprises the following steps: after verifying that the terminal equipment certificate is legal according to a preset root certificate, the server sends a server session identifier and a server certificate to the terminal equipment;
step 3, step 4 and step 5 are replaced with: after verifying that the server certificate is legal according to a preset root certificate, the terminal equipment calculates according to the server session identifier and the terminal session identifier to obtain a terminal verification session identifier, signs terminal equipment information by using a terminal equipment certificate private key in the terminal equipment certificate to obtain a terminal equipment signature result, and sends the terminal verification session identifier, the terminal equipment information and the terminal equipment signature result to the server;
The step 6 specifically comprises the following steps: the server generates a server verification session identifier according to the terminal session identifier and the server session identifier, verifies that the terminal verification session identifier is successful according to the server verification session identifier, then the server signs the terminal equipment signature result according to the terminal equipment information by using a terminal equipment certificate public key in the terminal equipment certificate, after the signature verification is successful, the server generates a protection key according to the terminal equipment information, the server generates an application master key, encrypts the application master key by using the protection key to obtain an application master key ciphertext, encrypts the protection key by using the terminal equipment certificate public key to obtain a server encryption result, signs spliced data of the server encryption result and the application master key ciphertext by using a preset server private key to obtain a server signature result, and sends the server encryption result, the server signature result and the application master key ciphertext to the terminal equipment;
the step 7 specifically comprises the following steps: and the terminal equipment uses a server public key in the server certificate to successfully check the server signature result according to the application master key ciphertext, uses the terminal equipment certificate private key to decrypt the server encryption result to obtain the protection key, and uses the protection key to decrypt the application master key ciphertext to obtain the application master key.
13. The method of claim 1, wherein,
the step 1 specifically comprises the following steps: the terminal equipment generates a terminal equipment random number and a key set, and sends the terminal equipment random number and the key set to a server;
the step 2 specifically comprises the following steps: the server sends a server random number generated by the server to the terminal equipment, sends a server encryption certificate and a server signature certificate in a format corresponding to an ECC algorithm identifier in the key suite to the terminal equipment, signs data obtained after the terminal equipment random number, the server random number and the server encryption certificate are spliced by using a preset server private key to obtain a server signature result, sends the server signature result to the terminal equipment, sends a terminal equipment certificate request instruction to the terminal equipment, and sends an end operation instruction to the terminal equipment;
the steps 3 to 7 are replaced with: the terminal equipment sends a terminal equipment certificate to the server, generates a protection key according to the server random number, the terminal equipment random number and the terminal equipment information, encrypts the protection key by using a public key of the server encryption certificate to generate a protection key ciphertext, sends the protection key ciphertext to the server, sends the terminal equipment random number, the key suite, the server signature certificate, the server signature result, the terminal equipment certificate request instruction, the end operation instruction, the terminal equipment certificate and the protection key ciphertext to obtain terminal equipment splicing data after splicing, carries out hash operation on the terminal equipment splicing data according to a verification algorithm in the key suite to obtain a terminal equipment hash value, signs the terminal equipment hash value by using a terminal equipment certificate private key according to a signature algorithm in the key suite to obtain a terminal equipment signature result, sends the terminal equipment signature result to the server, and sends an encryption operation prompting instruction to the server to generate a main key according to the server random number, the terminal equipment random number and the protection key.
14. A system for distributing keys between a server and a terminal device, characterized in that the system comprises a terminal device and a server, wherein,
the terminal device includes: the first generation and transmission module is used for generating a terminal session identifier, signing the terminal session identifier by using a terminal device preset private key to obtain a terminal device first signature result, and transmitting a terminal device certificate, the terminal session identifier and the terminal device first signature result to the server;
the judgment and signing verification module is used for judging that the server certificate is legal according to a preset root certificate and triggering the second generation and transmission module after the first signature result of the server is successfully signed by using a server certificate public key in the server certificate;
the second generating and sending module is configured to generate a terminal equipment key pair, form terminal equipment second to-be-signed data according to first to-be-signed data, a terminal equipment hardware serial number and a terminal equipment key pair public key, obtain a terminal equipment second signature result after signing the terminal equipment second to-be-signed data by using the terminal equipment preset private key, and send the terminal equipment hardware serial number, the terminal equipment key pair public key and the terminal equipment second signature result to a server;
The signature verification judging module is used for successfully verifying the second signature result of the server by using the public key of the server certificate, and triggering the third generation and transmission module when judging that the server code in the second data to be signed of the server is consistent with the server code in the server certificate;
the third generation and sending module is configured to generate an intermediate key according to a preset elliptic curve parameter value, a terminal equipment key pair private key and a server key pair public key, generate a terminal equipment protection key according to the intermediate key, the terminal equipment hardware serial number and the server code, store the terminal equipment protection key, generate terminal equipment third to-be-signed data according to the terminal equipment hardware serial number, the terminal equipment merchant number and the terminal equipment terminal number, use the terminal equipment preset private key to sign the terminal equipment third to-be-signed data to obtain a terminal equipment third signature result, and send the terminal equipment third to-be-signed data and the terminal equipment third signature result to the server;
the decryption storage module is used for decrypting the application master key ciphertext by using the stored terminal equipment protection key to obtain an application master key, and correspondingly storing an application master key index, the terminal equipment merchant number and the application master key;
The server includes: the first verification and approval module is used for verifying that the terminal equipment certificate is legal according to a preset root certificate and triggering a fourth generation and transmission module after the terminal equipment first signature result is successfully verified and signed by using a terminal equipment certificate public key in the terminal equipment certificate;
the fourth generation and transmission module is configured to generate a server session identifier, generate first data to be signed according to the server session identifier and the terminal session identifier, sign the first data to be signed by using a preset server private key, generate a server first signature result, and transmit the first data to be signed and the server first signature result to the terminal device;
the second verification and approval module is used for successfully verifying the second signature result of the terminal equipment by using the public key of the terminal equipment certificate, and triggering a fifth generation and transmission module after verifying that the received hardware serial number of the terminal equipment is consistent with the hardware serial number of the terminal equipment in the terminal equipment certificate;
the fifth generation and sending module is configured to generate a server key pair, generate the server second to-be-signed data according to the server code and the server key pair public key, obtain a server second signature result after signing the server second to-be-signed data by using the preset server private key, and send the server second to-be-signed data and the server second signature result to the terminal device;
The third verification and signature verification module is used for using the public key of the terminal equipment certificate to successfully verify the third signature result of the terminal equipment, and triggering a sixth generation and transmission module after verifying that the hardware serial number of the terminal equipment, the merchant number of the terminal equipment and the terminal number of the terminal equipment in the third data to be signed of the terminal equipment are legal;
the sixth generation and transmission module is configured to generate an intermediate key according to the preset elliptic curve parameter value, a server key pair private key and the terminal device key pair public key, generate a server protection key according to the intermediate key, the terminal device hardware serial number and the server code, generate an application master key according to the terminal device hardware serial number, the terminal device merchant number and the terminal device terminal number, store a preset application master key index in correspondence with the application master key, encrypt the application master key by using the server protection key to obtain an application master key ciphertext, and transmit the application master key index and the application master key ciphertext to the terminal device.
15. An apparatus for distributing keys between a server and a terminal device, the apparatus comprising at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to implement the method of any one of claims 1 to 13.
CN202311146028.1A 2023-09-07 2023-09-07 Method, system and equipment for distributing secret key between server and terminal equipment Active CN116886317B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311146028.1A CN116886317B (en) 2023-09-07 2023-09-07 Method, system and equipment for distributing secret key between server and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311146028.1A CN116886317B (en) 2023-09-07 2023-09-07 Method, system and equipment for distributing secret key between server and terminal equipment

Publications (2)

Publication Number Publication Date
CN116886317A CN116886317A (en) 2023-10-13
CN116886317B true CN116886317B (en) 2023-11-07

Family

ID=88272083

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311146028.1A Active CN116886317B (en) 2023-09-07 2023-09-07 Method, system and equipment for distributing secret key between server and terminal equipment

Country Status (1)

Country Link
CN (1) CN116886317B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716168A (en) * 2013-03-15 2014-04-09 福建联迪商用设备有限公司 Secret key management method and system
WO2014139344A1 (en) * 2013-03-15 2014-09-18 福建联迪商用设备有限公司 Key download method, management method, download management method and device, and system
CN107153778A (en) * 2017-03-24 2017-09-12 捷开通讯(深圳)有限公司 A kind of method and system for injecting key data
CN108513704A (en) * 2018-04-17 2018-09-07 福建联迪商用设备有限公司 The remote distribution method and its system of terminal master key
CN110048831A (en) * 2018-12-29 2019-07-23 中国银联股份有限公司 The distribution method and diostribution device of POS terminal master key
CN111884804A (en) * 2020-06-15 2020-11-03 上海祥承通讯技术有限公司 Remote key management method
CN112769574A (en) * 2020-12-28 2021-05-07 云从科技集团股份有限公司 Key injection method and system, key management system, device and machine readable medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103716168A (en) * 2013-03-15 2014-04-09 福建联迪商用设备有限公司 Secret key management method and system
WO2014139344A1 (en) * 2013-03-15 2014-09-18 福建联迪商用设备有限公司 Key download method, management method, download management method and device, and system
CN107153778A (en) * 2017-03-24 2017-09-12 捷开通讯(深圳)有限公司 A kind of method and system for injecting key data
CN108513704A (en) * 2018-04-17 2018-09-07 福建联迪商用设备有限公司 The remote distribution method and its system of terminal master key
CN110048831A (en) * 2018-12-29 2019-07-23 中国银联股份有限公司 The distribution method and diostribution device of POS terminal master key
CN111884804A (en) * 2020-06-15 2020-11-03 上海祥承通讯技术有限公司 Remote key management method
CN112769574A (en) * 2020-12-28 2021-05-07 云从科技集团股份有限公司 Key injection method and system, key management system, device and machine readable medium

Also Published As

Publication number Publication date
CN116886317A (en) 2023-10-13

Similar Documents

Publication Publication Date Title
US9847880B2 (en) Techniques for ensuring authentication and integrity of communications
CN103067401B (en) Method and system for key protection
CN107124274B (en) Digital signature method and device based on SM2
US8130961B2 (en) Method and system for client-server mutual authentication using event-based OTP
CN107743067B (en) Method, system, terminal and storage medium for issuing digital certificate
CN110943976B (en) Password-based user signature private key management method
CN109039657B (en) Key agreement method, device, terminal, storage medium and system
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN103095456A (en) Method and system for processing transaction messages
WO2020248686A1 (en) Secure signature implementation method and device
CN114692218A (en) Electronic signature method, equipment and system for individual user
CN113612852A (en) Communication method, device, equipment and storage medium based on vehicle-mounted terminal
CN109302286B (en) Fido equipment key index generation method
CN104883260B (en) Certificate information processing and verification method, processing terminal and authentication server
CN116886317B (en) Method, system and equipment for distributing secret key between server and terminal equipment
CN107343276B (en) Method and system for protecting SIM card locking data of terminal
JP5393594B2 (en) Efficient mutual authentication method, program, and apparatus
CN113792314A (en) Secure access method, device and system
CN109784032B (en) Test equipment verification method, test equipment, verification equipment and storage device
CN115776675A (en) Data transmission method and device for vehicle-road cooperation
CN112925535A (en) Method and device for installing embedded application of password chip
CN109104393B (en) Identity authentication method, device and system
CN114726539B (en) Trusted Cryptography Module (TCM) -based offline upgrading method
CN113612789B (en) Block chaining evidence storage method and device based on witness and shared public key
CN112995213B (en) Security authentication method and application device thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant