CN117375803A - Key derivation interface registration method, calling method, related equipment and storage medium - Google Patents
Key derivation interface registration method, calling method, related equipment and storage medium Download PDFInfo
- Publication number
- CN117375803A CN117375803A CN202311649183.5A CN202311649183A CN117375803A CN 117375803 A CN117375803 A CN 117375803A CN 202311649183 A CN202311649183 A CN 202311649183A CN 117375803 A CN117375803 A CN 117375803A
- Authority
- CN
- China
- Prior art keywords
- interface
- key
- key derivation
- huk
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000009795 derivation Methods 0.000 title claims abstract description 330
- 238000000034 method Methods 0.000 title claims abstract description 176
- 150000003839 salts Chemical class 0.000 claims description 66
- 230000008569 process Effects 0.000 claims description 19
- 238000004590 computer program Methods 0.000 claims description 6
- 238000004422 calculation algorithm Methods 0.000 description 37
- 230000004048 modification Effects 0.000 description 8
- 238000012986 modification Methods 0.000 description 8
- 230000008878 coupling Effects 0.000 description 5
- 238000010168 coupling process Methods 0.000 description 5
- 238000005859 coupling reaction Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 2
- 239000000243 solution Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/08—Randomization, e.g. dummy operations or using noise
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a key derivation interface registration method, a calling method, related equipment and a storage medium, which are applied to the technical field of computers.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a key derivation interface registration method, a call method, a related device, and a storage medium.
Background
The cryptographic application is a core support technology for ensuring the safety and credibility of an operating environment in the field of computers, computer equipment generates a key through various key derivation methods, and further encrypts/decrypts files or information by using the obtained key, so that the safe transmission of data is realized.
In the existing application, the key derivation method usually exists as a part of an upper program, wherein the upper program can be a main program with encryption/decryption requirements, and also can be a key management system, and a strong coupling relationship exists between the key derivation method and the upper program, so that when any key derivation method is updated or replaced by a new key derivation method, the upper program needs to be adjusted in a large range, the portability of the key derivation method is poor, and the popularization and application of the key derivation method are greatly limited.
Disclosure of Invention
In view of this, the present application aims to provide a key derivation interface registration method, a calling method, a related device, and a storage medium, where the key derivation method is associated with an upper layer program through a key derivation interface and a service interface pool, so as to greatly reduce the coupling degree between the key derivation method and a main program or a key management system, improve portability of the key derivation method, and facilitate popularization and application of the key derivation method.
In a first aspect, the present application provides a key derivation interface registration method, including: creating a service interface pool; encapsulating a corresponding key derivation interface for a key derivation module, wherein the key derivation interface is used for calling the key derivation module, and the key derivation module is used for generating a key; determining an interface index identifier corresponding to the key derivation interface, wherein the interface index identifier is used for indicating the key derivation interface; and recording the corresponding relation between the interface index identifier and the key derivation interface in the service interface pool so as to register the key derivation interface in the service interface pool.
In one possible implementation, the method is applied to a security chip supporting a trusted execution environment, wherein the trusted execution environment comprises a kernel state space; the creating a service interface pool includes: a service interface pool is created in the kernel mode space.
In a possible implementation manner, the kernel space comprises a cryptographic engine with a hardware unique key HUK access right, and the cryptographic engine is configured with a HUK key derivation module based on the HUK derived key, and the HUK uniquely corresponds to the security chip; the key derivation module includes the HUK key derivation module.
In one possible implementation, the trusted execution environment further includes a user-state space, the user-state space including a trusted application; the process of calling the key derivation module to generate the key comprises the following steps: a private key is generated based on a salt value provided by the trusted application, and a public key is generated based on the private key.
In one possible implementation manner, the generating a private key based on the salt value includes: using the HUK and the salt value, obtaining a HUK derivative subkey based on HMAC operation or symmetric key operation; and generating a private key based on the HUK derivative subkey.
In one possible implementation, generating a private key based on the HUK derivative subkey includes: judging whether the HUK derivative subkey reaches a preset key length or not; if the HUK derivative subkey does not reach the preset key length, expanding the HUK subkey according to the preset key length to obtain a private key; and if the HUK derivative subkey reaches the preset key length, determining the HUK derivative subkey as a private key.
In a possible implementation manner, the key derivation interface registration method provided in the first aspect of the present application further includes: creating a service interface of a target key derivation interface, wherein the target key derivation interface is any key derivation interface; and solidifying the interface index identification of the target key derivative interface in the interface parameters of the service interface so as to acquire the target key derivative interface through the service interface.
In a second aspect, the present application provides a key derivation interface calling method, including: acquiring a target interface index identifier and a preset service interface pool, wherein the service interface pool records the corresponding relation between at least one group of interface index identifiers and key derivation interfaces; determining a key derivation interface corresponding to the target interface index identifier in the service interface pool as a target key derivation interface; and calling the target key derivation interface to call a key derivation module corresponding to the target key derivation interface.
In a possible implementation manner, the obtaining the target interface index identifier includes: acquiring a target service interface, wherein the target service interface is used for acquiring the target key derivation interface; and extracting the index identifier of the target interface recorded in the target service interface.
In one possible implementation, the method is applied to a security chip supporting a trusted execution environment, wherein the trusted execution environment comprises a user-mode space and a kernel-mode space, and the kernel-mode space is configured with a plurality of service interfaces; the obtaining the target service interface includes: responding to a system call request initiated by a trusted application in the user state space, and acquiring target information for key derivation, wherein the target information comprises a key type; and determining the target service interface corresponding to the key type.
In one possible embodiment, the target information further includes a salt value; a process for invoking the key derivation module to generate a key, comprising: a private key is generated based on the salt value and a public key is generated based on the private key.
In one possible implementation, generating a private key based on the salt value includes: using a hardware unique key HUK of the security chip and the salt value, and obtaining a HUK derivative subkey based on HMAC operation or symmetric key operation, wherein the HUK is uniquely corresponding to the security chip; and generating a private key based on the HUK derivative subkey.
In a third aspect, the present application provides a security chip configured to perform the key derivation interface registration method according to any one of the first aspects of the present application, or to perform the key derivation interface invocation method according to any one of the second aspects of the present application.
In a fourth aspect, the present application provides a system on a chip comprising a security chip as described in the third aspect of the present application.
In a fifth aspect, the present application provides a computing device comprising a system on a chip as described in the fourth aspect of the present application.
In a sixth aspect, the present application provides a computer readable storage medium storing a computer program which when executed implements the key derivation interface registration method according to any one of the first aspects of the present application, or implements the key derivation interface invocation method according to any one of the second aspects of the present application.
Based on the above, in the key derivation interface registration method provided in the present application, firstly, a service interface pool is created and a corresponding key derivation interface is encapsulated for the key derivation method, further, an interface index identifier corresponding to the key derivation interface is determined, and a correspondence between the interface index identifier and the key derivation interface is recorded in the service interface pool, so that registration of the key derivation interface in the service interface pool is completed.
The method encapsulates the key derivation interfaces for the key derivation method, uniformly registers each key derivation interface through the service interface pool, and the upper layer application can call any key derivation interface through registration information recorded in the service interface pool, so as to execute the corresponding key derivation method.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a key derivation interface registration method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a service interface pool according to an embodiment of the present invention.
Fig. 3 is a flowchart of a key derivation interface calling method according to an embodiment of the present invention.
Fig. 4 is a schematic flow chart of a key derivation method according to an embodiment of the present invention.
Fig. 5 is a flow chart of another key derivation method according to an embodiment of the present invention.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
As mentioned above, cryptographic application is a core support technology for ensuring the security and credibility of an operating environment in the computer field, and the computer device generates a key through various key derivation methods and further encrypts/decrypts a file or information by using the obtained key, thereby realizing the secure transmission of data.
The key derivation method generally provides a key derivation service for an upper layer application, where the upper layer program may be a main program with encryption/decryption requirements, such as an application program of a banking system, an application program with an online payment function, and the like, and of course, the upper layer program may also be a key management system in a computer device, which is used separately to implement key management.
In the existing application, a strong coupling relation exists between the key derivation method and the upper program, the key derivation method usually exists as a part of the upper program, when any key derivation method is updated or replaces a new key derivation method, the upper program needs to be adjusted in a large scale, a large amount of manpower and material resources are consumed, portability of the key derivation method is poor, and popularization and application of the key derivation method are greatly limited.
In order to solve the above problems, the present application provides a key derivation interface registration method, which is applied to a security chip, and the method firstly creates a service interface pool and encapsulates a corresponding key derivation interface for the key derivation method, then determines an interface index identifier corresponding to the key derivation interface, and records a correspondence between the interface index identifier and the key derivation interface in the service interface pool, thereby completing registration of the key derivation interface in the service interface pool. The method encapsulates the key derivation interfaces for the key derivation method, uniformly registers each key derivation interface through the service interface pool, and the upper layer application can call any key derivation interface through registration information recorded in the service interface pool, so as to execute the corresponding key derivation method.
Based on the above, the key derivation interface registration method provided in the present application includes the following steps as shown in fig. 1.
S100, creating a service interface pool.
Firstly, a service interface pool is created, the service interface pool is mainly used for recording the corresponding relation between interface index identifiers and key derivation interfaces which are described in subsequent contents, meanwhile, in the key derivation process, the service interface pool can also be used for key derivation services, and the key derivation services realized based on the service interface pool are specifically developed in the subsequent contents and are not described in detail herein.
In practical applications, the service interface pool has a plurality of specific implementation manners, for example, the service interface pool may be in a form of a set or an array, and of course, other forms may also be adopted, which are not listed here, and all the implementation manners of the service interface pool fall within the scope of protection of the present invention under the condition that the scope of the core concept of the present invention is not exceeded.
In an alternative embodiment, the secure chip supports a trusted execution environment, and the trusted execution environment includes a user state space and a kernel state space, and a trusted application is configured in the user state space, where the trusted application mainly refers to an application with a key use requirement. Under the condition, the service interface pool can be created in the kernel-state space of the trusted execution environment, the feasible execution environment and the high security of the kernel-state space are fully utilized, the access limit of the service interface pool is improved, and the security of the service interface pool is further improved.
S110, packaging a corresponding key derivation interface for the key derivation module.
The key derivation module mentioned in this step is used for generating a key and is mainly used for deriving an asymmetric key, and of course, in practical application, the key derivation module used for generating a symmetric key may also be included. It should be noted that, the key derivation module in the present invention is essentially a key derivation method for generating a key, and different steps in the corresponding key derivation method can be executed by calling the key derivation module until the key is generated. For a specific implementation procedure of the key derivation method corresponding to the key derivation module, the following embodiment of the present invention will be described in detail, which will not be described in detail herein.
The trusted execution environment kernel encapsulates a corresponding key derivation interface for the key derivation module, and the corresponding key derivation module can be called through the key derivation interface. It can be understood that, for the upper layer application, when obtaining the key derivation service, only the key derivation interface is visible, the upper layer application does not need to know the specific implementation process of the key derivation module, and only needs to initiate a call to the key derivation interface according to the call rule of the key derivation interface, so that the key provided by the corresponding key derivation module can be obtained, which not only can simplify the process of obtaining the key by the upper layer application, but also can enable decoupling between the key derivation module and the upper layer application. In practical application, the specific implementation mode and the calling mode of the key derivation interface can be realized by referring to the technology, and the invention is not limited to the specific implementation mode and the calling mode.
In one possible implementation manner, the kernel mode space of the trusted execution environment includes a cryptographic engine with access rights of a HUK (Hardware Unique Key ), and the HUK is uniquely corresponding to the security chip, and the cryptographic engine is configured with a HUK key derivation module based on a HUK derivation key, and the key derivation module described in this embodiment also includes the HUK key derivation module, through which a private key can be generated based on a salt value provided by the foregoing trusted application, and a public key is generated based on the private key, and for a specific implementation procedure of the HUK key derivation module, which will be described in detail herein below, will be expanded.
S120, determining an interface index identifier corresponding to the key derivation interface.
The interface index corresponding to the key derivation interface is predefined through enumeration variables, the key derivation interface and the interface index are in one-to-one correspondence, in practical application, the name of the interface index can be defined according to the requirement, namely, the interface index identification of the interface index is determined, and the corresponding key derivation interface is indicated through the interface index identification.
It can be understood that a naming rule of the interface index identifier can be defined in practical application, and the interface index identifier of the interface index corresponding to each key derivative interface is defined according to the naming rule, so that not only can naming of the interface index identifier be standardized, but also the interface index identifier and management of the key derivative interface can be simplified, and the key derivative interface can be conveniently called in a subsequent process.
S130, recording the corresponding relation between the interface index identification and the key derivation interface in the service interface pool so as to register the key derivation interface in the service interface pool.
As described above, the key derivation interfaces and the interface indexes are in one-to-one correspondence, and the key derivation interfaces and the interface index identifiers are also in one-to-one correspondence under the condition that the interface index identifiers are unique, and based on the one-to-one correspondence, the corresponding relationship between the interface index identifiers and the key derivation interfaces is recorded in the service interface pool, that is, the registration of the key derivation interfaces in the service interface pool is completed.
As shown in fig. 2, the service interface pool includes at least one set of correspondence between interface index identifiers and key derivation interfaces, for example, interface index identifier huk_kdf_001 corresponds to a key derivation interface corresponding to a 001 key derivation module, and interface index identifier huk_kdf_002 corresponds to a key derivation interface corresponding to a 002 key derivation module. As previously mentioned, there are other alternative implementations of the service interface pool, which are not listed here.
In summary, the key derivation interface registration method provided in the embodiment of the present application encapsulates the key derivation interfaces for the key derivation module, and uniformly registers each key derivation interface through the service interface pool, so that the upper layer application may call any key derivation interface through the registration information recorded in the service interface pool, and further execute the corresponding key derivation module, so that the specific implementation of the key derivation module is invisible for the upper layer program, that is, the decoupling between the key derivation module and the upper layer program is implemented, the key derivation module makes any modification, and even does not need any adjustment for the upper layer program under the condition that the call relationship of the interfaces is not changed, thereby effectively improving the portability of the key derivation module, and being beneficial to popularization and application of the key derivation module.
Furthermore, by the key derivation interface registration method provided by the embodiment of the application, the user can package the key derivation interfaces for different key derivation modules, and provide the key derivation service for the upper-layer application by registering the key derivation interfaces. Even for the key derivation module depending on the hardware device driver, the registration can be completed by the registration method provided by the embodiment, the cryptographic engine used on each hardware platform may be different, the engine driver is different naturally, the unified access format can be provided for different hardware platforms by the key derivation interface registration method provided by the embodiment, the hardware difference of the lower layer can be shielded for the upper layer program, and the portability of the code between different hardware platforms is improved.
In an optional implementation manner, the method may further create a service interface of the target key derivation interface, where the target key derivation interface in this embodiment is any key derivation interface in the service interface pool, and the interface index identifier of the target key derivation interface is solidified in the interface parameter of the service interface, and the target key derivation interface can be obtained through the service interface. For the specific application of the service interface, the key derivation interface calling method provided in the subsequent embodiments will be developed, which will not be described in detail herein.
The above embodiment provides a method for registering key derivation interfaces, and performs unified registration on each key derivation interface through a service interface pool, which can be understood that, on the basis of the above content, the purpose of providing the service interface pool is also to facilitate the call of the key derivation interfaces, and better provide key derivation services for application programs. Based on this, the embodiment of the present application provides a key derivation interface calling method, and with reference to fig. 3, the flow of the key derivation interface calling method provided in this embodiment may include the following steps.
S200, acquiring a target interface index identifier and a preset service interface pool.
The service interface pool records the corresponding relation between at least one group of interface index identifiers and key derivation interfaces, and the specific creation process of the service interface pool can refer to the foregoing embodiments and will not be repeated here.
There are many implementations for obtaining the index identifier of the target interface.
In one possible implementation manner, a key derivation instruction sent by an application program may be obtained, where the instruction may carry an interface index identifier of a key derivation interface that needs to be called, that is, a target interface index identifier.
In another possible implementation manner, the secure chip supports a trusted execution environment, where the trusted execution environment includes a user-mode space and a kernel-mode space, the service interfaces are configured in the kernel-mode space, and in order to meet different key derivation requirements, there are usually multiple service interfaces, each service interface corresponds to different key derivation services, and key types output by each key derivation service are different, so that a one-to-one correspondence relationship between the service interfaces and the key types is realized. Under the premise, the trusted application running in the user state space can request the key derivation service through a system call mode, namely, the trusted application in the user state space initiates a system call request, the trusted execution environment kernel responds to the system call request and processes the system call request through a corresponding system call interface, specifically, the system call interface can acquire target information for key derivation, the target information comprises a key type, and further according to the corresponding relation between the key type and a service interface, the service interface corresponding to the key type included in the target information can be determined, namely, the target service interface is determined.
Further, the interface index identifier of the target key derivative interface is solidified in the interface parameters of the target service interface, and after the target service interface is determined, the target interface index identifier recorded in the target service interface can be extracted.
S210, determining a key derivation interface corresponding to the target interface index identifier in the service interface pool as a target key derivation interface.
As described above, the service interface pool records the correspondence between at least one group of interface index identifiers and key derivative interfaces, and after determining the target interface index identifier, the key derivative interface corresponding to the target interface index identifier, that is, the target key derivative interface, can be determined by querying the information recorded in the service interface pool.
S220, calling a target key derivation interface to call a key derivation module corresponding to the target key derivation interface.
The security chip calls the target key derivation interface through the target service interface, and then calls the key derivation module corresponding to the target key derivation interface, and executes each step of the key derivation method corresponding to the key derivation module, so as to complete the key derivation.
In summary, on the basis of creating a service interface pool according to the method provided in the embodiment shown in fig. 1, encapsulating a key derivation interface for a key derivation module, and registering the key derivation interface in the service interface pool, the embodiment provides a method for calling the key derivation interface, after obtaining the index identifier of the target interface, determining the target key derivation interface based on the preset service interface pool, and executing a corresponding key derivation module by calling the key derivation interface, thereby finally completing key derivation. According to the key derivation interface calling method, decoupling between the key derivation module and the upper program is achieved based on the service interface pool and the key derivation interface index, the key derivation module makes any modification, and even no adjustment is made to the upper program under the condition that the interface calling relation is not changed, portability of the key derivation module is effectively improved, and popularization and application of the key derivation module are facilitated.
Based on the above, the present application provides a key derivation interface registration method and a key derivation interface calling method, which can both implement decoupling between a key derivation method of a bottom layer and an upper layer application, and modification or replacement of any key derivation method will not bring any influence to the upper layer application. The inventor further researches and discovers that although various key derivation methods exist in the prior art, the existing key derivation methods generally randomly generate keys in the application process, namely, keys provided in the key derivation processes are different from each other, so that the derivation requirement of using the same key in practical application is difficult to meet.
In order to solve the problem, the present application provides a key derivation method (corresponding to the key derivation module described in the foregoing embodiment) applied to a security chip, where a trusted execution environment kernel in the security chip responds to a system call request initiated by a trusted application to obtain target information for key derivation, where the target information includes a salt value and a key type, determines a target service interface corresponding to the key type in each service interface, and invokes the target service interface, and further generates a private key based on the obtained salt value and generates a public key based on the private key. Furthermore, under the condition that the key needs to be replaced, the derivative of different keys can be realized by only updating the salt value, so that the method is convenient and quick.
As described above, the key derivation method provided in the embodiment of the present application is applied to a security chip, where a trusted execution environment is supported in the security chip, where the trusted execution environment includes a user state space and a kernel state space, where a trusted application is running in the user state space, and where the kernel state space is configured with a plurality of service interfaces for providing a key derivation service, and based on this, the key derivation method provided in the embodiment may include the following steps as shown in fig. 4.
S300, responding to a system call request initiated by a trusted application in the user state space, and acquiring target information for key derivation.
The trusted application in the user mode space has the key use requirement, but because the trusted application in the user mode space cannot directly access the kernel mode space, the trusted application needs to acquire the key derivation service in a system call mode.
In order to facilitate the trusted application to initiate a system call request, the embodiment provides a key generation interface, wherein the key generation interface is configured in a user state space, and when the trusted application needs to acquire a key, the system call request can be triggered by directly calling the key generation interface. Of course, when the trusted application invokes the key generation interface, the target information for key derivation needs to be written into the interface parameter of the key generation interface, in one possible manner, the target information written into the key generation interface by the trusted application is recorded in a preset storage space, and in a subsequent step, the security chip can access the preset storage space, so as to obtain the corresponding target information.
In the key derivation method provided in the embodiment of the present application, the foregoing target information includes at least a salt value and a key type, and on this basis, parameters such as a salt value length, a preset key length, a key structure supported by a trusted execution environment, and the like may also be included, however, according to different specific key derivation algorithms, other parameters, such as curves required by an ECC (Elliptic Curve Cryptography ) algorithm, and the like, and in practical application, specific contents of other parameters may be determined in combination with calculation requirements of a specific key algorithm, which is not listed here one by one.
The method comprises the steps that a salt value length is used for specifying the length of a salt value, in practical application, a trusted execution environment kernel determines an address range for storing the salt value according to the salt value length, namely, the stored salt value is acquired in a space range corresponding to the salt value length from a start address of a storage space for storing the salt value, a preset key length is used for specifying the length of a derived key, and in practical application, the specific value of the preset key length can be determined by combining with practical encryption requirements such as importance degree of data to be encrypted, equipment calculation force and the like, and the method is not limited. Furthermore, the key structure supported by the trusted execution environment can be used for storing part of parameters in the target information, meanwhile, the key output by the key derivation algorithm can be stored in the key structure supported by the trusted execution environment, and for parameters which cannot be stored in the key structure, the parameters are transmitted as other parameters.
In one possible implementation manner, the Tomcrypto algorithm library in the related art provides a key generation interface tee_generator, and this embodiment adds two parameters, namely a salt value and a salt value length, on the basis of the key generation interface tee_generator, so that the setting can not only avoid a newly increased amount of interface codes, but also simplify the overall implementation process of the key derivation algorithm. It should be noted that, in practical applications, the key structure supported by the trusted execution environment is generally different from the key structure supported by the Tomcrypto algorithm library, so that the key structure supported by the Tomcrypto algorithm library needs to be initialized by the information recorded in the key structure supported by the trusted execution environment, that is, the information recorded in the former is stored in the latter, and then the subsequent key derivation step can be performed based on the Tomcrypto algorithm library.
Along the previous examples, the Tomcrypto algorithm library provides key derivation frameworks for different asymmetric key derivation methods, respectively, which do not completely agree on the required target information, but all contain the key structure supported by the Tomcrypto algorithm library, PRNG (Pseudo Random Generator, pseudo-random number generator) descriptor index, and PRNG states. The role of the key structure supported by the Tomcrypto algorithm library is explained in the foregoing, and will not be repeated here. In the related art, the parameter value of the PRNG state is usually set to a null value, which means that this parameter does not participate in a specific key derivation process, and therefore, in the key derivation method provided by the embodiment of the present invention, the salt value is transferred through the parameter of the PRNG state, that is, the salt value is used as the parameter value of the PRNG state, and the trusted application only needs to assign the salt value to the parameter of the PRNG state when the key generation interface implemented based on tee_genekey is called. The specific role of the PRNG descriptor index will be expanded in the following and will not be described in detail here.
The method for obtaining other parameter values in the target information not illustrated in the above description may be implemented by referring to the related art, and will not be described in detail herein.
S310, determining a target service interface corresponding to the key type.
The kernel mode space of the trusted execution environment is configured with a plurality of service interfaces for providing key derivation services, each service interface provides keys with different key types, and after the key types in the target information are extracted, the target service interface corresponding to the key types is determined in the plurality of service interfaces.
In one possible implementation, a system call interface may be configured in kernel mode space, and the foregoing system call request is processed through the system call interface, and the corresponding target service interface is determined according to the key type in the target information.
S330, calling the target service interface to generate a private key based on the salt value and generate a public key based on the private key.
In the key derivation algorithm provided in the embodiment of the present application, the service interface belongs to an upper layer interface, and is mainly used to implement decoupling between the bottom layer key derivation method and the upper layer application, so that the target service interface is called, rather than directly calling the key derivation algorithm, the lower layer key derivation interface needs to be further called through the target service interface, so that the corresponding key derivation method is finally executed, that is, the private key is generated based on the salt value and the public key is generated based on the private key.
According to the key derivation interface registration method and the key derivation interface calling method provided by the foregoing embodiments, the target interface index identifier is recorded in the target service interface, when the target service interface is called, the target interface index identifier in the target service interface is first extracted, a preset service interface pool is obtained, according to the foregoing, a corresponding relationship between at least one group of interface index identifiers and the key derivation interface is recorded in the service interface pool, the service interface pool is traversed, and then the target key derivation interface corresponding to the target interface index identifier can be determined in at least one key derivation interface recorded in the service interface pool, and the target key derivation interface is called, so that the private key can be generated based on the salt value and the public key can be generated based on the private key. For a specific implementation procedure of calling the target service interface to execute the corresponding key derivation method, the key derivation interface calling method provided by the embodiment shown in fig. 3 may be referred to, and will not be repeated herein.
The following describes a specific implementation procedure for outputting an asymmetric key pair.
The HUK is uniquely corresponding to the security chip, can uniquely characterize the security chip, in practical application, the HUK is stored in an independent storage space, only the password engine and the security chip generally have access rights, and the HUK has an important role in improving the security of the secret key, based on the HUK and the salt value of the security chip, HUK derivative subsecret keys can be obtained based on HMAC (Hash-based Message Authentication Code, message authentication code based on a Hash algorithm) operation or symmetric key operation.
As mentioned above, the crypto engine has access rights to the HUK, based on which, in one possible implementation, the embodiment of the present application provides a preset HUK key derivation interface, the upper layer program invokes the HUK key derivation interface, and sends the salt value to the crypto engine through the interface, the crypto engine uses the HUK and the salt value to obtain the HUK derivative subkey based on HMAC operation or symmetric key operation, and feeds back the HUK derivative subkey obtained by calculation to the security chip. It should be noted that, the above-mentioned generation process of the HUK derivative subkey implemented by the crypto engine may be implemented by the above-mentioned security chip also having HUK access rights, and it is also within the scope of the present invention under the premise of not exceeding the scope of the core idea of the present invention. The specific operation procedures of the HMAC operation and the symmetric key operation can be implemented with reference to the related art, which is not limited in the present invention.
In the Tomcrypto algorithm library, PRNGs are essentially a set of random number operation interfaces, each PRNG corresponding to a PRNG descriptor index from which the PRNG corresponding to can be uniquely determined. The Tomcrypto algorithm library maintains all PRNG descriptor indexes in the algorithm library via a descriptor table.
In one possible implementation manner, in order to implement the key derivation service and reduce the coupling degree between the code of the newly added key derivation method and the related code in the Tomcrypto algorithm library, this embodiment creates a pseudo-random number generator for the HUK subkey derivation method, and adds the PRNG descriptor index corresponding to the pseudo-random number generator to the descriptor table. In actual use, the PRNG corresponding to the HUK derived subkey provided in the present application may be called by referring to the calling modes of other PRNGs in the Tomcrypto algorithm library.
In practical application, since the length of the operation result output by HMAC operation or symmetric key operation is often fixed, after obtaining the HUK derivative subkey, it needs to determine whether the HUK derivative subkey reaches the preset key length in the target information, if the derivative subkey does not reach the preset key length, the HUK derivative subkey is expanded according to the preset key length, for example, an HKDF (HMAC-based KDF (Key Derivation Function), an HMAC-based key derivation function) algorithm may be used to expand the HUK derivative subkey, and the final expansion result is used as a private key; conversely, if the obtained HUK derivative subkey reaches the preset key length, the HUK derivative subkey is determined to be the private key.
For a specific implementation process of generating the public key based on the private key, the method can be implemented by referring to related technologies, and the specific process of generating the public key is not limited by the method. It can be understood that, since the private key generated by the key derivation method provided in this embodiment is controllable, that is, the private key obtained under the condition of unchanged salt value is unchanged, and the private key is also changed under the condition of changed salt value, the public key generated based on the private key is also controllable, so as to ensure that the finally obtained asymmetric key pair meets the key derivation requirement in practical application.
As described above, the key structure supported by the Tomcrypto algorithm library is different from the key structure supported by the trusted execution environment, and when the asymmetric key pair is obtained by combining the key derivation method and the Tomcrypto algorithm library provided in this embodiment, the private key and the public key in the asymmetric key pair need to be further stored in the key structure matched with the trusted execution environment, so that the application in the trusted execution environment calls the obtained private key and public key, and of course, the obtained private key and public key need to be further fed back to the trusted application for encryption/decryption by the trusted application.
It may be understood that parameters such as a salt value required by key derivation by the target key derivation interface described in this embodiment may be obtained through a key generation interface tee_genekey in the Tomcrypto algorithm library, so as to implement association between the target key derivation interface provided in this embodiment and the key generation interface tee_genekey, create a target service interface for the target key derivation interface by using the key derivation interface registration method provided in the foregoing embodiment, further match the target service interface with the key generation interface tee_genekey, that is, the target service interface may be called by the key generation interface tee_genekey, and when the key generation interface tee_genekey is called by the trusted application, the target key derivation method indicated by the target service interface may be called by the target service interface associated therewith, which is equivalent to expanding the function of the key generation interface tee_genekey, so that the key generation interface tee_genekey may provide an asymmetric key pair service derivation for the trusted application, and not only satisfy the requirements of the trusted application, but also may avoid the manpower cost of redesign of the key generation interface tee_genekey.
In summary, the key derivation algorithm provided in this embodiment encapsulates the key derivation interfaces for the key derivation method, and uniformly registers each key derivation interface through the service interface pool, so that the upper layer application may call any key derivation interface through the registration information recorded in the service interface pool, and further execute the corresponding key derivation method, so that the specific implementation of the key derivation method is invisible for the upper layer program, that is, the decoupling between the key derivation method and the upper layer program is implemented, any modification is made to the key derivation method, and even no adjustment is made to the upper layer program under the condition that the call relationship of the interfaces is not changed, so that portability of the key derivation method is effectively improved, and popularization and application of the key derivation method are facilitated.
Furthermore, in the key derivation algorithm provided in the embodiment of the present application, the private key of the asymmetric key pair is obtained based on the HUK and the salt value, and under the condition that the salt value is unchanged, only one HUK is needed to flexibly adapt to the key requirements under a huge amount of application scenes, so that the system overhead of the key in the aspects of security injection, storage and the like is reduced. And HUK and security chip unique correspondence, use HUK to generate the secret key means that secret key and the security chip that HUK belonged to bind, adopt the asymmetric secret key pair that this method provided to encrypt data, leave the security chip that HUK belonged to and just can never decrypt, can show the security that improves data.
Still further, the key derivation algorithm provided by the embodiment of the present application is implemented on the basis of the existing key derivation framework in the Tomcrypto algorithm library, the public key may be generated by using the public key calculation method in the Tomcrypto algorithm library, and the obtained asymmetric key pair is subjected to corresponding compliance detection, and only a small number of codes need to be changed, so that the design cost of the method in the practical application process may be reduced, and meanwhile, the derived asymmetric key pair may be ensured to be available in compliance.
On the basis of the embodiment shown in fig. 4, the embodiment of the application provides another key derivation method, and as shown in fig. 5, the key derivation method provided in the embodiment of the application includes the following steps.
S400, acquiring interface parameters of the key generation interface.
In a possible implementation, S400 may be implemented with reference to the relevant content of S300 in the embodiment shown in fig. 3, which will not be repeated here.
S410, judging whether the interface parameters comprise salt values, if so, executing S420, and if not, executing S460.
As described above, the trusted application invokes the key generation interface to trigger a system invocation request, which ultimately triggers the generation of the asymmetric key pair, and at the same time, the trusted application also passes in the corresponding interface parameters when invoking the key generation interface. On this basis, the key derivation method provided in this embodiment determines whether the interface parameter includes a salt value, if the obtained interface parameter includes a salt value, S420 is executed, and if the obtained interface parameter does not include a salt value, S460 is executed.
Under the condition that the key generation interface is realized based on a TEE_Generator Key interface in a Tomcrypto algorithm library, a trusted application can be transmitted into an array when the TEE_Generator Key interface is called, each array element corresponds to an interface parameter, each interface parameter has an attribute identifier to represent the type of the interface parameter, and meanwhile, the memory address information where a salt value is located can be recorded through the interface parameter. In this step, the system call interface checks whether the interface parameter includes a salt value, if the salt value is extracted, it is determined that the key service required by the trusted application is to generate an asymmetric key pair, and S420 is continued, otherwise, if not, it is determined that the key service required by the trusted application is to generate a random key pair, and further S460 is required.
In one possible implementation manner, before judging whether the interface parameter includes the salt value, whether the interface parameter input by the trusted application has problems of lack, repetition, redundancy, compliance of the length of the parameter and the like can be checked according to the key algorithm description table. As described above, the interface parameters include key types, and the key derivation method used for generating the key of the key type can be determined according to the key types, based on this, a corresponding key algorithm description table can be configured for each key derivation method, the interface parameters required for the operation of the corresponding key derivation method are recorded through the key algorithm description table, after the interface parameters are obtained, by querying the key algorithm description table of the key derivation method corresponding to the key type in the interface parameters, whether each parameter in the interface parameters meets the requirements or not and whether the information deficiency, redundancy and other problems occur or not can be determined.
Furthermore, when the interface parameters are checked based on the key algorithm description table, the salt value belongs to the newly added parameters of the method, so that the salt value can not be checked, the key algorithm description table is prevented from being changed, the change of the original code is reduced, and the code coupling degree is reduced.
S420, obtaining target information for key derivation.
It will be appreciated that the target information for key derivation is derived from the interface parameters of the key generation interface, and the target information required for different key derivation methods may be different, so that the target information required for the key derivation method provided in the embodiment of the present application may be implemented with reference to the relevant content of S300 in the embodiment shown in fig. 4, which is not repeated herein.
S430, expanding the length of the salt value to obtain an expanded salt value.
The main effect of expanding the length of the salt value is two, namely, the salt value can carry more information, and the collision probability of a key generated based on the salt value can be reduced.
In this embodiment, the extended salt value includes a random field and an appointed field, where the random field is used to store an initial salt value, that is, a salt value transmitted through an interface parameter, and the random field can reduce collision probability of a key, and the appointed field is used to store extension information, where in practical application, the extension information is used to describe information such as a key type and a key usage, so as to meet key derivation requirements under different scenarios. In one possible implementation, the specified field may employ a UUID (Universally Unique Identifier, universal unique identifier) and a key type of the trusted application, and of course, the specified field may also increase information such as component identification of the initiating request, confidential computing environment security state identification, and the like, thereby increasing the difficulty of generating key collisions between different components and between different security states.
S440, determining a target service interface corresponding to the key type.
In an alternative implementation, S440 may be implemented with reference to the relevant content of S310 in the embodiment shown in fig. 3, which will not be repeated here.
S450, calling the target service interface to generate a private key based on the salt value and generate a public key based on the private key.
In an alternative implementation, S450 may be implemented with reference to the relevant content of S320 in the embodiment shown in fig. 3, which will not be repeated here.
S460, executing a preset random key generation method.
If it is determined in S410 that the salt value is not included in the interface parameters of the key generation interface, the step is performed, a preset random key generation method is performed, and the random key is fed back for the trusted application. As for the specific implementation procedure of the random key generation method, it can be implemented with reference to the related art, which is not limited in the present invention.
In summary, on the basis of the foregoing embodiment, after the key derivation algorithm provided in this embodiment obtains the interface parameter of the key generation interface, it is determined whether the interface parameter includes a salt value, so as to determine the key usage requirement of the trusted application.
Further, the salt value used for generating the secret key is expanded, so that the salt value can carry more information, and meanwhile, the collision probability of the obtained secret key is reduced, and the secret key security is improved.
The present application also provides a secure chip configured to perform the key derivation interface registration method provided in the above embodiment, or perform the key derivation interface calling method provided in the above embodiment, or perform the key derivation method provided in the above embodiment.
The application also provides a system on a chip, which comprises the security chip provided by any embodiment.
The application also provides a computing device comprising the system-on-chip provided by the embodiment.
In some embodiments, the present embodiment further provides a computer readable storage medium, such as a floppy disk, an optical disk, a hard disk, a flash memory, a usb disk, an SD (Secure Digital Memory Card, secure digital Card) Card, an MMC (Multimedia Card) Card, or the like, in which one or more instructions for implementing the foregoing steps are stored, where the one or more instructions are executed by one or more processors, and cause the processors to perform the key derivation interface registration method, the key derivation interface invoking method, or the key derivation method described above. For a related implementation, refer to the foregoing description, which is not repeated herein.
In addition to the methods and apparatus described above, embodiments of the present application may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of the key derivation interface registration method, or the key derivation interface invocation method, or the key derivation method described in the above description of the various embodiments of the present application.
The computer program product may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Those skilled in the art will appreciate that various modifications and improvements can be made to the disclosure. For example, the various devices or components described above may be implemented in hardware, or may be implemented in software, firmware, or a combination of some or all of the three.
Further, while the present disclosure makes various references to certain elements in a system according to embodiments of the present disclosure, any number of different elements may be used and run on a client and/or server. The units are merely illustrative and different aspects of the systems and methods may use different units.
A flowchart is used in this disclosure to describe the steps of a method according to an embodiment of the present disclosure. It should be understood that the steps that follow or before do not have to be performed in exact order. Rather, the various steps may be processed in reverse order or simultaneously. Also, other operations may be added to these processes.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the methods described above may be performed by a computer program that instructs associated hardware, and that the program may be stored on a computer readable storage medium, such as a read only memory, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiment may be implemented in the form of hardware, or may be implemented in the form of a software functional module. The present disclosure is not limited to any specific form of combination of hardware and software.
Unless defined otherwise, all terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure pertains. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The foregoing is illustrative of the present disclosure and is not to be construed as limiting thereof. Although a few exemplary embodiments of this disclosure have been described, those skilled in the art will readily appreciate that many modifications are possible in the exemplary embodiments without materially departing from the novel teachings and advantages of this disclosure. Accordingly, all such modifications are intended to be included within the scope of this disclosure as defined in the claims. It is to be understood that the foregoing is illustrative of the present disclosure and is not to be construed as limited to the specific embodiments disclosed, and that modifications to the disclosed embodiments, as well as other embodiments, are intended to be included within the scope of the appended claims. The disclosure is defined by the claims and their equivalents.
Claims (16)
1. A key derivation interface registration method, comprising:
Creating a service interface pool;
encapsulating a corresponding key derivation interface for a key derivation module, wherein the key derivation interface is used for calling the key derivation module, and the key derivation module is used for generating a key;
determining an interface index identifier corresponding to the key derivation interface, wherein the interface index identifier is used for indicating the key derivation interface;
and recording the corresponding relation between the interface index identifier and the key derivation interface in the service interface pool so as to register the key derivation interface in the service interface pool.
2. The key derivation interface registration method of claim 1, applied to a security chip that supports a trusted execution environment that includes a kernel-state space;
the creating a service interface pool includes:
a service interface pool is created in the kernel mode space.
3. The key derivation interface registration method of claim 2, wherein the kernel-mode space comprises a cryptographic engine with hardware unique key, HUK, access rights, the cryptographic engine configured with a HUK key derivation module based on the HUK derivation key, the HUK uniquely corresponding to the security chip;
The key derivation module includes the HUK key derivation module.
4. The key derivation interface registration method of claim 3, wherein the trusted execution environment further comprises a user-state space that comprises a trusted application;
the process of calling the key derivation module to generate the key comprises the following steps:
a private key is generated based on a salt value provided by the trusted application, and a public key is generated based on the private key.
5. The key derivation interface registration method of claim 4, wherein the generating a private key based on a salt value comprises:
using the HUK and the salt value, obtaining a HUK derivative subkey based on HMAC operation or symmetric key operation;
and generating a private key based on the HUK derivative subkey.
6. The key derivation interface registration method of claim 5, wherein generating a private key based on the HUK derivation subkey comprises:
judging whether the HUK derivative subkey reaches a preset key length or not;
if the HUK derivative subkey does not reach the preset key length, expanding the HUK subkey according to the preset key length to obtain a private key;
and if the HUK derivative subkey reaches the preset key length, determining the HUK derivative subkey as a private key.
7. The key derivation interface registration method of any one of claims 1 to 6, further comprising:
creating a service interface of a target key derivation interface, wherein the target key derivation interface is any key derivation interface;
and solidifying the interface index identification of the target key derivative interface in the interface parameters of the service interface so as to acquire the target key derivative interface through the service interface.
8. A key derivation interface invoking method, comprising:
acquiring a target interface index identifier and a preset service interface pool, wherein the service interface pool records the corresponding relation between at least one group of interface index identifiers and key derivation interfaces;
determining a key derivation interface corresponding to the target interface index identifier in the service interface pool as a target key derivation interface;
and calling the target key derivation interface to call a key derivation module corresponding to the target key derivation interface.
9. The key derivation interface invocation method of claim 8, wherein the obtaining the destination interface index identifier comprises:
acquiring a target service interface, wherein the target service interface is used for acquiring the target key derivation interface;
And extracting the index identifier of the target interface recorded in the target service interface.
10. The key derivation interface invoking method of claim 9, applied to a security chip supporting a trusted execution environment comprising a user-mode space and a kernel-mode space, the kernel-mode space configured with a plurality of service interfaces;
the obtaining the target service interface includes:
responding to a system call request initiated by a trusted application in the user state space, and acquiring target information for key derivation, wherein the target information comprises a key type;
and determining the target service interface corresponding to the key type.
11. The key derivation interface invocation method of claim 10, wherein the target information further comprises a salt value;
a process for invoking the key derivation module to generate a key, comprising:
a private key is generated based on the salt value and a public key is generated based on the private key.
12. The key derivation interface invocation method of claim 11, wherein generating a private key based on the salt value comprises:
using a hardware unique key HUK of the security chip and the salt value, and obtaining a HUK derivative subkey based on HMAC operation or symmetric key operation, wherein the HUK is uniquely corresponding to the security chip;
And generating a private key based on the HUK derivative subkey.
13. A security chip configured to perform the key derivation interface registration method of any one of claims 1 to 7, or to perform the key derivation interface invocation method of any one of claims 8 to 12.
14. A system on a chip comprising the security chip of claim 13.
15. A computing device comprising the system-on-chip of claim 14.
16. A computer-readable storage medium, characterized in that a computer program is stored, which when executed implements the key derivation interface registration method according to any one of claims 1 to 7, or implements the key derivation interface calling method according to any one of claims 8 to 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311649183.5A CN117375803B (en) | 2023-12-05 | 2023-12-05 | Key derivation interface registration method, calling method, related equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311649183.5A CN117375803B (en) | 2023-12-05 | 2023-12-05 | Key derivation interface registration method, calling method, related equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117375803A true CN117375803A (en) | 2024-01-09 |
| CN117375803B CN117375803B (en) | 2024-02-06 |
Family
ID=89389575
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311649183.5A Active CN117375803B (en) | 2023-12-05 | 2023-12-05 | Key derivation interface registration method, calling method, related equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117375803B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130061036A1 (en) * | 2011-08-30 | 2013-03-07 | Nokia Corporation | Method and apparatus for providing a structured and partially regenerable identifier |
| CN103810072A (en) * | 2012-11-09 | 2014-05-21 | 上海飞田通信技术有限公司 | Device and method for guaranteeing order execution of multithread tasks |
| CN104572112A (en) * | 2015-01-21 | 2015-04-29 | 成都卫士通信息安全技术有限公司 | Inter-program function dynamic multiplexing system and method based on Android system |
| CN109582472A (en) * | 2018-10-19 | 2019-04-05 | 华为技术有限公司 | A kind of micro services processing method and equipment |
| CN112580061A (en) * | 2019-09-27 | 2021-03-30 | 科大国盾量子技术股份有限公司 | Calling method of quantum encryption and decryption application interface and related equipment |
| WO2021078192A1 (en) * | 2019-10-22 | 2021-04-29 | 中兴通讯股份有限公司 | Cloud service management method, cloud service management apparatus and readable storage medium |
| WO2023279770A1 (en) * | 2021-07-08 | 2023-01-12 | 华为云计算技术有限公司 | Data storage method, apparatus and system, storage medium, and program product |
| WO2023142911A1 (en) * | 2022-01-26 | 2023-08-03 | 京东方科技集团股份有限公司 | Service processing method and device |
-
2023
- 2023-12-05 CN CN202311649183.5A patent/CN117375803B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130061036A1 (en) * | 2011-08-30 | 2013-03-07 | Nokia Corporation | Method and apparatus for providing a structured and partially regenerable identifier |
| CN103810072A (en) * | 2012-11-09 | 2014-05-21 | 上海飞田通信技术有限公司 | Device and method for guaranteeing order execution of multithread tasks |
| CN104572112A (en) * | 2015-01-21 | 2015-04-29 | 成都卫士通信息安全技术有限公司 | Inter-program function dynamic multiplexing system and method based on Android system |
| CN109582472A (en) * | 2018-10-19 | 2019-04-05 | 华为技术有限公司 | A kind of micro services processing method and equipment |
| CN112580061A (en) * | 2019-09-27 | 2021-03-30 | 科大国盾量子技术股份有限公司 | Calling method of quantum encryption and decryption application interface and related equipment |
| WO2021078192A1 (en) * | 2019-10-22 | 2021-04-29 | 中兴通讯股份有限公司 | Cloud service management method, cloud service management apparatus and readable storage medium |
| WO2023279770A1 (en) * | 2021-07-08 | 2023-01-12 | 华为云计算技术有限公司 | Data storage method, apparatus and system, storage medium, and program product |
| WO2023142911A1 (en) * | 2022-01-26 | 2023-08-03 | 京东方科技集团股份有限公司 | Service processing method and device |
Non-Patent Citations (2)
| Title |
|---|
| REEM MELKI: "Efficient and secure multi-homed systems based on binary random linear network coding", 《 COMPUTERS AND ELECTRICAL ENGINEERING》, 1 January 2020 (2020-01-01) * |
| 陈思源: "基于密钥派生算法的区块链安全通信技术的设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》, 15 January 2022 (2022-01-15) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117375803B (en) | 2024-02-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109858265B (en) | Encryption method, device and related equipment | |
| CN110245506B (en) | Intelligent contract management method and device based on block chain and electronic equipment | |
| CN111475849B (en) | Private data query method and device based on blockchain account | |
| CN109936626B (en) | Method, node and storage medium for implementing privacy protection in block chain | |
| CN110032885B (en) | Method, node and storage medium for implementing privacy protection in block chain | |
| US8447983B1 (en) | Token exchange | |
| CN110580412B (en) | Permission query configuration method and device based on chain codes | |
| CN113438289A (en) | Block chain data processing method and device based on cloud computing | |
| CN109067528B (en) | Password operation method, work key creation method, password service platform and equipment | |
| CN110020549B (en) | Method, node and storage medium for implementing privacy protection in block chain | |
| CN111475829A (en) | Private data query method and device based on block chain account | |
| CN110060054B (en) | Method, node, system and storage medium for implementing privacy protection in block chain | |
| WO2020233615A1 (en) | Receipt storage method combining user type and event function type and node | |
| CN109347625B (en) | Password operation method, work key creation method, password service platform and equipment | |
| US20180295115A1 (en) | Management of and persistent storage for nodes in a secure cluster | |
| CN110033265B (en) | Method, node and storage medium for implementing privacy protection in block chain | |
| US11714912B2 (en) | Enclave fork support | |
| CN115442032A (en) | Data processing method, system on chip and readable storage medium | |
| US20210248245A1 (en) | Calculation device, calculation method, calculation program and calculation system | |
| CN117375803B (en) | Key derivation interface registration method, calling method, related equipment and storage medium | |
| CN117375804B (en) | Key derivation method, related equipment and storage medium | |
| CN111368322A (en) | File decryption method and device, electronic equipment and storage medium | |
| CN116094793A (en) | Method and system for establishing connection between operation center and security equipment based on data certificate | |
| CN112416526B (en) | Direct storage access method, device and related equipment | |
| US20140033318A1 (en) | Apparatus and method for managing usim data using mobile trusted module |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |