CN117375825A - Key negotiation method and device, electronic equipment and storage medium - Google Patents


Publication number
CN117375825A
Authority
CN
China
Prior art keywords
key
random factor
encrypted data
indication information
session
Legal status
Pending
Application number
CN202311434974.6A
Other languages
Chinese (zh)
Inventor
姜新利
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application provide a key negotiation method and device, an electronic device and a storage medium for implementing key negotiation between a first device and a second device. The method comprises: generating a first random factor; generating a first key based on a first key generation scheme randomly selected from a key rule base; encrypting the first random factor with the first key to obtain first encrypted data; sending the first encrypted data, carrying first indication information, to the second device, the first indication information indicating how to obtain the decryption method for the first encrypted data; acquiring a second random factor generated by the second device; and generating a session key from the first random factor and the second random factor, the session key being used for encrypted communication between the first device and the second device. The random factor and the first key are regenerated for every session, so each session uses a different key, and the confidentiality of the session is improved through multiple randomness.

Description

Key negotiation method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a key negotiation method, a device, an electronic device, and a storage medium.
Background
Currently, in order to ensure communication security, the two communicating parties generate keys known to both of them through key agreement. During communication, each party then encrypts the communication data with its key, so that the data is transmitted over the network as ciphertext. However, in the related art, if an attacker intercepts a key transmitted over the network during the key negotiation stage, there is a risk that the communication data is compromised. Therefore, how to improve the confidentiality of the key negotiation stage is a technical problem to be solved in the art.
Disclosure of Invention
An embodiment of the application aims to provide a key negotiation method, a device, electronic equipment and a storage medium, which are used for achieving the technical effect of improving confidentiality of a key negotiation stage.
The first aspect of the embodiments of the present application provides a key negotiation method for implementing key negotiation between a first device and a second device. The method is applied to the first device, which is equipped with a key rule base comprising a plurality of key generation schemes. The method comprises the following steps:
generating a first random factor;
generating a first key based on a first key generation scheme randomly selected from the key rule base;
encrypting the first random factor by using the first key to obtain first encrypted data;
transmitting the first encrypted data carrying first indication information to the second device, the first indication information indicating how to obtain the decryption method for the first encrypted data;
acquiring a second random factor generated by the second device;
and generating a session key by utilizing the first random factor and the second random factor, wherein the session key is used for encrypted communication between the first device and the second device.
In the implementation process, the random factor is regenerated each time a session is performed, so that the session key of each session is different. And the first key used to encrypt the first random factor is re-randomly generated in each session such that the first key used in each key agreement is different. Thereby improving confidentiality of the session through multiple randomness.
Further, the first device and the second device are loaded with the same key rule base;
the first indication information comprises a first scheme identifier of the first key generation scheme in the key rule base, so that the second device obtains the first key generation scheme from the key rule base according to the first scheme identifier, generates the first key based on the first key generation scheme, and decrypts the first encrypted data by using the first key to obtain the first random factor.
In the implementation process, the first key decrypts the first encrypted data to obtain the first random factor. Throughout the process, the first key is never transmitted over the network; instead, the second device generates the same first key locally from the same key rule base and the first scheme identifier, so the risk of the first key leaking in transit is avoided.
Further, the first device and the second device further comprise the same set of encryption algorithms;
the encrypting the first random factor using the first key includes: encrypting the first random factor with the first key based on a first encryption algorithm randomly selected from the set of encryption algorithms;
the first indication information further comprises a first algorithm identifier of the first encryption algorithm in the encryption algorithm set, so that the second device obtains the first encryption algorithm from the encryption algorithm set according to the first algorithm identifier, and decrypts the first encrypted data by using the first key based on the first encryption algorithm.
In the implementation process, the first random factor used for generating the session key, the first key used for encrypting the first random factor, and the first encryption algorithm applied to the first random factor are all randomly selected, so that the randomness of the whole key negotiation process is higher, the difficulty of cracking the key is increased through multiple randomness, and the confidentiality of the key negotiation process is improved.
Further, the first device and the second device comprise the same key material set, and the generation process of the first key comprises the following steps:
obtaining target key material from the key material set;
a first key is generated based on the first key generation scheme and the target key material.
In the implementation process, the first key is generated through the target key material and the first key generation scheme, and the first key is randomly generated again in each session, so that the first keys used in each key negotiation are different. This increases the confidentiality of the session through multiple randomness.
Further, the second device pre-stores a deformation rule of the key; the first indication information comprises deformation of the first key, so that the second device restores the deformation of the first key to the first key according to the deformation rule, and decrypts the first encrypted data by using the first key to obtain the first random factor.
In the implementation process, since the first key can be deformed into character strings of various formats, the deformed first key is obfuscated, and an attacker cannot know the true meaning of the deformation. Without the deformation rule, the first key cannot be restored, so that high confidentiality of key negotiation is ensured.
Further, the obtaining the second random factor generated by the second device includes:
receiving second encrypted data carrying second indication information sent by the second device, the second indication information indicating how to obtain the decryption method for the second encrypted data;
and decrypting the second encrypted data according to the second indication information to obtain a second random factor.
In the implementation process, the first random factor and the second random factor for generating the session key are exchanged after encryption, so that the risk of disclosure caused by plaintext transmission is avoided. The first key and the second key are not transmitted through the network in the whole key negotiation process, so that confidentiality of the key negotiation process is ensured.
Further, the method further comprises:
updating the key generation scheme in the key rule base.
In the implementation process, the randomness of the key generation scheme can be ensured as much as possible by periodically updating the key rule base.
Further, the method is applied to a vehicle OTA upgrade scenario; the first device is one of a vehicle and an OTA server; the second device is the other of the vehicle and the OTA server.
In the implementation process, by applying the key negotiation method in the OTA upgrading scene, the communication between the vehicle and the OTA server has high confidentiality, and the security of OTA upgrading is ensured.
A second aspect of the embodiments of the present application provides a key negotiation apparatus for implementing key negotiation between a first device and a second device. The apparatus is applied to the first device, which is equipped with a key rule base comprising a plurality of key generation schemes. The apparatus comprises:
a random factor module for generating a first random factor;
a first key module for generating a first key based on a first key generation scheme randomly selected from the key rule base;
an encryption module for encrypting the first random factor by using the first key to obtain first encrypted data;
a sending module for sending the first encrypted data carrying first indication information to the second device, the first indication information indicating how to obtain the decryption method for the first encrypted data;
an acquisition module for acquiring a second random factor generated by the second device;
and a session key module for generating a session key by utilizing the first random factor and the second random factor, wherein the session key is used for encrypted communication between the first device and the second device.
A third aspect of embodiments of the present application provides an electronic device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor, when invoking the executable instructions, performs the operations of the method of any of the first aspects.
A fourth aspect of the embodiments provides a computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of any of the methods of the first aspect.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope; a person skilled in the art may obtain other related drawings from these drawings without inventive effort.
Fig. 1 is an application scenario of a key negotiation method provided in an embodiment of the present application;
Fig. 1 is a flow chart of a key negotiation method provided in an embodiment of the present application;
Fig. 2 is a flow chart of another key negotiation method according to an embodiment of the present application;
Fig. 3 is a flow chart of another key negotiation method according to an embodiment of the present application;
Fig. 4 is a flowchart of another key negotiation method according to an embodiment of the present application;
Fig. 5 is a flowchart of another key negotiation method according to an embodiment of the present application;
Fig. 6 is a block diagram of a key negotiation device according to an embodiment of the present application;
Fig. 7 is a hardware configuration diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
In the key agreement phase, the key is transmitted over the network to the communication partner. If an attacker intercepts the key in transit, the communication data that the two parties subsequently encrypt with that key will be leaked.
For example, in an OTA (Over-the-Air) upgrade scenario, a vehicle may perform software upgrades and security vulnerability fixes through OTA technology. If the key negotiated between the vehicle and the OTA server is intercepted by an attacker during network transmission in the OTA upgrade process, the OTA encrypted content can be cracked, causing a serious safety hazard. Therefore, the security of the interaction between the vehicle and the OTA server is a key problem to be solved.
To this end, the present application provides a key agreement method. Fig. 1 shows an application scenario of the key agreement method. As shown in fig. 1, the first device 110 is communicatively coupled to the second device 120. Illustratively, the first device 110 and the second device 120 may communicate over a network.
The key negotiation method provided by the application can be used to implement key negotiation between the first device 110 and the second device 120. The method may be applied to the first device 110. The first device 110 may be equipped with a key rule base, wherein the key rule base includes a plurality of key generation schemes. As shown in fig. 2, a key agreement method includes steps 210-260.
Step 210: generating a first random factor;
Illustratively, the first random factor may include a combination of one or more of the following data. The data may include, but is not limited to: random numbers, time stamps, UUIDs (Universally Unique Identifier, universally unique identification codes), device hardware information, etc.
Values such as the random number, the timestamp and the UUID are non-fixed values, i.e. a different value is generated each time.
The device hardware information may be hardware information for uniquely identifying the device, or may be unique identification information of hardware and/or software included in the device. In the first device 110, the device hardware information is hardware information of the first device 110. Taking a vehicle as an example, the device hardware information of the vehicle may include, but is not limited to, a frame number VIN (Vehicle Identification Number, vehicle identification code), an integrated circuit card identification code ICCID (Integrate Circuit Card Identity) of the vehicle, a TBOX (telematics box) hardware serial number of the vehicle, a TBOX hardware version number, and the like. The device hardware information is known to be a fixed value.
Alternatively, the first random factor may be a non-fixed value, or a combination of a plurality of non-fixed values. Such as a combination of a random number and a timestamp, a combination of a random number and a UUID.
Alternatively, the first random factor may be a combination of a non-fixed value and a fixed value. Such as a combination of a timestamp and device hardware information, a combination of a random number and device hardware information, etc.
By building the first random factor from diverse data and combinations of data, randomness is achieved as far as possible, ensuring that the first random factor generated each time is a different value.
Step 220: generating a first key based on a first key generation scheme randomly selected from the key rule base;
The first device 110 is equipped with a key rule base including a plurality of key generation schemes. Each key generation scheme corresponds to a specific key generation algorithm. Different key generation schemes correspond to different key generation algorithms and therefore generate different keys. In step 220, the first device 110 may randomly select a key generation scheme from the key rule base as the first key generation scheme and generate a first key based on it.
Illustratively, a key generation scheme may be used to generate symmetric keys. As such, the first key may be a symmetric key.
Step 230: encrypting the first random factor by using the first key to obtain first encrypted data;
After the first random factor is generated and the first key is generated through the first key generation scheme, the first random factor may be encrypted using the first key, thereby obtaining first encrypted data.
Illustratively, if the first key is a symmetric key, the first random factor may be encrypted using the first key based on a symmetric encryption algorithm.
Step 240: transmitting first encrypted data carrying first indication information to the second device;
The first indication information indicates how to obtain the decryption method for the first encrypted data.
After the first encrypted data is obtained, the first indication information may be carried in the first encrypted data and sent to the second device 120.
The first indication information is used to indicate how to obtain the decryption method for the first encrypted data, and the second device 120 may decrypt the first encrypted data based on the first indication information to obtain the first random factor. Specifically, after receiving the first encrypted data carrying the first indication information, the second device 120 may obtain the decryption method for the first encrypted data based on the first indication information, and decrypt the first encrypted data with that method, thereby obtaining the first random factor generated by the first device 110. This completes the process by which the second device 120 obtains the first random factor generated by the first device 110.
Step 250: acquiring a second random factor generated by the second device;
The second device 120 may generate a second random factor. Similarly, the second random factor may include a combination of one or more of the following data. The data may include, but is not limited to: random numbers, time stamps, UUIDs, device hardware information, etc. In the second device 120, the device hardware information is hardware information of the second device 120.
Alternatively, the second random factor may be a non-fixed value, or a combination of a plurality of non-fixed values. Such as a combination of a random number and a timestamp, a combination of a random number and a UUID.
Alternatively, the second random factor may be a combination of a non-fixed value and a fixed value. Such as a combination of a timestamp and device hardware information, a combination of a random number and device hardware information, etc.
The second device 120 may send the generated second random factor to the first device 110 so that the first device 110 may obtain the second random factor.
Step 260: generating a session key using the first random factor and the second random factor,
wherein the session key is used for encrypted communication between the first device and the second device.
The first device 110, upon acquiring the second random factor generated by the second device 120, may generate a session key using the first random factor and the second random factor.
Likewise, the second device 120, upon obtaining the first random factor generated by the first device 110, may generate the same session key using the first random factor and the second random factor. In this way, the first device 110 and the second device 120 generate the same session key, completing the key negotiation process. The finally generated session key may be used for encrypted communications between the first device 110 and the second device 120. For example, the message sender, i.e., one of the first device 110 and the second device 120, may symmetrically encrypt the communication data using the session key to obtain the communication ciphertext. The message receiver, i.e. the other of the first device 110 and the second device 120, may decrypt the communication ciphertext using the session key to recover the communication data.
Illustratively, the first device 110 and the second device 120 may re-negotiate the session key through the key negotiation method described above each time a communication interaction is required. I.e. in each session the session key is renegotiated so that a different session key is used in a different session.
It can be seen that, in the key negotiation method provided by the present application, the first device and the second device exchange the random factors each of them has generated, and generate the session key from the two random factors. The first random factor is transmitted to the second device in encrypted form, so that the risk of disclosure brought by plaintext transmission is avoided. In addition, the random factor is regenerated each time a session is performed, so that the session key of each session is different. The first key used to encrypt the first random factor is also randomly regenerated in each session, such that the first key used in each key agreement is different. This increases the confidentiality of the session through multiple randomness. Even if an attacker cracks the first key or the random factor of a certain session, other sessions are not affected, so that each session has high confidentiality.
Based on the above embodiments, in some embodiments, the first device 110 and the second device 120 may be equipped with the same key rule base. The same key rule base means, on the one hand, that the key rule bases on the two devices comprise the same key generation schemes and, on the other hand, that the scheme identifiers of the respective key generation schemes in the two key rule bases are identical.
In this way, the first indication information carried by the first encrypted data may include a first scheme identifier of the first key generation scheme in the key rule base.
The scheme identifier may be used to uniquely identify the corresponding key generation scheme. The first scheme identifier may thus uniquely identify the first key generation scheme in the key rule base. Illustratively, the scheme identifier may include, but is not limited to, a number, an identification character, a name, and the like.
The first indication information indicates, through the first scheme identifier, how to obtain the decryption method for the first encrypted data. Specifically, the first scheme identifier indicates which key generation scheme in the key rule base is the first key generation scheme, so that the second device 120 may obtain the first key generation scheme from the key rule base according to the first scheme identifier. Since the key generation schemes are identical, the keys generated using the same key generation scheme are also identical, i.e., the second device 120 can generate the same first key using the first key generation scheme. The second device 120 may then decrypt the first encrypted data using the generated first key, resulting in the first random factor.
It can be seen that, in this embodiment, by installing the same key rule base in the first device and the second device, the second device can be told through the first scheme identifier which key generation scheme to obtain from the key rule base in order to generate the same first key, and the first encrypted data can then be decrypted with the first key to obtain the first random factor. Throughout the process, the first key is never transmitted over the network; instead, the second device generates the same first key locally from the same key rule base and the first scheme identifier, so the risk of the first key leaking in transit is avoided. To crack the first key, an attacker would need to obtain a key rule base identical to that of the first device and the second device and also crack the identifiers of the key generation algorithms in the rule base, which obviously greatly increases the difficulty of cracking the first key. Thus, using the first key to encrypt the communication in the key negotiation process can ensure high confidentiality of the key negotiation process.
Regarding the process of encrypting the first random factor with the first key, in some embodiments, step 230 may include: encrypting the first random factor by using the first key based on a preset encryption algorithm.
That is, the encryption algorithm for the first random factor is preset. The first random factor is encrypted using the same encryption algorithm in key negotiations for different sessions. And the preset encryption algorithm is also preset in the second device 120. In this way, the second device 120 decrypts the first encrypted data using the first key according to the preset encryption algorithm after generating the first key according to the first indication information.
Illustratively, in the case where the first key is a symmetric key, the preset encryption algorithm is a preset symmetric encryption algorithm, for example, including but not limited to the international AES (Advanced Encryption Standard) algorithm, the national cipher SM4 algorithm, and the like.
Regarding the process of encrypting the first random factor with the first key, in other embodiments, the first device 110 and the second device 120 may include the same set of encryption algorithms in addition to having the same key rule base. Wherein the set of encryption algorithms comprises a plurality of encryption algorithms. Illustratively, the set of encryption algorithms may include a variety of symmetric encryption algorithms. For example, the set of encryption algorithms may include, but is not limited to, the international AES algorithm, the national cipher SM4 algorithm, and so on.
The same set of encryption algorithms means, on the one hand, that the sets of encryption algorithms in the two devices comprise the same encryption algorithms and, on the other hand, that the algorithm identifications of the respective encryption algorithms in the two sets are identical.
The algorithm identification may be used to uniquely identify the corresponding encryption algorithm. Illustratively, the algorithm identification may include, but is not limited to, a number, an identification character, a name, and the like.
Thus, encrypting the first random factor with the first key in step 230 may include:
encrypting the first random factor with the first key based on a first encryption algorithm randomly selected from the set of encryption algorithms.
The first device 110 may randomly select one encryption algorithm from the set of encryption algorithms as the first encryption algorithm and encrypt the first random factor according to the first encryption algorithm using the first key.
Since decryption of the first encrypted data is the inverse of encryption, it is necessary to know which encryption algorithm was used in order to decrypt the first encrypted data. Thus, the first indication information may comprise, in addition to the first scheme identification, a first algorithm identification of the first encryption algorithm in the set of encryption algorithms. The first algorithm identification indicates which encryption algorithm of the set of encryption algorithms is the first encryption algorithm, such that the second device 120 may obtain the first encryption algorithm from the set of encryption algorithms based on the first algorithm identification. The second device 120 may then decrypt the first encrypted data using the first key based on the first encryption algorithm to obtain the first random factor.
That is, in the present embodiment, the first indication information indicates how to obtain the decryption method for the first encrypted data through the first scheme identification and the first algorithm identification. Specifically, the second device 120 obtains the first key generation scheme through the first scheme identification and generates the first key required for decryption. It obtains the first encryption algorithm through the first algorithm identification, so that the first encrypted data is decrypted by using the first key based on the first encryption algorithm.
It can be seen that, in this embodiment, the encryption algorithm for the first random factor is obtained by random selection, so that the first random factor may be encrypted by a different encryption algorithm in each session. In this embodiment, everything from the first random factor used to generate the session key, through the first key used to encrypt the first random factor, to the first encryption algorithm applied to the first random factor is randomly selected. A different first random factor, first key and first encryption algorithm are used in each session, so that the randomness of the whole key negotiation process is higher, the difficulty of cracking the key is increased through multiple randomness, and the confidentiality of the key negotiation process is improved.
On the basis of any of the above embodiments, regarding the process of generating the first key based on the first key generation scheme, in some embodiments, the first device 110 and the second device 120 may include the same set of key material. The set of key material comprises a plurality of key materials, and the key materials are used to generate the first key. As such, the first key generation process may specifically include steps 310-320 as shown in fig. 3.
Step 310: obtaining target key material from the key material set;
Step 320: generating a first key based on the first key generation scheme and the target key material.
The target key material may include one or more key materials. Taking the case where the target key material includes two key materials (a first key material and a second key material) as an example, how to generate the first key based on the first key generation scheme and the target key material is described below.
For example, the key rule base may include three key generation schemes. In the first of these schemes, the first key material is used as an encryption key, and the second key material is encrypted by using a symmetric encryption algorithm to obtain an encryption result. The encryption result is then processed by using a hash function, and the obtained hash value is used as the generated key.
If the first of these schemes is the one selected as the first key generation scheme, the first key material and the second key material are processed according to it, and the first key is obtained.
In the second of these schemes, the first key material is processed using a hash function, the resulting hash value is used as the key in an HMAC (Hash-based Message Authentication Code) algorithm, and the second key material is used as the message in the HMAC algorithm. That is, according to the HMAC algorithm, the MAC (Message Authentication Code) value of the second key material is calculated using the hash value of the first key material. The obtained MAC value is processed by using a hash function, and the obtained hash value is used as the generated key.
If the second of these schemes is the one selected as the first key generation scheme, the first key material and the second key material are processed according to it, and the first key is obtained.
In the third of these schemes, the first key material and the second key material are spliced to obtain a spliced character string. The second key material is then used as the key in the HMAC algorithm and the spliced character string is used as the message in the HMAC algorithm. That is, according to the HMAC algorithm, the MAC value of the spliced character string is calculated using the second key material. The obtained MAC value is processed by using a hash function, and the obtained hash value is used as the generated key.
If the third of these schemes is the one selected as the first key generation scheme, the first key material and the second key material are processed according to it, and the first key is obtained.
Of course, the above are only illustrative examples of how the first key may be generated based on the first key generation scheme and the target key material. The number of key generation schemes in the key rule base and the specific content of each key generation scheme are not limited to the above examples. In addition, the number of target key materials is not limited to 2 and may be any number; it only needs to match the number of key materials required by the first key generation scheme. The number of key materials included in the key material set is greater than or equal to the number of target key materials.
With respect to the target key material, the target key material may optionally be a preset key material in the set of key materials. That is, the target key material is set in advance. In this manner, step 310 may specifically include: obtaining the preset target key material from the key material set.
It can be seen that, in this case, the same target key material is used to generate the first key in the key negotiations of different sessions. The preset target key material is also preset in the second device 120; that is, the second device 120 also knows which key material or key materials in the set of key materials are the target key material. Thus, in different key negotiations, different first keys are generated due to the use of different key generation schemes.
Further, the target keying material may alternatively be a keying material randomly selected from a set of keying materials. That is, the target key material is not preset, but is randomly selected at each key negotiation. In this manner, the step 310 may specifically include: a target key material is randomly selected from the set of key materials.
As such, each keying material may also have a corresponding material identification in the set of keying materials. The material identification is used to uniquely identify the corresponding key material. Illustratively, the material identification may include, but is not limited to, a number, an identification character, a name, and the like.
As such, in some embodiments, the first indication information may include a first scheme identification and a target material identification. The target material identification is used to indicate the target key material in the set of key materials. As such, the second device 120 may obtain the first key generation scheme according to the first scheme identification and obtain the target key material from the set of key materials according to the target material identification. The second device 120 then generates the first key based on the first key generation scheme and the target key material, and decrypts the first encrypted data by using the first key according to a preset encryption algorithm.
In some embodiments, the first indication information may include a first scheme identification, a first algorithm identification, and a target material identification. In this manner, the second device 120 may obtain the first key generation scheme according to the first scheme identification, obtain the target key material from the set of key materials according to the target material identification, and generate the first key based on the first key generation scheme and the target key material. The second device 120 then obtains the first encryption algorithm from the encryption algorithm set according to the first algorithm identification, and decrypts the first encrypted data by using the first key according to the first encryption algorithm.
Illustratively, the keying material is generated locally by the first device 110 and the second device 120 without interaction via network transmissions. For example, the keying material may include, but is not limited to, an IP address of the first device or the second device, an access domain name, device hardware information, and so on.
It can be seen that in this embodiment, the first key is generated by the target key material and the first key generation scheme, and the first key is generated randomly again in each session, so that the first key used in each key negotiation is different. This increases the confidentiality of the session through multiple randomness.
Regarding the first indication information, on the basis of the embodiment shown in fig. 1, in some embodiments the first indication information may comprise a deformation of the first key, and the second device 120 pre-stores the deformation rule of the key.
The deformation of the first key means that the first key is mapped into a character string of another format according to the deformation rule. For example, the deformation of the first key may include, but is not limited to, an IP address format; that is, the first key is mapped to an IP address according to the deformation rule.
In this case, the first indication information indicates how to obtain the decryption method for the first encrypted data through the deformation of the first key. Specifically, after receiving the first encrypted data carrying the first indication information, the second device 120 may restore the deformation of the first key in the first indication information to the first key according to the pre-stored deformation rule. The second device 120 may then decrypt the first encrypted data using the restored first key to obtain the first random factor.
It can be seen that, in this embodiment, the first key is deformed and then carried with the first encrypted data as the first indication information and sent to the second device. Since the first key can be deformed into character strings of various formats, the deformed first key is obfuscated, and a malicious party cannot know the true meaning of the deformation. Moreover, the first key cannot be restored without the deformation rule. Taking the IP address format as an example, the first encrypted data appears on the surface to carry an IP address, and the IP address cannot be restored to the first key without knowing that the IP address is a deformation of the first key.
With respect to obtaining the second random factor in step 250, in some embodiments, step 250 may include steps 251-252 as shown in FIG. 4.
Step 251: receiving second encrypted data carrying second indication information sent by the second device;
the second indication information indicates how to obtain the decryption method for the second encrypted data;
Step 252: decrypting the second encrypted data according to the second indication information to obtain a second random factor.
Illustratively, the second encrypted data is the result of the second device 120 encrypting the second random factor using the second key.
Illustratively, the second device 120 may randomly select the second key generation scheme from the key rule base to generate the second key, and encrypt the second random factor by using the second key to obtain the second encrypted data. The second encrypted data carrying the second indication information may then be sent to the first device 110.
The second indication information is used to indicate how to obtain the decryption method for the second encrypted data, and the first device 110 may decrypt the second encrypted data based on the second indication information to obtain the second random factor. Specifically, after receiving the second encrypted data carrying the second indication information, the first device 110 may obtain the decryption method for the second encrypted data based on the second indication information, and decrypt the second encrypted data based on the decryption method to obtain the second random factor generated by the second device 120.
The second key generation scheme may be the same key generation scheme as the first key generation scheme, or may be a different key generation scheme.
In some embodiments, if the first device 110 and the second device 120 are equipped with the same key rule base, the second indication information may include a second scheme identification of the second key generation scheme in the key rule base. As such, the first device 110 may obtain the second key generation scheme from the key rule base according to the second scheme identification and generate the same second key based on the second key generation scheme. The first device 110 may then decrypt the second encrypted data using the generated second key to obtain a second random factor.
In some embodiments, with respect to the process of encrypting the second random factor with the second key, the second device 120 may encrypt the second random factor with the second key based on a preset encryption algorithm. In this way, after generating the second key according to the second indication information, the first device 110 may decrypt the second encrypted data using the second key according to a preset encryption algorithm.
In some embodiments, regarding the process of encrypting the second random factor with the second key, if the first device 110 and the second device 120 are loaded with the same key rule base and include the same encryption algorithm set, the second device 120 may randomly select one encryption algorithm from the encryption algorithm set as the second encryption algorithm, and encrypt the second random factor according to the second encryption algorithm using the second key. The first encryption algorithm and the second encryption algorithm may be the same encryption algorithm or different encryption algorithms.
As such, the second indication information may include a second scheme identification and a second algorithm identification of the second encryption algorithm in the set of encryption algorithms, such that the first device 110 may obtain the second encryption algorithm from the set of encryption algorithms based on the second algorithm identification. The first device 110 may then decrypt the second encrypted data using the second key based on the second encryption algorithm to obtain a second random factor.
Regarding the process of generating the second key based on the second key generation scheme, in some embodiments, if the first device 110 and the second device 120 include the same set of key material, the second device 120 may obtain the target key material from the set of key material and generate the second key based on the second key generation scheme and the target key material.
Alternatively, the target key material may be a preset key material in the key material set. In this manner, the second device 120 may obtain the preset target key material from the set of key materials and generate the second key based on the second key generation scheme and the preset target key material. After the first device 110 obtains the first key generating scheme, a preset target key material may also be obtained from the set of key materials, and the same second key may be generated based on the second key generating scheme and the preset target key material, so as to decrypt the second encrypted data.
Alternatively, the target key material may be a key material randomly selected from the set of key materials. As such, the second device 120 may randomly select the target key material from the set of key materials and generate the second key based on the second key generation scheme and the randomly selected target key material. As one example, the second indication information may include a second scheme identification and a target material identification. The target material identification is used to indicate the target key material in the set of key materials. As such, the first device 110 may obtain the second key generation scheme based on the second scheme identification and obtain the target key material from the set of key materials based on the target material identification. The first device 110 then generates the second key based on the second key generation scheme and the target key material, and decrypts the second encrypted data by using the second key according to a preset encryption algorithm. As another example, the second indication information may include a second scheme identification, a second algorithm identification, and a target material identification. In this manner, the first device 110 may obtain the second key generation scheme according to the second scheme identification, obtain the target key material from the set of key materials according to the target material identification, and generate the second key based on the second key generation scheme and the target key material. The first device 110 then obtains the second encryption algorithm from the encryption algorithm set according to the second algorithm identification, and decrypts the second encrypted data by using the second key according to the second encryption algorithm.
Regarding the second indication information, in some embodiments, the second indication information may include a deformation of the second key, and the deformation rule of the key is pre-stored in the first device 110. In this way, after receiving the second encrypted data carrying the second indication information, the first device 110 may restore the deformation of the second key in the second indication information to the second key according to the pre-stored deformation rule. The first device 110 may then decrypt the second encrypted data using the restored second key to obtain a second random factor.
Specific implementations of the foregoing embodiments regarding the second key generation process, the second random factor encryption process, the second encrypted data decryption process, etc. may refer to the foregoing embodiments regarding the first key generation process, the first random factor encryption process, the first encrypted data decryption process, etc. which are not described herein.
It can be seen that, in this embodiment, the first random factor and the second random factor used to generate the session key are exchanged after encryption, which avoids the risk of disclosure caused by plaintext transmission. The first key and the second key are not transmitted through the network at any point in the key negotiation process, so that the confidentiality of the key negotiation process is ensured.
With respect to generating the session key using the first random factor and the second random factor in step 260, in some embodiments, the session key may be generated using the first random factor and the second random factor based on the first key generation scheme.
In this manner, the first device 110 and the second device 120 locally generate session keys using the first random factor and the second random factor, respectively, based on the first key generation scheme.
In addition, in some embodiments, the session key may also be generated using the first random factor and the second random factor based on the second key generation scheme.
In this manner, the first device 110 and the second device 120 locally generate session keys using the first random factor and the second random factor, respectively, based on the second key generation scheme.
Based on any of the above embodiments, the key negotiation method may further include the steps of:
updating the key generation scheme in the key rule base.
For example, an update period of the key rule base may be set. In response to reaching the update period, the key generation scheme in the key rule base is updated, including synchronously updating the key rule bases in the first device 110 and the second device 120.
It can be seen that the randomness of the key generation scheme can be ensured as much as possible by periodically updating the key rule base.
In some embodiments, after the session key is generated, a certificate check may also be performed between the first device 110 and the second device 120 using the session key.
Specifically, the first device 110 may encrypt its local certificate using the session key to obtain third encrypted data, and send the third encrypted data to the second device 120.
Alternatively, the first device 110 may encrypt the local certificate using the session key based on the first encryption algorithm. Alternatively, the first device 110 may encrypt the local certificate using the session key based on the second encryption algorithm.
The second device 120 may then decrypt the third encrypted data using the session key to obtain the certificate of the first device, and verify the certificate of the first device using the CA (Certificate Authority) to obtain a certificate verification result.
Subsequently, the second device 120 encrypts the certificate verification result using the session key to obtain fourth encrypted data, and returns the fourth encrypted data to the first device 110.
After receiving the fourth encrypted data sent by the second device 120, the first device 110 may decrypt the fourth encrypted data using the session key to obtain a certificate verification result. If the certificate verification result indicates that the verification passes, the first device 110 and the second device 120 will conduct encrypted communication of the session using the session key. If the certificate verification result indicates that the verification is not passed, the first device 110 disconnects the session with the second device 120.
In addition, regarding the application scenario of the present application, in some embodiments, the key negotiation method described above may be applied in an OTA upgrade scenario of a vehicle. As such, the first device 110 may be one of a vehicle and an OTA server and the second device 120 may be the other of a vehicle and an OTA server. That is, the first device 110 may be a vehicle and the second device 120 may be an OTA server. Alternatively, the first device 110 may be an OTA server and the second device 120 may be a vehicle. The vehicle is provided with a TBOX for communication interaction with the OTA server.
Of course, besides the OTA upgrade scenario, the key negotiation method provided by the application can be applied to other scenarios requiring key negotiation, and is not limited to the OTA upgrade scenario.
In this embodiment, by applying the key negotiation method in the OTA upgrade scenario, the communication between the vehicle and the OTA server has high confidentiality, and the security of OTA upgrade is ensured.
In addition, the application also provides a key negotiation method applied to the OTA upgrade scenario. Illustratively, the vehicle on which the TBOX is mounted is the first device 110, and the OTA server is the second device 120. The vehicle and the OTA server are provided with the same key rule base and encryption algorithm set. The vehicle is communicatively coupled to the OTA server via the TBOX. As shown in fig. 5, when the vehicle needs to use the OTA upgrade service, the TBOX of the vehicle first generates a first random factor (step 501), then randomly selects an encryption scheme from the key rule base as a first key generation scheme, and generates a first key according to the first key generation scheme (step 502).
Specifically, the key rule base includes a plurality of key generation schemes for generating symmetric keys. When generating the first key, a target key material required by a first key generation scheme may be input, and the first key generation scheme performs a series of calculations on the input target key material, so that the first key may be obtained.
Illustratively, the target key material may comprise a first key material and a second key material. The target key material is only generated locally on the vehicle and on the OTA server and is not transmitted through the network. The target key material may be a value agreed in advance by the vehicle and the OTA server. For example, the first key material may be a domain name of the OTA server, the second key material may be a vehicle VIN number, and so on.
The key rule base can be updated periodically through the key management platform, so that the randomness of the key generation scheme is ensured as much as possible.
After obtaining the first key, the first random factor may be encrypted using the first key to obtain first encrypted data (step 503). Specifically, one symmetric encryption algorithm may be randomly selected from the set of encryption algorithms as the first encryption algorithm. The first random factor is then encrypted using the first key according to a first encryption algorithm to obtain first encrypted data.
The vehicle-side TBOX may then send the first encrypted data carrying the first indication information to the OTA server (step 504). The first indication information comprises a first scheme identifier of the first encryption scheme in the key rule base and a first algorithm identifier of the first encryption algorithm in the encryption algorithm set.
After receiving the first encrypted data, the OTA server may call the first key generation scheme corresponding to the first scheme identifier from the key rule base according to the first scheme identifier in the first indication information, and generate the first key (step 505).
The OTA server then decrypts the first encrypted data using the first key to obtain the first random factor (step 506). Specifically, the OTA server may call a first encryption algorithm corresponding to the first algorithm identifier from the encryption algorithm set according to the first algorithm identifier in the first indication information, and decrypt the first encrypted data using the first key according to the first encryption algorithm.
The OTA server then generates a second random factor (step 507), then randomly selects an encryption scheme from the key rule base as a second key generation scheme, and generates a second key according to the second key generation scheme (step 508).
After the second key is obtained, the second random factor may be encrypted using the second key to obtain second encrypted data (step 509). Specifically, one symmetric encryption algorithm may be randomly selected from the set of encryption algorithms as the second encryption algorithm. And then encrypting the second random factor by using the second key according to a second encryption algorithm to obtain second encrypted data.
The OTA server may then send the second encrypted data carrying the second indication information to the vehicle TBOX (step 510). The second indication information comprises a second scheme identifier of the second encryption scheme in the key rule base and a second algorithm identifier of the second encryption algorithm in the encryption algorithm set.
After receiving the second encrypted data, the vehicle TBOX may call the second key generation scheme corresponding to the second scheme identifier from the key rule base according to the second scheme identifier in the second indication information, and generate the second key (step 511).
Subsequently, the vehicle TBOX decrypts the second encrypted data using the second key, resulting in a second random factor (step 512). Specifically, the vehicle TBOX may call a second encryption algorithm corresponding to the second algorithm identification from the encryption algorithm set according to the second algorithm identification in the second indication information, and decrypt the second encrypted data using the second key according to the second encryption algorithm.
After obtaining the second random factor, the vehicle TBOX may generate a session key through a second key generation scheme using the first random factor and the second random factor as key materials (step 513). Similarly, after obtaining the first random factor, the OTA server may also use the first random factor and the second random factor as key materials to generate a session key through the second key generation scheme (step 514).
Subsequently, the vehicle TBOX encrypts the vehicle-end certificate using the session key to obtain third encrypted data (step 515), and transmits the third encrypted data to the OTA server (step 516).
After receiving the third encrypted data, the OTA server may decrypt the third encrypted data using the session key and verify the resulting vehicle-end certificate through the CA (step 517). The OTA server may then encrypt the certificate verification result using the session key to obtain fourth encrypted data (step 518), and return the fourth encrypted data to the vehicle TBOX (step 519).
The vehicle TBOX may decrypt the fourth encrypted data using the session key to obtain a certificate verification result, and if the verification is passed, the vehicle TBOX is in encrypted communication with the OTA server using the session key (step 520). For example, the OTA server may encrypt the OTA upgrade data using the session key and send the encrypted OTA upgrade data to the vehicle TBOX, thereby completing the OTA upgrade process.
For the specific implementation of the above steps, refer to the corresponding steps of the method described above; details are not repeated here.
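The exchange of steps 501-514, using the three illustrative key generation schemes described earlier as the key rule base, is shown below as an added Go example; it is not code from the application. SHA-256, the AES-CTR algorithm set, the constructed key material values, the identifier numbering and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is encrypted data plus indication information; the key is never sent.
type Message struct {
	SchemeID, AlgID byte
	Data            []byte // random IV, then ciphertext
}

// Constructed key materials, held by both devices and never transmitted.
var mat1, mat2 = []byte("ota.example.test"), []byte("CONSTRUCTED-VIN-0001")

// algSet is the shared algorithm set: identifier -> AES-CTR key length in bytes.
var algSet = map[byte]int{1: 16, 2: 32}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// ctr runs AES-CTR; the same call encrypts and decrypts.
func ctr(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(must(aes.NewCipher(key)), iv).XORKeyStream(out, in)
	return out
}

// DeriveKey applies one scheme of the key rule base to two key materials.
func DeriveKey(schemeID byte, a, b []byte) ([]byte, error) {
	switch schemeID {
	case 1: // a keys a cipher over b, ciphertext is hashed (zero IV: deterministic)
		return digest(ctr(digest(a), make([]byte, aes.BlockSize), b)), nil
	case 2: // HMAC keyed with hash(a) over b, MAC is hashed
		return digest(mac(digest(a), b)), nil
	case 3: // HMAC keyed with b over a||b, MAC is hashed
		return digest(mac(b, append(append([]byte{}, a...), b...))), nil
	}
	return nil, fmt.Errorf("unknown scheme identifier %d", schemeID)
}

// Seal is the sender; it panics on identifiers the sender itself does not hold.
func Seal(schemeID, algID byte, factor []byte) Message {
	key, iv := must(DeriveKey(schemeID, mat1, mat2)), random(aes.BlockSize)
	data := append(iv, ctr(key[:algSet[algID]], iv, factor)...)
	return Message{SchemeID: schemeID, AlgID: algID, Data: data}
}

// Open is the receiver: it looks up both identifiers locally, then decrypts.
func Open(m Message) ([]byte, error) {
	key, err := DeriveKey(m.SchemeID, mat1, mat2)
	n, ok := algSet[m.AlgID]
	if err != nil || !ok || len(m.Data) < aes.BlockSize {
		return nil, fmt.Errorf("cannot use indication %d/%d", m.SchemeID, m.AlgID)
	}
	return ctr(key[:n], m.Data[:aes.BlockSize], m.Data[aes.BlockSize:]), nil
}

// Negotiate runs steps 501-514 in one process (modulo bias in selection ignored).
func Negotiate() (vehicleKey, serverKey []byte) {
	sel := random(4)
	r1 := random(32)                                     // 501
	m1 := Seal(sel[0]%3+1, sel[1]%2+1, r1)               // 502-504
	r1Srv := must(Open(m1))                              // 505-506
	r2 := random(32)                                     // 507
	m2 := Seal(sel[2]%3+1, sel[3]%2+1, r2)               // 508-510
	r2Veh := must(Open(m2))                              // 511-512
	vehicleKey = must(DeriveKey(m2.SchemeID, r1, r2Veh)) // 513
	serverKey = must(DeriveKey(m2.SchemeID, r1Srv, r2))  // 514
	return vehicleKey, serverKey
}

func main() {
	v, s := Negotiate()
	fmt.Printf("vehicle: %x\nserver:  %x\n", v, s)
}
```

CTR mode carries no integrity check, so in this example a message whose scheme identifier is changed to another valid value decrypts to a wrong random factor without an error, and the two sides end up with different session keys.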
Based on any embodiment, the application further provides a key negotiation device, which is used for realizing key negotiation between the first device and the second device. The key agreement device is applied to a first device that is equipped with a key rule base including a plurality of key generation schemes. As shown in fig. 6, the key agreement device 600 includes:
a random factor module 610 for generating a first random factor;
a first key module 620, configured to generate a first key based on a first key generation scheme randomly selected from the key rule base;
an encryption module 630, configured to encrypt the first random factor with the first key to obtain first encrypted data;
a sending module 640, configured to send first encrypted data carrying first indication information to the second device; the first indication information indicates how to obtain the decryption method for the first encrypted data;
an obtaining module 650, configured to obtain a second random factor generated by the second device;
a session key module 660, configured to generate a session key using the first random factor and the second random factor, the session key being used for encrypted communications between the first device and the second device.
In some embodiments, the first device and the second device are equipped with the same key rule base;
the first indication information comprises a first scheme identifier of the first key generation scheme in the key rule base, so that the second device obtains the first key generation scheme from the key rule base according to the first scheme identifier, generates a first key based on the first key generation scheme, and decrypts the first encrypted data by using the first key to obtain the first random factor.
In some embodiments, the first device and the second device further comprise the same set of encryption algorithms; the encryption module 630 is specifically configured to:
encrypting the first random factor with the first key based on a first encryption algorithm randomly selected from the set of encryption algorithms;
the first indication information further comprises a first algorithm identification of the first encryption algorithm in the encryption algorithm set, so that the second device obtains the first encryption algorithm from the encryption algorithm set according to the first algorithm identification, and decrypts the first encrypted data by using the first key based on the first encryption algorithm.
In some embodiments, the first device and the second device comprise the same set of keying material, and the first key module 620 is specifically configured to:
obtaining target key material from the key material set;
a first key is generated based on the first key generation scheme and the target key material.
In some embodiments, the second device pre-stores a deformation rule for the key; the first indication information comprises deformation of the first key, so that the second device restores the deformation of the first key to the first key according to the deformation rule, and decrypts the first encrypted data by using the first key to obtain the first random factor.
In some embodiments, the acquisition module 650 is specifically configured to:
receiving second encrypted data carrying second indication information sent by the second device; the second indication information indicates how the decryption method for the second encrypted data is obtained;
and decrypting the second encrypted data according to the second indication information to obtain a second random factor.
In some embodiments, key agreement device 600 further includes:
and the updating module is used for updating the key generation scheme in the key rule base.
In some embodiments, the key agreement device 600 is applied to a vehicle OTA upgrade scenario; the first device is one of a vehicle and an OTA server; the second device is the other of the vehicle and the OTA server.
The functions and roles of each module in the above device are implemented as described for the corresponding steps of the above method, and are not described again here.
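The negotiation described by the modules above, run from both sides, as an added Python example that is not the patent's own code. Assumptions: the 3-byte indication layout (scheme id, material id, algorithm id), carrying a material id at all, the hash-counter keystream with an HMAC tag standing in for the encryption algorithm set, and the session-key derivation; the page specifies none of these.

```python
import hashlib, hmac, secrets

# Shared by both devices; every value below is constructed for this example.
KEY_MATERIAL = {0: b"constructed-material-A", 1: b"constructed-material-B"}
KEY_RULE_BASE = {  # scheme id -> key generation scheme (each yields 32 bytes)
    0: lambda m: hashlib.sha256(b"scheme0" + m).digest(),
    1: lambda m: hmac.new(m, b"scheme1", hashlib.sha256).digest(),
    2: lambda m: hashlib.pbkdf2_hmac("sha256", m, b"scheme2", 1000),
}
CIPHER_SET = {0: "sha256", 1: "sha3_256"}  # algorithm id -> keystream hash (stand-in)

def _keys(ind):
    k = KEY_RULE_BASE[ind[0]](KEY_MATERIAL[ind[1]])  # the "first key"
    return k[:16], k[16:]                            # encryption half, MAC half

def _xor_stream(key, nonce, data, hash_name):
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hashlib.new(hash_name, key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_factor(factor):
    """Sender: choose scheme, material and algorithm at random, then encrypt."""
    ind = bytes(secrets.choice(list(t)) for t in (KEY_RULE_BASE, KEY_MATERIAL, CIPHER_SET))
    ek, mk = _keys(ind)
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(ek, nonce, factor, CIPHER_SET[ind[2]])
    # The indication bytes travel in the clear, so bind them into the tag.
    return ind + nonce + ct + hmac.new(mk, ind + nonce + ct, hashlib.sha256).digest()

def unwrap_factor(msg):
    """Receiver: validate identifiers, rebuild the key, verify, then decrypt."""
    if len(msg) < 3 + 12 + 32:
        raise ValueError("truncated message")
    ind, nonce, ct, tag = msg[:3], msg[3:15], msg[15:-32], msg[-32:]
    if not (ind[0] in KEY_RULE_BASE and ind[1] in KEY_MATERIAL and ind[2] in CIPHER_SET):
        raise ValueError("unknown identifier in indication information")
    ek, mk = _keys(ind)
    if not hmac.compare_digest(tag, hmac.new(mk, ind + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(ek, nonce, ct, CIPHER_SET[ind[2]])

def session_key(r1, r2):  # assumed derivation; the page does not specify one
    return hmac.new(b"session-key", r1 + r2, hashlib.sha256).digest()

def negotiate():
    """Both devices in one process; returns (first device's key, second device's key)."""
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    msg1, msg2 = wrap_factor(r1), wrap_factor(r2)  # device 1 -> 2 and device 2 -> 1
    return session_key(r1, unwrap_factor(msg2)), session_key(unwrap_factor(msg1), r2)
```

Because the identifiers are sent unencrypted, the receiver rejects unknown values before any key derivation and authenticates them together with the ciphertext, so a swapped scheme or algorithm identifier fails verification instead of yielding a wrong random factor.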
Based on the key negotiation method described in any of the above embodiments, the present application further provides a schematic structural diagram of an electronic device as shown in Fig. 7. At the hardware level, as shown in Fig. 7, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile storage, and may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile storage into the memory and then runs it to implement the key negotiation method according to any of the above embodiments.
The present application also provides a computer storage medium storing a computer program which, when executed by a processor, is operable to perform a key agreement method as described in any of the above embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (11)

1. A key negotiation method, characterized in that it is used for key negotiation between a first device and a second device; the method is applied to the first device, and the first device carries a key rule base comprising a plurality of key generation schemes; the method comprises the following steps:
generating a first random factor;
generating a first key based on a first key generation scheme randomly selected from the key rule base;
encrypting the first random factor by using the first key to obtain first encrypted data;
transmitting first encrypted data carrying first indication information to the second device; the first indication information indicates how the decryption method for the first encrypted data is obtained;
acquiring a second random factor generated by the second device;
and generating a session key by utilizing the first random factor and the second random factor, wherein the session key is used for encrypted communication between the first device and the second device.
2. The method of claim 1, wherein the first device and the second device carry the same key rule base;
the first indication information comprises a first pattern identifier of the first key generation scheme in the key rule base, so that the second device obtains the first key generation scheme from the key rule base according to the first pattern identifier, generates a first key based on the first key generation scheme, and decrypts the first encrypted data by using the first key to obtain the first random factor.
3. The method of claim 2, wherein the first device and the second device further comprise a same set of encryption algorithms;
the encrypting the first random factor using the first key includes: encrypting the first random factor with the first key based on a first encryption algorithm randomly selected from the set of encryption algorithms;
the first indication information further comprises a first algorithm identifier of the first encryption algorithm in the encryption algorithm set, so that the second device obtains the first encryption algorithm from the encryption algorithm set according to the first algorithm identifier, and decrypts the first encrypted data by using the first key based on the first encryption algorithm.
4. A method according to any of claims 1-3, wherein the first device and the second device comprise the same set of keying material, and wherein the process of generating the first key comprises:
obtaining target key material from the key material set;
a first key is generated based on the first key generation scheme and the target key material.
5. The method of claim 1, wherein the second device pre-stores a deformation rule for a key; the first indication information comprises deformation of the first key, so that the second device restores the deformation of the first key to the first key according to the deformation rule, and decrypts the first encrypted data by using the first key to obtain the first random factor.
6. The method of claim 1, wherein the obtaining the second random factor generated by the second device comprises:
receiving second encrypted data carrying second indication information sent by the second device; the second indication information indicates how the decryption method for the second encrypted data is obtained;
and decrypting the second encrypted data according to the second indication information to obtain a second random factor.
7. The method according to claim 1, wherein the method further comprises:
updating the key generation scheme in the key rule base.
8. The method of claim 1, wherein the method is applied to a vehicle OTA upgrade scenario; the first device is one of a vehicle and an OTA server; the second device is the other of the vehicle and the OTA server.
9. A key agreement apparatus, for implementing key agreement between a first device and a second device; the apparatus is applied to the first device, and the first device carries a key rule base comprising a plurality of key generation schemes; the apparatus comprises:
a random factor module for generating a first random factor;
a first key module for generating a first key based on a first key generation scheme randomly selected from the key rule base;
an encryption module for encrypting the first random factor by using the first key to obtain first encrypted data;
a sending module for sending first encrypted data carrying first indication information to the second device; the first indication information indicates how the decryption method for the first encrypted data is obtained;
an acquisition module for acquiring a second random factor generated by the second device;
and the session key module is used for generating a session key by utilizing the first random factor and the second random factor, wherein the session key is used for encrypted communication between the first device and the second device.
10. An electronic device, the electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor, when invoking the executable instructions, performs the operations of the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon computer instructions which when executed by a processor implement the steps of the method of any of claims 1-8.
CN202311434974.6A 2023-10-31 2023-10-31 Key negotiation method and device, electronic equipment and storage medium Pending CN117375825A (en)


Publications (1)

Publication Number Publication Date
CN117375825A true CN117375825A (en) 2024-01-09

Family

ID=89405695



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination