CN117560150A - Key determination method, device, electronic equipment and computer readable storage medium - Google Patents

Publication number
CN117560150A
Authority
CN
China
Prior art keywords
key
public key
encryption algorithm
request data
response message
Legal status
Pending
Application number
CN202311834640.8A
Other languages
Chinese (zh)
Inventor
涂先胜
Current Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to a key determination method, a key determination device, an electronic device and a computer readable storage medium. The method comprises: transmitting request data to a second device, the request data comprising a first public key of a preset encryption algorithm; receiving a response message sent by the second device in response to the request data, the response message comprising a second public key of the encryption algorithm; and determining a first private key and the second public key of the encryption algorithm as a shared key of the first device and the second device. With this method, the risk of leakage of the client key in the process of communication between the client and the server is avoided.

Description

Key determination method, device, electronic equipment and computer readable storage medium
Technical Field
The present disclosure relates to the field of cryptography, and in particular, to a method and apparatus for determining a key, an electronic device, and a computer readable storage medium.
Background
With the development of communication technology, clients can communicate with servers to exchange data and perform other interactions.
In the conventional technology, when a client of an Android application system or of an iOS application system communicates with a server, the transmitted data is encrypted using existing cryptographic techniques such as encryption algorithms, hash algorithms and digital certificates. Even so, the risk of leakage of the client key in the process of communication between the client and the server still exists.
Disclosure of Invention
The embodiment of the application provides a key determining method, a device, electronic equipment and a computer readable storage medium, which can avoid the risk of leakage of a client key in the process of communication between the client and a server.
In a first aspect, an embodiment of the present application provides a key determining method, which is applied to a first device, and includes:
transmitting request data to a second device; the request data comprises a first public key of a preset encryption algorithm;
receiving a response message sent by the second device in response to the request data; the response message comprises a second public key of the encryption algorithm;
and determining a first private key and the second public key of the encryption algorithm as a shared key of the first device and the second device.
In a second aspect, an embodiment of the present application provides a key determining apparatus, applied to a first device, including:
the first sending module is used for sending request data to the second device; the request data comprises a first public key of a preset encryption algorithm;
the receiving module is used for receiving a response message sent by the second device in response to the request data; the response message comprises a second public key of the encryption algorithm;
and the first determining module is used for determining the first private key and the second public key of the encryption algorithm as the shared key of the first device and the second device.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory and a processor, where the memory stores a computer program, where the computer program, when executed by the processor, causes the processor to perform the steps of the key determining method according to the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of the first aspect.
The first device carries the first public key of the preset encryption algorithm in the request data and sends it to the second device, so that the second device, after receiving the request data, can send the first device a response message that includes the second public key of the encryption algorithm. The first device can then determine the first private key of the preset encryption algorithm, which it stores itself, and the received second public key as the shared key of the first device and the second device. In this process the first private key is stored in the memory of the first device, which ensures the security of the first private key, and the second public key is obtained by the first device from the response message sent by the second device, which ensures the security of the acquired second public key. The shared key that the first device determines from its stored first private key and the received second public key is therefore secure, which ensures secure communication between the first device and the second device and the security of the shared key.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram of an application environment for a key determination method in one embodiment;
FIG. 2 is a flow diagram of a method of key determination in one embodiment;
FIG. 3 is a flow chart of a method of key determination in another embodiment;
FIG. 4 is a flow chart of a method of key determination in another embodiment;
FIG. 5 is a flow chart of a method of key determination in another embodiment;
FIG. 6 is a flow chart of a method of key determination in another embodiment;
FIG. 7 is a flow chart of a method of key determination in another embodiment;
FIG. 8 is a block diagram of a key determining apparatus in one embodiment;
FIG. 9 is a block diagram showing the construction of a key determining apparatus in another embodiment;
FIG. 10 is a block diagram showing the construction of a key determining apparatus in another embodiment;
FIG. 11 is a block diagram showing the construction of a key determining apparatus in another embodiment;
FIG. 12 is a block diagram showing the construction of a key determining apparatus in another embodiment;
FIG. 13 is a block diagram showing the structure of a key determining apparatus in another embodiment;
FIG. 14 is a block diagram showing the structure of a key determining apparatus in another embodiment;
FIG. 15 is a schematic diagram of the internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The key determining method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the first device 102 communicates with the second device 104 via a network. The first device 102 may be a client, the second device 104 may be a server, or both the first device 102 and the second device 104 may be clients, or both the first device 102 and the second device 104 may be servers. The client may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server may be implemented by a stand-alone server or a server cluster formed by a plurality of servers.
In one embodiment, as shown in fig. 2, a key determining method is provided, which is illustrated by taking an example that the method is applied to the first device in fig. 1, and includes the following steps:
S201, sending request data to a second device; the request data comprises a first public key of a preset encryption algorithm.
The preset encryption algorithm may be an elliptic curve encryption algorithm, an RSA encryption algorithm, or other asymmetric encryption algorithms.
Optionally, in this embodiment, the first device may generate a first public key of a preset encryption algorithm, then encapsulate the generated first public key of the encryption algorithm, generate the request data, and send the generated request data to the second device through a communication channel between the first device and the second device. The request data in this embodiment is request data sent by the first device to the second device for requesting generation of a shared key between the first device and the second device.
S202, receiving a response message sent by the second device in response to the request data; the response message includes the second public key of the encryption algorithm.
In this embodiment, after the first device sends the generated request data to the second device, the second device may parse the received request data, parse a first public key of a preset encryption algorithm from the received request data, and at the same time, the second device generates a second public key of the encryption algorithm, encapsulates the second public key into a response message of the request data, and sends the generated response message to the first device through a communication channel between the second device and the first device.
Correspondingly, after the first device receives the response message sent by the second device and the validity of the response message is verified, the second public key of the preset encryption algorithm included in the received response message can be obtained by analyzing the response message.
Optionally, in this embodiment, after the second device receives the request data, the second device may verify the received request data, and in a case that the request data passes the verification, correspondingly, determine a second public key of a preset encryption algorithm according to a preset key negotiation algorithm and a second base point stored in the second device, and generate the response message according to the second public key of the preset encryption algorithm, a second private key of the preset encryption algorithm stored in the second device, and a service certificate of the second device.
S203, determining the first private key and the second public key of the encryption algorithm as a shared key of the first device and the second device.
In this embodiment, the first device may generate the first private key of the preset encryption algorithm in advance based on a random number, and optionally, the random number may be generated randomly by the first device, or may be obtained by the first device from the second device.
Optionally, in this embodiment, the first device may determine the first private key of the encryption algorithm stored in the first device as a private key of a shared key between the first device and the second device, and determine the second public key of the encryption algorithm sent by the second device as a public key of the shared key between the first device and the second device, so as to obtain the shared key for communication between the first device and the second device.
Optionally, in this embodiment, after determining the shared key for communication between the first device and the second device, the first device may store the shared key in a trusted execution environment (Trusted Execution Environment, TEE) of the first device, and use the shared key in a TEE layer of the first device when the shared key is used later, so as to ensure security of the shared key.
In the key determining method, the first device carries the first public key of the preset encryption algorithm in the request data and sends it to the second device, so that the second device, after receiving the request data, can send the first device a response message that includes the second public key of the encryption algorithm. The first device can then determine the first private key of the encryption algorithm, which it stores itself, and the received second public key as the shared key of the first device and the second device. In this process the first private key is stored in the memory of the first device, which ensures the security of the first private key, and the second public key is obtained by the first device from the response message sent by the second device, which ensures the security of the obtained second public key. The shared key that the first device determines from its stored first private key and the received second public key is therefore secure, which ensures secure communication between the first device and the second device and the security of the shared key.
The detailed process of the first device generating the above-described request data will be explained in this embodiment. In one embodiment, as shown in fig. 3, the method further includes:
S301, determining a first public key according to a preset key negotiation algorithm and a first base point stored in a trusted execution environment of the first device.
The preset key negotiation algorithm may be determined through negotiation between the first device and the second device. As an alternative implementation, the first device may send a Client Hello message to the second device; the Client Hello message may include a version number of the first device and a list of the cryptographic algorithm suites supported by the first device. After receiving the Client Hello message, the second device may send a Server Hello message to the first device; the Server Hello message may include the suite information selected by the second device, for example the key negotiation algorithm between the first device and the second device, the signature algorithm between the first device and the second device, the algorithm used for communication after the handshake, the digest algorithm, and so on. For example, if the suite information in the Server Hello message is ECDHE_RSA_WITH_AES_256_GCM_SHA384, then the key negotiation algorithm is ECDHE, the signature algorithm is RSA, communication after the handshake uses the AES symmetric algorithm with a 256-bit key in GCM mode, and the digest algorithm is SHA384.
Optionally, in this embodiment, the first device may determine from the preset key negotiation algorithm the calculation method for the public key of the preset encryption algorithm, and then determine the first public key of the preset encryption algorithm from that calculation method and the first base point stored in the trusted execution environment of the first device. It can be appreciated that, since the first base point is stored in the TEE layer of the first device and is only used in the TEE layer, the stored first base point is not leaked, stolen, tampered with or forged, and the security of the stored first base point is ensured.
In this embodiment, assuming that the preset encryption algorithm is an elliptic curve encryption algorithm, the first device determines the calculation formula from the key negotiation algorithm of the elliptic curve encryption algorithm negotiated with the second device and from the first base point. The formula may be: ta_ecdhe_pk = ta_ecdhe_sk * G, where G represents the first base point, ta_ecdhe_sk represents the first private key of the elliptic curve encryption algorithm, i.e. the private key of the elliptic curve encryption algorithm on the first device side, and ta_ecdhe_pk represents the first public key of the elliptic curve encryption algorithm, i.e. the public key of the elliptic curve encryption algorithm on the first device side.
S302, request data is generated according to the first private key and the first public key.
Optionally, in this embodiment, the first device may perform signature processing on a first public key of a preset encryption algorithm according to a first private key of the preset encryption algorithm, and encapsulate the first public key after the signature processing, so as to generate the request data.
In this embodiment, the first device determines the first public key according to the preset key negotiation algorithm and the first base point stored in the trusted execution environment of the first device. Because the first base point is stored in the trusted execution environment, the security of the stored first base point is ensured, so the security of the first public key determined from the preset key negotiation algorithm and the first base point is ensured, and in turn the security of the request data generated from the first private key and the first public key of the preset encryption algorithm is ensured.
In the scenario of generating the request data according to the first private key of the preset encryption algorithm and the first public key of the preset encryption algorithm, the first device may perform signature processing on the first public key through the first private key, obtain signature information of the first public key, and generate the request data based on the signature information of the first public key. In one embodiment, as shown in fig. 4, S302 includes:
S401, signature processing is carried out on the first public key according to the first private key, and signature information is obtained.
Optionally, in this embodiment, the first device and the second device may negotiate a signature algorithm in advance. After determining the first public key of the preset encryption algorithm, the first device signs the first public key with the pre-negotiated signature algorithm, using the private key of the preset encryption algorithm, to obtain signature information. Illustratively, the first device may sign the first public key of the preset encryption algorithm using the following formula: sign_ta_ecdhe_pk = sign(first private key, ta_ecdhe_pk), in which sign_ta_ecdhe_pk represents the acquired signature information, sign represents the signature algorithm, and ta_ecdhe_pk denotes the first public key of the preset encryption algorithm.
S402, generating request data according to the signature information, the first public key and the device certificate of the first device.
Optionally, in this embodiment, the device certificate of the first device is also stored in the first device in advance. After obtaining the signature information, the first device may encapsulate the signature information, the first public key of the preset encryption algorithm and the device certificate of the first device to generate the request data.
It should be noted that, the process of generating the response message by the second device is similar to the process of generating the request data by the first device, and for the specific process of generating the response message by the second device, reference may be made to the process of generating the request data by the first device in this embodiment, which is not described herein.
It can be understood that, since the request data is generated according to the signature information generated by the first device, the first public key of the preset encryption algorithm and the device certificate of the first device, after the second device receives the request data, the certificate chain of the device certificate of the first device can be verified step by step, after the authenticity and the legality of the device certificate of the first device are confirmed, the signature information is verified by using the first public key, the integrity of the request data sent by the first device is verified, and after the integrity verification of the request data is passed, the response message is generated.
In addition, it should be noted that in this embodiment, during production on the production line, the first device is preset with the first private key of the preset encryption algorithm and the device certificate of the first device, and the second device is preset with the second private key of the preset encryption algorithm and the service certificate of the second device. These can be used for device authentication of the first device and the second device, so as to ensure the validity of the key source. The first private key and the second private key of the preset encryption algorithm can be one-machine-one-secret (one key per device) or one-type-one-secret (one key per model), and the device certificate of the first device and the service certificate of the second device can be signed by the PKI root key and can be used for bidirectional authentication of the first device and the second device in the key negotiation process.
In this embodiment, the process by which the first device signs the first public key of the preset encryption algorithm with the first private key of the preset encryption algorithm is relatively simple, so the signature information can be obtained relatively quickly. The request data can then be generated quickly from the signature information, the first public key of the preset encryption algorithm and the device certificate of the first device, which ensures the efficiency of generating the request data.
In the scenario that the first device determines the first private key and the second public key of the preset encryption algorithm as the shared key of the first device and the second device, the first device needs to determine the second public key of the preset encryption algorithm from the response message sent by the second device. In one embodiment, as shown in fig. 5, the method further includes:
S501, carrying out integrity verification on the response message according to the service certificate and the second public key.
In this embodiment, as described above, the specific process of generating the response message by the second device is the same as the process of generating the request data by the first device, that is, after the request data is verified, the second device may determine the second public key of the preset encryption algorithm according to the preset key negotiation algorithm and the second base point stored in the second device, perform signature processing on the second public key according to the preset second private key of the preset encryption algorithm stored in advance, obtain the signature information of the second device, and then generate the response message according to the signature information of the second device, the second public key and the service certificate of the second device. That is, the response message received by the first device carries the service certificate of the second device, the second public key of the preset encryption algorithm and the signature information of the second device, so that after the first device receives the response message sent by the second device, the first device can verify the certificate chain of the service certificate step by step, verify the signature information in the response message by using the second public key of the preset encryption algorithm after the authenticity and the legality of the certificate are confirmed, and after the verification is passed, the integrity verification of the response message is confirmed.
S502, acquiring a second public key from the response message when the integrity verification of the response message is passed.
In this embodiment, after the integrity verification of the received response message is passed, the first device may obtain the second public key of the preset encryption algorithm from the received response message by parsing the received response message. Optionally, the second device may use a parsing algorithm that is negotiated with the first device in advance to parse the received response message and obtain the second public key of the preset encryption algorithm from the parsed result.
In this embodiment, the first device verifies the integrity of the received response message according to the service certificate of the second device and the second public key of the preset encryption algorithm, so that the received response message can be ensured to be a complete message, and after the integrity verification of the received response message is passed, the second public key of the preset encryption algorithm can be obtained from the received response message, so that the integrity of the second public key of the preset encryption algorithm obtained by the first device is ensured.
In the scenario where the first device determines the first private key and the second public key of the preset encryption algorithm as the shared key of the first device and the second device, the first private key of the preset encryption algorithm may be generated by the first device based on the random number, and a detailed process of generating the first private key of the preset encryption algorithm by the first device will be described in this embodiment. In one embodiment, the method further comprises: determining a randomly generated random number as a first private key; or, determining the first random number in the communication packet sent by the second device as the first private key.
In this embodiment, the first device may randomly generate a random number, and determine the randomly generated random number as a first private key of a preset encryption algorithm; or, in the process of interaction with the second device, the second device may send a communication packet carrying the first random number to the first device, and the first device may determine the first random number in the communication packet as a first private key of a preset encryption algorithm.
It will be appreciated that the random number randomly generated by the first device may be a pseudo random number, which is not reliable enough, and by carrying the first random number in the communication packet sent by the second device to the first device, the randomness of the random number may be increased, and the security of the generated first private key is ensured.
In this embodiment, if the first private key of the preset encryption algorithm is a first random number in a communication packet sent by the second device to the first device, as an optional implementation manner, in order to promote randomness of the generated shared key between the first device and the second device, the first device may generate the target shared key based on the shared key, the first random number, and the second random number in the communication packet sent by the first device to the second device, where the randomness of the generated target shared key is greater than the randomness of the shared key. Alternatively, in this embodiment, the first device may multiply the shared key, the first random number, and the second random number, and determine the product value as the target shared key.
In this embodiment, the first device determines the randomly generated random number as the first private key of the preset encryption algorithm, or determines the first random number in the communication packet sent by the second device as the first private key of the preset encryption algorithm. This enriches the ways in which the first device can determine the first private key of the preset encryption algorithm and makes that determination more flexible.
In some scenarios, the first device may further verify the authenticity of the determined shared key of the first device and the second device, and in one embodiment, as shown in fig. 6, the method further includes:
S601, symmetrically encrypting summary information of the request data by using the shared key to obtain an encrypted message.
It can be understood that after the first device and the second device acquire the public key of the preset encryption algorithm of the other party, the shared key between the first device and the second device can be determined based on the public key of the other party and the private key of the preset encryption algorithm stored in the first device and the second device, that is, the shared key of the communication between the first device and the second device is determined by the first device and the second device.
In this embodiment, the first device may determine the summary information of the request data, and then symmetrically encrypt the summary information of the request data by using the determined shared key to obtain an encrypted message.
S602, the encrypted message is sent to the second device, so that the second device decrypts the encrypted message by using the shared key, and the authenticity of the shared key is verified.
In this embodiment, since the second device also determines the shared key when communicating with the first device, after the first device sends the encrypted message to the second device, the second device may decrypt the received encrypted message using the shared key to verify the authenticity of the shared key generated by the second device and the first device. Optionally, if the second device decrypts the received encrypted message successfully by using the shared key, the second device may determine that the authenticity verification of the shared key is passed.
In this embodiment, the first device symmetrically encrypts the summary information of the request data by using the generated shared key to obtain an encrypted message, and sends the encrypted message to the second device, so that the second device can decrypt the encrypted message by using the shared key with the first device, and verifies the authenticity of the shared key according to the decryption result, thereby ensuring the authenticity of the generated shared key.
For easy understanding by those skilled in the art, the key determining method provided in the present disclosure is described in detail below, and as shown in fig. 7, the method may include:
S1, a first device determines a random number generated randomly as a first private key of a preset encryption algorithm; or determining the first random number in the communication packet sent by the second device as a first private key of a preset encryption algorithm.
S2, the first device determines a first public key of a preset encryption algorithm according to a preset key negotiation algorithm and a first base point stored in a trusted execution environment of the first device.
S3, the first device performs signature processing on a first public key of the preset encryption algorithm according to the first private key of the preset encryption algorithm to obtain first signature information.
S4, generating request data according to the first signature information, the preset encryption algorithm first public key and the device certificate of the first device, and sending the request data to the second device.
S5, the second device verifies the request data sent by the first device, and under the condition that the request data passes verification, a first public key of a preset encryption algorithm is obtained from the request data.
S6, the second device determines the random number generated randomly as a second private key of a preset encryption algorithm; or determining the second random number in the communication packet sent by the first device as a second private key of a preset encryption algorithm.
S7, the second device determines a second public key of the preset encryption algorithm according to the preset key negotiation algorithm and a second base point stored in the second device.
S8, the second device performs signature processing on the second public key of the preset encryption algorithm according to the second private key of the preset encryption algorithm to obtain second signature information.
S9, the second device generates a response message according to the second signature information, the second public key of the preset encryption algorithm and the service certificate of the second device, and sends the response message to the first device, and the second device can determine the second private key of the preset encryption algorithm and the acquired first public key of the preset encryption algorithm as the shared secret key of the first device and the second device.
S10, after receiving the response message, the first device verifies the integrity of the response message according to the service certificate in the response message and a second public key of a preset encryption algorithm.
S11, the first device acquires a second public key of a preset encryption algorithm from the response message under the condition that the integrity verification of the response message is passed.
S12, the first device determines the acquired second public key of the preset encryption algorithm and the acquired first private key of the preset encryption algorithm as a shared key of the first device and the second device.
S13, if a first private key of a preset encryption algorithm is a first random number in a communication packet sent by a second device, and a second private key of the preset encryption algorithm is a second random number in the communication packet sent by the first device, the first device generates a target shared key based on the shared key, the first random number and the second random number; wherein the randomness of the target shared key is greater than the randomness of the shared key.
S14, the first device symmetrically encrypts the summary information of the request data by using the shared key, and sends the encrypted message to the second device, so that the second device decrypts the encrypted message by using the shared key, and the authenticity of the shared key is verified.
It should be noted that, for the description of the above steps, reference may be made to the description related to the above embodiments, and the effects thereof are similar, which is not repeated herein.
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown in the sequence indicated by the arrows, these steps are not necessarily performed in that sequence. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiments of the present application also provide a key determining apparatus for implementing the above-mentioned key determining method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the key determining device or devices provided below may refer to the limitation of the key determining method hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 8, there is provided a key determining apparatus including: a first transmitting module 10, a receiving module 11 and a first determining module 12, wherein:
a first transmitting module 10, configured to transmit request data to a second device; the request data comprises a first public key of a preset encryption algorithm.
A receiving module 11, configured to receive a response message sent by the second device in response to the request data; the response message includes the second public key of the encryption algorithm.
A first determining module 12, configured to determine a first private key and a second public key of an encryption algorithm as a shared key of the first device and the second device.
Optionally, the response message is generated by the second device when the request data passes verification by the second device: the second public key is determined according to a preset key negotiation algorithm and a second base point stored in the second device, and the response message is generated according to the second public key, a second private key of the encryption algorithm and a service certificate of the second device.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, as shown in fig. 9, optionally, the above apparatus further includes: a second determination module 13 and a first generation module 14, wherein:
the second determining module 13 is configured to determine the first public key according to a preset key negotiation algorithm and a first base point stored in a trusted execution environment of the first device.
The first generation module 14 is configured to generate request data according to the first private key and the first public key.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, as shown in fig. 10, optionally, the above first generating module 14 includes: an acquisition unit 141 and a generation unit 142, wherein:
the obtaining unit 141 is configured to perform signature processing on the first public key according to the first private key, and obtain signature information.
A generating unit 142, configured to generate request data according to the signature information, the first public key and the device certificate of the first device.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, as shown in fig. 11, optionally, the above apparatus further includes: a verification module 15 and an acquisition module 16, wherein:
a verification module 15, configured to perform integrity verification on the response message according to the service certificate and the second public key.
The obtaining module 16 is configured to obtain the second public key from the response message if the integrity verification of the response message is passed.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, as shown in fig. 12, optionally, the above apparatus further includes: a third determination module 17, wherein:
a third determining module 17, configured to determine a random number generated randomly as a first private key; or, determining the first random number in the communication packet sent by the second device as the first private key.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, if the first private key is a first random number, as shown in fig. 13, optionally, the apparatus further includes: a second generation module 18, wherein:
A second generation module 18, configured to generate a target shared key based on the shared key, the first random number, and a second random number in a communication packet sent by the first device to the second device; wherein the randomness of the target shared key is greater than the randomness of the shared key.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
On the basis of the above embodiment, as shown in fig. 14, optionally, the above apparatus further includes: an encryption module 19 and a second transmission module 20, wherein:
the encryption module 19 is configured to symmetrically encrypt summary information of the request data by using the shared key, so as to obtain an encrypted message.
The second sending module 20 is configured to send the encrypted message to the second device, so that the second device decrypts the encrypted message by using the shared key, and verifies the authenticity of the shared key.
The key determining device provided in this embodiment may execute the above method embodiment, and its implementation principle and technical effects are similar, and will not be described herein.
The respective modules in the above-described key determination apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be an electronic device, and the internal structure of which may be as shown in fig. 15. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a key determination method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 15 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the computer device to which the present application is applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
Embodiments of the present application also provide a computer-readable storage medium: one or more non-transitory computer-readable storage media containing computer-executable instructions that, when executed by one or more processors, cause the processors to perform the steps of a key determination method.
Embodiments of the present application also provide a computer program product containing instructions that, when run on a computer, cause the computer to perform a key determination method.
Those skilled in the art will appreciate that all or part of the above-described methods may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combined technical features, the combinations should be considered to be within the scope of this description.
The above examples represent only a few embodiments of the present application. They are described in relatively specific detail, but are not to be construed as limiting the scope of the present application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these would fall within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (12)

1. A key determination method, applied to a first device, comprising:
transmitting request data to a second device; the request data comprises a first public key of a preset encryption algorithm;
receiving a response message sent by the second device in response to the request data; the response message comprises a second public key of the encryption algorithm;
and determining a first private key and the second public key of the encryption algorithm as a shared key of the first device and the second device.
2. The method according to claim 1, wherein the method further comprises:
determining the first public key according to a preset key negotiation algorithm and a first base point stored in a trusted execution environment of the first device;
and generating the request data according to the first private key and the first public key.
3. The method of claim 2, wherein generating the request data from the first private key and the first public key comprises:
carrying out signature processing on the first public key according to the first private key to obtain signature information;
and generating the request data according to the signature information, the first public key and the device certificate of the first device.
4. A method according to any one of claims 1-3, wherein the response message is generated by the second device, in the case that the request data passes verification by the second device, by determining the second public key according to a preset key agreement algorithm and a second base point stored in the second device, and generating the response message according to the second public key, a second private key of the encryption algorithm and a service certificate of the second device.
5. The method according to claim 4, wherein the method further comprises:
carrying out integrity verification on the response message according to the service certificate and the second public key;
and acquiring the second public key from the response message in the condition that the integrity verification of the response message is passed.
6. The method according to claim 1, wherein the method further comprises:
determining a randomly generated random number as the first private key; or,
and determining a first random number in a communication packet sent by the second device as the first private key.
7. The method of claim 6, wherein if the first private key is the first random number, the method further comprises:
generating a target shared key based on the shared key, the first random number, and a second random number in a communication packet sent by the first device to the second device; wherein the randomness of the target shared key is greater than the randomness of the shared key.
8. A method according to any one of claims 1-3, wherein the method further comprises:
symmetrically encrypting the summary information of the request data by using the shared key to obtain an encrypted message;
and sending the encrypted message to the second device so that the second device decrypts the encrypted message by using the shared key, and verifies the authenticity of the shared key.
9. A key determining apparatus, applied to a first device, comprising:
a first sending module, configured to send request data to a second device; the request data comprises a first public key of a preset encryption algorithm;
a receiving module, configured to receive a response message sent by the second device in response to the request data; the response message comprises a second public key of the encryption algorithm;
and a first determining module, configured to determine a first private key and the second public key of the encryption algorithm as a shared key of the first device and the second device.
10. An electronic device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, causes the processor to perform the steps of the key determination method of any of claims 1 to 8.
11. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 8.
12. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 8.
CN202311834640.8A 2023-12-27 2023-12-27 Key determination method, device, electronic equipment and computer readable storage medium Pending CN117560150A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311834640.8A CN117560150A (en) 2023-12-27 2023-12-27 Key determination method, device, electronic equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN117560150A true CN117560150A (en) 2024-02-13

Family

ID=89812953

Country Status (1)

Country Link
CN (1) CN117560150A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination