TW201828641A - Key generating method and device for ensuring a more secure data transmission and reducing the risk of illegally intercepting data - Google Patents
Publication number: TW201828641A (application TW106101933A)
Authority: TW (Taiwan)
Prior art keywords: key, factor, encryption, shared, encrypted
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Description
The present application relates to the field of network security technology, and in particular to a key generation method and apparatus.

To secure the transmission of data between a terminal device and a gateway device, and between the gateway device and a public-network server, a secure transmission channel is usually established separately on each of those two hops. The gateway device forwards data from one secure channel to the other and so performs the forwarding function. In the course of forwarding, however, the gateway device has to decrypt the data encrypted by the terminal device using the key it shares with the terminal device, and then re-encrypt it with the key it shares with the server before forwarding it. The gateway device therefore presents a risk of leaking the data.

In view of this, the present application provides a new technical solution that prevents the gateway device from obtaining the shared key between the two devices, thereby reducing the risk of data being illegally intercepted during network transmission.

To achieve the above object, the present application provides the following technical solutions. According to a first aspect of the present application, a key generation method applied on a first device is provided, comprising: encrypting, with an initial key, a first key factor generated by the first device and sending it to a second device over a first secure channel, the initial key being a key preset between the first device and the second device; receiving over the first secure channel a second key factor encrypted with the initial key, the second key factor being generated by the second device; decrypting the initial-key-encrypted second key factor received over the first secure channel to obtain the second key factor; and generating a shared key of the first device and the second device from the first key factor and the second key factor.

According to a second aspect of the present application, a key generation method applied on a second device is provided, comprising: receiving over a second secure channel, from a first device, a first key factor encrypted with an initial key, the initial key being a key preset between the first device and the second device; decrypting the initial-key-encrypted first key factor to obtain the first key factor; and generating a shared key of the first device and the second device from the first key factor and a second key factor generated by the second device.

According to a third aspect of the present application, a key generation apparatus applied on a first device is provided, comprising: a first encryption module, configured to encrypt, with an initial key, a first key factor generated by the first device and send it to a second device over a first secure channel, the initial key being a key preset between the first device and the second device; a first receiving module, configured to receive over the first secure channel a second key factor encrypted with the initial key, the second key factor being generated by the second device; a first decryption module, configured to decrypt the initial-key-encrypted second key factor received by the first receiving module over the first secure channel to obtain the second key factor; and a first key generation module, configured to generate a shared key of the first device and the second device from the first key factor and the second key factor obtained by the first decryption module.

According to a fourth aspect of the present application, a key generation apparatus applied on a second device is provided, comprising: a third receiving module, configured to receive over a second secure channel, from a first device, a first key factor encrypted with an initial key, the initial key being a key preset between the first device and the second device; a third decryption module, configured to decrypt the initial-key-encrypted first key factor to obtain the first key factor; and a second key generation module, configured to generate a shared key of the first device and the second device from the first key factor and a second key factor generated by the second device.

As can be seen from the above technical solutions, because both the first key factor and the second key factor are encrypted with the initial key while being forwarded by the gateway device, and the initial key is preset between the first device and the second device, the gateway device cannot learn the first key factor or the second key factor. Generating the shared key between the first device and the second device from the first key factor and the second key factor makes the finally negotiated shared key known only to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key. This ensures more secure transmission of data between the first device and the second device and further reduces the risk of data being illegally intercepted in transit.
Reference numerals in the drawings:
101-104, 201-205, 301-303, 401-404, 501-503, 601-602, 701-705: method steps
1201: first encryption module
12011: first factor generation unit
12012: first encryption unit
12013: second encryption unit
1202: first receiving module
1203: first decryption module
12031: first decryption unit
12032: second encryption unit
1204: first key generation module
12041: first determination unit
12042: first factor generation unit
1205: first determination module
1206: second determination module
1207: first replacement module
1208: third determination module
1209: data encryption module
1210: second receiving module
1211: second decryption module
1401: third receiving module
1402: third decryption module
1403: second key generation module
1404: second encryption module
1405: first sending module
1406: third determination module
1407: fourth determination module
1408: second replacement module
1409: fourth receiving module
1410: fourth decryption module
1411: response data generation module
1412: third encryption module
1413: second sending module
FIG. 1 is a flow diagram of a key generation method according to exemplary embodiment one of the present invention;
FIG. 2 is a flow diagram of a key generation method according to exemplary embodiment two of the present invention;
FIG. 3 is a flow diagram of a key generation method according to exemplary embodiment three of the present invention;
FIG. 4 is a flow diagram of a key generation method according to exemplary embodiment four of the present invention;
FIG. 5 is a flow diagram of a key generation method according to exemplary embodiment five of the present invention;
FIG. 6 is a flow diagram of a key generation method according to exemplary embodiment six of the present invention;
FIG. 7 is a flow diagram of a key generation method according to exemplary embodiment seven of the present invention;
FIG. 8 is a signaling diagram of key negotiation between a terminal device and a server to which an exemplary embodiment of the present invention applies;
FIG. 9 is a signaling diagram of data transmission between a terminal device and a server to which an exemplary embodiment of the present invention applies;
FIG. 10 is a schematic structural diagram of a terminal device according to an exemplary embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a server according to an exemplary embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a key generation apparatus according to an exemplary embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a key generation apparatus according to a further exemplary embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a key generation apparatus according to yet another exemplary embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a key generation apparatus according to another exemplary embodiment of the present invention.

Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.

The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the present application. The singular forms "a", "said" and "the" used in the present application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third, etc. may be used in the present application to describe various information, the information should not be limited by these terms, which serve only to distinguish information of the same type from one another. For example, first information may also be called second information, and similarly second information may also be called first information, without departing from the scope of the present application. Depending on context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining".
To further explain the present application, the following embodiments are provided. According to one embodiment of the present application, because both the first key factor and the second key factor are encrypted with the initial key while being forwarded by the gateway device, and the initial key is preset between the first device and the second device, the gateway device cannot learn the first key factor or the second key factor. Generating the shared key between the first device and the second device from the first key factor and the second key factor makes the finally negotiated shared key known only to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key. This ensures more secure transmission of data between the first device and the second device and further reduces the risk of data being illegally intercepted in transit.

FIG. 1 is a flow diagram of a key generation method according to exemplary embodiment one of the present invention. In one embodiment the first device may be a terminal device and the second device a server; alternatively the first device may be a server and the second device a terminal device. This embodiment takes application on a terminal device as the example. As shown in FIG. 1, the key generation method includes the following steps:
Step 101: encrypt, with an initial key, a first key factor generated by the first device and send it to the second device over a first secure channel, the initial key being a key preset between the first device and the second device;
Step 102: receive over the first secure channel a second key factor encrypted with the initial key, the second key factor being generated by the second device;
Step 103: decrypt the initial-key-encrypted second key factor received over the first secure channel to obtain the second key factor;
Step 104: generate the shared key of the first device and the second device from the first key factor and the second key factor.

In step 101, in one embodiment, the initial key Kbasic may be issued by the second device to the first device in advance, before the first device is put into service, for example by writing it into the first device's hardware. In one embodiment, the first device and the second device exchange the relevant data through a gateway device that forwards it: the first secure channel is negotiated and established between the first device and the gateway device and carries the relevant data on that hop, and the second secure channel is negotiated and established between the server (the second device) and the gateway device and carries the relevant data on that hop. A person of ordinary skill in the art will understand that the first and second secure channels are established as in the prior art, for example using the key negotiation mechanism of Secure Socket Layer (SSL) or Transport Layer Security (TLS).

In one embodiment, when the first device needs to initiate the key negotiation procedure with the second device, it generates the first key factor with a pseudo-random function, encrypts the first key factor with the initial key to obtain the once-encrypted first key factor, and then encrypts that with the first encryption key of the first secure channel to obtain the twice-encrypted first key factor. This double encryption makes the first key factor unknown to the gateway device and avoids the risk of the first key factor being illegally intercepted on the gateway side.

In step 103, the double-encrypted second key factor is decrypted with the first encryption key to obtain the once-decrypted second key factor, which is then decrypted with the initial key to obtain the second key factor. Because the second key factor was double-encrypted at the second device, it is unknown to the gateway device, which avoids the risk of the second key factor being illegally intercepted on the gateway side.

A detailed description of how, in step 104, the shared key of the first device and the second device is generated from the first key factor and the second key factor is given below and is not repeated here.

As the above description shows, because both the first key factor and the second key factor are encrypted with the initial key while being forwarded by the gateway device, and the initial key is preset between the first device and the second device, the gateway device cannot learn the first key factor or the second key factor. Generating the shared key between the first device and the second device from the first key factor and the second key factor makes the finally negotiated shared key known only to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key. This ensures more secure transmission of data between the first device and the second device and further reduces the risk of data being illegally intercepted in transit.
FIG. 2 is a flow diagram of a key generation method according to exemplary embodiment two of the present invention. This embodiment takes as its example how, in step 104 of the embodiment shown in FIG. 1, the shared key between the first device and the second device is generated from the first key factor and the second key factor. As shown in FIG. 2, the key generation method includes the following steps:
Step 201: determine the initial key shared between the first device and the second device and the device identifier of the first device;
Step 202: concatenate the initial key, the device identifier, the first key factor and the second key factor in that order to obtain a combined string;
Step 203: split the combined string into two substrings of equal length;
Step 204: hash each of the two substrings separately to obtain two hash results;
Step 205: XOR the two hash results bitwise to obtain the shared key of the first device and the second device.

After the first device has obtained the second key factor in step 104 of the embodiment shown in FIG. 1, it holds the first key factor p and the second key factor q. The first device takes the first key factor and the second key factor as input to the shared-key generation algorithm to obtain the key KAC. The key generation algorithm is: KAC = KeyGenerate(Kbasic, "Shared Key", p, q), where Kbasic is the initial key and "Shared Key" is the device identifier of the first device. The device identifier may be the device serial number of the first device, its MAC address, a combination of the two, or the like, as long as it lets the second device distinguish the first device from other devices.

In generating the shared key with the function KeyGenerate, the string corresponding to the initial key Kbasic, "Shared Key", p and q can be concatenated in that order into a combined string, and the function KeyGenerate applied to the combined string to produce the shared key KAC.

In one embodiment, the function KeyGenerate may proceed as follows: split the input combined string into two substrings of equal length (if the length of the combined string is odd, append a 1 at its end), then hash each substring separately (for example with MD5), and XOR the two results bitwise; the result is the shared key KAC.

Taking MD5 as the example: since MD5 maps input of any length to a 128-bit result, the shared key KAC is 128 bits long, which keeps the shared-key computation simple. Because the computation of KAC uses MD5, the workload is affordable even for a first device with limited computing capability.

In this embodiment, the shared key KAC is generated from the first key factor, the second key factor, the initial key and the device identifier of the first device. The first device and the second device therefore negotiate KAC securely and share it, and KAC is unknown to the gateway device acting as the intermediate node, so the first device can use KAC to encrypt the data it sends to the second device and the security of the data during network transmission is ensured.
FIG. 3 is a flow diagram of a key generation method according to exemplary embodiment three of the present invention. Building on the above embodiments, as shown in FIG. 3, the key generation method includes the following steps:
Step 301: determine the replacement period of the shared key of the first device and the second device;
Step 302: re-determine the first key factor and the second key factor according to the replacement period;
Step 303: replace the shared key of the first device and the second device according to the re-determined first key factor and second key factor.

In one embodiment, the first device and the second device may agree on a replacement period for the shared key KAC. Once KAC has been in use for the duration corresponding to the replacement period, the first device and the second device re-initiate the procedure for generating KAC. This further protects KAC and the data in transit over the network, and further reduces the likelihood of KAC being cracked.

FIG. 4 is a flow diagram of a key generation method according to exemplary embodiment four of the present invention. After the shared key has been generated as in the embodiment of FIG. 1, the data that the first device is to transmit can be encrypted with the shared key and transmitted to the second device. As shown in FIG. 4, encrypting and transmitting the data to be transmitted includes the following steps:
Step 401: determine the data to be transmitted that the first device needs to send to the second device;
Step 402: encrypt the data to be transmitted with the shared key and send it to the second device over the first secure channel;
Step 403: receive over the first secure channel the response data generated by the second device on receiving the transmitted data, the response data having been encrypted with the shared key;
Step 404: decrypt the shared-key-encrypted response data with the shared key to obtain the response data.

In step 401, the data to be transmitted may be Internet of Things data collected by a sensor on the first device.

For the first secure channel in steps 402 and 403, see the description of the embodiment shown in FIG. 1; it is not repeated here.

In step 404, on receiving the shared-key-encrypted response data over the first secure channel, the first device may first decrypt it with the first encryption key of the first secure channel and then decrypt it a second time with the shared key, thereby obtaining the original response data.

In this embodiment, the data to be transmitted is encrypted with the shared key throughout its forwarding by the gateway device, and the shared key is a key negotiated jointly between the first device and the second device, so the gateway device cannot learn the shared key. This ensures more secure transmission of the data between the first device and the second device and further reduces the risk of the data being illegally intercepted in transit.
圖5示出了根據本發明的一示例性實施例五的金鑰產生方法的流程示意圖,本實施例中,第一設備可以為終端設備,第二設備可以為伺服器,本實施例可以應用在第二設備上,如圖5所示,金鑰產生方法包括如下步驟:步驟501,透過第二安全通道接收來自第一設備的經過初始金鑰加密的第一金鑰因子,其中,初始金鑰為第一設備與第二設備之間預設的金鑰;步驟502,對經過初始金鑰加密的第一金鑰因子進行解密,得到第一加密因子;步驟503,根據第一金鑰因子、第二設備產生的第二金鑰因子產生第一設備與第二設備的共享金鑰。 FIG. 5 is a schematic flowchart of a method for generating a key according to an exemplary embodiment 5 of the present invention. In this embodiment, the first device may be a terminal device, and the second device may be a server. On the second device, as shown in FIG. 5, the key generation method includes the following steps: Step 501: Receive, by using a second secure channel, the first key factor encrypted by the initial key from the first device, where the initial key is The key is a preset key between the first device and the second device; step 502, decrypting the first key factor encrypted by the initial key to obtain a first encryption factor; and step 503, according to the first key factor The second key factor generated by the second device generates a shared key of the first device and the second device.
步驟501中的第二安全通道的相關描述請參見上述圖1所示實施例的相關描述,在此不再詳述。 For a description of the second security channel in step 501, refer to the related description of the embodiment shown in FIG. 1 above, and details are not described herein.
在步驟502中,在透過第二安全通道接收到經過初始金鑰加密的第一金鑰因子後,可以先透過第二安全通道的第二加密金鑰對經過初始金鑰加密的第一金鑰因子進行解密,然後透過初始金鑰對第一金鑰因子進行第二次解密,從而得到原始的第一金鑰因子。 In step 502, after receiving the first key factor encrypted by the initial key through the second secure channel, the first key encrypted by the initial key may be first transmitted through the second encryption key of the second secure channel. The factor is decrypted, and then the first key factor is decrypted a second time through the initial key to obtain the original first key factor.
步驟503中如何根據第一金鑰因子、第二金鑰因子產生第一設備與第二設備的共享金鑰的詳細描述可以參見上 述圖2所示實施例的描述,在此不再詳述。 For a detailed description of how to generate the shared key of the first device and the second device according to the first key factor and the second key factor in step 503, refer to the description of the embodiment shown in FIG. 2, which is not described in detail herein.
由上述描述可知,由於第一金鑰因子與第二金鑰因子在閘道設備的轉發過程中都經過初始金鑰加密,而初始金鑰為第一設備與第二設備之間預設的金鑰,因此閘道設備並不能獲知第一金鑰因子與第二金鑰因子;透過第一金鑰因子與第二金鑰因子產生第一設備與第二設備之間的共享金鑰,可以實現最終協商的共享金鑰只對第一設備和第二設備可知,閘道設備仍無法獲取協商的共享金鑰,因此可以確保資料在第一設備與第二設備之間更加安全的傳輸,進一步降低資料在傳輸過程中被非法截獲的風險。 It can be seen from the above description that since the first key factor and the second key factor are encrypted by the initial key during the forwarding process of the gateway device, the initial key is the preset gold between the first device and the second device. Key, therefore, the gateway device does not know the first key factor and the second key factor; and the shared key between the first device and the second device is generated by the first key factor and the second key factor, which can be implemented The final shared key is only known to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, thereby ensuring more secure transmission of data between the first device and the second device, further reducing The risk of data being illegally intercepted during transmission.
FIG. 6 is a flow chart of a key generation method according to exemplary embodiment 6 of the present invention. As shown in FIG. 6, the method includes the following steps: step 601, encrypt the second key factor generated by the second device with the initial key; step 602, send the second key factor encrypted with the initial key to the first device over the second secure channel.
In this embodiment, the second key factor already encrypted with the initial key is encrypted a second time with the second encryption key of the second secure channel, so that while it is forwarded by the gateway device on its way to the first device the second key factor remains unknown to the gateway device; this avoids the risk of the second key factor being illegally intercepted at the gateway device.
FIG. 7 is a flow chart of a key generation method according to exemplary embodiment 7 of the present invention. As shown in FIG. 7, the method includes the following steps: step 701, receive over the second secure channel the data to be transmitted from the first device, encrypted with the shared key; step 702, decrypt the data to be transmitted with the shared key; step 703, generate response data after the data to be transmitted has been received; step 704, encrypt the response data with the shared key; step 705, send the response data encrypted with the shared key to the first device over the second secure channel.
For the second secure channel in step 701, see the description of the embodiment shown in FIG. 1; it is not repeated here.
In step 704, after the data to be transmitted has been received from the first device over the second secure channel and decrypted with the shared key to recover the original data, the response to the first device is first encrypted with the shared key and then encrypted again with the second encryption key of the second secure channel, so that the gateway device cannot recover the original response data while forwarding it.
In this embodiment, the data to be transmitted is encrypted with the shared key throughout its forwarding by the gateway device, and the shared key is negotiated jointly by the first device and the second device, so the gateway device cannot learn it. This ensures that the data to be transmitted travels more securely between the first device and the second device and further reduces the risk of it being illegally intercepted in transit.
With the above embodiments, the first device and the second device can each locally generate a shared key with the key generation algorithm, starting from the initial key preset between them, and finally encrypt the data to be transmitted with that shared key, so that the gateway device cannot see the original data while forwarding it across the network; the data is thus transmitted securely.
FIG. 8 is a signaling diagram of key agreement between a terminal device and a server according to an exemplary embodiment of the present invention, taking the terminal device as the first device and the server as the second device. Before the terminal device joins the network, the server must issue an initial key (Kbasic) to it in advance, for example by writing it into hardware. As shown in FIG. 8, key agreement between the terminal device and the server includes the following steps: step 801, the terminal device negotiates the first encryption key (KAB) of the first secure channel with the gateway device and establishes the first secure channel between the terminal device and the gateway device. The first secure channel can be established as described in the prior art.
Step 802, the gateway device negotiates the second encryption key (KBC) of the second secure channel with the server and establishes the second secure channel. As in step 801, the second secure channel can be established as described in the prior art, for instance with the key negotiation mechanisms of SSL or TLS. Those of ordinary skill in the art will understand that steps 801 and 802 can be performed in either order, as required by the actual deployment.
Step 803, the terminal device prepares to initiate key agreement with the server: it generates a first key factor (p), which will be used to produce the shared key between the terminal device and the server. It encrypts the first key factor with the initial key (Kbasic) to obtain Kbasic(p), and then encrypts that with the first encryption key KAB to obtain KAB[Kbasic(p)].
Step 804, the terminal device sends the doubly encrypted first key factor KAB[Kbasic(p)] to the gateway device over the first secure channel.
Step 805, on receiving the doubly encrypted first key factor KAB[Kbasic(p)], the gateway device decrypts it with the first encryption key KAB of the first secure channel to obtain Kbasic(p), and then encrypts that with the second encryption key KBC of the second secure channel to obtain the doubly encrypted KBC[Kbasic(p)].
Step 806, the first key factor KBC[Kbasic(p)], doubly encrypted with the initial key and the second encryption key, is sent to the server over the second secure channel.
Step 807, on receiving the doubly encrypted first key factor, the server decrypts it with the second encryption key KBC of the second secure channel to obtain Kbasic(p), and then decrypts Kbasic(p) with the initial key Kbasic to obtain the first key factor p.
Step 808, the server generates a second key factor (q) with a pseudo-random function; the second key factor q, together with the first key factor p, will serve as the parameters from which the shared key KAC is generated.
Step 809, the server encrypts the second key factor q with the initial key Kbasic to obtain Kbasic(q), and then encrypts Kbasic(q) with the second encryption key KBC to obtain KBC[Kbasic(q)].
Step 810, the server sends the doubly encrypted second key factor KBC[Kbasic(q)] to the gateway device over the second secure channel.
Step 811, on receiving the doubly encrypted second key factor KBC[Kbasic(q)], the gateway device decrypts it with the second encryption key KBC of the second secure channel to obtain Kbasic(q), encrypts that with the first encryption key KAB of the first secure channel to obtain KAB[Kbasic(q)], and sends the doubly encrypted second key factor to the terminal device over the first secure channel.
Step 812, on receiving the doubly encrypted second key factor, the terminal device decrypts it with the first encryption key KAB of the first secure channel to obtain Kbasic(q), and then decrypts Kbasic(q) a second time with the initial key Kbasic to obtain the second key factor q.
Step 813, the terminal device and the server now both hold the first key factor p and the second key factor q. Each takes the first key factor and the second key factor as input to the key generation algorithm and obtains the shared key KAC between the terminal device and the server. For the details of the key generation algorithm, see the description of the embodiment shown in FIG. 2; it is not repeated here.
In this embodiment, the shared key KAC is thus securely negotiated and shared between the terminal device and the public-network server, and the shared key is unknown to the gateway device acting as the intermediate node. The terminal device can then use this shared key to encrypt the Internet of Things data it sends to the public-network server, which guarantees the security of the data transmission. Note that the gateway device does see the key factors in their Kbasic-encrypted form, so the scheme's confidentiality against the gateway rests entirely on Kbasic never leaving the terminal device and the server.
To further protect the shared key and the data transmission, the terminal device and the server can periodically rerun the key agreement procedure to replace the shared key KAC, which further reduces the chance of the shared key being cracked.
FIG. 9 is a flow chart of a data transmission method according to exemplary embodiment 1 of the present invention. Once the shared key has been generated through the embodiment shown in FIG. 8, a terminal device that needs to send Internet of Things data (data) to the server proceeds as shown in FIG. 9: step 901, encrypt the Internet of Things data once with the shared key KAC to obtain the ciphertext KAC(data), and then encrypt it a second time with the first encryption key KAB of the first secure channel to obtain the ciphertext KAB[KAC(data)].
Step 902, the terminal device sends the ciphertext KAB[KAC(data)] to the gateway device over the first secure channel.
Step 903, on receiving the ciphertext KAB[KAC(data)], the gateway device decrypts it with the first encryption key KAB to obtain KAC(data), and then encrypts that with the second encryption key KBC to obtain the ciphertext KBC[KAC(data)].
Step 904, the gateway device sends the ciphertext KBC[KAC(data)] to the server over the second secure channel.
Step 905, on receiving the doubly encrypted ciphertext KBC[KAC(data)], the server decrypts it with the second encryption key KBC to obtain KAC(data), and then decrypts that with the shared key KAC to obtain the original Internet of Things data.
Step 906, after obtaining the original Internet of Things data, the server generates response data (res), encrypts it with the shared key KAC to obtain the ciphertext KAC(res), and then encrypts that a second time with the second encryption key KBC to obtain KBC[KAC(res)].
Step 907, the server sends the doubly encrypted ciphertext KBC[KAC(res)] to the gateway device over the second secure channel.
Step 908, on receiving the doubly encrypted ciphertext KBC[KAC(res)], the gateway device decrypts it with the second encryption key KBC to obtain KAC(res), and then encrypts that with the first encryption key KAB to obtain the ciphertext KAB[KAC(res)].
Step 909, the gateway device sends the doubly encrypted ciphertext KAB[KAC(res)] to the terminal device over the first secure channel.
Step 910, on receiving the doubly encrypted ciphertext KAB[KAC(res)], the terminal device decrypts it with the first encryption key KAB to obtain KAC(res), and then decrypts that with the shared key KAC to obtain the original response data (res).
In this embodiment, cross-domain key agreement and sharing between the terminal device and the server is achieved through the gateway device acting as the intermediate node, the shared key is unknown to the gateway device, and the Internet of Things data is therefore transmitted securely end to end between the terminal device and the server. Beyond securing the data between the terminal device and the gateway device and between the gateway device and the public-network server, the forwarding step inside the gateway device on the transmission path is itself protected: even if the gateway device is compromised, the Internet of Things data forwarded through it remains protected by the shared-key encryption and cannot be read. A compromised gateway can still drop, delay or replay the doubly encrypted messages, so this protects the confidentiality of the payload rather than its delivery.
Corresponding to the key generation method above, the present application also proposes the terminal device according to an exemplary embodiment of the present application whose schematic structure is shown in FIG. 10. Referring to FIG. 10, at the hardware level the terminal device includes a processor, an internal bus, a network interface, memory and non-volatile memory, and may of course include other hardware required by its services. The processor reads the corresponding computer program from the non-volatile memory into memory and runs it, which forms a key generation apparatus at the logical level. Besides a software implementation, the present application does not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the entity executing the processing flow below is not limited to the individual logical units and may also be hardware or a logic device.
Corresponding to the key generation method above, the present application also proposes the server according to an exemplary embodiment of the present application whose schematic structure is shown in FIG. 11. Referring to FIG. 11, at the hardware level the server includes a processor, an internal bus, a network interface, memory and non-volatile memory, and may of course include other hardware required by its services. The processor reads the corresponding computer program from the non-volatile memory into memory and runs it, which forms a key generation apparatus at the logical level. Besides a software implementation, the present application does not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the entity executing the processing flow below is not limited to the individual logical units and may also be hardware or a logic device.
FIG. 12 is a schematic structural diagram of a key generation apparatus according to an exemplary embodiment of the present invention. As shown in FIG. 12, the key generation apparatus may include a first encryption module 1201, a first receiving module 1202, a first decryption module 1203 and a first key generation module 1204, where: the first encryption module 1201 is configured to encrypt the first key factor generated by the first device with the initial key and send it to the second device over the first secure channel, the initial key being a key preset between the first device and the second device; the first receiving module 1202 is configured to receive, over the first secure channel, the second key factor encrypted with the initial key, the second key factor being generated by the second device; the first decryption module 1203 is configured to decrypt the initial-key-encrypted second key factor received by the first receiving module 1202 over the first secure channel, yielding the second key factor; and the first key generation module 1204 is configured to generate the shared key of the first device and the second device from the first key factor and the second key factor decrypted by the first decryption module 1203.
FIG. 13 is a schematic structural diagram of a key generation apparatus according to a further exemplary embodiment of the present invention. As shown in FIG. 13, building on the embodiment shown in FIG. 12, the first encryption module 1201 may include: a first factor generation unit 12011, configured to generate the first key factor with a pseudo-random function when the first device needs to initiate key agreement with the second device; a first encryption unit 12012, configured to encrypt the first key factor generated by the first factor generation unit 12011 with the initial key, yielding the once-encrypted first key factor; and a second encryption unit 12013, configured to encrypt the once-encrypted first key factor from the first encryption unit 12012 with the first encryption key of the first secure channel, yielding the twice-encrypted first key factor.
In an embodiment, the first decryption module 1203 includes: a first decryption unit 12031, configured to decrypt the doubly encrypted second key factor with the first encryption key, yielding the once-decrypted second key factor; and a second decryption unit 12032, configured to decrypt the once-decrypted second key factor from the first decryption unit 12031 with the initial key, yielding the second key factor.
In an embodiment, the first key generation module 1204 may include: a first determining unit 12041, configured to determine the first encryption key shared between the first device and the second device and the device identifier of the first device; and a first factor generation unit 12042, configured to generate the shared key of the first device and the second device from the first encryption key, the device identifier determined by the first determining unit 12041, the first key factor, and the second key factor obtained by the first decryption module 1203.
In an embodiment, the first factor generation unit is specifically configured to: concatenate the first encryption key, the device identifier, the first key factor and the second key factor in that order to obtain a combined string; split the combined string into two substrings of equal length; hash each of the two substrings to obtain two hash results; and XOR the two hash results bitwise to obtain the shared key of the first device and the second device.
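The following is an added, self-contained Python example (not code from the patent or its applicant) that implements the key generation algorithm just described, and runs the FIG. 8 negotiation (steps 803 to 813) and the FIG. 9 data relay (steps 901 to 910) through a gateway that holds only KAB and KBC. Assumptions not fixed by the text: the channel and initial-key encryption is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, standing in for whatever cipher the secure channels use; the hash in the key generation algorithm is SHA-256; the "first encryption key shared between the first device and the second device" fed into the algorithm is taken to be Kbasic, since in the FIG. 8 setting that is the only key the terminal and server share without the gateway; and an odd-length combined string, which the text does not address, is rejected. The gateway records every inner payload it relays so the example can check that none of them opens under a key it holds.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _stream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the unspecified channel cipher
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_k, mac_k = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_k, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Checks the tag first; a wrong key (e.g. one the gateway holds) raises ValueError."""
    enc_k, mac_k = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_k, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_k, nonce, len(ct))))


def derive_shared_key(shared_key, device_id, p, q):
    """Key generation algorithm as the text describes it: concatenate, split into two
    equal halves, hash each half (SHA-256 assumed), XOR the two digests."""
    combined = shared_key + device_id + p + q
    if len(combined) % 2:
        raise ValueError("combined string cannot be split into equal halves")
    half = len(combined) // 2
    h1, h2 = hashlib.sha256(combined[:half]).digest(), hashlib.sha256(combined[half:]).digest()
    return bytes(a ^ b for a, b in zip(h1, h2))


class Gateway:
    """Node B: holds K_AB and K_BC only, and records every inner payload it relays."""

    def __init__(self, k_ab, k_bc):
        self.k_ab, self.k_bc, self.seen = k_ab, k_bc, []

    def up(self, blob):    # steps 805-806 and 903-904: strip K_AB, re-wrap under K_BC
        inner = decrypt(self.k_ab, blob)
        self.seen.append(inner)
        return encrypt(self.k_bc, inner)

    def down(self, blob):  # steps 811 and 908-909: strip K_BC, re-wrap under K_AB
        inner = decrypt(self.k_bc, blob)
        self.seen.append(inner)
        return encrypt(self.k_ab, inner)


def negotiate(k_basic, device_id, gw):
    """FIG. 8, steps 803-813. Returns K_AC as computed by the terminal and by the server.
    The terminal and server reach for gw.k_ab / gw.k_bc only because each shares that
    channel key with the gateway; neither ever touches the other channel's key."""
    p = secrets.token_bytes(16)                                    # 803: terminal's factor
    at_server = gw.up(encrypt(gw.k_ab, encrypt(k_basic, p)))       # 804-806
    p_server = decrypt(k_basic, decrypt(gw.k_bc, at_server))       # 807
    q = secrets.token_bytes(16)                                    # 808: server's factor
    at_terminal = gw.down(encrypt(gw.k_bc, encrypt(k_basic, q)))   # 809-811
    q_terminal = decrypt(k_basic, decrypt(gw.k_ab, at_terminal))   # 812
    # 813: the "shared key" input of the algorithm is taken to be K_basic (assumption)
    return (derive_shared_key(k_basic, device_id, p, q_terminal),
            derive_shared_key(k_basic, device_id, p_server, q))


def exchange(k_ac_terminal, k_ac_server, gw, data):
    """FIG. 9, steps 901-910. Returns (data as seen by server, response as seen by terminal)."""
    at_server = gw.up(encrypt(gw.k_ab, encrypt(k_ac_terminal, data)))          # 901-904
    data_server = decrypt(k_ac_server, decrypt(gw.k_bc, at_server))            # 905
    res = b"ack:" + data_server                                                # 906
    at_terminal = gw.down(encrypt(gw.k_bc, encrypt(k_ac_server, res)))         # 906-909
    return data_server, decrypt(k_ac_terminal, decrypt(gw.k_ab, at_terminal))  # 910


def gateway_can_read(gw):
    """True if any relayed inner payload opens under a key the gateway holds."""
    for inner in gw.seen:
        for k in (gw.k_ab, gw.k_bc):
            try:
                decrypt(k, inner)
                return True
            except ValueError:
                pass
    return False


if __name__ == "__main__":
    k_basic, k_ab, k_bc = (secrets.token_bytes(32) for _ in range(3))
    gw = Gateway(k_ab, k_bc)
    k_t, k_s = negotiate(k_basic, b"dev-0001", gw)   # constructed device identifier
    print("K_AC agreed:", k_t == k_s, "| gateway can read relayed payloads:", gateway_can_read(gw))
    print(exchange(k_t, k_s, gw, b"temp=21.5"))      # constructed sensor payload
```

The combined string here is 32 + 8 + 16 + 16 = 72 bytes, so the halves are well defined; with other identifier lengths the caller must pick a padding rule, which the text leaves open. The split-hash-XOR construction is non-standard: because the first half is dominated by Kbasic and the device identifier, and the second by p and q, a reviewer would normally replace derive_shared_key with HKDF over Kbasic, both identities and both factors, while keeping the relay logic unchanged.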
In an embodiment, the apparatus may further include: a first determining module 1205, configured to determine the replacement period of the shared key of the first device and the second device; a second determining module 1206, configured to re-determine the first key factor and the second key factor according to the replacement period determined by the first determining module 1205; and a first replacement module 1207, configured to replace the shared key of the first device and the second device according to the first key factor and the second key factor re-determined by the second determining module 1206.
In an embodiment, the apparatus may further include: a third determining module 1208, configured to determine the data to be transmitted that the first device needs to send to the second device; and a data encryption module 1209, configured to encrypt the data to be transmitted determined by the third determining module 1208 with the shared key and send it to the second device over the first secure channel.
In an embodiment, the apparatus may further include: a second receiving module 1210, configured to receive over the first secure channel the response data generated by the second device on receiving the data to be transmitted, the response data having been encrypted with the shared key; and a second decryption module 1211, configured to decrypt the shared-key-encrypted response data with the shared key to obtain the response data.
FIG. 14 is a schematic structural diagram of a key generation apparatus according to yet another exemplary embodiment of the present invention. As shown in FIG. 14, the key generation apparatus may include a third receiving module 1401, a third decryption module 1402 and a second key generation module 1403, where: the third receiving module 1401 is configured to receive over the second secure channel the first key factor from the first device, encrypted with the initial key, the initial key being a key preset between the first device and the second device; the third decryption module 1402 is configured to decrypt the initial-key-encrypted first key factor to obtain the first key factor; and the second key generation module 1403 is configured to generate the shared key of the first device and the second device from the first key factor and the second key factor generated by the second device.
FIG. 15 is a schematic structural diagram of a key generation apparatus according to another exemplary embodiment of the present invention. As shown in FIG. 15, building on the embodiment shown in FIG. 14, the second key generation module 1403 is specifically configured to: concatenate the first encryption key, the device identifier of the first device, the first key factor and the second key factor in that order to obtain a combined string; split the combined string into two substrings of equal length; hash each of the two substrings to obtain two hash results; and XOR the two hash results bitwise to obtain the shared key of the first device and the second device.
In an embodiment, the apparatus may further include: a second encryption module 1404, configured to encrypt the second key factor generated by the second device with the initial key; and a first sending module 1405, configured to send the second key factor encrypted with the initial key to the first device over the second secure channel.
In an embodiment, the apparatus may further include: a third determining module 1406, configured to determine the replacement period of the shared key of the first device and the second device; a fourth determining module 1407, configured to re-determine the first key factor and the second key factor according to the replacement period; and a second replacement module 1408, configured to replace the shared key of the first device and the second device according to the re-determined first key factor and second key factor.
In an embodiment, the apparatus may further include: a fourth receiving module 1409, configured to receive over the second secure channel the data to be transmitted from the first device, encrypted with the shared key; and a fourth decryption module 1410, configured to decrypt the data to be transmitted with the shared key.
In an embodiment, the apparatus may further include: a response data generation module 1411, configured to generate response data after the data to be transmitted has been received; a third encryption module 1412, configured to encrypt the response data with the shared key; and a second sending module 1413, configured to send the shared-key-encrypted response data to the first device over the second secure channel.
As the above embodiments show, both the first key factor and the second key factor are encrypted with the initial key while the gateway device forwards them, and the initial key is a key preset between the first device and the second device, so the gateway device cannot learn either key factor. Because the shared key between the first device and the second device is generated from these two key factors, the negotiated shared key is known only to the first device and the second device, and the gateway device still cannot obtain it. Data therefore travels more securely between the first device and the second device, which further reduces the risk of it being illegally intercepted in transit.
Other embodiments of the present application will readily occur to those of ordinary skill in the art upon considering the specification and practising the invention disclosed here. The present application is intended to cover any variations, uses or adaptations that follow its general principles and that include common knowledge or customary technical means in the art not disclosed herein. The specification and the embodiments are to be regarded as exemplary only; the true scope and spirit of the present application are indicated by the following claims.
It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that includes that element.
The above are merely preferred embodiments of the present application and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within its scope of protection.
Claims (28)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW106101933A TWI724091B (en) | 2017-01-19 | 2017-01-19 | Method and device for generating key |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW106101933A TWI724091B (en) | 2017-01-19 | 2017-01-19 | Method and device for generating key |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201828641A true TW201828641A (en) | 2018-08-01 |
TWI724091B TWI724091B (en) | 2021-04-11 |
Family
ID=63960105
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW106101933A TWI724091B (en) | 2017-01-19 | 2017-01-19 | Method and device for generating key |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI724091B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20200104043A (en) * | 2019-02-26 | 2020-09-03 | 삼성전자주식회사 | Electronic device for storing user identification information and method thereof |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103209075A (en) * | 2013-03-15 | 2013-07-17 | 南京易司拓电力科技股份有限公司 | Password exchange method |
- 2017-01-19 TW TW106101933A patent/TWI724091B/en active
Also Published As
Publication number | Publication date |
---|---|
TWI724091B (en) | 2021-04-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11463243B2 (en) | Key generation method and apparatus using double encryption | |
US12047362B2 (en) | Systems and methods for secure multi-party communications using a proxy | |
TWI683566B (en) | Quantum key output method, storage consistency verification method, device and system | |
AU2015335689B2 (en) | Efficient start-up for secured connections and related services | |
US9338150B2 (en) | Content-centric networking | |
US20150229621A1 (en) | One-time-pad data encryption in communication channels | |
WO2016065321A1 (en) | Secure communication channel with token renewal mechanism | |
CN104219041A (en) | Data transmission encryption method applicable for mobile internet | |
US12010216B2 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
US10291600B2 (en) | Synchronizing secure session keys | |
US10630466B1 (en) | Apparatus and method for exchanging cryptographic information with reduced overhead and latency | |
US11528127B2 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
CN113221146B (en) | Method and device for data transmission among block chain nodes | |
Olumide et al. | A hybrid encryption model for secure cloud computing | |
US10015208B2 (en) | Single proxies in secure communication using service function chaining | |
WO2020042023A1 (en) | Instant messaging data encryption method and apparatus | |
TWI724091B (en) | Method and device for generating key | |
US20230041783A1 (en) | Provision of digital content via a communication network |