WO2011150650A1 - Method and device for key authorization information management - Google Patents

Method and device for key authorization information management

Info

Publication number
WO2011150650A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
timestamp
certificate
storage module
user
Application number
PCT/CN2010/080294
Other languages
French (fr)
Chinese (zh)
Inventor
郎风华
尹瀚
宋成
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3297: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Definitions

  • A Trusted Platform Module (TPM) is a chip built into a computer to provide the computer with a root of trust.
  • The TPM integrates modules such as a CPU core, RAM, ROM, Flash, an encryption algorithm coprocessor, and a random number generator.
  • The TPM is actually a small system-on-chip that contains cryptographic components and storage components. Data stored inside the TPM is more reliable than data stored in other storage units such as those of PCs and servers, and it is impossible for any device to write directly to the TPM.
  • The TPM generates many keys, and each key corresponds to one authorization value.
  • The Storage Root Key (SRK) and its authorization value are stored in the storage area inside the TPM.
  • The other keys and their authorization values are stored in encrypted form in an external key storage module.
  • When the authorization value of a key needs to be modified, the key storage module is first loaded into the TPM for decryption, and then the key authorization value update protocol is invoked; the old authorization value input by the user is used to confirm whether the user is authorized to operate on the key. If so, the old authorization value is replaced with the new authorization value entered by the user and saved to the key storage module.
  • When determining whether the user has the right to use a key, the TPM first loads the key storage module into the TPM for decryption, extracts the authorization value from it, and compares it with the authorization value input by the user. If the two are the same, the user has the right to use the key; otherwise the user does not.
  • The embodiments of the invention provide a key authorization information management method and device, which can prevent a key from being used illegally.
  • The method for managing key authorization information includes:
  • The key authorization information management apparatus includes:
  • An authorization value judging module, configured to determine whether the authorization value of the key requested by the user is the same as the authorization value of the key in the key storage module.
  • A timestamp determining module, configured to determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key; the timestamp certificate is stored in a timestamp certificate module, and the timestamp in the timestamp certificate indicates the time when the user last specified the key authorization value.
  • A key usage determining module, configured to determine that the user has the right to use the key when the authorization value of the key requested by the user is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key.
  • The embodiments of the present invention need to determine whether the authorization value input by the user is the same as the authorization value saved in the key storage module, and whether the timestamp stored in the key storage module is the same as the timestamp in the timestamp certificate; if both judgments are yes, it is determined that the user has the right to use the key. The timestamp in the timestamp certificate indicates the time when the user last specified the authorization value of the key; if the user has modified the authorization value, it is the time when the user last modified it. So even if the attacker copies the original key storage module (that is, the key storage module before the authorization value was modified) and obtains the authorization value from before the modification, the key cannot be used, because the timestamp of the key in the original key storage module differs from the timestamp in the timestamp certificate of the key.
  • FIG. 1 is a flowchart of a method for managing key authorization information according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for generating a time stamp certificate of a key according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for generating a time stamp certificate of a key according to another embodiment of the present invention
  • FIG. 5A is a structural diagram of a key authorization information management apparatus according to an embodiment of the present invention
  • FIG. 5B is a structural diagram of another key authorization information management apparatus according to an embodiment of the present invention.
  • Detailed description: Referring to FIG. 1, an embodiment of the present invention provides a method for managing key authorization information, where the method includes:
  • The timestamp in the timestamp certificate is the time when the user first input the authorization value; if the user has modified the authorization value of the key, the timestamp in the timestamp certificate is the time when the user last modified the authorization value.
  • The timestamp certificate includes: the timestamp, a key identifier, and a digital signature; the digital signature is a signature over the timestamp and the key identifier made with an attestation identity key (Attestation Identity Key, AIK).
  • The key identifier is unique identifying information for the key, such as a key handle or the universal unique identifier (Uniform ID) of the key. The timestamp in the embodiments of the present invention may be the value of the monotonic counter built into the TPM.
  • The key storage module in each embodiment of the present invention is a data block external to the TPM.
  • The step further includes: verifying, according to the digital signature in the timestamp certificate of the key, whether the timestamp certificate of the key is legal and, if so, performing the step of judging whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key.
  • When the authorization value of the key requested by the user is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate, it is determined that the user has the right to use the key.
  • The timestamp needs to be obtained in the following two cases:
  • The first case: when a key generation request instruction input by the user is received, a key is generated, the authorization value input by the user is obtained, and the current value of the counter is acquired as the first timestamp; the information that needs to be stored in the key storage module and needs to be encrypted is encrypted and saved in the key storage module; and the first timestamp and the key identifier are signed to generate a timestamp certificate.
  • The information that needs to be stored in the key storage module and needs to be encrypted includes the first timestamp and the authorization value, and further includes the private key and some other information of the key.
  • The second case: when an authorization value change instruction input by the user is received, the current value of the counter is acquired as the second timestamp; the existing timestamp of the key in the key storage module is replaced with the second timestamp, and the existing authorization value of the key in the key storage module is replaced with the new authorization value input by the user; the second timestamp and the key identifier are signed to generate a new timestamp certificate, and the new timestamp certificate replaces the original timestamp certificate of the key.
  • The embodiments of the present invention need to determine whether the authorization value input by the user is the same as the authorization value of the key stored in the key storage module, and whether the timestamp of the key stored in the key storage module is the same as the timestamp in the timestamp certificate of the key; if both judgments are yes, it is determined that the user has the right to use the key. Because the timestamp in the timestamp certificate indicates the time at which the user last modified the authorization value of the key, even if the attacker copies the original key storage module (that is, the key storage module before the authorization value was modified) and obtains the authorization value from before the modification, the timestamp of the key in the original key storage module differs from the timestamp in the timestamp certificate of the key, so the key cannot be used. This prevents the key from being used illegally.
  • The first stage: the key generation phase, in which a timestamp is added to the key storage module while the key is generated, and a timestamp certificate is generated according to the added timestamp.
  • The stage includes:
  • A key generation request instruction input by the user is received.
  • 202. Generate a key according to the key generation request instruction, and acquire the authorization value of the key input by the user.
  • Specifically, the key generation command TPM_CreateKey in the TPM may be invoked according to the key generation request instruction to generate a key.
  • The key generated in this step includes a public key and a private key.
  • The TPM_ReadCounter command (the counter read command) is called to get the value of the built-in monotonic counter.
  • The information that needs to be stored in the key storage module and needs to be encrypted includes the first timestamp, the authorization value, the private key, and other information.
  • Public information includes: the public key, the key identifier, and other information.
  • The key storage module includes a plurality of key data blocks, and each key data block is used to store the encrypted information and public information of one key. This step saves the encrypted information and the public information to a key data block in the key storage module.
  • The timestamp certificate includes: the first timestamp, the key identifier, and a digital signature.
  • The first timestamp and the key identifier may be signed by calling the AIK inside the TPM.
  • When generating a key, the embodiment obtains a timestamp, saves the timestamp to a key storage module outside the TPM, and generates a timestamp certificate, so that when the user subsequently needs to use the key, the timestamp of the key in the key storage module is compared with the timestamp in the timestamp certificate of the key to determine whether the user is authorized to use the key.
  • The second stage: the authorization value change phase, in which a new timestamp certificate is generated while the authorization value is changed, and the original timestamp certificate is replaced with the new timestamp certificate. See FIG. 3; the stage includes:
  • Step 304. Determine whether the old authorization value input by the user is the same as the decrypted authorization value. If yes, go to step 305. If no, end the process.
  • Specifically, the change authorization value command TPM_ChangeAuth in the TPM can be used to determine whether the old authorization value input by the user is the same as the decrypted authorization value, and to receive the new authorization value input by the user.
  • The information that needs to be stored in the key storage module and needs to be encrypted includes the second timestamp, the authorization value newly input by the user, the private key, and other information.
  • The specific implementation of the step may be as follows: write the new encrypted information and the public information into the key data block of the key in the key storage module, overwriting the original encrypted information and public information in that key data block.
  • The timestamp certificate includes: the second timestamp, the key identifier, and a digital signature.
  • The second timestamp and the key identifier can be signed by the AIK.
  • When changing the authorization value, the embodiment obtains a timestamp, replaces the timestamp of the key stored in the key storage module with the new timestamp, and generates a new timestamp certificate by using the new timestamp. The new timestamp certificate replaces the original timestamp certificate of the key, so that when the user subsequently wants to use the key, the timestamp of the key in the key storage module is compared with the timestamp in the timestamp certificate of the key to determine whether the user is authorized to use the key.
  • The third stage: the phase of determining the user's key usage authority, in which whether the user has the right to use the key is determined by judging whether the authorization value entered by the user is the same as the authorization value of the key stored in the key storage module, and whether the timestamp of the key saved in the key storage module is the same as the timestamp in the timestamp certificate of the key.
  • The stage specifically includes:
  • A key usage request instruction input by the user is received.
  • Step 404. Determine whether the authorization value of the key input by the user is the same as the authorization value obtained by the decryption. If yes, go to step 405. If no, go to step 409.
  • Specifically, the change authorization value command TPM_ChangeAuth in the TPM can be called to determine whether the authorization value input by the user is the same as the decrypted authorization value.
  • Step 406. Determine whether the timestamp certificate is legal. If yes, go to step 407. If no, go to step 409. Specifically, whether the timestamp certificate is legal is determined according to the digital signature in the timestamp certificate. Because the AIK is a non-migratable signature key, any data signed by the AIK has been processed by the TPM, which means it is legal.
  • Step 407. Determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key. If yes, go to step 408. If no, go to step 409.
  • The position of the timestamp certificate legality check is not fixed. For example, whether the timestamp certificate is legal may be determined after determining whether the timestamps are the same; the order may be adjusted according to the actual situation (for example, according to the processing complexity and time consumption of the two steps, the step that is easier to implement or consumes less time is executed first), and is not limited herein.
  • In this embodiment, when the user requests to use the key, it is required to determine whether the authorization value input by the user is the same as the authorization value of the key stored in the key storage module, whether the timestamp certificate is legal, and whether the timestamp of the key saved in the key storage module is the same as the timestamp in the timestamp certificate of the key; if all three judgments are yes, it is determined that the user has the right to use the key. Because the timestamp in the timestamp certificate indicates the time when the user last modified the authorization value of the key, even if the attacker copies the original key storage module (that is, the key storage module before the authorization value was modified) and obtains the authorization value from before the modification, the timestamp of the key in that key storage module differs from the timestamp in the timestamp certificate, so the key cannot be used. This prevents the key from being used illegally.
  • An embodiment of the present invention provides a key authorization information management apparatus, including: an authorization value determining module 501, configured to determine whether the authorization value of the key requested by the user is the same as the authorization value of the key in the key storage module;
  • The timestamp judging module 502 is configured to determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, where the timestamp in the timestamp certificate indicates the time when the user last specified the key authorization value;
  • A key usage determining module 503, configured to determine that the user has the right to use the key when the authorization value of the key requested by the user is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key.
  • The embodiment of the present invention further includes:
  • Each module may be implemented based on a TPM platform or a system having a similar hardware architecture.
  • The timestamp certificate is stored in the timestamp certificate storage module, and the timestamp certificate storage module and the key storage module are stored in an external memory independent of the TPM platform (for example, stored in the form of files on the system hard drive).
  • The key storage module includes one or more key data blocks, and each key data block includes encrypted information and public information.
  • The encrypted information includes an authorization value, a private key, a timestamp, and other information.
  • The public information includes: a key identifier, a public key, and other information.
  • The timestamp certificate storage module includes one or more timestamp certificates, wherein each timestamp certificate includes a key identifier, a digital signature, and a timestamp.
  • The digital signature here may be a signature over the timestamp and the key identifier made with the attestation identity key (AIK).
  • The timestamp certificate verification module 504 is configured to verify whether the timestamp certificate of the key is legal according to the digital signature in the timestamp certificate of the key used by the user. Specifically, when the determination result of the authorization value judging module 501 is yes, the timestamp certificate verification module 504 can verify whether the timestamp certificate of the key is legal according to the digital signature in the timestamp certificate of the key. If it is legal, the timestamp judging module 502 judges the timestamp, and the key usage determining module 503 finally determines whether the user has the right to use the key; if it is not legal, the key usage determining module 503 directly determines that the user does not have the right to use the key.
  • Alternatively, the timestamp judging module 502 may first judge the timestamp, and the timestamp certificate verification module 504 then verifies the legitimacy of the timestamp certificate. The order can be adjusted according to the actual situation (for example, according to the complexity and time consumption of the two, the step that is easier to implement or consumes less time is executed first), and is not limited herein.
  • The receiving processing module 506 is configured to receive a key generation request instruction input by the user, and to receive the authorization value of the key input by the user.
  • The timestamp management module 507 is configured to use the current value of the counter as the first timestamp after the key generation request instruction is received; for example, when the embodiment of the present invention is based on the TPM platform, the value of the monotonic counter inside the TPM can be used as the first timestamp;
  • The encryption and decryption module 505 is configured to encrypt the information that needs to be stored in the key storage module and needs to be encrypted, and to save the resulting encrypted information into the key storage module, where the information that needs to be stored in the key storage module and needs to be encrypted includes the first timestamp and the authorization value, and further includes a private key and other information;
  • The timestamp management module 507 is further configured to: sign the first timestamp and the key identifier, generate a timestamp certificate, and store the timestamp certificate into the timestamp certificate storage module.
  • In order to obtain the timestamp when the authorization value is modified, the receiving processing module 506 is further configured to receive an authorization value change instruction input by the user, and to receive the new authorization value of the key input by the user.
  • The timestamp management module 507 is further configured to obtain the current value of the counter as the second timestamp after the authorization value change instruction is received;
  • The encryption and decryption module 505 is further configured to encrypt the information that needs to be stored in the key storage module and needs to be encrypted, and to replace the existing encrypted information of the key in the key storage module with the new encrypted information obtained by the encryption, where the information that needs to be stored in the key storage module and needs to be encrypted includes the second timestamp and the new authorization value, and further includes a private key and other information;
  • The timestamp management module 507 is further configured to: sign the second timestamp and the key identifier, generate a new timestamp certificate, and replace the existing timestamp certificate of the key in the timestamp certificate storage module with the new timestamp certificate.
  • In addition to encryption, the encryption and decryption module 505 is used for decrypting the encrypted information in the key storage module. For example, after the receiving processing module receives the relevant user instruction, the data in the obtained key data block is decrypted, and information such as the authorization value and the timestamp is obtained for use by the authorization value judging module and the timestamp management module.
  • The embodiments of the present invention need to determine whether the authorization value input by the user is the same as the authorization value of the key stored in the key storage module, and whether the timestamp of the key stored in the key storage module is the same as the timestamp in the timestamp certificate of the key; if both judgments are yes, it is determined that the user has the right to use the key. Because the timestamp in the timestamp certificate indicates the time at which the user last modified the authorization value of the key, even if the attacker copies the original key storage module (that is, the key storage module before the authorization value was modified) and obtains the authorization value from before the modification, the timestamp of the key in the original key storage module differs from the timestamp in the timestamp certificate of the key, so the key cannot be used. This prevents the key from being used illegally.
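
The three stages described above (key generation, authorization value change, and the usage decision of steps 404, 406 and 407), run against a restored pre-change key data block, as an added example that is not code from the patent. `SimTPM`, its method names and the sample values are hypothetical; an HMAC stands in for the AIK signature and a SHAKE-256 keystream for the TPM's own blob encryption. It assumes the timestamp certificate store always holds the newest certificate, matching the text's scenario in which only the key storage module is restored from a copy.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TimestampCert:
    key_id: str       # key identifier
    timestamp: int    # counter value when the authorization value was last set
    signature: bytes  # signature over (key_id, timestamp)


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


class SimTPM:
    """Hypothetical toy model of the TPM side; not a real TPM interface."""
    def __init__(self):
        self._srk = secrets.token_bytes(32)  # stand-in for the storage root key
        self._aik = secrets.token_bytes(32)  # stand-in for the AIK
        self._counter = 0                    # built-in monotonic counter

    def _tick(self) -> int:
        self._counter += 1
        return self._counter

    def _seal(self, fields: dict) -> bytes:
        # Illustrative encrypt-then-MAC only; a real TPM wraps key blobs itself.
        plain = json.dumps(fields).encode()
        nonce = secrets.token_bytes(16)
        pad = hashlib.shake_256(self._srk + nonce).digest(len(plain))
        body = nonce + bytes(p ^ k for p, k in zip(plain, pad))
        return body + hmac.new(self._srk, body, hashlib.sha256).digest()

    def _unseal(self, blob: bytes) -> dict:
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._srk, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key data block failed its integrity check")
        pad = hashlib.shake_256(self._srk + body[:16]).digest(len(body) - 16)
        return json.loads(bytes(c ^ k for c, k in zip(body[16:], pad)))

    def _sign(self, key_id: str, ts: int) -> bytes:
        # HMAC stands in for the AIK signature over timestamp and key identifier.
        msg = json.dumps([key_id, ts]).encode()
        return hmac.new(self._aik, msg, hashlib.sha256).digest()

    def create_key(self, key_id: str, auth: str):
        """Stage 1: new key data block plus its first timestamp certificate."""
        ts = self._tick()
        blob = self._seal({"auth": auth, "ts": ts, "private": secrets.token_hex(16)})
        return blob, TimestampCert(key_id, ts, self._sign(key_id, ts))

    def change_auth(self, key_id: str, blob: bytes, old_auth: str, new_auth: str):
        """Stage 2: new authorization value, new timestamp, new certificate."""
        fields = self._unseal(blob)
        if not _same(fields["auth"], old_auth):
            raise PermissionError("old authorization value rejected")
        ts = self._tick()
        fields.update(auth=new_auth, ts=ts)
        return self._seal(fields), TimestampCert(key_id, ts, self._sign(key_id, ts))

    def auth_only_check(self, blob: bytes, auth: str) -> bool:
        """Prior-art decision: the authorization value alone."""
        return _same(self._unseal(blob)["auth"], auth)

    def may_use(self, key_id: str, blob: bytes, cert: TimestampCert, auth: str) -> bool:
        """Stage 3: all three checks must pass."""
        fields = self._unseal(blob)
        if not _same(fields["auth"], auth):                        # step 404
            return False
        good_sig = hmac.compare_digest(cert.signature,
                                       self._sign(cert.key_id, cert.timestamp))
        if cert.key_id != key_id or not good_sig:                  # step 406
            return False
        return fields["ts"] == cert.timestamp                      # step 407


def rollback_demo() -> dict:
    """Constructed scenario: a pre-change copy of the key data block is restored."""
    tpm = SimTPM()
    old_blob, _ = tpm.create_key("key-1", "old-auth")
    new_blob, cert = tpm.change_auth("key-1", old_blob, "old-auth", "new-auth")
    forged = TimestampCert("key-1", 1, bytes(32))  # unsigned cert naming the old timestamp
    return {
        "current block, new auth": tpm.may_use("key-1", new_blob, cert, "new-auth"),
        "current block, old auth": tpm.may_use("key-1", new_blob, cert, "old-auth"),
        "old block, old auth, prior-art check": tpm.auth_only_check(old_blob, "old-auth"),
        "old block, old auth, current cert": tpm.may_use("key-1", old_blob, cert, "old-auth"),
        "old block, old auth, forged cert": tpm.may_use("key-1", old_blob, forged, "old-auth"),
    }


if __name__ == "__main__":
    for case, allowed in rollback_demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The forged-certificate case shows why step 406 matters: without the signature check, a certificate rewritten to carry the old counter value would make step 407 pass for the restored block.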

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method and a device for key authorization information management are disclosed. The method involves: judging whether the authorization value of the key that a user requests to use is the same as the authorization value of the key in a key storage module (101); judging whether the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate (102), where the timestamp in the timestamp certificate expresses the time when the user last specified the key's authorization value; and, when the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module and the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate, determining that the user is entitled to use the key (103). The application checks the authorization value and the key timestamp simultaneously, so that even if an attacker copies the original key storage module and acquires the authorization value from before the modification, the attacker cannot use the key because the key timestamps differ; the safety of key use is thus enhanced.

Description

密钥授权信息管理方法及装置 本申请要求于 2010 年 6 月 1 日提交中国专利局、 申请号为 201010192499. 2 , 发明名称为 "密钥授权信息管理方法及装置" 的中国专利 申请的优先权, 其全部内容通过引用结合在本申请中。 技术领域 本发明涉及加密技术领域, 特别涉及一种密钥授权信息管理方法及装置。 背景技术 可信平台模块(Trus ted P la tform Module , TPM )是一种植于计算机内 部为计算机提供可信根的芯片, TPM内部集成了 CPU核、 RAM、 ROM, F la sh加密 算法、 协处理器、 随机数生成器等模块。  Key Authorization Information Management Method and Apparatus The present application claims to be submitted to the Chinese Patent Office on June 1, 2010, and the application number is 201010192499. 2, the priority of the Chinese patent application entitled "Key Authorization Information Management Method and Apparatus" The entire contents of which are incorporated herein by reference. The present invention relates to the field of encryption technologies, and in particular, to a key authorization information management method and apparatus. BACKGROUND A Trusted Platform (TPM) module is a chip that is built in a computer to provide a trusted root for a computer. The TPM integrates a CPU core, a RAM, a ROM, an F lash encryption algorithm, and a co-processing. Modules such as random number generators.
TPM实际上是一个含有密码运算部件和存储部件的小型片上系统。 数据存 储在 TPM内部的存储单元比存储在 PC机上和服务器等其他存储单元里面更加 可靠, 任何器件都不可能直接对 TPM进行写入。  The TPM is actually a small system-on-chip that contains cryptographic components and storage components. Data storage in the TPM is more reliable than in other storage units such as PCs and servers, and it is impossible for any device to write directly to the TPM.
TPM会生成很多密钥, 每个密钥对应一个授权值。 但是, 由于 TPM内部存 储空间有限, 不可能将所有的密钥都存储在 TPM内部, 所以将存储根密钥 ( S torage Root Key , SRK )及其授权值保存在 TPM内部的存储区中, 而将其 他密钥及其授权值以加密的形式存储在外部的密钥存储模块中。 当需要修改 一个密钥的授权值时, 先将密钥存储模块加载到 TPM中进行解密, 然后调用密 钥授权值更新协议, 根据用户输入的旧的授权值, 确认是否有权限操作该密 钥, 如果是, 则将用户输入的新的授权值替换旧的授权值并保存到密钥存储 模块中。 TPM在判断用户是否有权使用密钥时, 先将密钥存储模块加载到 TPM 中进行解密, 从中取出授权值, 再与用户输入的授权值进行比较, 如果两者 相同, 则表示用户有权使用密钥, 否则, 用户无权使用密钥。  The TPM generates a number of keys, one for each authorized value. However, since the internal storage space of the TPM is limited, it is impossible to store all the keys in the TPM, so the S torage Root Key (SRK) and its authorized value are stored in the storage area inside the TPM. The other keys and their authorized values are stored in encrypted form in an external key storage module. When it is necessary to modify the authorization value of a key, the key storage module is first loaded into the TPM for decryption, and then the key authorization value update protocol is invoked, and according to the old authorization value input by the user, it is confirmed whether the key is authorized to operate the key. If yes, replace the old authorization value with the new authorization value entered by the user and save it to the key storage module. When determining whether the user has the right to use the key, the TPM first loads the key storage module into the TPM for decryption, extracts the authorization value from it, and compares it with the authorized value input by the user. If the two are the same, the user has the right. The key is used, otherwise the user does not have access to the key.
发明人在实现本发明的过程中, 发现现有技术至少存在如下缺点: 从上述过程可以看出, 判断用户是否有权限使用密钥关键看用户输入的 密钥的授权值是否正确, 如果攻击者先前知道了授权值并复制了密钥存储模 块, 那么即使用户后续修改了密钥存储模块中的授权值, 攻击者也可以通过 使 TPM加载修改之前的密钥存储模块, 并根据先前的授权值来使用密钥, 从而 造成密钥被非法使用。 发明内容 In the process of implementing the present invention, the inventors have found that the prior art has at least the following disadvantages: It can be seen from the above process that determining whether the user has the right to use the key key depends on whether the authorization value of the key input by the user is correct. If the attacker previously knows the authorization value and copies the key storage module, even if the user subsequently modifies The authorization value in the key storage module, the attacker can also use the key by using the TRM to load the key storage module before the modification, and use the key according to the previous authorization value, thereby causing the key to be illegally used. Summary of the invention
Embodiments of the present invention provide a key authorization information management method and device that can prevent a key from being used illegally.
A key authorization information management method includes:
determining whether the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module;
determining whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, where the timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value;
when the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, determining that the user has the right to use the key.
A key authorization information management device includes:
an authorization value judging module, configured to determine whether the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module;
a timestamp judging module, configured to determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, where the timestamp certificate is stored in a timestamp certificate module and the timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value;
a key usage determining module, configured to determine that the user has the right to use the key when the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module and the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key.
In the embodiments of the present invention, when a user requests to use a key, two determinations are made: whether the authorization value entered by the user is the same as the authorization value saved in the key storage module, and whether the timestamp saved in the key storage module is the same as the timestamp in the timestamp certificate. The user is determined to have the right to use the key only if both results are yes. The timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value; if the user has modified the authorization value, it is the time of the last modification. Therefore, even if an attacker has copied the original key storage module (that is, the key storage module as it was before the authorization value was modified) and has obtained the authorization value from before the modification, the timestamp in the original key storage module differs from the timestamp in the timestamp certificate, so the attacker cannot use the key, and illegal use of the key is prevented.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a key authorization information management method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for generating a timestamp certificate of a key according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for generating a timestamp certificate of a key according to another embodiment of the present invention;
FIG. 4 is a flowchart of a method for determining the right to use a key according to an embodiment of the present invention;
FIG. 5A is a structural diagram of a key authorization information management device according to an embodiment of the present invention;
FIG. 5B is a structural diagram of another key authorization information management device according to an embodiment of the present invention.
Detailed description
Referring to FIG. 1, an embodiment of the present invention provides a key authorization information management method, which includes:
101. Determine whether the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module.
102. Determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, where the timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value.
Specifically, if the user has not modified the key's authorization value since entering it when the key was generated, the timestamp in the timestamp certificate is the time at which the user first entered the authorization value; if the user has modified the key's authorization value, the timestamp in the timestamp certificate is the time at which the user last modified it.
The timestamp certificate includes the timestamp, a key identifier and a digital signature; the digital signature is a signature over the timestamp and the key identifier made with an Attestation Identity Key (AIK).
The key identifier is information that uniquely identifies the key, such as a key handle or the key's Universally Unique Identifier (UUID). The timestamp in the embodiments of the present invention may be the value of the monotonic counter built into the TPM. The key storage module in the embodiments of the present invention is a data block outside the TPM.
To ensure that the timestamp certificate used in this step is legitimate, the step further includes: verifying, according to the digital signature in the timestamp certificate of the key, whether the timestamp certificate is legitimate and, if it is, then performing the step of determining whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key.
103. When the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, determine that the user has the right to use the key.
In the embodiments of the present invention, a timestamp needs to be obtained in the following two cases:
First case: when a key generation request instruction entered by the user is received, a key is generated, the authorization value entered by the user is obtained, the current value of the counter is obtained as a first timestamp, and the information that must be stored in the key storage module in encrypted form is encrypted and saved to the key storage module; the first timestamp and the key identifier are signed to generate a timestamp certificate. The information that must be stored in the key storage module in encrypted form includes the first timestamp and the authorization value, as well as the private key of the key and some other information.
Second case: when an authorization value change instruction entered by the user is received, the current value of the counter is obtained as a second timestamp, the second timestamp replaces the existing timestamp of the key in the key storage module, and the new authorization value entered by the user replaces the existing authorization value of the key in the key storage module; the second timestamp and the key identifier are signed to generate a new timestamp certificate, which replaces the key's original timestamp certificate.
In the embodiments of the present invention, when a user requests to use a key, two determinations are made: whether the authorization value entered by the user is the same as the authorization value of the key saved in the key storage module, and whether the timestamp of the key saved in the key storage module is the same as the timestamp in the timestamp certificate of the key. The user is determined to have the right to use the key only if both results are yes. Because the timestamp in the timestamp certificate indicates the time at which the user last modified the key's authorization value, even if an attacker has copied the original key storage module (that is, the key storage module as it was before the authorization value was modified) and has obtained the authorization value from before the modification, the timestamp of the key in the original key storage module differs from the timestamp in the timestamp certificate of the key, so the attacker cannot use the key, and illegal use of the key is prevented.
To describe the technical solutions of the embodiments of the present invention more clearly, the key authorization information management method provided by the present invention is described below in detail in three phases, taking a TPM-based platform as an example:
Phase 1: key generation. In this phase, a timestamp is added to the key storage module when the key is generated, and a timestamp certificate is generated from the added timestamp. Referring to FIG. 2, this phase includes:
201. Receive a key generation request instruction entered by the user.
When the user wants to generate a key, a key generation request instruction entered by the user is received.
202. Generate a key according to the key generation request instruction, and obtain the authorization value of the key entered by the user.
Specifically, the key generation command TPM_CreateKey in the TPM may be invoked according to the key generation request instruction to generate the key. The key generated in this step includes a public key and a private key.
203. Obtain the value of the built-in monotonic counter as the first timestamp.
Specifically, the TPM_ReadCounter command (the counter read command) may be invoked to obtain the value of the built-in monotonic counter.
204. Encrypt the information that must be stored in the key storage module in encrypted form to obtain encrypted information, and save the encrypted information and the public information to the key storage module.
The information that must be stored in the key storage module in encrypted form includes the first timestamp, the authorization value, the private key and other information. The public information includes the public key, the key identifier and other information.
The key storage module includes multiple key data blocks, each of which stores the encrypted information and public information of one key. This step saves the encrypted information and the public information to one key data block in the key storage module.
205. Sign the first timestamp and the key identifier to generate a timestamp certificate, which includes the first timestamp, the key identifier and the digital signature.
Specifically, the AIK inside the TPM may be invoked to sign the first timestamp and the key identifier.
206. Save the timestamp certificate to the timestamp certificate storage module.
In this embodiment of the present invention, when a key is generated, a timestamp is obtained and saved to the key storage module outside the TPM, and a timestamp certificate is generated, so that when a user later wants to use the key, the timestamp of the key in the key storage module can be compared with the timestamp in the timestamp certificate of the key to determine whether the user has the right to use the key.
Phase 2: changing the authorization value. In this phase, a new timestamp certificate is generated when the authorization value is changed, and the new timestamp certificate replaces the original one. Referring to FIG. 3, this phase includes:
301. Receive an authorization value change instruction entered by the user.
When the user wants to change the authorization value, an authorization value change instruction entered by the user is received.
302. Load the key data block corresponding to the key from the key storage module into the TPM; the encrypted information part can be decrypted using some of the public information in the key data block (such as the public key) to obtain the authorization value, the timestamp and other information.
For the specific decryption method, refer to the prior art; it is not described again here.
303. Receive the old authorization value entered by the user.
304. Determine whether the old authorization value entered by the user is the same as the authorization value obtained by decryption. If yes, go to step 305; if no, end the process.
305. Determine that the user is allowed to modify the authorization value, and receive the new authorization value entered by the user.
Specifically, the change authorization value command TPM_ChangeAuth in the TPM may be invoked to determine whether the old authorization value entered by the user is the same as the authorization value obtained by decryption, and to receive the new authorization value entered by the user.
306. Obtain the value of the built-in monotonic counter as the second timestamp.
Specifically, the TPM_ReadCounter command may be invoked to obtain the value of the built-in monotonic counter.
307. Encrypt the information that must be stored in the key storage module in encrypted form, and replace the encrypted information of the key originally stored in the key storage module with the new encrypted information obtained.
The information that must be stored in the key storage module in encrypted form includes the second timestamp, the authorization value newly entered by the user, the private key and other information.
This step may be implemented as follows: the new encrypted information and the public information are written into the key data block of the key in the key storage module, overwriting the original encrypted information and public information in that key data block.
308. Sign the second timestamp and the key identifier to generate a new timestamp certificate, which includes the second timestamp, the key identifier and the digital signature.
Specifically, the AIK may be used to sign the second timestamp and the key identifier.
309. Replace the timestamp certificate of the key originally stored in the timestamp certificate storage module with the new timestamp certificate.
In this embodiment of the present invention, when the user changes the authorization value, a timestamp is obtained, the new timestamp replaces the timestamp of the key originally stored in the key storage module, a new timestamp certificate is generated from the new timestamp, and the new timestamp certificate replaces the key's original timestamp certificate, so that when a user later wants to use the key, the timestamp of the key in the key storage module can be compared with the timestamp in the timestamp certificate of the key to determine whether the user has the right to use the key.
Phase 3: determining the user's right to use the key. In this phase, whether the user has the right to use the key is decided by determining whether the authorization value entered by the user is the same as the authorization value of the key saved in the key storage module, and whether the timestamp of the key saved in the key storage module is the same as the timestamp in the timestamp certificate of the key. Referring to FIG. 4, this phase includes:
401. Receive a key usage request instruction entered by the user.
When the user wants to use the key, a key usage request instruction entered by the user is received.
402. Load the key data block of the key from the key storage module into the TPM, and decrypt the encrypted information part using some of the public information in the key data block (such as the public key) to obtain the authorization value, the timestamp, the key identifier and other information.
For the specific decryption method, refer to the prior art; it is not described again here.
403. Receive the authorization value of the key entered by the user.
404. Determine whether the authorization value of the key entered by the user is the same as the authorization value obtained by decryption. If yes, go to step 405; if no, go to step 409.
Specifically, the change authorization value command TPM_ChangeAuth in the TPM may be invoked to determine whether the authorization value entered by the user is the same as the authorization value obtained by decryption.
405. Obtain the timestamp certificate of the key from the timestamp certificate storage module according to the key identifier in the key data block.
406. Determine whether the timestamp certificate is legitimate. If yes, go to step 407; if no, go to step 409.
Specifically, whether the timestamp certificate is legitimate is determined according to the digital signature in the timestamp certificate. Because the AIK is a non-migratable signing key, any data signed with the AIK has been processed by the TPM and is therefore legitimate.
407. Determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key. If yes, go to step 408; if no, go to step 409.
Specifically, it is determined whether the timestamp obtained by decryption in step 401 is the same as the timestamp in the timestamp certificate of the key.
408. Determine that the user has the right to use the key, operate the key, and end the process.
409. Determine that the user does not have the right to use the key, and display an error message.
It should be noted that the position of step 406, which determines whether the timestamp certificate is legitimate, is not fixed. For example, the legitimacy of the timestamp certificate may instead be determined after determining whether the timestamps are the same. The order may be adjusted according to the actual situation (for example, according to the processing complexity and time consumption of the two steps, performing first the one that is easier to implement or takes less time), and is not limited here.
In this embodiment of the present invention, when a user requests to use a key, three determinations are made: whether the authorization value entered by the user is the same as the authorization value of the key saved in the key storage module, whether the timestamp certificate is legitimate, and whether the timestamp of the key saved in the key storage module is the same as the timestamp in the timestamp certificate of the key. The user is determined to have the right to use the key only if all three results are yes. Because the timestamp in the timestamp certificate indicates the time at which the user last modified the key's authorization value, even if an attacker has copied the original key storage module (that is, the key storage module as it was before the authorization value was modified) and has obtained the authorization value from before the modification, the timestamp of the key in the original key storage module differs from the timestamp in the timestamp certificate, so the attacker cannot use the key, and illegal use of the key is prevented.
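The three phases above, modelled as an added example in Python (not code from the patent or from any TPM library), with the authorization-only check and the timestamp check run against the same replayed key data block. `ToyTPM`, its method names and the sample values are constructed; HMAC stands in for the AIK signature, a hash-derived keystream with a MAC stands in for the protection of the key data block, and the counter is advanced before each read so that successive timestamps differ. The model assumes, as in the scenario described above, that only the key storage module is replayed while the timestamp certificate storage module holds the current certificate.

```python
import hashlib
import hmac
import json
import os


class ToyTPM:
    """Constructed model of the three phases; not a real TPM interface."""

    def __init__(self):
        self._srk = os.urandom(32)  # stand-in for the SRK protecting key data blocks
        self._aik = os.urandom(32)  # stand-in for the AIK; HMAC replaces its signature
        self._counter = 0           # stand-in for the built-in monotonic counter

    def _next_timestamp(self):
        # Assumption: the counter is advanced before it is read. The page only
        # says that the counter's current value is taken as the timestamp.
        self._counter += 1
        return self._counter

    def _seal(self, secret):
        plain = json.dumps(secret, sort_keys=True).encode()
        nonce = os.urandom(16)
        stream = hashlib.shake_256(self._srk + nonce).digest(len(plain))
        ct = bytes(a ^ b for a, b in zip(plain, stream))
        tag = hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _unseal(self, block):
        nonce, ct, tag = block[:16], block[16:-32], block[-32:]
        good = hmac.new(self._srk, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise ValueError("key data block failed its integrity check")
        stream = hashlib.shake_256(self._srk + nonce).digest(len(ct))
        return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

    def _make_cert(self, key_id, timestamp):
        msg = f"{key_id}|{timestamp}".encode()
        sig = hmac.new(self._aik, msg, hashlib.sha256).hexdigest()
        return {"key_id": key_id, "timestamp": timestamp, "sig": sig}

    def _cert_is_valid(self, cert, key_id):
        good = self._make_cert(cert["key_id"], cert["timestamp"])["sig"]
        return cert["key_id"] == key_id and hmac.compare_digest(good, cert["sig"])

    def create_key(self, key_store, cert_store, key_id, auth):
        ts = self._next_timestamp()                               # step 203
        secret = {"auth": auth, "timestamp": ts, "private": os.urandom(16).hex()}
        key_store[key_id] = self._seal(secret)                    # step 204
        cert_store[key_id] = self._make_cert(key_id, ts)          # steps 205-206

    def change_auth(self, key_store, cert_store, key_id, old_auth, new_auth):
        secret = self._unseal(key_store[key_id])                  # step 302
        if not hmac.compare_digest(secret["auth"].encode(), old_auth.encode()):
            return False                                          # step 304 fails
        secret["auth"] = new_auth
        secret["timestamp"] = self._next_timestamp()              # step 306
        key_store[key_id] = self._seal(secret)                    # step 307
        cert_store[key_id] = self._make_cert(key_id, secret["timestamp"])  # 308-309
        return True

    def use_key(self, key_store, cert_store, key_id, auth, check_timestamp=True):
        secret = self._unseal(key_store[key_id])                  # step 402
        if not hmac.compare_digest(secret["auth"].encode(), auth.encode()):
            return (False, "authorization value mismatch")        # step 404
        if not check_timestamp:                                   # prior-art behaviour
            return (True, "ok")
        cert = cert_store.get(key_id)                             # step 405
        if cert is None or not self._cert_is_valid(cert, key_id):
            return (False, "timestamp certificate invalid")       # step 406
        if cert["timestamp"] != secret["timestamp"]:
            return (False, "timestamp mismatch: stale key block")  # step 407
        return (True, "ok")                                       # step 408


def rollback_demo():
    tpm, key_store, cert_store = ToyTPM(), {}, {}
    tpm.create_key(key_store, cert_store, "key-1", "old-auth")
    old_copy = dict(key_store)  # key storage module as it was before the change
    tpm.change_auth(key_store, cert_store, "key-1", "old-auth", "new-auth")
    edited = dict(cert_store["key-1"], timestamp=1)  # certificate altered without the AIK
    return {
        "current_block_new_auth": tpm.use_key(key_store, cert_store, "key-1", "new-auth"),
        "current_block_old_auth": tpm.use_key(key_store, cert_store, "key-1", "old-auth"),
        "old_block_auth_only": tpm.use_key(old_copy, cert_store, "key-1", "old-auth", False),
        "old_block_with_timestamp": tpm.use_key(old_copy, cert_store, "key-1", "old-auth"),
        "edited_certificate": tpm.use_key(old_copy, {"key-1": edited}, "key-1", "old-auth"),
    }


if __name__ == "__main__":
    for case, result in rollback_demo().items():
        print(case, result)
```
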
参见图 5A , 本发明实施例提供了一种密钥授权信息管理装置, 包括: 授权值判断模块 501 , 用于判断用户请求使用的密钥的授权值与密钥存储 模块中所述密钥的授权值是否相同; 时间戳判断模块 502 , 用于判断密钥存储模块中所述密钥的时间戳与所述 密钥的时间戳证书中的时间戳是否相同, 所述时间戳证书中的时间戳表示用 户最后一次指定密钥授权值的时间; Referring to FIG. 5A, an embodiment of the present invention provides a key authorization information management apparatus, including: an authorization value determining module 501, configured to determine an authorization value of a key requested by a user and the key in a key storage module. Whether the authorization values are the same; The timestamp judging module 502 is configured to determine whether the timestamp of the key in the key storage module is the same as the timestamp in the timestamp certificate of the key, and the timestamp in the timestamp certificate indicates the user last time The time when the key authorization value is specified;
密钥使用确定模块 503 , 用于当所述用户请求使用的密钥的授权值与所述 密钥存储模块中所述密钥的授权值相同, 且所述密钥存储模块中所述密钥的 时间戳与所述密钥的时间戳证书中的时间戳相同时, 确定用户有权使用密钥。  a key usage determining module 503, configured to: when an authorization value of a key requested by the user is the same as an authorization value of the key in the key storage module, and the key in the key storage module When the timestamp is the same as the timestamp in the timestamp certificate of the key, it is determined that the user has the right to use the key.
具体的, 参见图 5B, 本发明实施例还包括:  Specifically, referring to FIG. 5B, the embodiment of the present invention further includes:
时间戳证书验证模块 504、 加解密模块 505、 接收处理模块 506以及时间戳 管理模块 507。  The timestamp certificate verification module 504, the encryption and decryption module 505, the reception processing module 506, and the time stamp management module 507.
本发明实施例中, 各模块可以基于 TPM平台或具有类似硬件架构的系统实 现。 以基于 TPM平台实现为例, 在本发明实施例中时间戳证书存储于时间戳证 书存储模块, 时间戳证书存储模块以及密钥存储模块均存储于独立于 TPM平台 的外部存储器(如以文件的形式存储于系统硬盘当中) 。  In the embodiments of the present invention, each module may be implemented based on a TPM platform or a system having a similar hardware architecture. For example, in the embodiment of the present invention, the timestamp certificate is stored in the timestamp certificate storage module, and the timestamp certificate storage module and the key storage module are stored in an external memory independent of the TPM platform (for example, in a file). The form is stored in the system hard drive).
其中, 密钥存储模块包括一个或多个密钥数据块, 每个密钥数据块包括 加密信息和公开信息。 加密信息包括授权值、 私钥、 时间戳和其他信息, 公 开信息包括: 密钥标识、 公钥和其他信息。  The key storage module includes one or more key data blocks, and each key data block includes encrypted information and public information. The encrypted information includes an authorized value, a private key, a timestamp, and other information, and the public information includes: a key identifier, a public key, and other information.
其中, 时间戳证书存储模块包括一个或多个时间戳证书, 其中, 每个时 间戳证书包括密钥标识、 数字签名和时间戳。 这里的数字签名可以是利用证 明身份密钥 AIK对所述时间戳和密钥标识的签名。  The timestamp certificate storage module includes one or more timestamp certificates, wherein each timestamp certificate includes a key identifier, a digital signature, and a timestamp. The digital signature here may be a signature of the timestamp and key identification using the proof of identity key AIK.
本发明实施例中, 时间戳证书验证模块 504 , 用于根据用户请求使用的密 钥的时间戳证书中的数字签名验证所述密钥的时间戳证书是否合法。 具体的, 时间戳证书验证模块 504可以在授权值判断模块 501的判断结果为是时根据所 述密钥的时间戳证书中的数字签名验证所述密钥的时间戳证书是否合法; 如 果合法, 则再通过时间戳判断模块 502对时间戳进行判断, 最后通过密钥使用 确定模块 503确定用户是否有权使用密钥; 如果不合法, 则密钥使用确定模块 503直接确定用户无权使用密钥。 需要说明的是,时间戳证书验证模块 504的位置并不固定,在具体实现中, 也可以先通过时间戳判断模块 502对时间戳进行判断, 再通过时间戳证书验证 模块 504验证时间戳证书的合法性, 可以根据实际情况进行调整(如根据两者 处理复杂度、 消耗时间, 先执行容易实现或消耗时间少的步骤) , 在此并不 限定。 In the embodiment of the present invention, the timestamp certificate verification module 504 is configured to verify whether the timestamp certificate of the key is legal according to the digital signature in the timestamp certificate of the key used by the user. Specifically, the timestamp certificate verification module 504 can verify whether the timestamp certificate of the key is legal according to the digital signature in the timestamp certificate of the key when the determination result of the authorization value judgment module 501 is YES; if legal, Then, the timestamp judgment module 502 determines the timestamp, and finally determines whether the user has the right to use the key through the key use determining module 503; if not, the key use determining module 503 directly determines that the user does not have the right to use the key. . It should be noted that the location of the timestamp certificate verification module 504 is not fixed. In a specific implementation, the timestamp determination module 502 may first determine the timestamp, and then verify the timestamp certificate by the timestamp certificate verification module 504. Legitimacy can be adjusted according to the actual situation (for example, according to the complexity and time consumption of the two, the steps that are easy to implement or consume less time are executed first), and are not limited herein.
为了在密钥生成时获取时间戳并生成时间戳证书, 本发明实施例中: 接收处理模块 506 , 用于接收用户输入的密钥生成请求指令, 并接收用户 输入的密钥的授权值;  In the embodiment of the present invention, the receiving processing module 506 is configured to receive a key generation request instruction input by the user, and receive an authorization value of the key input by the user.
时间戳管理模块 507 , 用于在接收到密钥生成请求指令后, 将计数器的当 前值作为第一时间戳; 例如, 当本发明实施例基于 TPM平台时, 可以使用 TPM 内部的单调计数器的值来作为第一时间戳;  The timestamp management module 507 is configured to: after receiving the key generation request instruction, use the current value of the counter as the first timestamp; for example, when the embodiment of the present invention is based on the TPM platform, the value of the monotonic counter inside the TPM can be used. Come as the first timestamp;
The encryption/decryption module 505 is configured to encrypt the information that is to be stored in the key storage module and requires encryption, and to save the resulting encrypted information in the key storage module, where the information to be stored in the key storage module and requiring encryption includes the first timestamp and the authorization value, and further includes the private key and other information;
The timestamp management module 507 is further configured to sign the first timestamp and the key identifier to generate a timestamp certificate, and to store the timestamp certificate in the timestamp certificate storage module.
To obtain a timestamp and generate a timestamp certificate when the authorization value is modified, in this embodiment of the present invention, the receiving processing module 506 is further configured to receive an authorization value change instruction input by the user, and to receive the new authorization value of the key input by the user;
The timestamp management module 507 is further configured to obtain, after the authorization value change instruction is received, the current value of the counter as the second timestamp;
The encryption/decryption module 505 is further configured to encrypt the information that is to be stored in the key storage module and requires encryption, and to replace the existing encrypted information of the key in the key storage module with the new encrypted information obtained by the encryption, where the information to be stored in the key storage module and requiring encryption includes the second timestamp and the new authorization value, and further includes the private key and other information;
The timestamp management module 507 is further configured to sign the second timestamp and the key identifier to generate a new timestamp certificate, and to replace the existing timestamp certificate of the key in the timestamp certificate storage module with the new timestamp certificate.
It should be noted that, besides encryption, the encryption/decryption module 505 is also used to decrypt the encrypted information in the key storage module. For example, after a relevant user instruction is received through the receiving processing module, the data in the obtained key data block is decrypted to obtain information such as the authorization value and the timestamp, for use by the authorization value judging module and the timestamp management module.
In this embodiment of the present invention, when a user requests to use a key, it is necessary to determine whether the authorization value input by the user is the same as the authorization value of that key stored in the key storage module, and whether the timestamp of that key stored in the key storage module is the same as the timestamp in the key's timestamp certificate. Only if both determinations are affirmative is the user determined to have the right to use the key. Because the timestamp in the timestamp certificate indicates the time at which the user last modified the key's authorization value, even if an attacker has copied the original key storage module (that is, the key storage module as it was before the authorization value was modified) and obtained the pre-modification authorization value, the key still cannot be used, because the timestamp of the key in the original key storage module differs from the timestamp in the key's timestamp certificate. This prevents the key from being used illegally.
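The check described above can be exercised end to end in a small model. This is an added example, not code from the patent: the class and function names are hypothetical, an HMAC under a constructed demo key stands in for the AIK signature, the key blob is left unencrypted for brevity, and the counter is assumed to advance each time a timestamp is taken.

```python
import copy
import hashlib
import hmac

AIK = b"constructed-demo-aik"  # assumption: symmetric stand-in for the AIK


class KeyAuthManager:
    """Hypothetical model of the authorization-value and timestamp checks."""

    def __init__(self):
        self.counter = 0      # counter whose current value is used as the timestamp
        self.cert_store = {}  # timestamp certificate storage module

    def _sign(self, ts, key_id):
        # Signature over (timestamp, key identifier); HMAC replaces the AIK signature.
        return hmac.new(AIK, f"{ts}|{key_id}".encode(), hashlib.sha256).digest()

    def _issue(self, key_id, auth):
        self.counter += 1     # assumption: the counter advances on every issue
        ts = self.counter
        self.cert_store[key_id] = {"ts": ts, "key_id": key_id,
                                   "sig": self._sign(ts, key_id)}
        # Key blob kept in the key storage module (encrypted in the patent).
        return {"key_id": key_id, "auth": auth, "ts": ts}

    def create_key(self, key_id, auth):
        return self._issue(key_id, auth)

    def change_auth(self, key_id, new_auth):
        return self._issue(key_id, new_auth)  # new blob and new certificate

    def authorize(self, blob, auth):
        cert = self.cert_store.get(blob["key_id"])
        if cert is None:
            return False
        # Verify the certificate signature before trusting its timestamp.
        if not hmac.compare_digest(cert["sig"], self._sign(cert["ts"], cert["key_id"])):
            return False
        auth_ok = hmac.compare_digest(auth.encode(), blob["auth"].encode())
        return auth_ok and blob["ts"] == cert["ts"]


def demo():
    dev = KeyAuthManager()
    old_blob = dev.create_key("k1", "old-secret")
    stale_copy = copy.deepcopy(old_blob)       # storage copied before the change
    new_blob = dev.change_auth("k1", "new-secret")
    results = {
        "current_blob": dev.authorize(new_blob, "new-secret"),
        "stale_blob_old_auth": dev.authorize(stale_copy, "old-secret"),
        "current_blob_old_auth": dev.authorize(new_blob, "old-secret"),
    }
    # Editing the certificate timestamp without re-signing fails verification.
    dev.cert_store["k1"]["ts"] = stale_copy["ts"]
    results["edited_cert"] = dev.authorize(stale_copy, "old-secret")
    return results


if __name__ == "__main__":
    print(demo())
```

The signature only rejects edited certificates; an older, validly signed certificate restored alongside the stale blob would still match, so the certificate store itself has to be protected against being rolled back.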
A person of ordinary skill in the art will understand that all or some of the steps of the methods in the foregoing embodiments may be completed by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk, or an optical disc.
The key authorization information management method and device provided by the embodiments of the present invention have been described in detail above. The description of the embodiments is only intended to help in understanding the method of the present invention and its core idea. Meanwhile, a person of ordinary skill in the art may, in accordance with the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as a limitation on the present invention.

Claims

1. A key authorization information management method, characterized by comprising:
determining whether the authorization value of the key that a user requests to use is the same as the authorization value of the key in the key storage module;
determining whether the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate, where the timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value;
when the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate, determining that the user has the right to use the key.
2. The method according to claim 1, characterized in that:
the timestamp certificate comprises a timestamp, a key identifier and a digital signature; the digital signature is a signature over the timestamp and the key identifier made with an attestation identity key (AIK).
3. The method according to claim 1, characterized by further comprising:
verifying, according to the digital signature in the key's timestamp certificate, whether the key's timestamp certificate is valid, and if so, determining whether the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
upon receiving a key generation request instruction input by the user, generating a key, obtaining the authorization value input by the user, obtaining the current value of a counter as a first timestamp, and encrypting the information that is to be stored in the key storage module and requires encryption and then saving it in the key storage module, where the information to be stored in the key storage module and requiring encryption includes the first timestamp and the authorization value;
signing the first timestamp and the key identifier to generate a timestamp certificate.
5. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
upon receiving an authorization value change instruction input by the user, obtaining the current value of the counter as a second timestamp, receiving the new authorization value input by the user, replacing the existing timestamp of the key in the key storage module with the second timestamp, and replacing the existing authorization value of the key in the key storage module with the new authorization value;
signing the second timestamp and the key identifier to generate a new timestamp certificate, and replacing the key's original timestamp certificate with the new timestamp certificate.
6. A key authorization information management device, characterized by comprising:
an authorization value judging module, configured to determine whether the authorization value of the key that a user requests to use is the same as the authorization value of the key in the key storage module;
a timestamp judging module, configured to determine whether the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate, where the timestamp certificate is stored in a timestamp certificate module, and the timestamp in the timestamp certificate indicates the time at which the user last specified the key's authorization value;
a key usage determining module, configured to determine that the user has the right to use the key when the authorization value of the key that the user requests to use is the same as the authorization value of the key in the key storage module, and the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate.
7. The device according to claim 6, characterized in that:
the timestamp certificate comprises a timestamp, a key identifier and a digital signature; the digital signature is a signature over the timestamp and the key identifier made with an attestation identity key (AIK).
8. The device according to claim 6, characterized by further comprising:
a timestamp certificate verification module, configured to verify, according to the digital signature in the key's timestamp certificate, whether the key's timestamp certificate is valid;
the timestamp judging module is configured to determine, when the verification result of the timestamp certificate verification module is that the key's timestamp certificate is valid, whether the timestamp of the key in the key storage module is the same as the timestamp in the key's timestamp certificate in the timestamp certificate storage module.
9. The device according to any one of claims 6 to 8, characterized by further comprising:
a receiving processing module, configured to receive a key generation request instruction input by the user, and to receive the authorization value of the key input by the user;
a timestamp management module, configured to use, after the key generation request instruction is received, the current value of the counter as a first timestamp;
an encryption/decryption module, configured to encrypt the information that is to be stored in the key storage module and requires encryption, and to save the resulting encrypted information in the key storage module;
the timestamp management module is further configured to sign the first timestamp and the key identifier to generate a timestamp certificate, and to store the timestamp certificate in the timestamp certificate storage module.
10. The device according to claim 9, characterized in that:
the receiving processing module is further configured to receive an authorization value change instruction input by the user, and to receive the new authorization value of the key input by the user;
the timestamp management module is further configured to obtain, after the authorization value change instruction is received, the current value of the counter as a second timestamp;
the encryption/decryption module is further configured to encrypt the information that is to be stored in the key storage module and requires encryption, and to replace the existing encrypted information of the key in the key storage module with the new encrypted information obtained by the encryption;
the timestamp management module is further configured to sign the second timestamp and the key identifier to generate a new timestamp certificate, and to replace the existing timestamp certificate of the key in the timestamp certificate storage module with the new timestamp certificate.
PCT/CN2010/080294 2010-06-01 2010-12-27 Method and device for key authorization information management WO2011150650A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010101924992A CN102270285B (en) 2010-06-01 2010-06-01 Key authorization information management method and device
CN201010192499.2 2010-06-01

Publications (1)

Publication Number Publication Date
WO2011150650A1 true WO2011150650A1 (en) 2011-12-08

Family

ID=45052588

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/080294 WO2011150650A1 (en) 2010-06-01 2010-12-27 Method and device for key authorization information management

Country Status (2)

Country Link
CN (1) CN102270285B (en)
WO (1) WO2011150650A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102957704B (en) * 2012-11-09 2016-02-24 北京神州绿盟信息安全科技股份有限公司 A kind ofly determine method, Apparatus and system that MITM attacks
EP3185464B1 (en) * 2015-12-21 2020-05-20 Hewlett-Packard Development Company, L.P. Key generation information trees
CN107959567B (en) * 2016-10-14 2021-07-27 阿里巴巴集团控股有限公司 Data storage method, data acquisition method, device and system
CN106529949A (en) * 2016-11-07 2017-03-22 飞天诚信科技股份有限公司 Safety payment device and method
CN107103214B (en) * 2017-04-06 2019-12-10 海信集团有限公司 Application program anti-debugging method and device applied to Android system
FR3079044B1 (en) * 2018-03-14 2020-05-22 Ledger SECURE DATA PROCESSING

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1889434A (en) * 2006-07-21 2007-01-03 胡祥义 Method for safety efficient network user identity discrimination
CN101005699A (en) * 2006-01-22 2007-07-25 华为技术有限公司 Method and system for managing terminal open platform power information
CN101202631A (en) * 2007-12-21 2008-06-18 任少华 System and method for identification authentication based on cipher key and timestamp

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101039186B (en) * 2007-05-08 2010-08-04 中国科学院软件研究所 Method for auditing safely system log
US20090217058A1 (en) * 2008-02-27 2009-08-27 Spansion Llc Secure data transfer after authentication between memory and a requester

Also Published As

Publication number Publication date
CN102270285B (en) 2013-12-04
CN102270285A (en) 2011-12-07

Similar Documents

Publication Publication Date Title
CN111010410B (en) Mimicry defense system based on certificate identity authentication and certificate signing and issuing method
CN111708991B (en) Service authorization method, device, computer equipment and storage medium
CA2904615C (en) Method and apparatus for embedding secret information in digital certificates
US11853438B2 (en) Providing cryptographically secure post-secrets-provisioning services
US20140270179A1 (en) Method and system for key generation, backup, and migration based on trusted computing
US9064129B2 (en) Managing data
US10911538B2 (en) Management of and persistent storage for nodes in a secure cluster
JP2011060311A (en) Validation of inclusion of platform within data center
JP2010514000A (en) Method for securely storing program state data in an electronic device
US20220417028A1 (en) Methods, Systems, and Devices for Server Control of Client Authorization Proof of Possession
US8538890B2 (en) Encrypting a unique cryptographic entity
US20200344075A1 (en) Secure provisioning of keys
US11190511B2 (en) Generating authentication information independent of user input
KR101817152B1 (en) Method for providing trusted right information, method for issuing user credential including trusted right information, and method for obtaining user credential
WO2011150650A1 (en) Method and device for key authorization information management
US20160335453A1 (en) Managing Data
CN115913677A (en) Block chain-based collaboration edge storage data privacy protection system and method
CN115242471A (en) Information transmission method and device, electronic equipment and computer readable storage medium
US20230376574A1 (en) Information processing device and method, and information processing system
US20240249029A1 (en) Utilizing hardware tokens in conjunction with HSM for code signing
Wu et al. Secure key management of mobile agent system using tpm-based technology on trusted computing platform
CN118631435A (en) Cluster key negotiation method based on consensus mechanism and trusted execution environment
CN118378235A (en) Storage system, system including the same, and method of operating the system
CN115438352A (en) Data processing method, device, equipment and storage medium
CN103124256A (en) Trusted cryptography module and trusted computing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10852445

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10852445

Country of ref document: EP

Kind code of ref document: A1