WO2017201809A1 - 终端通信方法及系统 - Google Patents
终端通信方法及系统 Download PDFInfo
- Publication number
- WO2017201809A1 WO2017201809A1 PCT/CN2016/087576 CN2016087576W WO2017201809A1 WO 2017201809 A1 WO2017201809 A1 WO 2017201809A1 CN 2016087576 W CN2016087576 W CN 2016087576W WO 2017201809 A1 WO2017201809 A1 WO 2017201809A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal
- server
- private key
- code
- random
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1073—Registration or de-registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- the present invention relates to the field of network security technologies, and in particular, to a method and system for terminal communication.
- Encryption protection of data is to use encryption algorithm in both communication parties.
- the data to be transmitted by the sender is encrypted according to the selected encryption algorithm and transmitted. After receiving the data, the receiver decrypts the data according to the selected decryption algorithm.
- most of the traditional mobile communication systems use a symmetric encryption algorithm.
- the symmetric encryption (also known as private key encryption) algorithm refers to an encryption algorithm that encrypts and decrypts the same key, sometimes called a traditional cryptographic algorithm.
- the encryption key can be derived from the decryption key, and the decryption key can also be derived from the encryption key.
- the encryption key and the decryption key are the same, so this encryption algorithm is also called Secret key algorithm or single key algorithm.
- the symmetric encryption algorithm requires the sender and the receiver to agree on a key before secure communication. Therefore, the security of the symmetric encryption algorithm depends on the key. Leaking the key means that anyone can decrypt the message they send or receive. , so the confidentiality of the key is critical to the security of the communication.
- the traditional symmetric encryption method has difficulty in managing keys, has poor scalability, and cannot provide problems such as preventing the repudiation function.
- a terminal communication method is applied to a terminal, and the communication method includes:
- the random number generates a session private key
- the registration of the execution terminal in the server includes:
- the registration code is stored when it is verified that the digital certificate of the server is legal.
- the method before the sending the session key generation request to the server, the method further includes:
- the encrypting operation of the identification code of the terminal and the data representing the identity of the terminal includes:
- the random number includes a random verification code and a random private key, and generating a signature private key of the terminal by using the private key of the terminal and a signature function according to the registration code and the random verification code;
- the receiving, by the server, a temporary identification code generated according to the identification code of the terminal generated by the server, and generating the temporary identification code according to the registration code, the temporary identification code, and the random number generated by the terminal includes:
- the decrypted identification code is the same as the identification code of the terminal and the decrypted random verification code is the same as the random verification code generated by the terminal, according to the registration code, the random verification code, the random private key, and the temporary identification code. Generating a session private key of the terminal.
- the signature private key of the server and the encrypted information packet of the server are obtained by the following methods:
- the server After receiving the encrypted information packet and the encryption key packet of the terminal, the server decrypts the encryption key packet by using an asymmetric encryption function and a private key of the server to obtain randomness of the terminal. Private key
- the server decrypts the encrypted information packet by using a symmetric encryption function and a random private key of the terminal to obtain a signature private key of the terminal, an identifier of the terminal, and a digital certificate of the terminal;
- the server verifies the digital certificate of the terminal by using a public key of the authentication center
- the server decrypts the signature private key of the terminal by using an authentication function and a public key of the terminal, to obtain a registration code of the terminal and a random verification code;
- the server When the terminal is legal, the server generates a temporary knowledge of the terminal according to the identification code of the terminal. a different code, and associating the identification code of the terminal with the temporary identification code;
- the server calculates a signature private key of the server by using a private key of the server and a signature function according to the registration code and a random verification code, and according to the signature private key of the server, the identification code of the terminal, and The temporary identification code calculates the encrypted information packet of the server by using the random private key of the terminal and a symmetric encryption function.
- the session public key sent by the server is obtained by performing an exclusive OR operation on the session private key of the terminal and the session private key of the second terminal.
- obtaining the session private key of the second terminal according to the session private key of the terminal and the session public key includes:
- a terminal communication method is applied to a server, and the terminal communication method includes:
- Receiving a session key generation request sent by the terminal transmitting, to the terminal, a temporary identification code generated according to the identification code of the terminal, and a random number generated and transmitted by the terminal according to the registration code, and the temporary The identification code generates a session private key of the terminal;
- the communication method further includes the step of generating the temporary identification code:
- the server decrypts the signature private key of the terminal by using an authentication function and a public key of the terminal, to obtain a registration code of the terminal and a random verification code;
- the temporary identification code of the terminal is generated according to the identification code of the terminal, and the identification code of the terminal is associated with the temporary identification code;
- the encrypted information packet and the encryption key packet of the terminal are obtained by the following methods:
- the random number includes a random verification code and a random private key, and generating a signature of the terminal by using the private key of the terminal and a signature function according to the registration code and the random verification code Private key
- a terminal communication system is applied to a terminal, the communication system comprising:
- a registration module configured to send an online registration request to the server to perform registration of the terminal in the server, and receive a registration code generated and transmitted by the server;
- a session key generation module configured to send a session key generation request to the server, receive a temporary identification code generated by the server and generated according to the identifier of the terminal, and according to the registration code, the temporary identification code And generating, by the terminal, a random number to generate a session private key;
- a communication module configured to send a request for communication with the second terminal to the server, receive a session public key sent by the server, and acquire the second terminal according to the session private key of the terminal and the session public key a session private key to communicate securely with the second terminal.
- the registration module is further configured to:
- the registration code is stored when it is verified that the digital certificate of the server is legal.
- the registration module is further configured to:
- the encrypting operation of the identification code of the terminal and the data representing the identity of the terminal includes:
- the random number includes a random verification code and a random private key, and generating a signature private key of the terminal by using the private key of the terminal and a signature function according to the registration code and the random verification code;
- the receiving, by the server, a temporary identification code generated according to the identification code of the terminal generated by the server, and generating the temporary identification code according to the registration code, the temporary identification code, and the random number generated by the terminal includes:
- the decrypted identification code is the same as the identification code of the terminal and the decrypted random verification code is the same as the random verification code generated by the terminal, according to the registration code, the random verification code, the random private key, and the temporary identification code. Generating a session private key of the terminal.
- the signature private key of the server and the encrypted information packet of the server are obtained by the following methods:
- the server After receiving the encrypted information packet and the encryption key packet of the terminal, the server decrypts the encryption key packet by using an asymmetric encryption function and a private key of the server to obtain randomness of the terminal. Private key
- the server decrypts the encrypted information packet by using a symmetric encryption function and a random private key of the terminal to obtain a signature private key of the terminal, an identifier of the terminal, and a digital certificate of the terminal;
- the server uses the public key of the authentication center to verify the digital certificate of the terminal;
- the server decrypts the signature private key of the terminal by using an authentication function and a public key of the terminal, to obtain a registration code of the terminal and a random verification code;
- the server When the terminal is legal, the server generates a temporary identification code of the terminal according to the identification code of the terminal, and associates the identification code of the terminal with the temporary identification code;
- the identification code of the terminal and the temporary identification code are used to calculate the encrypted information packet of the server by using the random private key of the terminal and a symmetric encryption function.
- the session public key sent by the server is obtained by performing an exclusive OR operation on the session private key of the terminal and the session private key of the second terminal.
- the obtaining the session private key of the second terminal according to the session private key of the terminal and the session public key includes:
- a terminal communication system is applied to a server, the communication system comprising:
- a registration module configured to receive a network registration request sent by the terminal, generate a random registration code according to the network registration request, and send the registration code to the terminal;
- a session key generation module configured to receive a session key generation request sent by the terminal, send a temporary identification code generated according to the identification code of the terminal to the terminal, and generate, according to the registration code, the terminal Transmitting the random number and the temporary identification code to generate a session private key of the terminal;
- a communication module configured to receive a request for communication with the second terminal, and send a session public key to the terminal, where the session public key is an exclusive OR of the session private key of the terminal and the second terminal The operation is obtained.
- the session key generation module is further configured to:
- the server decrypts the signature private key of the terminal by using an authentication function and a public key of the terminal, to obtain a registration code of the terminal and a random verification code;
- the temporary identification code of the terminal is generated according to the identification code of the terminal, and the identification code of the terminal is associated with the temporary identification code;
- the encrypted information packet and the encryption key packet of the terminal are obtained by the following methods:
- the random number includes a random verification code and a random private key, and generating a signature private key of the terminal by using the private key of the terminal and a signature function according to the registration code and the random verification code;
- each session private key is generated by a random number, and the eavesdropper cannot obtain any communication content through multiple comparisons, thereby ensuring the user's untrackability. Even if a session private key is stolen, it cannot continue to obtain the future session private key, and can effectively prevent replay attacks.
- FIG. 1 is a flow chart of a method of a preferred embodiment of a terminal communication method of the present invention.
- FIG. 2 is a flow chart showing the method of the registration phase of the preferred embodiment of the terminal communication method of the present invention.
- FIG. 3 is a diagram showing an example of data interaction in a registration phase of a preferred embodiment of the terminal communication method according to the present invention.
- FIG. 4 and FIG. 5 are flowcharts showing a method of a session private key generation phase in a preferred embodiment of the terminal communication method of the present invention.
- FIG. 6 is a diagram showing an example of data interaction in a session private key generation phase in a preferred embodiment of the terminal communication method according to the present invention.
- FIG. 7 is a flow chart showing the method of the secure communication phase of the preferred embodiment of the terminal communication method of the present invention.
- FIG. 8 is a diagram showing an example of a secure communication phase of a preferred embodiment of the terminal communication method of the present invention. Figure.
- FIG. 9 is a schematic diagram of an application environment of a preferred embodiment of the terminal communication system of the present invention.
- FIG. 10 is a hardware architecture diagram of the terminal of the present invention.
- Figure 11 is a functional block diagram of a preferred embodiment of the terminal communication system of the present invention.
- Signature function SIGN-enc (message, key), which is expressed as a signature operation function for message message using private key key;
- the signature function SIGN-dec (message, key), which is represented by using the public key key to perform a name-checking operation function on the message message;
- An asymmetric encryption function RSA-enc (message, key), which is expressed as an asymmetric encryption operation function for the message message using the public key key;
- An asymmetric decryption function RSA-dec (message, key), which is expressed as an asymmetric decryption operation function for the message message using a private key key;
- a symmetric encryption function AES-enc (message, key), which is expressed as a symmetric encryption operation function for message message using a private key key;
- a symmetric decryption function AES-dec (message, key), which is expressed as a symmetric decryption operation function for message message using a private key key;
- ⁇ The symbol indicates the meaning of the sum, such as SIGN-enc (A ⁇ B, key), indicating that A and B are signed using the private key key;
- ⁇ is a mathematical operation symbol, representing an exclusive OR algorithm, such as If the two values a and b are not the same, the XOR result is 1; if the two values a and b are the same, the XOR result is 0.
- FIG. 1 is a flowchart of a method for a preferred embodiment of a terminal communication method according to the present invention. According to different needs, the execution order in the flow shown in this figure can be changed, and some can be omitted.
- the terminal may be a mobile communication device, such as a mobile phone.
- the terminal is installed with a Subscriber Identity Module (SIM) card.
- SIM Subscriber Identity Module
- the SIM card is an Embedded Subscriber Identity Module (eSIM) card.
- the eSIM card directly embeds the traditional SIM card into the chip of the terminal device, instead of being added as a separate removable component to the terminal device, thereby allowing the user to select the operator package in a more flexible manner, or without Replace the operator at any time while unlocking the terminal device and purchasing a new terminal device.
- IMSI International Mobile Subscriber Identification Number
- GSM Global System for Mobile Communications
- the terminal sends an incoming network registration request to the registration server to perform registration in the registration server.
- the registration server after receiving the network registration request sent by the terminal, the registration server generates a random registration code according to the network registration request, and the registration code is associated with the registration server.
- a digital certificate CertRS is sent to the terminal.
- the S1 may further include: the terminal according to the registration service
- the server's digital certificate CertRS verifies that the registration server is legitimate.
- the digital certificate is a series of digits of the identity information of the communicating parties in the Internet communication, and provides a way to verify the identity of the communicating entity on the Internet, issued by an authority, a Certificate Authority (CA) center.
- the identity of the communicating party can be identified on the Internet.
- the terminal verifies the authenticity of the digital certificate CertRS of the registration server by using the public key of the authentication center to verify whether the registration server is legal.
- the S1 may further include: after verifying that the registration server is legal, the terminal further performs an encryption operation on the identifier of the terminal and the data representing the identity of the terminal by using an encryption function.
- the identifier of the terminal may be an IMSI of the terminal
- the data representing the identity of the terminal may be a digital certificate of the terminal and a registration code assigned by the registration server to the terminal.
- FIG. 2 and FIG. 3 A detailed implementation flowchart of the S1 can be referred to FIG. 2 and FIG. 3 and the following description of FIG. 2 and FIG.
- the terminal sends a session key generation request to the registration server, and generates a session private key according to the data transmitted by the registration server, where the session private key is generated according to the registration server and the terminal.
- the random number and the temporary identification code generated according to the identification code of the terminal are generated.
- the S2 further includes: the terminal to the registration server While transmitting the session key generation request, the identification code of the encrypted operation terminal and the data representing the identity of the terminal are further transmitted to the registration server.
- the registration server decrypts the identification code of the terminal and the data representing the identity of the terminal by using a corresponding decryption algorithm, first performing an identity authentication operation of the terminal, and determining a user identity of the terminal according to the data of the identity of the representative terminal.
- a temporary identification code such as a Temporary Mobile Subscriber Identity (TMSI)
- TMSI Temporary Mobile Subscriber Identity
- the terminal sends a request for communication with the second terminal to the registration server, receives a session public key sent by the registration server, and acquires a second terminal according to the session private key of the terminal and the session public key.
- the session private key to communicate securely with the second terminal.
- the terminal A when the terminal A communicates with the terminal B, the terminal A obtains the session private key TKB of the terminal B from the registration server by using its own session private key TKA. Similarly, terminal B can obtain the session private key TKA of terminal A with its own session private key TKB. Therefore, the terminal A and the terminal B can perform secure communication using the session private key of the other party.
- FIG. 2 it is a registration stage in a preferred embodiment of the communication method of the terminal of the present invention. Law flow chart. According to different needs, the execution order in the flow chart shown in this figure can be changed, and some can be omitted.
- the terminal After the terminal sends an incoming network registration request to the registration server to perform registration in the registration server, S10, the terminal receives the acquisition terminal identification transmitted by the registration server. A request for a code, and a digital certificate to receive the registration server and a random registration code.
- the terminal verifies the authenticity of the received digital certificate of the registration server by using the public key of the authentication center, and determines whether the digital certificate of the registration server is successfully verified in S12. When the digital certificate verification of the registration server is unsuccessful, the process is directly ended.
- the terminal When the digital certificate verification of the registration server is successful, executing S13, the terminal generates a random verification code and a random private key, and in S14, uses the private key of the terminal according to the registration code and the random verification code, and A signature function that generates a signature private key of the terminal.
- the terminal calculates an encrypted information packet by using the random private key and a symmetric encryption function according to the signature private key of the terminal, the identifier of the terminal, and the digital certificate of the terminal, and according to the random private key.
- the encryption key package is calculated using the public key of the registration server and an asymmetric encryption function.
- the terminal stores the digital certificate, the registration code, the random verification code, and the random private key of the registration server in a secure storage area of the terminal, such as a security area of the eSIM card of the terminal.
- the registration process of the terminal is divided into the following stages:
- the registration server After receiving the registration request, the registration server generates a random registration code RN1;
- the server sends a request for acquiring the terminal IMSI to the terminal, and sends the random registration code RN1 and the certificate CertRS of the registration server to the terminal;
- the terminal uses the public key of the authentication center to verify the authenticity of the registration server certificate CertRS. If the verification is successful, the random verification code RN2 and the random private key KRN are generated; otherwise, if the registration server certificate CertRS verification is unsuccessful, End the process;
- the terminal stores the registration code RN1, the random verification code RN2, the random private key KRN, and the registration server certificate CertRS in a security area of the eSIM card of the terminal.
- FIG. 4 and FIG. 5 it is a flowchart of a method for generating a session private key in a preferred embodiment of the terminal communication method of the present invention. According to different needs, the execution order in the flow chart shown in this figure can be changed, and some can be omitted.
- the terminal sends a session key generation request to the registration server, and sends the encrypted information packet and the encryption key package of the terminal to the registration server.
- the registration server decrypts the encryption key package by using an asymmetric encryption function and a private key of the server to obtain a random private key of the terminal.
- the registration server decrypts the encrypted information packet by using a symmetric encryption function and a random private key of the terminal, to obtain a signature private key of the terminal, an identifier of the terminal, and a digital certificate of the terminal.
- the registration server verifies whether the digital certificate of the terminal is authentic by using the public key of the authentication center, and determines whether the digital certificate of the terminal is successfully verified in S24. If the digital certificate verification of the terminal is unsuccessful, the process is directly ended.
- the registration server acquires the public key of the terminal from the authentication center.
- the registration server decrypts the signature private key of the terminal by using an authentication function and a public key of the terminal, to obtain a registration code of the terminal and a random verification code.
- the registration server further determines the legality of the terminal according to the registration code of the terminal, and determines whether the terminal is legal in S28.
- the terminal is not legal, and the process ends directly.
- the registration server generates a temporary identifier of the terminal according to the identifier of the terminal, associates the terminal identifier with the temporary identifier, and stores the temporary identifier and the random verification code in the In the registration server.
- the registration server calculates the signature private key of the registration server by using the registration server private key and a signature function according to the registration code and the random verification code, according to the signature private key of the registration server.
- the identification code of the terminal and the temporary identification code are used to calculate an encrypted information packet of the registration server by using a random private key of the terminal and a symmetric encryption function.
- the registration server transmits the signature private key of the registration server and the encrypted information packet of the registration server to the terminal, and generates a location according to the registration code, the random verification code, the random private key, and the temporary identification code.
- the session private key of the terminal is the public key of the terminal.
- the terminal decrypts the encrypted information packet of the registration server by using a random private key of the terminal and a symmetric decryption function, and obtains a signature private key of the registration server, an identifier of the terminal, and a temporary identification code.
- the terminal decrypts the signature private key of the registration server by using an authentication function and a public key of the registration server to obtain the registration code and the random verification code.
- the terminal determines the validity of the registration server according to the decrypted identification code and the random verification code, and determines whether the registration server is legal in S35.
- the decrypted identification code and the random verification code do not match the identification code of the terminal and the random verification code, the registration server is illegal and directly ends the process.
- the registration server When decrypting the obtained identification code and the random verification code and the identification code of the terminal and the random test When the authentication codes are matched, the registration server is legal, and S36 is executed, and the terminal generates a session private key according to the registration code, the random verification code, the random private key, and the temporary identification code.
- the process of generating a session private key can be divided into the following stages:
- the terminal sends a generate session key request to the registration server, and sends AKsim and RKrs to the registration server;
- the registration server uses the public key of the certificate authority CA to verify the authenticity of the digital certificate CertSIM of the terminal. If the verification is successful, the public key PKsim of the terminal is obtained from the authentication center CA. Otherwise, if the verification is unsuccessful, End the process;
- the registration server determines the authenticity of the decrypted registration code RN1. If the verification is successful, the registration server generates a temporary mobile subscriber identity TMSI according to the international mobile subscriber identity IMSI of the terminal, and the TMSI is associated with IMSI, further, TMSI And the random verification code RN2 is stored in the registration server; if the authenticity verification of the RN1 fails, the process ends;
- FIG. 7 a flow chart of a method for secure communication in a preferred embodiment of the terminal communication method of the present invention is shown. According to different needs, the execution order in the flow chart shown in this figure can be changed, and some can be omitted.
- the first terminal sends a request for a call with the second terminal to the registration server.
- the first terminal performs secure communication with the second terminal by using a session private key of the second terminal.
- the secure communication process can be divided into the following stages:
- the first terminal and the second terminal perform secure communication by using a session private key of the other party.
- the present invention can include three stages of user registration, generation of session private keys, and secure communication.
- the user sends an incoming network registration request to the registration server by using the terminal including the eSIM card, and the registration server generates a random number and sends it to the eSIM card terminal, and the eSIM card terminal verifies the authenticity of the registration server certificate, and performs verification.
- the relevant keys are randomly generated and stored in their own secure area.
- the eSIM card terminal then sends a generation session key generation request to the registration server.
- the registration server After the complex encryption and decryption and identity authentication operations, the registration server generates a temporary mobile subscriber identity TMSI and Generating a session private key TK according to the TMSI, wherein the TMSI is associated with an international mobile subscriber identity IMSI of the eSIM card terminal, each time temporarily moving the user Both the identification code TMSI and the session private key TK are varied.
- the registration server when a first terminal communicates with a second terminal, the registration server generates a session public key TKC of the first terminal and the second terminal, and the first terminal can obtain the private key TKA of the first terminal.
- the second terminal can obtain the session private key of the first terminal by using its own private key TKB. In this way, the first terminal and the second terminal can perform secure communication by using the session private key of the other party.
- the IMSI of the eSIM card terminal is encrypted, and the user identity is transmitted in the network in a ciphertext manner.
- the user identity is identified by the association between the IMSI and the TMSI stored in the registration server, so the eavesdropper cannot know the identity of the user and ensure the confidentiality of the user identity.
- each session private key is generated according to the random numbers RN1, RN2, KRN and the temporary mobile subscriber identity TMSI, and the eavesdropper cannot obtain any communication content through multiple comparisons, thus ensuring User's untrackability. Even if a session private key is stolen, it is impossible to continue to obtain a future session private key because each time the random numbers RN1, RN2, KRN and the temporary mobile subscriber identity TMSI are regenerated.
- FIG. 1 to FIG. 8 describe in detail the registration method, the session key generation method and the secure communication method of the terminal of the present invention, and the hardware system architecture and implementation of the communication method for realizing the above terminal are respectively described below with reference to FIGS. 9-11.
- the functional modules of the software system of the communication method of the terminal are introduced.
- FIG. 9 it is a hardware system architecture diagram of a preferred embodiment of the communication method of the terminal.
- the implementation of the communication method of the terminal consists of two major parts:
- the terminal 1 can be a mobile communication device such as a mobile phone or the like.
- the terminal 1 is installed with a Subscriber Identity Module (SIM) card.
- SIM Subscriber Identity Module
- the SIM card is an eSIM card 14.
- the eSIM card 14 is a conventional SIM card embedded directly on the chip of the terminal 1, rather than being added as a separate removable component to the terminal 1, thereby allowing the user to select the operator package in a more flexible manner, or It is not necessary to unlock the terminal 1 and purchase the new terminal 1 to replace the operator at any time.
- IMSI International Mobile Subscriber Identification Number
- GSM Global System for Mobile Communications
- the total length of the IMSI is no more than 15 digits, and the number of 0-9 is also used, wherein the MCC is the country code of the mobile subscriber, which is 3 digits, and the MCC of China is 460; the MNC is the mobile network number, by two digits or Three digits, China Mobile's Mobile Network Coding (MNC) is 00; it is used to identify the mobile communication network to which the mobile subscriber belongs; MSIN is the mobile subscriber identity to identify mobile subscribers in a mobile communication network.
- MCC country code of the mobile subscriber, which is 3 digits, and the MCC of China is 460
- the MNC is the mobile network number, by two digits or Three digits, China Mobile's Mobile Network Coding (MNC) is 00; it is used to identify the mobile communication network to which the mobile subscriber belongs
- MSIN is the mobile subscriber identity to identify mobile subscribers in a mobile communication network.
- the terminal 1 further includes a communication system 10, a communication unit 11, a memory 12, and a processor 13. It should be understood that the terminal 1 may also include other hardware or software, such as a display screen, a camera, a control circuit, etc., and is not limited to the components listed above.
- the communication unit 11 is used for information exchange between the terminal 1 and other devices, such as other terminals 1 or servers.
- the communication unit 11 may be a wireless communication module, including a Wi-Fi module, a WiMax (World Interoperability for Microwave Access) module, and a GSM (Global System for Mobile Communication) module.
- CDMA Code Division Multiple Access
- CDMA2000 Code Division Multiple Access
- CDMA2000 1x evdo WCDMA
- TD-SCDMA Time Division Multiple Access
- LTE Long Term Evolution
- HiperLAN high-performance radio
- the memory 12 is configured to store programs and various data, and during the operation of the terminal 1 Achieve high-speed, automatic access to programs or data.
- the memory 12 may be an external memory and/or an internal memory of the terminal 1. Further, the memory 12 may be a circuit having a storage function in a physical form, such as a RAM (Random-Access Memory), a FIFO (First In First Out), or the like. Alternatively, the memory 12 may also be a storage device having a physical form, such as a memory stick, a TF card (Trans-flash Card), or the like.
- the processor 13 also known as a central processing unit (CPU), is a very large-scale integrated circuit, and is a computing core (Core) and a control unit of the terminal 1.
- the function of the processor 11 is mainly to interpret program instructions and data in the processing software.
- the communication system 10 can include a plurality of functional modules consisting of program segments (see Figure 11 for details).
- the program codes of the respective program segments in the communication system 10 may be stored in the memory 12 and executed by the processor 13 to perform operations such as secure communication with other terminals 1 (see FIG. 11 for details). ).
- the server may include a registration server 2 and a certificate authority (CA) server 3.
- CA certificate authority
- the CA server 3 is an authority, a server of the CA center, and is configured to perform operations such as issuing, managing, and canceling digital certificates.
- the CA server 3 can check the identity legality of the terminal 1 and the registration server 2, and issue a digital certificate (signally signed on the certificate by mathematical means) to the terminal 1 and the registration server 2, and can authenticate the terminal 1 and the registration server 2 The legality of the digital certificate.
- the registration server 2 also includes the communication system 10 for accepting registration of each terminal 1 and implementing secure communication between the respective terminals 1.
- the registration server 2 accepts the network registration request of the terminal 1, randomly generates the registration code of the terminal 1, and generates and allocates the session private for the terminal 1 according to the random number such as the registration code generated by the terminal 1 and the registration server 2.
- Key and when communicating between the two terminals 1, generate session public keys of the two terminals 1, so that each terminal 1 can acquire the session private key of the other party according to the session public key, so as to utilize the session private key of the other party. Perform secure communication between the two terminals 1.
- the communication system 10 can be divided into a plurality of functional modules according to the functions performed by the communication system 10.
- the function module includes: a registration module 100, a session key generation module 101, and a communication module 102.
- the registration module 100 is configured to send an incoming network registration request to a registration server (hereinafter referred to as: server) 2, and receive a registration code transmitted by the server, and store the registration code after verifying that the server is legal.
- server a registration server
- the registration module 100 after the registration module 100 sends the registration request to the registration server 2, the registration module 100 receives the request for acquiring the identification code of the terminal 1 transmitted by the registration server 2, and receives the registration server. a digital certificate of 2 and a registration code; further, the registration module 100 verifies the authenticity of the digital certificate of the received registration server 2 by using the public key of the authentication center, when the digital certificate verification of the registration server 2 is successful, The registration module 100 generates a random verification code and a random private key, and generates a signature private key of the terminal by using the private key of the terminal and a signature function according to the registration code and the random verification code; further, Registration mode The block 100 calculates an encrypted information packet by using the random private key and a symmetric encryption function according to the signature private key of the terminal, the identification code of the terminal, and the digital certificate of the terminal, and uses the registration server according to the random private key.
- the public key of 2 and the asymmetric encryption function calculate the encryption key package, and store the digital certificate, the registration code, the random verification code and the random private key of the registration server 2 in the secure storage area of the terminal 1, such as the terminal 1
- the eSIM card 14 is in the secure area.
- the session key generation module 101 is configured to send a session key generation request to the registration server 2, and receive the session private key transmitted by the registration server 2.
- the session key generation module 101 transmits the encrypted information packet and the encryption key packet of the terminal 1 to the registration server 2, and receives the signature private key of the registration server 2 and the encrypted information packet of the registration server 2. Decrypting the encrypted information packet of the registration server 2 using the random private key of the terminal 1 and the symmetric decryption function to obtain a terminal identification code and a temporary identification code, using the authentication function and the public key of the registration server 2, for the registration Decrypting the signature private key of the server 2, obtaining the registration code and the random verification code, determining the legality of the registration server 2 according to the decrypted identification code and the random verification code, and decrypting the obtained identification code and random When the verification code matches the identification code of the terminal 1 and the random verification code, the session private key of the terminal 1 is generated according to the registration code, the random verification code, the random private key, and the temporary identification code.
- the registration server 2 uses the asymmetric encryption function and the private key of the registration server 2 to perform the encryption key package. Decrypting to obtain the random private key of the terminal 1, decrypting the encrypted information packet using a symmetric encryption function and the random private key of the terminal 1, to obtain the signature private key of the terminal 1, and the terminal 1 Identification code and digital certificate of the terminal 1, and using the publicity of the authentication server 3 Key, verifying whether the digital certificate of the terminal 1 is authentic; if the digital certificate verification of the terminal 1 is successful, decrypting the signature private key of the terminal 1 by using the verification function and the public key of the terminal 1 Obtaining the registration code of the terminal 1 and the random verification code, and further determining whether the terminal 1 is legal according to the registration code of the terminal 1.
- the terminal 1 When the terminal 1 is legal, the terminal 1 is generated according to the identification code of the terminal 1. a temporary identification code, associating the identification code of the terminal 1 with a temporary identification code, and calculating a signature private key of the server by using a server private key and a signature function according to the registration code and the random verification code, and according to the registration
- the signature private key of the server 2, the identification code of the terminal 1, and the temporary identification code are used to calculate the encrypted information packet of the registration server 2 by using the random private key of the terminal 1 and a symmetric encryption function.
- the registration server 2 further generates a session private key of the terminal 1 according to the registration code, the random verification code, the random private key, and the temporary identification code.
- the communication module 102 is configured to send a request for communication with the second terminal to the registration server 2, receive the session public key sent by the registration server 2, and acquire a session private key of the second terminal according to the session public key, thereby The second terminal performs secure communication.
- the disclosed system, terminal and The method can be implemented in other ways.
- the terminal embodiment described above is only illustrative.
- the division of the module is only a logical function division, and the actual implementation may have another division manner.
- each functional module in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software function modules.
- the above-described integrated unit implemented in the form of a software function module can be stored in a computer readable storage medium.
- the software function modules described above are stored in a storage medium and include instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) or a processor to perform portions of the methods described in various embodiments of the present invention. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Multimedia (AREA)
- General Business, Economics & Management (AREA)
- Business, Economics & Management (AREA)
- Power Engineering (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
一种终端通信方法,用于实现终端之间的安全通信,包括:向服务器发送入网注册请求,并接收所述服务器产生并传送的注册码;向服务器发送会话密钥产生请求,接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、临时识别码以及所述终端产生的随机数产生会话私钥;及向服务器发送与第二终端通信的请求,接收所述服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥,从而与第二终端进行安全通信。本发明还提供一种终端通信系统。本发明可以确保通信过程中的身份机密性、位置机密性以及不可跟踪性,从而保证用户的通信安全。
Description
本发明涉及网络安全技术领域,具体地,涉及一种终端通信的方法及系统。
随着科技水平的不断提升,手机己成为人们随身携带的生活必需品,逐渐地改变了人们的工作和生活方式。人们在利用手机获得了移动通信便利的同时,对通信中的信息安全也有了更高的要求。
目前,在移动通信系统中,为了确保用户间信息的安全保密性,保密通信的实现是非常重要的,这就需要对所传输的数据进行加密保护。对数据进行加密保护就是在通信双方采用加密算法,发送方将要传输的数据按选定的加密算法加密后传输,接收方收到数据后再按选定的解密算法解密后分析使用。通常,传统移动通信系统中大多数采用对称加密算法。
所述对称加密(也叫私钥加密)算法指加密和解密使用相同密钥的加密算法,有时也叫传统密码算法。在对称加密算法中,加密密钥能够从解密密钥中推算出来,同时解密密钥也可以从加密密钥中推算出来。而在大多数的对称加密算法中,加密密钥和解密密钥是相同的,所以也称这种加密算法为
秘密密钥算法或单密钥算法。对称加密算法要求发送方和接收方在安全通信之前,商定一个密钥,因此,对称加密算法的安全性依赖于密钥,泄漏密钥就意味着任何人都可以对他们发送或接收的消息解密,所以密钥的保密性对通信的安全性至关重要。
因此,传统的对称加密方式存在管理密钥困难,可扩展性差,无法提供防止抵赖功能等问题。
发明内容
鉴于以上内容,有必要提出一种终端通信方法,其可以确保通信过程中的身份机密性、位置机密性以及不可跟踪性,从而保证用户的通信安全。
一种终端通信方法,应用于终端中,所述通信方法包括:
向服务器发送入网注册请求,以执行终端在所述服务器中的注册,并接收所述服务器产生并传送的注册码;
向所述服务器发送会话密钥产生请求,接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、所述临时识别码以及所述终端产生的随机数产生会话私钥;及
向所述服务器发送与第二终端通信的请求,接收所述服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取所述第二终端的会话私钥,从而与所述第二终端进行安全通信。
本发明较佳实施例中,所述执行终端在所述服务器中的注册包括:
接收所述服务器的数字证书;及
当验证所述服务器的数字证书合法时,存储所述注册码。
本发明较佳实施例中,所述向所述服务器发送会话密钥产生请求之前还包括:
通过加密函数,对所述终端的识别码以及代表所述终端身份的数据进行加密运算,其中,所述终端的识别码为所述终端的国际移动用户识别码,以及所述代表终端身份的数据包括所述终端的数字证书以及所述注册码。
本发明较佳实施例中,所述对所述终端的识别码以及代表所述终端身份的数据进行加密运算包括:
产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;
根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;
将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
本发明较佳实施例中,所述接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、临时识别码以及所述终端产生的随机数产生会话私钥包括:
将所述终端计算出来的加密信息包以及加密密钥包传送给所述服务器;
接收所述服务器根据所述终端的加密信息包以及加密密钥包产生的所述服
务器的签名私钥以及所述服务器的加密信息包;
使用所述终端的随机私钥和对称解密函数解密所述服务器的加密信息包,得到识别码以及临时识别码;
使用验名函数和所述服务器的公钥,对所述服务器的签名私钥进行解密,得到注册码及随机验证码;
在解密得到的识别码与所述终端的识别码相同以及解密得到的随机验证码与所述终端产生的随机验证码相同时,根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端的会话私钥。
本发明较佳实施例中,所述服务器的签名私钥以及服务器的加密信息包通过下述方法得到:
所述服务器在收到所述终端的加密信息包及加密密钥包后,使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;
所述服务器使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;
所述服务器利用认证中心的公钥,验证所述终端的数字证书;
若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;
所述服务器根据所述终端的注册码判断所述终端是否合法;
在所述终端合法时,所述服务器根据所述终端的识别码生成终端的临时识
别码,并将所述终端的识别码与临时识别码相关联;
所述服务器根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包。
本发明较佳实施例中,所述服务器发送的会话公钥是将所述终端的会话私钥以及所述第二终端的会话私钥进行异或运算得到。
本发明较佳实施例中,根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥包括:
利用所述终端的会话私钥与所述会话公钥执行异或运算,得到所述第二终端的会话私钥。
一种终端通信方法,应用于服务器中,所述终端通信方法包括:
接收终端发送的入网注册请求,根据所述入网注册请求生成随机的注册码,并将所述注册码发送给所述终端;
接收所述终端发送的会话密钥产生请求,向所述终端发送根据所述终端的识别码产生的临时识别码,以及根据所述注册码,所述终端产生并传送的随机数以及所述临时识别码生成所述终端的会话私钥;及
接收所述终端发送的与第二终端通信的请求,向所述终端发送会话公钥,其中,所述会话公钥为根据所述终端以及所述第二终端的会话私钥通过异或运算得到。
本发明较佳实施例中,所述通信方法还包括产生所述临时识别码的步骤:
接收所述终端的加密信息包及加密密钥包;
使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;
使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;
利用认证中心的公钥,验证所述终端的数字证书;
若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;
根据所述终端的注册码判断所述终端的合法性;
在所述终端合法时,根据所述终端的识别码生成所述终端的临时识别码,并将所述终端的识别码与临时识别码相关联;
根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包;及
传送所述加密信息包给所述终端。
本发明较佳实施例中,所述终端的加密信息包及加密密钥包通过下述方法得到:
产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名
私钥;
根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;
将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
鉴于以上内容,还有必要提出一种终端通信系统,其可以确保通信过程中的身份机密性、位置机密性以及不可跟踪性,从而保证用户的通信安全。
一种终端通信系统,应用于终端中,所述通信系统包括:
注册模块,用于向服务器发送入网注册请求,以执行终端在所述服务器中的注册,并接收所述服务器产生并传送的注册码;
会话密钥生成模块,用于向服务器发送会话密钥产生请求,接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、所述临时识别码以及所述终端产生的随机数产生会话私钥;及
通信模块,用于向所述服务器发送与第二终端通信的请求,接收所述服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取所述第二终端的会话私钥,从而与所述第二终端进行安全通信。
本发明较佳实施例中,所述注册模块还用于:
接收所述服务器的数字证书;及
当验证所述服务器的数字证书合法时,存储所述注册码。
本发明较佳实施例中,所述的注册模块还用于:
通过加密函数,对所述终端的识别码以及代表所述终端身份的数据进行加密运算,其中,所述终端的识别码为所述终端的国际移动用户识别码,以及所述代表终端身份的数据包括所述终端的数字证书以及所述注册码。
本发明较佳实施例中,所述对所述终端的识别码以及代表所述终端身份的数据进行加密运算包括:
产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;
根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;
将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
本发明较佳实施例中,所述接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、临时识别码以及所述终端产生的随机数产生会话私钥包括:
将所述终端计算出来的加密信息包以及加密密钥包传送给所述服务器;
接收所述服务器根据所述终端的加密信息包以及加密密钥包产生的所述服务器的签名私钥以及所述服务器的加密信息包;
使用所述终端的随机私钥和对称解密函数解密所述服务器的加密信息包,得到识别码以及临时识别码;
使用验名函数和所述服务器的公钥,对所述服务器的签名私钥进行解密,得到所述注册码及随机验证码;
在解密得到的识别码与所述终端的识别码相同以及解密得到的随机验证码与所述终端产生的随机验证码相同时,根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端的会话私钥。
本发明较佳实施例中,所述服务器的签名私钥以及服务器的加密信息包通过下述方法得到:
所述服务器在收到所述终端的加密信息包及加密密钥包后,使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;
所述服务器使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;
所述服务器利用所述认证中心的公钥,对所述终端的数字证书进行验证;
若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;
所述服务器根据所述终端的注册码判断所述终端是否合法;
在所述终端合法时,所述服务器根据所述终端的识别码生成终端的临时识别码,并将所述终端的识别码与临时识别码相关联;
所述服务器根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述
终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包。
本发明较佳实施例中,所述服务器发送的会话公钥是将所述终端的会话私钥以及所述第二终端的会话私钥进行异或运算得到。
本发明较佳实施例中,所述根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥包括:
利用所述终端的会话私钥与所述会话公钥执行异或运算,得到所述第二终端的会话私钥。
一种终端通信系统,应用于服务器中,所述通信系统包括:
注册模块,用于接收终端发送的入网注册请求,根据所述入网注册请求生成随机的注册码,并将所述注册码发送给终端;
会话密钥生成模块,用于接收所述终端发送的会话密钥产生请求,向所述终端发送根据所述终端的识别码产生的临时识别码,以及根据所述注册码,所述终端产生并传送过来的随机数以及所述临时识别码生成所述终端的会话私钥;及
通信模块,用于接收终端发送的与第二终端通信的请求,向所述终端发送会话公钥,其中,所述会话公钥为所述终端以及所述第二终端的会话私钥通过异或运算得到。
本发明较佳实施例中,所述会话密钥生成模块还用于:
接收所述终端的加密信息包及加密密钥包;
使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,
以得到所述终端的随机私钥;
使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;
利用所述认证中心的公钥,对所述终端的数字证书进行验证;
若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;
根据所述终端的注册码判断所述终端的合法性;
在所述终端合法时,根据所述终端的识别码生成所述终端的临时识别码,并将所述终端的识别码与临时识别码相关联;
根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包;及
传送所述加密信息包给所述终端。
本发明较佳实施例中,所述终端的加密信息包及加密密钥包通过下述方法得到:
产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;
根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所
述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;
将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
相较于现有技术,在本发明中,每次的会话私钥都是由随机数所生成,窃听者无法通过多次比较获得任何通信的内容,保证了用户的不可跟踪性。即使某一次的会话私钥被窃取了,也无法继续获得以后的会话私钥,并可以有效防范重放攻击。
图1所示是本发明终端通信方法较佳实施例的方法流程图。
图2所示是本发明终端通信方法较佳实施例的注册阶段的方法流程图。
图3所示是本发明所述终端通信方法较佳实施例的注册阶段的数据交互示例图。
图4及图5所示是本发明终端通信方法较佳实施例的会话私钥生成阶段的方法流程图。
图6所示是本发明所述终端通信方法较佳实施例的会话私钥生成阶段的数据交互示例图。
图7所示是本发明终端通信方法较佳实施例的安全通信阶段的方法流程图。
图8所示是本发明所述终端通信方法较佳实施例的安全通信阶段的示例
图。
图9所示是本发明终端通信系统较佳实施例的应用环境示意图。
图10所示是本发明终端的硬件架构图。
图11所示是本发明终端通信系统较佳实施例的功能模块图。
主要元件符号说明
终端 1
注册服务器 2
认证中心服务器 3
通信系统 10
通信单元 11
存储器 12
处理器 13
eSIM卡 14
注册模块 100
会话密钥生成模块 101
通信模块 102
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本发明的一部分实施例,
而不是全部的实施例。
基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动的前提下所获得的所有其他实施例,都属于本发明保护的范围。
下面首先对本发明所使用的一些函数和符号进行说明:
签名函数SIGN-enc(message,key),其表示为使用私钥key对消息message进行签名操作函数;
验名函数SIGN-dec(message,key),其表示为使用公钥key对消息message进行验名操作函数;
非对称加密函数RSA-enc(message,key),其表示为使用公钥key对消息message进行非对称加密操作函数;
非对称解密函数RSA-dec(message,key),其表示为使用私钥key对消息message进行非对称解密操作函数;
对称加密函数AES-enc(message,key),其表示为使用私钥key对消息message进行对称加密操作函数;
对称解密函数AES-dec(message,key),其表示为使用私钥key对消息message进行对称解密操作函数;
※符号表示和的意思,如SIGN-enc(A※B,key)表示使用私钥key对A和B进行签名;
下面,请参考图1,是本发明终端通信方法较佳实施例的方法流程图。根据不同的需求,本图所示流程中的执行顺序可以改变,某些可以省略。
本发明较佳实施例中,所述终端可以为移动通信设备,如手机等。所述终端安装有客户识别模块(Subscriber Identity Module,SIM)卡。本发明较佳实施例中,所述SIM卡为嵌入式用户身份模块(Embedded Subscriber Identity Module,eSIM)卡。
所述eSIM卡是将传统SIM卡直接嵌入到终端设备的芯片上,而不是作为独立的可移除零部件加入终端设备中,从而,允许用户以更加灵活的方式选择运营商套餐,或者在无需解锁终端设备、购买新终端设备的前提下随时更换运营商。
所述eSIM卡中存储有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)。所述IMSI是为了在无线路径和整个全球移动通信系统(Global System for Mobile Communications,GSM)移动通信网络上正确地识别某个移动客户,而给移动客户分配的一个特定的识别码。
S1,终端向注册服务器发送入网注册请求,以执行在所述注册服务器中的注册。
在本发明较佳实施例中,所述注册服务器收到所述终端发送的入网注册请求后,根据所述入网注册请求会生成随机的注册码,并将所述注册码连同所述注册服务器的数字证书CertRS发送给所述终端。
在本发明较佳实施例中,所述S1还可包括:所述终端根据所述注册服
务器的数字证书CertRS验证所述注册服务器是否合法。
应该了解,所述数字证书就是互联网通信中标志通信各方身份信息的一串数字,提供了一种在Internet上验证通信实体身份的方式,由权威机构——认证(Certificate Authority,CA)中心发行的,可以在网上识别通信对方的身份。
在本发明较佳实施例中,所述终端通过利用所述认证中心的公钥,验证所述注册服务器的数字证书CertRS的真实性,来验证所述注册服务器是否合法。
在其他实施例中,所述S1还可包括:在验证所述注册服务器合法之后,所述终端进一步通过加密函数,对所述终端的识别码以及代表所述终端身份的数据进行加密运算。
在本实施例中,所述终端的识别码可以为所述终端的IMSI,以及所述代表终端身份的数据可以为所述终端的数字证书以及所述注册服务器分配给所述终端的注册码。
所述S1的详细实施流程图可以参阅图2以及图3以及下述对图2以及图3的描述。
S2,所述终端向所述注册服务器发送会话密钥产生请求,并根据所述注册服务器传送过来的数据产生会话私钥,其中,所述会话私钥是根据所述注册服务器以及所述终端产生的随机数以及根据所述终端的识别码产生的临时识别码而生成的。
在本发明较佳实施例中,所述S2还包括:所述终端向所述注册服务器
发送会话密钥产生请求的同时,进一步将所述经过加密运算的终端的识别码以及代表所述终端身份的数据传送给所述注册服务器。
所述注册服务器通过对应的解密算法对所述终端的识别码以及所述代表终端身份的数据进行解密后,首先进行终端的身份认证操作,当根据所述代表终端身份的数据确定终端的用户身份合法后,会根据所述终端的识别码生成临时识别码,如临时移动用户识别码(Temporary Mobile Subscriber Identity,TMSI),其中,所述生成的TMSI与所述终端的IMSI是相关联的,并根据所述TMSI生成终端的会话私钥,并经过加密运算后,将所述会话私钥传送给所述终端。
所述S2的详细流程图可以参阅图4至图6以及下述对图4至图6的描述。
S3,所述终端向所述注册服务器发送与第二终端通信的请求,接收所述注册服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥,从而与第二终端进行安全通信。
本发明较佳实施例中,当终端A与终端B进行通信时,所述终端A利用自己的会话私钥TKA从所述注册服务器获得终端B的会话私钥TKB。同理,终端B用自己的会话私钥TKB可以获得终端A的会话私钥TKA。于是,终端A与终端B就可以利用对方的会话私钥进行安全通信。
所述S3的详细流程图可以参阅图7以及图8以及下述对图7以及图8的描述。
参阅图2所示,是本发明终端的通信方法较佳实施例中的注册阶段的方
法流程图。根据不同的需求,本图所示流程图中的执行顺序可以改变,某些可以省略。
在图1所示的S1中,所述终端向所述注册服务器发送入网注册请求,以执行在所述注册服务器中的注册之后,S10,所述终端接收所述注册服务器传送过来的获取终端识别码的请求,以及接收所述注册服务器的数字证书以及随机的注册码。
S11,所述终端利用认证中心的公钥,验证所接收到的所述注册服务器的数字证书的真实性,并在S12中,判断所述注册服务器的数字证书是否验证成功。当所述注册服务器的数字证书验证不成功时,直接结束流程。
当所述注册服务器的数字证书验证成功时,执行S13,所述终端产生随机验证码及随机私钥,并在S14中,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥。
S15,所述终端根据所述终端的签名私钥、终端的识别码以及所述终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述注册服务器的公钥以及非对称加密函数计算加密密钥包。
S16,所述终端将所述注册服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中,如所述终端的eSIM卡的安全区域中。
所述注册阶段的示例,请参阅如图3所示的示意图。
所述终端的注册过程,分为以下几个阶段:
1:用户使用所述终端向所述注册服务器发送入网注册请求;
2:所述注册服务器接收到入网注册请求后,产生随机的注册码RN1;
3:服务器向终端发送请求获取终端IMSI的请求,并将所述随机的注册码RN1和所述注册服务器的证书CertRS发送到所述终端中;
4:所述终端使用认证中心的公钥验证所述注册服务器证书CertRS的真实性,如果验证成功,则产生随机验证码RN2和随机私钥KRN;否则,若注册服务器证书CertRS验证不成功,则结束此次流程;
5:在所述注册服务器证书CertRS验证成功的前提下,所述终端使用签名函数SIGN-enc(message,key)和终端私钥SKsim计算终端的签名函数SignKsim=SIGN-enc((RN1※RN2),SKsim);使用对称加密函数AES-enc(message,key)和终端产生的随机私钥KRN计算终端的加密信息包AKsim=AES-enc((SignKsim※IMSI※CertSIM),KRN);以及使用非对称加密函数RSA-enc(message,key)和服务器公钥PKrs计算终端的加密密钥包的RKrs=RSA-enc(KRN,PKrs);
6:所述终端将注册码RN1、随机验证码RN2、随机私钥KRN和所述注册服务器证书CertRS存储于所述终端的eSIM卡的安全区域中。
至此,完成一个终端的注册过程。应该可以理解,其他终端的注册过程与上述描述过程相同。
参阅图4及图5所示,是本发明终端通信方法较佳实施例中会话私钥生成阶段的方法流程图。根据不同的需求,本图所示流程图中的执行顺序可以改变,某些可以省略。
参阅图4所示:
S20,所述终端向所述注册服务器发送会话密钥产生请求,并将所述终端的加密信息包以及加密密钥包发送给所述注册服务器。
S21,所述注册服务器使用非对称加密函数和服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥。
S22,所述注册服务器使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书。
S23,所述注册服务器利用所述认证中心的公钥,验证所述终端的数字证书是否真实,并在S24中,判断所述终端的数字证书是否验证成功。若终端的数字证书验证不成功,则直接结束流程。
若所述终端的数字证书验证成功,则执行S25,所述注册服务器向所述认证中心获取所述终端的公钥。
S26,所述注册服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码。
S27,所述注册服务器进一步根据所述终端的注册码判断所述终端的合法性,并于S28中,判断所述终端是否合法。
若所述注册码并不是所述注册服务器发送的,则所述终端不合法,此时直接结束流程。
若所述注册码是所述注册服务器发送的,则所述终端合法,执行下述的图5中的S29。
参阅图5所示:
S29,所述注册服务器根据所述终端的识别码生成终端的临时识别码,并将所述终端识别码与临时识别码相关联,并将所述临时识别码及所述随机验证码存储于所述注册服务器中。
S30,所述注册服务器根据所述注册码及随机验证码,利用所述注册服务器私钥以及签名函数,计算所述注册服务器的签名私钥,根据所述所述注册服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述注册服务器的加密信息包。
S31,所述注册服务器将所述注册服务器的签名私钥以及所述注册服务器的加密信息包传送给所述终端,并根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端的会话私钥。
S32,所述终端使用终端的随机私钥和对称解密函数解密所述注册服务器的加密信息包,得到所述注册服务器的签名私钥、所述终端的识别码以及临时识别码。
S33,所述终端使用验名函数和所述注册服务器的公钥,对所述注册服务器的签名私钥进行解密,得到所述注册码及随机验证码。
S34,所述终端根据所述解密得到的识别码以及随机验证码判断所述注册服务器的合法性,并于S35中,判断所述注册服务器是否合法。当解密得到的识别码以及随机验证码与所述终端的识别码以及随机验证码不匹配时,所述注册服务器不合法,直接结束流程。
当解密得到的识别码以及随机验证码与所述终端的识别码以及随机验
证码都匹配时,所述注册服务器合法,执行S36,所述终端根据所述注册码、随机验证码、随机私钥以及临时识别码生成会话私钥。
至此,完成一个终端的会话私钥生成操作。应该理解,其他终端的会话私钥生成操作采用上述描述的相同流程执行。
所述会话私钥生成阶段的示例,请参阅图6所示的示意图。
如图6所示,生成会话私钥的过程可以分为以下几个阶段:
1:所述终端向所述注册服务器发送生成会话密钥请求,并将AKsim和RKrs发送给所述注册服务器;
2:所述注册服务器使用非对称解密函数RSA-dec(message,key)和所述注册服务器私钥SKrs计算终端的随机私钥KRN=RSA-dec(RKrs,SKrs);使用对称解密函数AES-dec(message,key)和终端生成的随机私钥KRN计算终端的密钥包SignKsim※IMSI※CertSIM=AES-dec(AKsim,KRN);
3:所述注册服务器使用认证中心CA的公钥验证所述终端的数字证书CertSIM的真实性,如果验证成功,向认证中心CA获取所述终端的公钥PKsim,否则,若验证不成功,则结束此次流程;
4:在所述终端的数字证书CertSIM验证成功后,所述注册服务器使用验名函数SIGN-dec(message,key)和终端公钥PKsim计算注册码RN1和随机验证码RN2:RN1※RN2=SIGN-dec(SignKsim,PKsim);
5:所述注册服务器判断上述解密出来的注册码RN1的真实性,如果验证成功,所述注册服务器就根据所述终端的国际移动用户识别码IMSI产生临时移动用户识别码TMSI,且将所述TMSI与IMSI相关联,进一步,将TMSI
和随机验证码RN2存储于所述注册服务器中;如果RN1的真实性验证失败,就结束此次流程;
6:在解密出来的注册码RN1验证成功后,所述注册服务器使用签名函数SIGN-enc(message,key)和所述注册服务器私钥SKrs计算SignKrs=SIGN-enc(RN1※RN2,SKrs);使用对称加密函数AES-enc(message,key)和所述终端生成的随机私钥KRN计算AKrs=AES-enc((SignKrs※IMSI※TMSI),KRN)。
7:所述注册服务器将SignKrs和AKrs发送给所述终端,并且所述注册服务器生成所述终端的会话私钥TK=RN1⊕RN2⊕KRN⊕TMSI。
8:所述终端使用对称解密函数AES-dec(message,key)和所述终端生成的随机私钥KRN计算密钥包:SignKrs※IMSI※TMSI=AES-dec(AKrs,KRN);使用验名函数SIGN-dec(message,key)和所述注册服务器公钥PKrs计算RN1※RN2=SIGN-dec(SignKrs,PKrs)。
9:所述终端判断上述解密出来的RN2和IMSI的真实性,如果RN2和IMSI验证成功,则产生会话私钥TK=RN1⊕RN2⊕KRN⊕TMSI,否则,若RN2和IMSI验证不成功,则结束此次流程。
参阅图7所示,是本发明终端通信方法较佳实施例中安全通信阶段的方法流程图。根据不同的需求,本图所示流程图中的执行顺序可以改变,某些可以省略。
S40,第一终端向注册服务器发送与第二终端通话的请求。
S41,接收所述注册服务器传送的会话公钥,并根据所述第一终端的会
话私钥以及所述会话公钥获取所述第二终端的会话私钥。
S42,所述第一终端通过所述第二终端的会话私钥与所述第二终端进行安全通信。
所述安全通信阶段的示例,请参阅图8所示的示意图。
所述安全通信过程可以分为以下几个阶段:
1:在所述第一终端与所述第二终端通话时,所述注册服务器生成会话公钥TKC=TKA⊕TKB;
2:所述第一终端用自己的私钥TKA可以获得所述第二终端的会话私钥TKB=TKC⊕TKA;
3:所述第二终端用自己的私钥TKB可以获得所述第一终端的会话私钥TKA=TKC⊕TKB;
4:所述第一终端与所述第二终端利用对方的会话私钥执行安全通信。
根据上述描述的方法流程图以及示例图可以看出,本发明可包括用户注册、生成会话私钥和安全通信三个阶段。首先,用户使用包括有eSIM卡的终端对注册服务器发送入网注册请求,所述注册服务器会生成随机数,并发送给eSIM卡终端,eSIM卡终端会验证所述注册服务器证书的真实性,当验证成功时,会随机生成相关的密钥并存储在自己的安全区域中。然后eSIM卡终端再向所述注册服务器发送生成会话密钥产生请求,所述注册服务器在经过复杂的加解密和身份认证操作后,当确定用户身份合法后,会生成临时移动用户识别码TMSI和根据所述TMSI生成会话私钥TK,其中所述TMSI与eSIM卡终端的国际移动用户识别码IMSI是相关联的,每次临时移动用户
识别码TMSI和会话私钥TK都是变化的。最后,当一个第一终端与一个第二终端进行通信时,所述注册服务器会生成所述第一终端和第二终端的会话公钥TKC,所述第一终端用自己的私钥TKA可以获得所述第二终端的会话私钥。同理,所述第二终端用自己的私钥TKB可以获得所述第一终端的会话私钥。这样所述第一终端与所述第二终端就可以利用对方的会话私钥进行安全通信。
对本发明方法的安全性进行分析:
在本发明的方法中,对eSIM卡终端的IMSI进行了加密,用户身份是以密文方式在网络中传输。当用户在获取了TMSI之后,通过保存在所述注册服务器中的IMSI与TMSI的关联对用户身份进行识别,因此窃听者无法获知用户的身份,保证用户身份的机密性。
在本发明的方法中,每次的会话私钥都是根据随机数RN1、RN2、KRN和临时移动用户识别码TMSI所生成,窃听者无法通过多次比较获得任何通信的内容,这样就保证了用户的不可跟踪性。即使某一次的会话私钥被窃取了,也无法继续获得以后的会话私钥,因为每次随机数RN1、RN2、KRN和临时移动用户识别码TMSI都重新生成。
使用本发明的方法,即使攻击者事先获得CertSIM,RN1,RN2和SignKsim,但是对于新的随机数RN1无法生成对应的新的SignKsim,因此本方法可以有效抗重放攻击。
以上所述,仅是本发明的具体实施方式,但本发明的保护范围并不局限于此,对于本领域的普通技术人员来说,在不脱离本发明创造构思的前提下,
还可以做出改进,但这些均属于本发明的保护范围。
上述图1至图8详细介绍了本发明的终端的注册方法、会话密钥生成方法以及安全通信方法,下面结合第9~11图,分别对实现上述终端的通信方法的硬件系统架构以及实现所述终端的通信方法的软件系统的功能模块进行介绍。
应该了解,所述实施例仅为说明之用,在专利申请范围上并不受此结构的限制。
如图9所示,为本发明实现所述终端的通信方法较佳实施例的硬件系统架构图。
在本发明的其中一个较佳实施例中,所述终端的通信方法的实现由两大部分构成:
一、多台终端
终端1可以为移动通信设备,如手机等。所述终端1安装有客户识别模块(Subscriber Identity Module,SIM)卡。本发明较佳实施例中,所述SIM卡为eSIM卡14。
所述eSIM卡14是将传统SIM卡直接嵌入到终端1的芯片上,而不是作为独立的可移除零部件加入终端1中,从而,允许用户以更加灵活的方式选择运营商套餐,或者在无需解锁终端1、购买新终端1的前提下随时更换运营商。
所述eSIM卡14中存储有国际移动用户识别码(International Mobile Subscriber Identification Number,IMSI)。所述IMSI是为了在无线路径和整
个全球移动通信系统(Global System for Mobile Communications,GSM)移动通信网络上正确地识别某个移动客户,而给移动客户分配的一个特定的识别码。所述IMSI的总长度不超过15位,同样使用0~9的数字,其中MCC是移动用户所属国家代号,占3位数字,中国的MCC规定为460;MNC是移动网号码,由两位或者三位数字组成,中国移动的移动网络编码(MNC)为00;用于识别移动用户所归属的移动通信网;MSIN是移动用户识别码,用以识别某一移动通信网中的移动用户。
如图10所示,所述终端1还包括通信系统10、通信单元11、存储器12以及处理器13。应该了解,所述终端1也可以包括其他硬件或者软件,例如,显示屏幕、摄像头、控制电路等,而并不限制于上述列举的部件。
所述通信单元11用于所述终端1与其他设备,如其他终端1或者服务器之间的信息交换。
所述通信单元11可以是无线通信模块,包括Wi-Fi模块,WiMax(World Interoperability for Microwave Access,即全球微波接入互操作性)模块,GSM(Global System for Mobile Communication,全球移动通信系统)模块,CDMA(Code Division Multiple Access,码分多址)模块,包括CDMA2000,CDMA,CDMA2000 1x evdo,WCDMA,TD-SCDMA等等),LTE(Long Term Evolution,长期演进)模块,HiperLAN(high-performance radio local area network,高性能无线局域网)模块、以及短距离无线传输模块,如蓝牙、Zigbee、RF等等。
所述存储器12用于存储程序和各种数据,并在所述终端1运行过程中
实现高速、自动地完成程序或数据的存取。所述存储器12可以是终端1的外部存储器和/或内部存储器。进一步地,所述存储器12可以是集成电路中没有实物形式的具有存储功能的电路,如RAM(Random-Access Memory,随机存取存储器)、FIFO(First In First Out,)等。或者,所述存储器12也可以是具有实物形式的存储设备,如内存条、TF卡(Trans-flash Card)等等。
所述处理器13又称中央处理器(CPU,Central Processing Unit),是一块超大规模的集成电路,是终端1的运算核心(Core)和控制核心(Control Unit)。处理器11的功能主要是解释程序指令以及处理软件中的数据。
所述通信系统10可以包括多个由程序段所组成的功能模块(详见图11)。所述通信系统10中的各个程序段的程序代码可以存储于所述存储器12中,并由所述处理器13所执行,以执行与其他终端1的安全通信等操作(详见图11中描述)。
二、服务器
本发明较佳实施例中,所述服务器可以包括注册服务器2以及认证(Certificate Authority,CA)服务器3。
其中,所述CA服务器3是权威机构——CA中心的服务器,用于执行数字证书的发放、管理、取消等操作。所述CA服务器3可以检查终端1以及注册服务器2的身份合法性,并签发数字证书(用数学方法在证书上签字)给终端1以及注册服务器2,并可以鉴定所述终端1以及注册服务器2的数字证书的合法性。
在本发明较佳实施例中,所述注册服务器2也包括所述通信系统10,用于接受各个终端1的注册,并实现各个终端1之间的安全通信。详细地,所述注册服务器2接受终端1的入网注册请求,随机地生成所述终端1的注册码,并根据终端1及注册服务器2产生的注册码等随机数为终端1生成并分配会话私钥,并在两个终端1之间进行通信时,生成两个终端1的会话公钥,以便每个终端1可以根据所述会话公钥获取对方的会话私钥,以利用对方的会话私钥执行两个终端1之间的安全通信。
参阅图10所示,为本发明终端通信较佳实施例的功能模块图。本实施例中,所述通信系统10根据其所执行的功能,可以被划分为多个功能模块。本实施例中,所述功能模块包括:注册模块100、会话密钥生成模块101及通信模块102。
所述注册模块100用于向注册服务器(下称:服务器)2发送入网注册请求,并接收所述服务器传送的注册码,并在验证所述服务器合法之后,存储所述注册码。
本发明较佳实施例中,所述注册模块100向注册服务器2发送入网注册请求后,会接收到所述注册服务器2传送过来的获取终端1的识别码的请求,以及接收到所述注册服务器2的数字证书以及注册码;进一步,所述注册模块100利用认证中心的公钥,验证所接收到的注册服务器2的数字证书的真实性,当所述注册服务器2的数字证书验证成功时,所述注册模块100产生随机验证码及随机私钥,并根据所述注册码、所述随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;进一步地,所述注册模
块100根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述注册服务器2的公钥以及非对称加密函数计算加密密钥包,并存储所述注册服务器2的数字证书、注册码、随机验证码及随机私钥于终端1的安全存储区域中,如所述终端1的eSIM卡14的安全区域中。
所述会话密钥生成模块101用于向注册服务器2发送会话密钥产生请求,并接收所述注册服务器2传送过来的会话私钥。
详细地,所述会话密钥生成模块101将所述终端1的加密信息包及加密密钥包发送给注册服务器2,并接收所述注册服务器2的签名私钥以及注册服务器2的加密信息包,使用终端1的随机私钥和对称解密函数解密所述注册服务器2的加密信息包,得到终端识别码以及临时识别码,使用验名函数和所述注册服务器2的公钥,对所述注册服务器2的签名私钥进行解密,得到所述注册码及随机验证码,根据所述解密得到的识别码以及随机验证码判断所述注册服务器2的合法性,并在解密得到的识别码以及随机验证码与所述终端1的识别码以及随机验证码都匹配时,根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端1的会话私钥。
本发明较佳实施例中,所述注册服务器2在收到终端1的加密信息包及加密密钥包后,使用非对称加密函数和注册服务器2的私钥,对所述加密密钥包进行解密,以得到所述终端1的随机私钥,使用对称加密函数和所述终端1的随机私钥,对所述加密信息包进行解密,以得到所述终端1的签名私钥、终端1的识别码以及终端1的数字证书,并利用所述认证服务器3的公
钥,验证所述终端1的数字证书是否真实;若所述终端1的数字证书验证成功,则使用验名函数和所述终端1的公钥,对所述终端1的签名私钥进行解密,得到所述终端1的注册码及随机验证码,进一步根据所述终端1的注册码判断所述终端1是否合法,在所述终端1合法时,根据所述终端1的识别码生成终端1的临时识别码,将所述终端1的识别码与临时识别码相关联,并根据所述注册码及随机验证码,利用服务器私钥以及签名函数,计算服务器的签名私钥,以及根据所述注册服务器2的签名私钥、所述终端1的识别码以及临时识别码,利用所述终端1的随机私钥以及对称加密函数,计算所述注册服务器2的加密信息包。
进一步地,所述注册服务器2还会根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端1的会话私钥。
所述通信模块102用于向注册服务器2发送与第二终端通信的请求,接收所述注册服务器2发送的会话公钥,并根据所述会话公钥获取第二终端的会话私钥,从而与第二终端进行安全通信。
详细地,在第一终端1与第二终端1通话时,注册服务器2生成会话公钥TKC=TKA⊕TKB;第一终端1用自己的私钥TKA可以获得第二终端1的会话私钥TKB=TKC⊕TKA,以及第二终端1用自己的私钥TKB也可以获得第一终端1的会话私钥TKA=TKC⊕TKB,于是第一终端1与第二终端1就可以利用对方的会话私钥执行安全通信。
在本发明所提供的几个实施例中,应该理解到,所揭露的系统,终端和
方法,可以通过其它的方式实现。例如,以上所描述的终端实施例仅仅是示意性的,例如,所述模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。
另外,在本发明各个实施例中的各功能模块可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能模块的形式实现。
上述以软件功能模块的形式实现的集成的单元,可以存储在计算机可读取存储介质中。上述软件功能模块存储在存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器(processor)执行本发明各个实施例所述方法的部分。
对于本领域技术人员而言,显然本发明不限于上述示范性实施例的细节,而且在不背离本发明的精神或基本特征的情况下,能够以其他的具体形式实现本发明。因此,无论从哪一点来看,均应将实施例看作是示范性的,而且是非限制性的,本发明的范围由所附权利要求而不是上述说明限定,因此旨在将落在权利要求的等同要件的含义和范围内的所有变化涵括在本发明内。不应将权利要求中的任何附图标记视为限制所涉及的权利要求。此外,显然“包括”一词不排除其他单元或,单数不排除复数。系统权利要求中陈述的多个单元或装置也可以由一个单元或装置通过软件或者硬件来实现。第一,第二等词语用来表示名称,而并不表示任何特定的顺序。
最后应说明的是,以上实施例仅用以说明本发明的技术方案而非限制,
尽管参照较佳实施例对本发明进行了详细说明,本领域的普通技术人员应当理解,可以对本发明的技术方案进行修改或等同替换,而不脱离本发明技术方案的精神和范围。
Claims (22)
- 一种终端通信方法,应用于终端中,其特征在于,所述终端通信方法包括:向服务器发送入网注册请求,以执行终端在所述服务器中的注册,并接收所述服务器产生并传送的注册码;向所述服务器发送会话密钥产生请求,接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、所述临时识别码以及所述终端产生的随机数产生会话私钥;及向所述服务器发送与第二终端通信的请求,接收所述服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取所述第二终端的会话私钥,从而与所述第二终端进行安全通信。
- 如权利要求1所述的终端通信方法,其特征在于,所述执行终端在所述服务器中的注册包括:接收所述服务器的数字证书;及当验证所述服务器的数字证书合法时,存储所述注册码。
- 如权利要求2所述的终端通信方法,其特征在于,所述向所述服务器发送会话密钥产生请求之前还包括:通过加密函数,对所述终端的识别码以及代表所述终端身份的数据进行加密运算,其中,所述终端的识别码为所述终端的国际移动用户识别码,以及所述代表终端身份的数据包括所述终端的数字证书以及所述注册码。
- 如权利要求3所述的终端通信方法,其特征在于,所述对所述终端的识别码以及代表所述终端身份的数据进行加密运算包括:产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及所述随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
- 如权利要求4所述的终端通信方法,其特征在于,所述接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、临时识别码以及所述终端产生的随机数产生会话私钥包括:将所述终端计算出来的加密信息包以及加密密钥包传送给所述服务器;接收所述服务器根据所述终端的加密信息包以及加密密钥包产生的所述服务器的签名私钥以及所述服务器的加密信息包;使用所述终端的随机私钥和对称解密函数解密所述服务器的加密信息包,得到识别码以及临时识别码;使用验名函数和所述服务器的公钥,对所述服务器的签名私钥进行解密,得到注册码及随机验证码;在解密得到的识别码与所述终端的识别码相同以及解密得到的随机验证 码与所述终端产生的随机验证码相同时,根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端的会话私钥。
- 如权利要求5所述的终端通信方法,其特征在于,所述服务器的签名私钥以及服务器的加密信息包通过下述方法得到:所述服务器在收到所述终端的加密信息包及加密密钥包后,使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;所述服务器使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;所述服务器利用认证中心的公钥,验证所述终端的数字证书;若所述终端的数字证书验证成功,则所述服务器使用验名函数及所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;所述服务器根据所述终端的注册码判断所述终端是否合法;在所述终端合法时,所述服务器根据所述终端的识别码生成终端的临时识别码,并将所述终端的识别码与临时识别码相关联;所述服务器根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包。
- 如权利要求1所述的终端通信方法,其特征在于,所述服务器发送的会 话公钥是将所述终端的会话私钥以及所述第二终端的会话私钥进行异或运算得到。
- 如权利要求7所述的终端通信方法,其特征在于,所述根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥包括:利用所述终端的会话私钥与所述会话公钥执行异或运算,得到所述第二终端的会话私钥。
- 一种终端通信系统,应用于终端中,其特征在于,所述终端通信系统包括:注册模块,用于向服务器发送入网注册请求,以执行终端在所述服务器中的注册,并接收所述服务器产生并传送的注册码;会话密钥生成模块,用于向服务器发送会话密钥产生请求,接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、所述临时识别码以及所述终端产生的随机数产生会话私钥;及通信模块,用于向所述服务器发送与第二终端通信的请求,接收所述服务器发送的会话公钥,并根据所述终端的会话私钥以及所述会话公钥获取所述第二终端的会话私钥,从而与所述第二终端进行安全通信。
- 如权利要求9所述的终端通信系统,其特征在于,所述注册模块还用于:接收所述服务器的数字证书;及当验证所述服务器的数字证书合法时,存储所述注册码。
- 如权利要求10所述的终端通信系统,其特征在于,所述的注册模块还用于:通过加密函数,对所述终端的识别码以及代表所述终端身份的数据进行加密运算,其中,所述终端的识别码为所述终端的国际移动用户识别码,以及所述代表终端身份的数据包括所述终端的数字证书以及所述注册码。
- 如权利要求11所述的终端通信系统,其特征在于,所述对所述终端的识别码以及代表所述终端身份的数据进行加密运算包括:产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及所述随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算出加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
- 如权利要求12所述的终端通信系统,其特征在于,所述接收所述服务器产生并传送的根据所述终端的识别码生成的临时识别码,并根据所述注册码、临时识别码以及所述终端产生的随机数产生会话私钥包括:将所述终端计算出来的加密信息包以及加密密钥包传送给所述服务器;接收所述服务器根据所述终端的加密信息包以及加密密钥包产生的所述服务器的签名私钥以及所述服务器的加密信息包;使用所述终端的随机私钥和对称解密函数解密所述服务器的加密信息包,得到识别码以及临时识别码;使用验名函数和所述服务器的公钥,对所述服务器的签名私钥进行解密,得到注册码及随机验证码;在解密得到的识别码与所述终端的识别码相同以及解密得到的随机验证码与所述终端产生的随机验证码相同时,根据所述注册码、随机验证码、随机私钥以及临时识别码生成所述终端的会话私钥。
- 如权利要求13所述的终端通信系统,其特征在于,所述服务器的签名私钥以及服务器的加密信息包通过下述方法得到:所述服务器在收到所述终端的加密信息包及加密密钥包后,使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;所述服务器使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;所述服务器利用所述认证中心的公钥,对所述终端的数字证书进行验证;若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;所述服务器根据所述终端的注册码判断所述终端是否合法;在所述终端合法时,所述服务器根据所述终端的识别码生成终端的临时识别码,并将所述终端的识别码与临时识别码相关联;所述服务器根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述 终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包。
- 如权利要求9所述的终端通信系统,其特征在于,所述服务器发送的会话公钥是将所述终端的会话私钥以及所述第二终端的会话私钥进行异或运算得到。
- 如权利要求15所述的终端通信系统,其特征在于,所述根据所述终端的会话私钥以及所述会话公钥获取第二终端的会话私钥包括:利用所述终端的会话私钥与所述会话公钥执行异或运算,得到所述第二终端的会话私钥。
- 一种终端通信方法,应用于服务器中,其特征在于,所述终端通信方法包括:接收终端发送的入网注册请求,根据所述入网注册请求生成随机的注册码,并将所述注册码发送给所述终端;接收所述终端发送的会话密钥产生请求,向所述终端发送根据所述终端的识别码产生的临时识别码,以及根据所述注册码,所述终端产生并传送的随机数以及所述临时识别码生成所述终端的会话私钥;及接收所述终端发送的与第二终端通信的请求,向所述终端发送会话公钥,其中,所述会话公钥为根据所述终端以及所述第二终端的会话私钥通过异或运算得到。
- 如权利要求17所述的终端通信方法,其特征在于,所述终端通信方法还包括产生所述临时识别码的步骤:接收所述终端的加密信息包及加密密钥包;使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;利用认证中心的公钥,验证所述终端的数字证书;若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;根据所述终端的注册码判断所述终端的合法性;在所述终端合法时,根据所述终端的识别码生成所述终端的临时识别码,并将所述终端的识别码与临时识别码相关联;根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包;及传送所述加密信息包给所述终端。
- 如权利要求18所述的终端通信方法,其特征在于,所述终端的加密信息包及加密密钥包通过下述方法得到:产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名 私钥;根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥,利用所述服务器的公钥以及非对称加密函数计算加密密钥包;将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
- 一种终端通信系统,应用于服务器中,其特征在于,所述通信系统包括:注册模块,用于接收终端发送的入网注册请求,根据所述入网注册请求生成随机的注册码,并将所述注册码发送给终端;会话密钥生成模块,用于接收所述终端发送的会话密钥产生请求,向所述终端发送根据所述终端的识别码产生的临时识别码,以及根据所述注册码,所述终端产生并传送过来的随机数以及所述临时识别码生成所述终端的会话私钥;及通信模块,用于接收终端发送的与第二终端通信的请求,向所述终端发送会话公钥,其中,所述会话公钥为所述终端以及所述第二终端的会话私钥通过异或运算得到。
- 如权利要求20所述的终端通信系统,其特征在于,所述会话密钥生成模块还用于:接收所述终端的加密信息包及加密密钥包;使用非对称加密函数和所述服务器的私钥,对所述加密密钥包进行解密,以得到所述终端的随机私钥;使用对称加密函数和所述终端的随机私钥,对所述加密信息包进行解密,以得到所述终端的签名私钥、终端的识别码以及终端的数字证书;利用所述认证中心的公钥,对所述终端的数字证书进行验证;若所述终端的数字证书验证成功,则所述服务器使用验名函数和所述终端的公钥,对所述终端的签名私钥进行解密,得到所述终端的注册码及随机验证码;根据所述终端的注册码判断所述终端的合法性;在所述终端合法时,根据所述终端的识别码生成所述终端的临时识别码,并将所述终端的识别码与临时识别码相关联;根据所述注册码及随机验证码,利用所述服务器的私钥以及签名函数,计算所述服务器的签名私钥,以及根据所述服务器的签名私钥、所述终端的识别码以及临时识别码,利用所述终端的随机私钥以及对称加密函数,计算所述服务器的加密信息包;及传送所述加密信息包给所述终端。
- 如权利要求21所述的终端通信方法,其特征在于,所述终端的加密信息包及加密密钥包通过下述方法得到:产生随机数,所述随机数包括随机验证码及随机私钥,根据所述注册码以及随机验证码,利用所述终端的私钥以及签名函数,生成所述终端的签名私钥;根据所述终端的签名私钥、终端的识别码以及终端的数字证书,利用所述随机私钥以及对称加密函数,计算加密信息包,以及根据所述随机私钥, 利用所述服务器的公钥以及非对称加密函数计算加密密钥包;将所述服务器的数字证书、注册码、随机验证码及随机私钥存储于所述终端的安全存储区域中。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610368125.9 | 2016-05-27 | ||
CN201610368125.9A CN106101068B (zh) | 2016-05-27 | 2016-05-27 | 终端通信方法及系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017201809A1 true WO2017201809A1 (zh) | 2017-11-30 |
Family
ID=57229424
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2016/087576 WO2017201809A1 (zh) | 2016-05-27 | 2016-06-29 | 终端通信方法及系统 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106101068B (zh) |
WO (1) | WO2017201809A1 (zh) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111132167A (zh) * | 2019-12-30 | 2020-05-08 | 全链通有限公司 | 5g用户终端接入5g网络的方法、用户终端设备及介质 |
CN111148098A (zh) * | 2019-12-30 | 2020-05-12 | 江苏全链通信息科技有限公司 | 5g终端设备注册方法、设备及存储介质 |
CN111615107A (zh) * | 2020-05-18 | 2020-09-01 | 南京南瑞信息通信科技有限公司 | 一种数据交互方法、终端及系统 |
CN112866237A (zh) * | 2021-01-15 | 2021-05-28 | 广州Tcl互联网小额贷款有限公司 | 数据通讯方法、装置、设备和存储介质 |
CN114026820A (zh) * | 2021-03-09 | 2022-02-08 | 深圳市汇顶科技股份有限公司 | 数据上传方法、数据下载方法及相关设备 |
CN115134177A (zh) * | 2022-09-02 | 2022-09-30 | 国网瑞嘉(天津)智能机器人有限公司 | 连网加密通信方法及装置、服务端设备和终端设备 |
CN115278312A (zh) * | 2022-07-21 | 2022-11-01 | 中山亿联智能科技有限公司 | 一种机顶盒信息安全传输加密方法 |
CN116132986A (zh) * | 2022-12-16 | 2023-05-16 | 中国铁塔股份有限公司 | 一种数据传输方法、电子设备及存储介质 |
CN118075036A (zh) * | 2024-04-25 | 2024-05-24 | 江西省外经贸融资担保有限公司 | 一种电子函证的认证方法、系统及计算机可读存储介质 |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108206739A (zh) * | 2016-12-16 | 2018-06-26 | 乐视汽车(北京)有限公司 | 密钥生成方法及装置 |
CN107277017A (zh) * | 2017-06-22 | 2017-10-20 | 北京洋浦伟业科技发展有限公司 | 基于加密密钥和设备指纹的权限认证方法、装置及系统 |
CN107204985A (zh) * | 2017-06-22 | 2017-09-26 | 北京洋浦伟业科技发展有限公司 | 基于加密密钥的权限认证方法、装置及系统 |
CN109698815B (zh) * | 2017-10-23 | 2021-08-31 | 中国电信股份有限公司 | 嵌入式芯片卡、卡应用服务器及应用数据传输系统和方法 |
CN109362073A (zh) * | 2018-08-29 | 2019-02-19 | 江苏龙虎网信息科技股份有限公司 | App应用防止恶意注册的方法 |
CN110896390B (zh) * | 2018-09-12 | 2021-05-11 | 华为技术有限公司 | 一种发送消息的方法、验证消息的方法、装置及通信系统 |
CN109842489B (zh) * | 2018-12-24 | 2022-07-19 | 福建联迪商用设备有限公司 | 一种实现安全通信的方法、终端及系统 |
CN110493222A (zh) * | 2019-08-20 | 2019-11-22 | 云南电网有限责任公司电力科学研究院 | 一种电力自动化终端远程管理方法及系统 |
CN110856170B (zh) * | 2019-11-18 | 2022-12-06 | 中国联合网络通信集团有限公司 | 数据传输方法、装置及物联网通信系统 |
CN111132156B (zh) * | 2019-12-30 | 2023-04-14 | 全链通有限公司 | 5g用户终端的注册方法、用户终端设备及介质 |
CN111050324B (zh) * | 2019-12-30 | 2023-04-14 | 江苏全链通信息科技有限公司 | 5g终端设备接入方法、设备及存储介质 |
CN117957813A (zh) * | 2022-08-30 | 2024-04-30 | 京东方科技集团股份有限公司 | 安全管理系统及安全管理方法 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102474509A (zh) * | 2009-07-07 | 2012-05-23 | 阿尔卡特朗讯公司 | 高效密钥管理系统和方法 |
CN105337969A (zh) * | 2015-10-19 | 2016-02-17 | 朱建龙 | 两个移动终端之间的安全通信方法 |
US20160080327A1 (en) * | 2014-09-12 | 2016-03-17 | Panasonic Intellectual Property Corporation Of America | Terminal apparatus, gateway apparatus, and relay apparatus connected to content-centric network, and communication method |
CN105450406A (zh) * | 2014-07-25 | 2016-03-30 | 华为技术有限公司 | 数据处理的方法和装置 |
CN105491076A (zh) * | 2016-01-28 | 2016-04-13 | 西安电子科技大学 | 一种面向空天信息网的异构网络端到端认证密钥交换方法 |
CN105577377A (zh) * | 2014-10-13 | 2016-05-11 | 航天信息股份有限公司 | 带密钥协商的基于身份的认证方法和系统 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101488945B (zh) * | 2008-01-14 | 2012-09-19 | 北京大唐高鸿数据网络技术有限公司 | 一种面向会话初始化协议的鉴权方法 |
CN102761870B (zh) * | 2012-07-24 | 2015-06-03 | 中兴通讯股份有限公司 | 一种终端身份验证和服务鉴权的方法、系统和终端 |
CN102882685A (zh) * | 2012-09-27 | 2013-01-16 | 东莞宇龙通信科技有限公司 | 身份认证系统及其方法 |
KR102124413B1 (ko) * | 2013-12-30 | 2020-06-19 | 삼성에스디에스 주식회사 | 아이디 기반 키 관리 시스템 및 방법 |
-
2016
- 2016-05-27 CN CN201610368125.9A patent/CN106101068B/zh active Active
- 2016-06-29 WO PCT/CN2016/087576 patent/WO2017201809A1/zh active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102474509A (zh) * | 2009-07-07 | 2012-05-23 | 阿尔卡特朗讯公司 | 高效密钥管理系统和方法 |
CN105450406A (zh) * | 2014-07-25 | 2016-03-30 | 华为技术有限公司 | 数据处理的方法和装置 |
US20160080327A1 (en) * | 2014-09-12 | 2016-03-17 | Panasonic Intellectual Property Corporation Of America | Terminal apparatus, gateway apparatus, and relay apparatus connected to content-centric network, and communication method |
CN105577377A (zh) * | 2014-10-13 | 2016-05-11 | 航天信息股份有限公司 | 带密钥协商的基于身份的认证方法和系统 |
CN105337969A (zh) * | 2015-10-19 | 2016-02-17 | 朱建龙 | 两个移动终端之间的安全通信方法 |
CN105491076A (zh) * | 2016-01-28 | 2016-04-13 | 西安电子科技大学 | 一种面向空天信息网的异构网络端到端认证密钥交换方法 |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111148098A (zh) * | 2019-12-30 | 2020-05-12 | 江苏全链通信息科技有限公司 | 5g终端设备注册方法、设备及存储介质 |
CN111132167A (zh) * | 2019-12-30 | 2020-05-08 | 全链通有限公司 | 5g用户终端接入5g网络的方法、用户终端设备及介质 |
CN111615107B (zh) * | 2020-05-18 | 2022-07-01 | 南京南瑞信息通信科技有限公司 | 一种数据交互方法、终端及系统 |
CN111615107A (zh) * | 2020-05-18 | 2020-09-01 | 南京南瑞信息通信科技有限公司 | 一种数据交互方法、终端及系统 |
CN112866237B (zh) * | 2021-01-15 | 2023-02-03 | 广州Tcl互联网小额贷款有限公司 | 数据通讯方法、装置、设备和存储介质 |
CN112866237A (zh) * | 2021-01-15 | 2021-05-28 | 广州Tcl互联网小额贷款有限公司 | 数据通讯方法、装置、设备和存储介质 |
CN114026820A (zh) * | 2021-03-09 | 2022-02-08 | 深圳市汇顶科技股份有限公司 | 数据上传方法、数据下载方法及相关设备 |
CN115278312A (zh) * | 2022-07-21 | 2022-11-01 | 中山亿联智能科技有限公司 | 一种机顶盒信息安全传输加密方法 |
CN115278312B (zh) * | 2022-07-21 | 2023-11-14 | 中山亿联智能科技有限公司 | 一种机顶盒信息安全传输加密方法 |
CN115134177A (zh) * | 2022-09-02 | 2022-09-30 | 国网瑞嘉(天津)智能机器人有限公司 | 连网加密通信方法及装置、服务端设备和终端设备 |
CN115134177B (zh) * | 2022-09-02 | 2022-11-18 | 国网瑞嘉(天津)智能机器人有限公司 | 连网加密通信方法及装置、服务端设备和终端设备 |
CN116132986A (zh) * | 2022-12-16 | 2023-05-16 | 中国铁塔股份有限公司 | 一种数据传输方法、电子设备及存储介质 |
CN118075036A (zh) * | 2024-04-25 | 2024-05-24 | 江西省外经贸融资担保有限公司 | 一种电子函证的认证方法、系统及计算机可读存储介质 |
Also Published As
Publication number | Publication date |
---|---|
CN106101068A (zh) | 2016-11-09 |
CN106101068B (zh) | 2019-06-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2017201809A1 (zh) | 终端通信方法及系统 | |
US10638321B2 (en) | Wireless network connection method and apparatus, and storage medium | |
CN106161032B (zh) | 一种身份认证的方法及装置 | |
US8837741B2 (en) | Systems and methods for encoding exchanges with a set of shared ephemeral key data | |
KR101485230B1 (ko) | 안전한 멀티 uim 인증 및 키 교환 | |
US7966000B2 (en) | Secure bootstrapping for wireless communications | |
CN101406021B (zh) | 基于sim的认证 | |
CN104754581B (zh) | 一种基于公钥密码体制的lte无线网络的安全认证方法 | |
Saxena et al. | Authentication protocol for an IoT-enabled LTE network | |
CN1929371B (zh) | 用户和外围设备协商共享密钥的方法 | |
WO2017185450A1 (zh) | 终端的认证方法及系统 | |
CN103037366B (zh) | 基于非对称密码技术的移动终端用户认证方法及移动终端 | |
CN101621794A (zh) | 一种无线应用服务系统的安全认证实现方法 | |
CN113556227B (zh) | 网络连接管理方法、装置、计算机可读介质及电子设备 | |
CN108880813A (zh) | 一种附着流程的实现方法及装置 | |
TWI568234B (zh) | 全球移動通訊網路的匿名認證方法 | |
Nikooghadam et al. | A provably secure ECC-based roaming authentication scheme for global mobility networks | |
CN105141629A (zh) | 一种基于WPA/WPA2 PSK多密码提升公用Wi-Fi网络安全性的方法 | |
CN106992866B (zh) | 一种基于nfc无证书认证的无线网络接入方法 | |
Saxena et al. | BVPSMS: A batch verification protocol for end-to-end secure SMS for mobile users | |
CN110572825A (zh) | 一种可穿戴设备认证装置及认证加密方法 | |
CN213938340U (zh) | 5g应用接入认证网络架构 | |
US9876774B2 (en) | Communication security system and method | |
CN115348578B (zh) | 一种接触者追踪方法及装置 | |
TWI514189B (zh) | 網路認證系統及其方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16902797 Country of ref document: EP Kind code of ref document: A1 |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16902797 Country of ref document: EP Kind code of ref document: A1 |