WO2024041498A1 - Secret communication processing method, first terminal, and storage medium - Google Patents


Info

Publication number
WO2024041498A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal
message
present disclosure
quantum
Prior art date
Application number
PCT/CN2023/114155
Other languages
French (fr)
Chinese (zh)
Inventor
田野
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司
Publication of WO2024041498A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/40 Network security protocols

Definitions

  • the present disclosure relates to but is not limited to the field of communications, and in particular, to a secure communication processing method, a first terminal and a computer-readable storage medium.
  • quantum random number generator generation or quantum key distribution (Quantum key distribution,
  • QKD quantum key distribution
  • the quantum keys generated by QKD are inherently random and non-replicable.
  • keys generated through traditional methods such as physical noise sources, pseudo-randomness, etc.
  • they are more secure and more difficult to be cracked by attackers. Therefore, using quantum keys instead of traditional keys in secure communication systems can ensure the security of the keys themselves, thereby improving the overall security level of the system.
  • the key agreement scheme based on the digital envelope mechanism uses an asymmetric cryptographic algorithm.
  • the asymmetric cryptographic algorithm can be cracked in polynomial time. Therefore, the key agreement scheme of the digital envelope mechanism, which is based on the asymmetric cryptographic system, has the risk of key leakage.
  • both parties in the confidential communication need to obtain the session key from the key management center respectively, and the key management center has a large processing overhead.
  • the encrypted communication service will fail and bring a bad experience to the user.
  • Embodiments of the present disclosure provide a secure communication processing method, a first terminal and a computer-readable storage medium, and provide a new solution for obtaining a session key based on a symmetric cryptography system.
  • a secure communication processing method applied to the first terminal, including:
  • in a second aspect, a first terminal includes:
  • a sending module configured to send a first message to the first device; wherein the first message includes identification information related to the first terminal and identification information related to the second terminal;
  • a receiving module configured to receive a second message sent by the first device; wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
  • the sending module is also used to send the first key to the second terminal.
  • in a third aspect, a first terminal includes:
  • Memory used to store executable instructions
  • the processor is configured to implement the above secure communication processing method when executing executable instructions stored in the memory.
  • embodiments of the present disclosure provide a chip for implementing the above-mentioned secure communication processing method; the chip includes: a processor for calling and running a computer program from a memory, so that a device equipped with the chip executes the above-mentioned secure communication processing method.
  • embodiments of the present disclosure provide a computer-readable storage medium for storing a computer program.
  • the computer program causes the computer to execute the above secure communication processing method.
  • embodiments of the present disclosure provide a computer program product, including computer program instructions, which cause a computer to execute the above secure communication processing method.
  • embodiments of the present disclosure provide a computer program that, when run on a computer, causes the computer to execute the above secure communication processing method.
  • in a scenario where the first terminal needs to conduct secure communication with the second terminal, the first terminal sends a first message including the identities of multiple parties in secure communication to the first device, such as a key request message,
  • the first device will allocate a first key, such as a session key, to the multiple parties in secure communication, and feed the session key back to the first terminal; obviously, the first device directly provides a session for the multiple terminals in secure communication based on the key request message.
  • each terminal of multiple communication parties does not need to interact with the first device to obtain the session key. Therefore, the establishment of a confidential communication service in a harsh network environment is guaranteed, the success rate of establishing a confidential communication service is improved, and at the same time, network transmission resources are saved.
  • the present disclosure provides a new scheme for obtaining session keys based on a symmetric cryptosystem, which avoids the risk of the asymmetric cryptographic algorithm being cracked by quantum computing in polynomial time based on the asymmetric cryptosystem, and improves the security of the system.
  • Figure 1 is a schematic diagram of a secure communication system according to an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart 1 of a secure communication processing method provided by an embodiment of the present disclosure
  • Figure 3 is a schematic flowchart 2 of a secure communication processing method provided by an embodiment of the present disclosure
  • Figure 4 is a schematic block diagram of a first terminal provided by an embodiment of the present disclosure.
  • Figure 5 is a schematic structural diagram of a communication device provided by an embodiment of the present disclosure.
  • Figure 6 is a schematic structural diagram of a chip provided by an embodiment of the present disclosure.
  • Figure 7 is a schematic block diagram of a secure communication system provided by an embodiment of the present disclosure.
  • Figure 1 is a schematic diagram of a secure communication system provided by an embodiment of the present disclosure.
  • the secure communication system 100 may include a terminal device 110 and a key management device 120 .
  • the key management device 120 may communicate with the terminal device 110 through the air interface. Multi-service transmission is supported between the terminal device 110 and the key management device 120.
  • various communication systems include but are not limited to the Long Term Evolution (LTE) system, LTE Time Division Duplex (TDD), Universal Mobile Telecommunication System (UMTS), Internet of Things (IoT) system, Narrow Band Internet of Things (NB-IoT) system, enhanced Machine-Type Communications (eMTC) system, the fifth generation mobile communication technology (5G) communication system, also known as the New Radio (NR) communication system, or a future communication system.
  • LTE Long Term Evolution
  • TDD Time Division Duplex
  • UMTS Universal Mobile Telecommunication System
  • IoT Internet of Things
  • NB-IoT Narrow Band Internet of Things
  • eMTC enhanced Machine-Type Communications
  • the key management device 120 is a device that communicates with each terminal device 110 in the secure communication system 100, and provides keys or key management services for services in the secure communication system 100.
  • the key management device 120 can be a unified (quantum) security service platform that provides unified key management services for a variety of different businesses; it can also be a key management platform for a specific business, for example, a (quantum) key management platform for Voice over Long-Term Evolution (VoLTE) encrypted call services, specifically providing key management services for VoLTE encrypted call services.
  • VoLTE Voice over Long-Term Evolution
  • the key management device 120 can be implemented as a terminal capable of providing key management services, such as a laptop computer, a tablet computer, a desktop computer, a mobile device (e.g., a mobile phone, a portable music player, a personal digital assistant, a portable gaming device), or an intelligent robot; it can also be implemented as a server.
  • the server may be a single server, or a server cluster, a cloud computing center, etc. composed of multiple servers.
  • the terminal device 110 includes, but is not limited to, any terminal device that is wired or wirelessly connected to the key management device 120 or other terminal devices.
  • the terminal equipment 110 may refer to an access terminal, user equipment (User Equipment, UE), user unit, user station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent, or user device.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, an IoT device, a satellite handheld terminal, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network or a terminal device in a future evolved network, etc.
  • SIP Session Initiation Protocol
  • WLL Wireless Local Loop
  • PDA Personal Digital Assistant
  • the terminal device 110 can be used for device to device (Device to Device, D2D) communication.
  • D2D Device to Device
  • Figure 1 exemplarily shows one key management device 120 and two terminal devices 110.
  • the secure communication system 100 may include multiple key management devices 120, and the management scope of each key management device 120 may include other numbers of terminal devices, which are not specifically limited in this embodiment of the disclosure.
  • FIG. 1 only illustrates the system to which the present disclosure is applicable in the form of an example.
  • the methods shown in the embodiments of the present disclosure can also be applied to other systems.
  • system and “network” are often used interchangeably herein.
  • the term “and/or” in this article is just an association relationship that describes related objects, indicating that three relationships can exist. For example, A and/or B can mean these three situations: A exists alone, A and B exist simultaneously, and B exists alone.
  • the character “/” in this article generally indicates that the related objects are in an “or” relationship.
  • the “indication” mentioned in the embodiments of the present disclosure may be a direct indication, an indirect indication, or an association relationship.
  • A indicates B, which can mean that A directly indicates B, for example, B can be obtained through A; it can also mean that A indirectly indicates B, for example, A indicates C, and B can be obtained through C; it can also mean that there is an association relationship between A and B.
  • the “correspondence” mentioned in the embodiments of the present disclosure can mean that there is a direct correspondence or indirect correspondence between the two, it can also mean that there is an associated relationship between the two, or it can mean a relationship of indicating and being indicated, or of configuring and being configured.
  • the "predefined” or “predefined rules” mentioned in the embodiments of the present disclosure can be obtained by pre-saving corresponding codes, tables or other available codes in devices (for example, including terminal devices and network devices).
  • predefined can refer to what is defined in the protocol.
  • the “protocol” may refer to a standard protocol in the communication field, which may include, for example, LTE protocol, NR protocol, and related protocols applied in future communication systems. This disclosure does not limit this.
  • terminals use digital envelopes to negotiate shared session keys between communicating parties to achieve confidential communication.
  • Digital envelopes are implemented based on asymmetric cryptography mechanisms and are widely used in secure communication systems.
  • both the calling terminal A and the called terminal B hold legal digital certificates issued by the certification authority (CA).
  • the key management center generates a shared session key for both the caller and the called party during the call establishment process, encrypts the key using the public keys of A's and B's respective certificates, and sends it to the corresponding terminal.
  • the terminal uses the private key corresponding to the certificate to decrypt to obtain the session key, and then uses a symmetric encryption algorithm to encrypt and decrypt the user's voice information to protect it.
  • terminals A and B can authenticate each other based on digital certificates, and then terminal A independently generates a session key and sends the session key to terminal B through a digital envelope, thus enabling both parties to obtain the same session key for encrypted communication.
  • a secure communication system based on symmetric cryptography requires a key management center to distribute session keys used for secure communication between its terminal devices.
  • the key management center usually uses offline filling to pre-place several symmetric keys in the secure medium/secure storage space of the terminal device; these keys are used to encrypt and protect distributed session keys.
  • when a terminal establishes an encrypted call, the key management center generates a shared session key for calling terminal A and called terminal B, and uses the symmetric keys pre-shared with terminals A and B respectively to encrypt this session key and send it to the corresponding terminal.
  • the terminal uses the corresponding symmetric key to decrypt and obtain the shared session key, thereby realizing encrypted communication between A and B.
  • the quantum key management center pre-fills the quantum symmetric key for the terminal, and generates a quantum session key for the called terminal during the encrypted call.
  • the calling terminal A and the called terminal B will each use a pre-filled quantum symmetric key to communicate with the quantum key management center to encrypt and obtain the session key.
  • the calling and called terminals need to access the key management center respectively to obtain the session key, which requires that both the calling and called terminals and the key management center maintain good network connections. If the network connection status of one end is poor, the establishment of the secure communication service will fail. Although this situation is usually not easy to happen, in order to improve the success rate of the service and ensure the establishment of confidential communication services in harsh network environments, this method that requires the establishment of dual connections should be avoided.
  • FIG 2 is a schematic flowchart of a secure communication processing method provided by an embodiment of the present disclosure. As shown in Figure 2, this method is applied to the terminal device 110 in the secure communication system 100 shown in Figure 1. The method includes:
  • Step 201 Send the first message to the first device.
  • the first message includes identification information related to the first terminal and identification information related to the second terminal.
  • the first terminal can perform confidential communication with at least one second terminal. There may be one second terminal or multiple second terminals. When there are multiple second terminals, multi-party secure communication is required.
  • confidential communications include but are not limited to encrypted calls, encrypted short messages, encrypted instant messages, encrypted audio and video conferencing, encrypted 5th Generation Mobile Communication Technology (5G) messages (for example, rich media services (Rich Communication Services, RCS) messages), encrypted intercom messages, encrypted emails, etc.
  • 5G 5th Generation Mobile Communication Technology
  • RCS Rich media services
  • the identification information may be the identification information of the terminal.
  • the identification information includes but is not limited to the Mobile Station International Integrated Services Digital Network number (MSISDN), International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI), service identification (such as the domain name of the terminal, etc.), and the service number of an application of the user (such as user IDs of chat software, communication software and other software installed on the terminal, etc.).
  • MSISDN Mobile Station International Integrated Services Digital Network number
  • IMSI International Mobile Subscriber Identity
  • IMEI International Mobile Equipment Identity
  • the first device is a device that provides keys or key management services for at least two terminals performing secure communications under a secure communication system, that is, the first device is the key management device 120 in Figure 1 .
  • the first device includes but is not limited to a Key Management Center (KMC), Key Management System (KMS), Key Service Center, Security Service Center, and key management platforms/facilities that provide services for a specific business, etc.
  • KMC/KMS can be a (quantum) key management center; it can also be a (quantum) security service platform that provides unified key management services for a variety of different businesses.
  • the parentheses here indicate that the enclosed term is optional.
  • the key management platform for a specific service includes a key management platform for (quantum) encrypted call services that provides key management services for VoLTE/VoNR encrypted call services.
  • the first device may also be called a (quantum) cryptographic security service center, a (quantum) cryptographic service center, a (quantum) security service center, a (quantum) security center, etc.
  • KMC/KMS can be deployed on the operator side or on the user side.
  • the operator manages the passwords used by users; when deployed on the user side, it is a resident deployment method. At this time, the users manage the passwords themselves, which can improve the users' control over passwords.
  • regardless of whether the first device is deployed on the operator side or the user side, the first device is independent of the mobile communication network managed by the operator and can support independent access by the terminal. In this way, since the first device is independent of the mobile communication network managed by the operator, when the terminal device initiates communication, it can access the KMC/KMS to apply for the corresponding session key for this communication without going through the operator's network processing. This parallel approach is more efficient.
  • this method has no impact on and requires no modification of the operator's network, and there is no need to set up a special server within the operator's network to manage confidential communication services, nor to set up a special server to interface with the first device, reducing the complexity of system implementation and the cost of operator construction, operation and maintenance.
  • the method of sending the first key is: in-band, out-of-band, media, signaling, data, message, control plane, user plane, etc.
  • the existing encrypted call service is implemented through the media channel based on the in-band method. Therefore, it is preferable to send the first key in the in-band method through the media plane, to be better compatible with the existing system and reduce the cost of system modification.
  • the established media plane communication channel is a one-to-many multicast/broadcast communication channel. In this way, the first key is only sent once through the established multicast/broadcast communication channel, and the other terminals can all receive it, effectively reducing the number of messages sent.
  • the first message may be a request, a response, an instruction, a response, etc.
  • the first message may also include a session identifier, a timestamp, or a sequence number.
  • the session identifier is used to distinguish different secure communication service requests, and is used as an index to associate related information of the same service request. Session IDs can be ordered or unordered, obtained according to certain rules, or randomly generated without rules. The session identifier may be generated by the first terminal or the first device.
  • the first message may carry a timestamp or a sequence number to prevent the first message from being replayed.
  • Step 202 Receive the second message sent by the first device.
  • the second message includes a first key for secure communication between the first terminal and the second terminal.
  • after receiving the first message, the first device generates the first key and sends the second message carrying the first key to the first terminal.
  • the first terminal receives the second message sent by the first device.
  • the first key may be a quantum key or an ordinary key generated by a pseudo-random number generator/physical noise source generator. If the first key is a quantum key, the quantum key can be generated through a quantum random number generator, or it can be generated through negotiation with the peer through the Quantum Key Distribution (QKD) network, and then through the QKD network node or quantum
  • QKD Quantum Key Distribution
  • the first key may be directly generated by the first device; it may also be generated by other devices associated with the first device.
  • the second message includes but is not limited to a request message, an instruction message, a response message, an acknowledgment (ACK) message, and the like.
  • the second message may also include a session identification. If the first message carries a session identifier, the session identifier in the second message may be the same as the session identifier in the first message; if the first message does not carry a session identifier, the first device may assign a session identifier to this service, which is carried in the second message and sent to the first terminal.
  • the session ID can also be called a business ID, etc.
  • the second message may also include a timestamp or sequence number to prevent the second message from being replayed.
  • Step 203 Send the first key to the second terminal.
  • the first terminal parses the second message to obtain the first key, and sends the first key to at least one second terminal. That is to say, when using the secure communication method provided by the present disclosure to process the secure communication services of at least two terminals, the terminal devices of both parties of the secure communication do not both need to access the first device, but obtain the first key through a secure single connection of one of the terminals, which can improve the success rate of establishing secure communication services.
  • when there are multiple second terminals, the first terminal can send the first key to multiple second terminals at the same time; it can also send the first key to multiple second terminals one after another.
  • the method of sending the first key includes but is not limited to in-band, out-of-band, media, signaling, data, message, control plane and user plane.
  • the encrypted call service in the related art is based on the in-band method and distributes the session key in the media channel. Therefore, the present disclosure can send the first key in the in-band method through the media channel. In this way, it is better compatible with related systems and reduces the cost of system modification.
  • the established media plane communication channel is a one-to-many multicast/broadcast communication channel. In this way, the first key is only sent once through the established multicast/broadcast communication channel, and the other terminals can all receive it, effectively reducing the number of messages sent.
  • in a scenario where the first terminal needs to conduct secure communication with the second terminal, the first terminal sends a first message including the identities of multiple parties in secure communication to the first device, such as a key request message,
  • the first device will allocate a first key, such as a session key, to the multiple parties in secure communication, and feed the session key back to the first terminal; obviously, the first device directly provides a session for the multiple terminals in secure communication based on the key request message.
  • each terminal of multiple communication parties does not need to interact with the first device to obtain the session key. Therefore, the establishment of a confidential communication service in a harsh network environment is guaranteed, the success rate of establishing a confidential communication service is improved, and at the same time, network transmission resources are saved.
  • the present disclosure provides a new scheme for obtaining session keys based on a symmetric cryptosystem, which avoids the risk of the asymmetric cryptographic algorithm being cracked by quantum computing in polynomial time based on the asymmetric cryptosystem, and improves the security of the system.
  • after both the first terminal and the second terminal receive the first key, the first terminal performs secure communication with the second terminal based on the first key.
  • the methods provided by the embodiments of the present disclosure include the following:
  • Step A1 Send the first message to the first device through the first secure channel.
  • the first secure channel may be a secure channel for data transmission between the first terminal and the first device.
  • the secure channel here can be understood as a communication channel that uses a shared key between two devices to encrypt information, protect integrity, etc., so that information can be transmitted securely between the two devices.
  • step A1 sends the first message to the first device through the first secure channel, which can be implemented by the following steps:
  • Part or all of the first message is encrypted and/or integrity protected using the second key and sent.
  • the second key is a symmetric key shared between the first terminal and the first device or a symmetric key derived based on the shared symmetric key.
  • the symmetric key may be preset in the first terminal by the first device in an offline filling manner for subsequent secure communication between the first terminal and the first device.
  • the symmetric key can be one pair or multiple pairs.
  • Symmetric keys can be generated using a (quantum) random number generator.
  • when it is agreed to use a derived key, the derived key can be obtained through formula (1).
  • $K' = \mathrm{KDF}(K, \mathrm{String}, \ldots)$ (1)
  • KDF is the key derivation function (Key Derivation Function); K is the original symmetric key; K' is the symmetric key derived based on the original symmetric key; String is a string indicating the purpose of the derived key. For example, the character string of the encryption key is "Encryption”, and the character string of the integrity protection key is "Integrity”. It should be noted that the key derivation function can also have other input parameters, such as the identification of the terminal and/or (quantum) key management center, etc.
  • part or all of the first message is encrypted and/or integrity protected using the second key, including:
  • using the second key to encrypt and/or integrity protect part or all of the first message can prevent the content of the first message from being eavesdropped and tampered with, ensuring the security of the first message.
  • Encrypting the first message may include: encrypting at least one of the identification information related to the first terminal, the identification information related to the second terminal, the session identification (optional), the timestamp and the sequence number in the first message.
  • Integrity protection of the first message may include: identification information of the first terminal, identification information of the second terminal, session identification (optional), key identification of the second key, and timestamp in the first message. At least one of the serial numbers is integrity protected.
  • After receiving the first message, the first device uses the second key to decrypt and/or verify the integrity of the partially or fully encrypted and/or integrity-protected first message, and learns that the first message is a key request for the encrypted call between the first terminal and the second terminal. The first device then assigns a session key to this encrypted call. The session key is then carried in the second message, and part or all of the second message is encrypted and/or integrity protected using the second key before being sent to the first terminal.
  • Step A2: the first terminal receives the second message sent by the first device through the first secure channel, including: the first terminal receives the second message, wherein part or all of the second message is encrypted and/or integrity protected using the second key.
  • the first terminal then uses the second key to decrypt and/or verify the integrity of part or all of the second message to obtain the first key.
  • the first key is then sent to the second terminal.
  • the first device separately encrypts and/or integrity protects the first key, including: using the second key to encrypt and/or integrity protect the first key, and/or using the third key to encrypt and/or integrity protect the first key.
  • the second key is a shared key between the first terminal and the first device
  • the third key is a shared key between the second terminal and the first device.
  • the second message sent by the first device includes: a first key that is encrypted and/or integrity protected using the second key, and/or a first key that is encrypted and/or integrity protected using the third key.
  • the second message may also include other information, such as: session identification (optional), key identification, first terminal identification, second terminal identification, timestamp, sequence number, etc.
  • the first terminal can use the second key to decrypt and/or integrity check the first key that is encrypted and/or integrity protected using the second key, and obtain the first key and other information from the second message.
  • because the first terminal does not have the third key (the third key is the shared key between the first device and the second terminal), the first terminal cannot decrypt and/or integrity check the first key that is encrypted and/or integrity protected using the third key.
  • when the first terminal sends the first key to the second terminal, it sends the first key that is encrypted and/or integrity protected using the third key. After receiving it, the second terminal uses the pre-shared third key to decrypt and/or integrity check the first key that is encrypted and/or integrity protected using the third key, and obtains the first key.
  • when the first terminal sends the first key to the second terminal, it will also send other information, such as session identification (optional), key identification, first terminal identification, second terminal identification, timestamp, sequence number, etc. After performing decryption and/or integrity verification, the second terminal can also obtain this other information in addition to the first key.
  • in this way, the transmission of the first key between the first device and the first terminal is protected, and the transmission of the first key between the first terminal and the second terminal is also protected.
  • no additional processing overhead is introduced for the first terminal.
  • the third key may be a symmetric key shared between the second terminal and the first device or a symmetric key derived based on the shared symmetric key.
  • the symmetric key may be preset in the second terminal by the first device in an offline filling manner for subsequent secure communication between the second terminal and the first device.
  • the symmetric key can be one pair or multiple pairs.
  • Symmetric keys can be generated using a (quantum) random number generator.
  • the derived key when it is agreed to use a derived key, the derived key can be obtained through formula (1).
  • K' = KDF(K, String, …)  (1)
  • KDF is the key derivation function (Key Derivation Function); K is the original symmetric key; K' is the symmetric key derived based on the original symmetric key; String is a string indicating the purpose of the derived key. For example, the character string of the encryption key is "Encryption", and the character string of the integrity protection key is "Integrity". It should be noted that the key derivation function can also have other input parameters, such as the identification of the terminal and/or (quantum) key management center, etc.
  • the shared key in the embodiment of the present disclosure may also be called a symmetric key, a basic key, a working key, a key protection key, an authentication key, an access key, etc.
  • the second message may also include: a first key that is encrypted and/or integrity protected using a fourth key, and/or a first key that is encrypted and/or integrity protected using a fifth key, ..., and/or a first key that is encrypted and/or integrity protected using an N+1th key.
  • the fourth key is the shared key between the third terminal and the first device
  • the fifth key is the shared key between the fourth terminal and the first device
  • the N+1th key is the shared key between the Nth terminal and the first device
  • N is a positive integer greater than 4.
  • the fourth key, the fifth key...the N+1th key are similar to the second key and the third key, and will not be described again here.
  • the second message includes the first key encrypted using the shared key between each corresponding terminal and the first device; the first terminal then forwards the first key to the other terminals.
  • since the first key is separately encrypted with the shared key between each corresponding terminal and the first device, the first key can be correctly received by the other terminals and the security of the first key distribution process is ensured.
  • the secure communication processing method provided by the present disclosure can be applied to secure communication services involving two terminal devices, and can also be applied to secure communication services involving multiple terminal devices. For example, it can be applied in business applications such as secure multi-party calls, multi-party secure voice/video conferences, confidential group messaging and confidential multi-party intercom.
  • after step 203 sends the first key to the second terminal, the method further includes:
  • the third message is used to indicate that the second terminal receives the first key.
  • the indication here may be that the third message includes a specific indication field, or the third message itself may indicate that the second terminal has received the first key, etc.
  • part or all of the third message may be encrypted and/or integrity protected using the first key, and then sent to the first terminal.
  • the first message, the second message, and the third message include but are not limited to feedback messages, instruction messages, response information, response messages, confirmation messages, and the like.
  • the third terminal, the fourth terminal, ..., and the Nth terminal will also return a message indicating successful receipt of the first key.
  • the second terminal to the Nth terminal may not reply with a message indicating successful receipt of the first key.
  • Figure 3 is a schematic flowchart of implementing a secure communication processing method provided by an embodiment of the present disclosure in the scenario of encrypted voice phone service.
  • Step 301 Terminal A initiates an encrypted telephone call request.
  • the calling terminal A when the user makes an encrypted phone call, the calling terminal A initiates an encrypted phone call request.
  • Step 302 Encrypted phone call connection process.
  • the calling terminal A and the called terminal B perform call connection through an application server (Application Server, AS).
  • the AS is responsible for the encrypted telephone service carried over Voice over Long-Term Evolution (VoLTE), Voice over New Radio (VoNR) or the fixed line.
  • the AS is the telephone service server in the IP Multimedia Subsystem (IMS).
  • Step 303 Terminal A sends a key request (terminal A identification, terminal B identification, session identification, K_ID_A, timestamp, HMAC_1) to the (quantum) key management center.
  • the calling terminal A sends a key request message to the (quantum) key management center to apply for a (quantum) session key for this encrypted phone call, which is used to encrypt and protect the users' voice messages.
  • the request message should carry the identification information of the calling terminal A and the called terminal B to indicate the communicating parties.
  • the request message can also carry a session identifier, which is used to distinguish different confidential communication service requests and serves as an index to associate related information of the same service request. Session IDs can be ordered or unordered, obtained according to certain rules, or randomly generated without rules. In addition, the request message can also carry timestamp or sequence number information to prevent message replay.
  • terminal A obtains an unused preconfigured (quantum) symmetric key K_A and its key identification K_ID_A locally. Afterwards, all or part of the content of the key request message is encrypted and/or integrity protected using K_A or the symmetric key K_A' derived based on K_A. For example, the identification, session identification (optional), timestamp or sequence number of the calling terminal A and/or the called terminal B are encrypted; the identification and session of the calling terminal A and/or the called terminal B are encrypted.
  • HMAC Hash-based Message Authentication Code
  • in step 303 the calling terminal A sends a key request to the (quantum) key management center; alternatively, step 303 may be the called terminal B sending a key request to the (quantum) key management center.
  • that is, the key request to the (quantum) key management center can be sent by any terminal in the secure communication.
  • K' = KDF(K, String, …).
  • KDF is the key derivation function
  • K is the original key, such as K_A
  • K' is the derived key result, such as K_A'
  • String is a string indicating the purpose of the derived key, such as "Encryption" for the encryption key, "Integrity" for the integrity protection key, etc.
  • the KDF function can also have other input parameters, such as the identification of the terminal and/or (quantum) key management center, etc.
  • Step 304 The (quantum) key management center obtains the preconfigured shared symmetric key K_A, verifies and decrypts the key request message, and generates the session key Ks.
  • after the (quantum) key management center receives the key request message, it queries, based on the calling terminal identification and key identification, the (quantum) symmetric key K_A shared with terminal A through preconfiguration, and uses K_A or the symmetric key K_A' derived based on K_A to perform integrity protection verification and decryption of the key request message. Afterwards, the freshness of the key request message is verified based on the timestamp or sequence number (if any) carried in the request message.
  • the management center queries and obtains a (quantum) symmetric key K_B shared with terminal B in a preconfigured manner and the key identification K_ID_B corresponding to K_B.
  • the (quantum) key management center generates the (quantum) session key Ks for this call.
  • the quantum session key Ks can be generated by a quantum random number generator or negotiated with the peer through the QKD network. The specific method should be determined according to the situation of this call.
  • Step 305 The (quantum) key management center sends a key response (Msg_A, HMAC_A, Msg_B, HMAC_B) to the calling terminal A.
  • the information to be provided by the (quantum) key management center to the calling terminal A includes: (quantum) session key Ks, session identifier (received from the key request message), key identification K_ID_A, calling terminal identification and called terminal identification, and/or timestamp or sequence number.
  • the (quantum) key management center uses K_A or the symmetric key K_A' derived based on K_A to encrypt and/or integrity protect all or part of the message content.
  • for example, the (quantum) session key Ks, session identification (optional) or key identification, calling terminal identification, timestamp or sequence number, etc. are encrypted; the (quantum) session key Ks, session identification (optional), key identification K_ID_A, calling terminal identification, called terminal identification, timestamp or sequence number, etc. are integrity protected, giving an integrity protection verification result such as HMAC_A.
  • the information to be provided by the (quantum) key management center to B includes: (quantum) session key Ks, session identification (received from the key request message), key identification K_ID_B, calling and called terminal identification, and/or timestamp or sequence number.
  • the (quantum) key management center uses K_B or the symmetric key K_B' derived based on K_B to encrypt and/or integrity protect all or part of the message content.
  • the (quantum) key management center returns a key response message to the calling terminal A.
  • the response message includes: the encrypted and/or integrity protected session key Ks provided to A, and related information (the related information may or may not be encrypted and/or integrity protected) (Ks and related information are denoted as Msg_A), HMAC_A, the encrypted and/or integrity protected session key Ks provided to B, and related information (the related information may or may not be encrypted and/or integrity protected) (Ks and related information are denoted as Msg_B), HMAC_B, etc.
  • the (quantum) key management center destroys the used K_A and K_B.
  • Step 306 Terminal A verifies Msg_A in the key response message and decrypts it to obtain the session key Ks.
  • the calling terminal A uses K_A or the symmetric key K_A' derived based on K_A to perform integrity protection verification and decryption of Msg_A in the key response message. Afterwards, it verifies the freshness of the Msg_A part of the key response message based on the timestamp or sequence number (if any) in Msg_A.
  • the calling terminal A obtains the (quantum) session key Ks allocated by the (quantum) key management center for this encrypted call.
  • the calling terminal A destroys the used K_A locally.
  • Step 307 Terminal A sends the session key Ks (Msg_B, HMAC_B) to terminal B.
  • the calling terminal A sends the session key Ks to the called terminal B, and the message carries relevant information provided by the (quantum) key management center to the called terminal B, including Msg_B, HMAC_B, etc., so that the called terminal B obtains the session key Ks based on Msg_B and HMAC_B.
  • if step 303 is the called terminal B sending a key request to the (quantum) key management center, then step 307 is the called terminal B forwarding Msg_A and HMAC_A provided by the (quantum) key management center to the calling terminal A, so that the calling terminal A can obtain the session key Ks and related information.
  • Step 308 Terminal B verifies Msg_B in the message and decrypts it to obtain the session key Ks.
  • the called terminal B queries locally to obtain the corresponding preconfigured (quantum) symmetric key K_B, and uses K_B or the symmetric key K_B' derived based on K_B to perform integrity protection verification and decryption of Msg_B carried in the message. Afterwards, it verifies the freshness of Msg_B based on the timestamp or sequence number (if any) in Msg_B.
  • the called terminal B obtains the (quantum) session key Ks, session ID (optional) and other information.
  • the called terminal B destroys the used K_B locally.
  • Step 309 Terminal B sends a confirmation session key (session identifier, HMAC_2) to terminal A.
  • the called terminal B returns a session key confirmation message to confirm to the calling terminal A that the (quantum) session key Ks has been successfully received.
  • the message can carry the session ID of this encrypted call (received from Msg_B), and uses Ks for encryption and/or integrity protection. In the case of integrity protection, the message should carry the corresponding integrity protection verification result HMAC_2.
  • the sending and confirming process of the session key Ks in steps 307 and 309 can be completed through any information channel method.
  • it can be a signaling channel, a data channel, a media channel, etc.
  • for example, the sending and confirming of the session key can be completed in-band through the transmission channel for the users' voice information established by the network after the called user answers; it can also be completed in-band through the signaling channel by carrying the sending and confirming information of the session key in SIP signaling; it can also be completed through an out-of-band channel by sending short messages, instant messages, SIP messages, etc.
  • Step 310 Verify the message to confirm that the called terminal's session key is successfully obtained.
  • the calling terminal A confirms that the called terminal B has successfully obtained the (quantum) session key Ks. It can be understood that the calling terminal A uses the local Ks to decrypt and/or perform integrity protection verification on the session identifier in the confirmation message. By comparing whether the decrypted session ID is consistent with the original session ID recorded locally or checking whether the integrity protection verification result is correct, the calling terminal A confirms whether the called terminal B successfully obtains the (quantum) session key Ks.
  • Step 311 Terminal A and terminal B conduct an encrypted call.
  • the calling terminal A and the called terminal B use Ks to encrypt and protect the voice information exchanged between the users, and start an encrypted call. After the call ends, the calling and called terminals destroy the (quantum) session key Ks used this time.
  • a certain number of shared (quantum) symmetric keys, such as K_A and K_B, are pre-configured between the (quantum) key management center and the terminal.
  • the shared symmetric key can be generated by the (quantum) key management center using a local (quantum) random number generator and, through offline filling, securely written into the secure media/secure storage space of the terminal for subsequent use by the terminal.
  • the shared symmetric key is used to encrypt and integrity protect the relevant information (such as session identification, (quantum) session key Ks, etc.), and provides security protection such as source authentication.
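The flow of steps 303 to 310, together with the purpose-separated derivation of formula (1), can be exercised end to end. The following is an added example, not code from the patent or its applicant: HMAC-SHA256 stands in for the unspecified KDF and integrity algorithm, a single-use XOR pad stands in for the unspecified cipher, only Ks is encrypted while the other fields are integrity protected, and all class, function and field names, the JSON encoding and the 30-second freshness window are assumptions.

```python
import hashlib, hmac, json, secrets, time

MAX_SKEW = 30  # seconds; assumed freshness window (the page gives no value)

def kdf(k: bytes, purpose: str) -> bytes:
    """Formula (1), K' = KDF(K, String): HMAC-SHA256 is an assumed stand-in KDF."""
    return hmac.new(k, purpose.encode(), hashlib.sha256).digest()

def _mac(k: bytes, body: dict) -> str:
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(kdf(k, "Integrity"), blob, hashlib.sha256).hexdigest()

def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def protect(k: bytes, fields: dict, secret: bytes = b"") -> dict:
    """Encrypt `secret` under K'("Encryption"), then MAC every field under K'("Integrity")."""
    if len(secret) > 32:
        raise ValueError("toy cipher covers at most 32 bytes")
    body = dict(fields)
    if secret:
        # Toy pad derived from a single-use key; use a real AEAD in practice.
        body["ct"] = _xor(secret, kdf(k, "Encryption")).hex()
    return {"msg": body, "hmac": _mac(k, body)}

def unprotect(k: bytes, wrapped: dict, now: float):
    """Check the HMAC, then freshness, then decrypt. Raises ValueError on failure."""
    if not hmac.compare_digest(_mac(k, wrapped["msg"]), wrapped["hmac"]):
        raise ValueError("integrity check failed")
    if abs(now - wrapped["msg"]["ts"]) > MAX_SKEW:
        raise ValueError("stale message")
    ct = bytes.fromhex(wrapped["msg"].get("ct", ""))
    return wrapped["msg"], _xor(ct, kdf(k, "Encryption"))

class KeyManagementCenter:
    def __init__(self):
        self.store = {}  # terminal id -> {key id: unused pre-shared key}

    def provision(self, terminal_id: str, key_id: str) -> bytes:
        """Offline filling: the returned key goes into the terminal's secure storage."""
        k = secrets.token_bytes(32)
        self.store.setdefault(terminal_id, {})[key_id] = k
        return k

    def handle_request(self, req: dict, now: float) -> dict:
        """Steps 304-305: verify the request under K_A, wrap Ks for A and for B."""
        m = req["msg"]
        k_a = self.store.get(m["a"], {}).get(m["kid"])
        if k_a is None:
            raise ValueError("unknown or already used key id")
        unprotect(k_a, req, now)                      # integrity + freshness
        kid_b, k_b = next(iter(self.store[m["b"]].items()))
        ks = secrets.token_bytes(32)                  # session key Ks
        common = {"a": m["a"], "b": m["b"], "sid": m["sid"], "ts": now}
        resp = {"A": protect(k_a, {**common, "kid": m["kid"]}, ks),   # Msg_A, HMAC_A
                "B": protect(k_b, {**common, "kid": kid_b}, ks)}      # Msg_B, HMAC_B
        del self.store[m["a"]][m["kid"]], self.store[m["b"]][kid_b]   # destroy K_A, K_B
        return resp

def run_call(tamper: bool = False) -> bool:
    """Steps 303-310 for constructed terminals "A" and "B"; True if B's confirmation verifies."""
    now = time.time()
    kmc = KeyManagementCenter()
    keys_a = {"KID_A1": kmc.provision("A", "KID_A1")}  # A's secure storage
    keys_b = {"KID_B1": kmc.provision("B", "KID_B1")}  # B's secure storage
    sid = secrets.token_hex(8)
    # Step 303: key request carrying HMAC_1 computed under K_A'.
    req = protect(keys_a["KID_A1"],
                  {"a": "A", "b": "B", "sid": sid, "kid": "KID_A1", "ts": now})
    resp = kmc.handle_request(req, now)
    # Step 306: A verifies Msg_A, recovers Ks and destroys K_A.
    msg_a, ks_a = unprotect(keys_a.pop("KID_A1"), resp["A"], now)
    if msg_a["sid"] != sid or len(ks_a) != 32:
        raise ValueError("unexpected key response")
    # Step 307: A forwards (Msg_B, HMAC_B) as received; it holds no K_B.
    fwd = resp["B"]
    if tamper:  # simulate modification in transit between A and B
        c = fwd["msg"]["ct"]
        fwd["msg"]["ct"] = ("1" if c[0] == "0" else "0") + c[1:]
    # Step 308: B picks K_B by the key id in Msg_B, verifies, decrypts, destroys K_B.
    msg_b, ks_b = unprotect(keys_b.pop(fwd["msg"]["kid"]), fwd, now)
    # Step 309: B confirms with the session id protected under Ks (HMAC_2).
    confirm = protect(ks_b, {"sid": msg_b["sid"], "ts": now})
    # Step 310: A checks the confirmation with its own copy of Ks.
    got, _ = unprotect(ks_a, confirm, now)
    return got["sid"] == sid and ks_a == ks_b
```

Because the key management center deletes K_A only after the request verifies, a forged request cannot burn a key, while a replayed genuine request fails the key lookup.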
  • Embodiments of the present disclosure provide a first terminal, which can be used to implement a secure communication processing method provided by the embodiment corresponding to Figure 2.
  • the first terminal 40 includes:
  • the sending module 401 is configured to send a first message to the first device; wherein the first message includes identification information related to the first terminal and identification information related to the second terminal;
  • the receiving module 402 is configured to receive a second message sent by the first device; wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
  • the sending module 401 is also used to send the first key to the second terminal.
  • the first terminal 40 further includes a processing module 403;
  • the processing module 403 is used to conduct secure communication with the second terminal based on the first key.
  • the sending module 401 is configured to send the first message to the first device through the first secure channel; and/or,
  • the receiving module 402 is configured to receive the second message sent by the first device through the first secure channel.
  • the processing module 403 is configured to use the second key to encrypt and/or integrity protect part or all of the first message; and/or,
  • the receiving module 402 is used to receive the second message sent by the first device; wherein part or all of the second message is encrypted and/or integrity protected using the second key; wherein the second key is a shared key between the first terminal and the first device.
  • the processing module 403 is configured to use the second key to decrypt and/or verify the integrity of part or all of the second message to obtain the first key.
  • the second message includes: a first key that is encrypted and/or integrity protected using a second key, and/or a first key that is encrypted and/or integrity protected using a third key; wherein the second key is a shared key between the first terminal and the first device, and the third key is a shared key between the second terminal and the first device.
  • the sending module 401 is also configured to send the first key encrypted and/or integrity protected using the third key to the second terminal.
  • the receiving module 402 is configured to receive a third message sent by the second terminal; wherein the third message is used to indicate that the second terminal has received the first key.
  • if the above secure communication processing method is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
  • the technical solutions of the embodiments of the present disclosure, in essence or in the parts that contribute to related technologies, can be embodied in the form of software products.
  • the computer software products are stored in a storage medium and include a number of instructions to enable a terminal device to execute all or part of the methods of various embodiments of the present disclosure.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), magnetic disk or optical disk and other media that can store program code. As such, disclosed embodiments are not limited to any specific combination of hardware and software.
  • FIG. 5 is a schematic structural diagram of a communication device 500 provided by an embodiment of the present disclosure.
  • the communication device can be a terminal device or a key management device.
  • the communication device 500 shown in Figure 5 includes a first processor 510.
  • the first processor 510 can call and run a computer program from the memory to implement the method in the embodiment of the present disclosure.
  • the communication device 500 may further include a first memory 520 .
  • the first processor 510 can call and run the computer program from the first memory 520 to implement the method in the embodiment of the present disclosure.
  • the first memory 520 may be a separate device independent of the first processor 510 , or may be integrated into the first processor 510 .
  • the communication device 500 may also include a transceiver 530, and the first processor 510 may control the transceiver 530 to communicate with other devices, specifically, may send information or data to other devices, or Receive information or data from other devices.
  • the transceiver 530 may include a transmitter and a receiver.
  • the transceiver 530 may further include an antenna, and the number of antennas may be one or more.
  • the communication device 500 may specifically be the first terminal/second terminal in the embodiment of the present disclosure, and the communication device 500 can implement the corresponding processes implemented by the first terminal/the second terminal in each method of the embodiment of the present disclosure. For the sake of brevity, details will not be described here.
  • the communication device 500 may specifically be the first device in the embodiment of the present disclosure, and the communication device 500 may implement the corresponding processes implemented by the first device in the various methods of the embodiment of the present disclosure. For the sake of brevity, details will not be described here again.
  • FIG. 6 is a schematic structural diagram of a chip according to an embodiment of the present disclosure.
  • the chip 600 shown in FIG. 6 includes a second processor 610, and the second processor 610 can call and run a computer program from the memory to implement the method in the embodiment of the present disclosure.
  • the chip 600 may also include a second memory 620 .
  • the second processor 610 can call and run the computer program from the second memory 620 to implement the method in the embodiment of the present disclosure.
  • the second memory 620 may be a separate device independent of the second processor 610 , or may be integrated into the second processor 610 .
  • the chip 600 may also include an input interface 630.
  • the second processor 610 can control the input interface 630 to communicate with other devices or chips. Specifically, it can obtain information or data sent by other devices or chips.
  • the chip 600 may also include an output interface 640.
  • the second processor 610 can control the output interface 640 to communicate with other devices or chips. Specifically, it can output information or data to other devices or chips.
  • the chip can be applied to the first device in the embodiment of the present disclosure, and the chip can implement the corresponding processes implemented by the first device in the various methods of the embodiment of the present disclosure. For the sake of brevity, details will not be described here.
  • the chip can be applied to the first terminal/second terminal in the embodiment of the present disclosure, and the chip can implement the corresponding processes implemented by the first terminal/second terminal in the various methods of the embodiment of the present disclosure. For the sake of brevity, details will not be described here.
  • the chip mentioned in the embodiments of the present disclosure may also be called a system-on-chip or a system-on-a-chip, etc.
  • FIG. 7 is a schematic block diagram of a secure communication system 70 provided by an embodiment of the present disclosure.
  • the secure communication system 70 includes a terminal device 110 and a key management device 120 .
  • the terminal device 110 can be used to implement the corresponding functions implemented by the first terminal/second terminal in the above method
  • the key management device 120 can be used to implement the corresponding functions implemented by the first device in the above method.
  • the processor in the embodiment of the present disclosure may be an integrated circuit chip with signal processing capabilities.
  • each step of the above method embodiment can be completed through an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the above-mentioned processor can be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), an off-the-shelf programmable gate array (Field Programmable Gate Array, FPGA) or other available processors.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other mature storage media in this field.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • the processor may include one or more general-purpose central processing units (Central Processing Units, CPUs). Each of these processors may be a single-CPU processor or a multi-CPU processor.
  • a processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer execution instructions).
  • the memory in the embodiments of the present disclosure may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory.
  • the non-volatile memory can be ROM, programmable ROM (PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or flash memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • the memory in the embodiment of the present disclosure can also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (synch link DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM) and so on. That is, memory in embodiments of the present disclosure is intended to include, but not be limited to, these and any other suitable types of memory.
  • Embodiments of the present disclosure also provide a computer-readable storage medium for storing computer programs.
  • the computer-readable storage medium can be applied to the first device in the embodiment of the present disclosure, and the computer program causes the computer to execute the corresponding processes implemented by the first device in the various methods of the embodiment of the present disclosure. For the sake of brevity, details will not be described here.
  • the computer-readable storage medium can be applied to the first terminal/second terminal in the embodiment of the present disclosure, and the computer program causes the computer to execute the corresponding processes implemented by the first terminal/second terminal in the various methods of the embodiment of the present disclosure.
  • a computer program product includes one or more computer instructions. When computer program instructions are loaded and executed on a computer, processes or functions according to embodiments of the present disclosure are produced, in whole or in part.
  • the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
  • Computer instructions may be stored in or retrieved from a computer-readable storage medium. For example, computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or by wireless means (such as infrared, wireless, microwave, etc.).
  • Computer-readable storage media can be any available media that a computer can store, or a data storage device such as a server or data center integrated with one or more available media.
  • Available media may be magnetic media (for example, floppy disks, hard disks, magnetic tapes), optical media (for example, Digital Video Disc (DVD)), or semiconductor media (for example, Solid State Disk (SSD)), etc.
  • references throughout the specification to “one embodiment” or “an embodiment” or “embodiments of the present disclosure” or “previous embodiments” or “some implementations” or “some embodiments” mean that specific features, structures, or characteristics related to the embodiment are included in at least one embodiment of the present disclosure. Therefore, appearances of “in one embodiment” or “in an embodiment” or “embodiments of the present disclosure” or “previous embodiments” or “some implementations” or “some embodiments” throughout this specification do not necessarily refer to the same embodiment.
  • the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
  • the size of the sequence numbers of the above-mentioned processes does not mean the order of execution.
  • the execution order of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present disclosure.
  • the above serial numbers of the embodiments of the present disclosure are only for description and do not represent the advantages and disadvantages of the embodiments.
  • when the first terminal/second terminal/first device performs any step in the embodiment of the present disclosure, the processor of the first terminal/second terminal/first device may perform the step.
  • the embodiments of the present disclosure do not limit the order in which the first terminal/second terminal/first device performs the following steps.
  • the methods used to process data in different embodiments may be the same method or different methods.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical, or other forms.
  • the units described above as separate components may or may not be physically separated; the components shown as units may or may not be physical units; they may be located in one place or distributed to multiple network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present disclosure can be all integrated into one processing unit, or each unit can be separately used as a unit, or two or more units can be integrated into one unit; the above-mentioned integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the aforementioned program can be stored in a computer storage medium; when executed, the program performs the steps of the above method. The aforementioned storage media include: removable storage devices, ROMs, magnetic disks, optical disks, and other media that can store program codes.
  • if the above-mentioned integrated units of the present disclosure are implemented in the form of software function modules and sold or used as independent products, they can also be stored in a computer storage medium.
  • the technical solutions of the embodiments of the present disclosure, in essence or in the part that contributes to related technologies, may take the form of a computer software product that is stored in a storage medium and includes a number of instructions to cause a computer device (which can be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the various embodiments of the present disclosure.
  • the aforementioned storage media include: mobile storage devices, ROMs, magnetic disks or optical disks and other media that can store program codes.

Abstract

The present disclosure provides a secret communication processing method, a first terminal, and a computer readable storage medium. The method comprises: sending a first message to a first device, wherein the first message comprises identifier information related to a first terminal and identifier information related to a second terminal; receiving a second message sent by the first device, wherein the second message comprises a first key for secret communication between the first terminal and the second terminal; and sending the first key to the second terminal.

Description

A secure communication processing method, first terminal, and storage medium
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202211009120.9, filed in China on August 22, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to, but is not limited to, the field of communications, and in particular to a secure communication processing method, a first terminal, and a computer-readable storage medium.
Background
As society enters an era of comprehensive informatization, information security is receiving more and more attention, and the parties to a communication often transmit information based on keys. Quantum keys, generated by a quantum random number generator or negotiated over a quantum key distribution (QKD) network, have intrinsic randomness and cannot be copied. Compared with keys generated by traditional means (e.g., physical noise sources, pseudo-random generation), they are more secure and harder for an attacker to crack. Therefore, using quantum keys in place of traditional keys in a secure communication system can ensure the security of the keys themselves and so raise the overall security level of the system.
In both traditional secure communication systems and quantum-key-based secure communication systems, the devices participating in the communication need to negotiate a consistent session key. The session key is used to cryptographically protect the data passed between users and to prevent attackers from mounting attacks such as illegal eavesdropping, tampering, and replay against the information content, which would cause information leakage.
It should be noted that key agreement schemes based on the digital envelope mechanism use asymmetric cryptographic algorithms. In the face of potential quantum computing security risks, asymmetric cryptographic algorithms can be broken in polynomial time; therefore, key agreement schemes based on the digital envelope mechanism of an asymmetric cryptosystem carry a risk of key leakage. However, in key agreement schemes based on the central key distribution mechanism of a symmetric cryptosystem, the two parties to the secure communication each need to obtain the session key from the key management center separately, and the processing overhead of the key management center is large. In addition, if one party fails to obtain the session key, the encrypted communication service fails, giving the user a poor experience.
Summary of the invention
Embodiments of the present disclosure provide a secure communication processing method, a first terminal, and a computer-readable storage medium, and provide a new scheme for obtaining a session key based on a symmetric cryptosystem.
In a first aspect, a secure communication processing method is provided, applied to a first terminal, including:
sending a first message to a first device, wherein the first message includes identification information related to the first terminal and identification information related to a second terminal;
receiving a second message sent by the first device, wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
sending the first key to the second terminal.
In a second aspect, a first terminal is provided, the first terminal including:
a sending module, configured to send a first message to a first device, wherein the first message includes identification information related to the first terminal and identification information related to a second terminal;
a receiving module, configured to receive a second message sent by the first device, wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
the sending module being further configured to send the first key to the second terminal.
In a third aspect, a first terminal is provided, the first terminal including:
a memory, configured to store executable instructions;
a processor, configured to implement the above secure communication processing method when executing the executable instructions stored in the memory.
In a fourth aspect, embodiments of the present disclosure provide a chip for implementing the above secure communication processing method. The chip includes a processor configured to call and run a computer program from a memory, so that a device in which the chip is installed executes the above secure communication processing method.
In a fifth aspect, embodiments of the present disclosure provide a computer-readable storage medium for storing a computer program, the computer program causing a computer to execute the above secure communication processing method.
In a sixth aspect, embodiments of the present disclosure provide a computer program product including computer program instructions, the computer program instructions causing a computer to execute the above secure communication processing method.
In a seventh aspect, embodiments of the present disclosure provide a computer program that, when run on a computer, causes the computer to execute the above secure communication processing method.
In the method provided by the embodiments of the present disclosure, when the first terminal needs to communicate securely with the second terminal, the first terminal sends to the first device a first message, for example a key request message, that includes the identifiers of the parties to the secure communication. The first device then allocates a first key, for example a session key, for those parties and returns the session key to the first terminal. The first device thus provides the session key for the terminals of all parties directly on the basis of the key request message, and the terminals of the communicating parties do not each need to interact with the first device to obtain the session key. This ensures that the secure communication service can be established in poor network conditions, improves the success rate of establishing it, and saves network transmission resources. The present disclosure provides a new scheme for obtaining a session key based on a symmetric cryptosystem, which avoids the risk, present in asymmetric cryptosystems, of the asymmetric cryptographic algorithm being broken by quantum computing in polynomial time, and improves the security of the system.
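The single-connection flow summarized above, as an added Python example that is not part of the patent text: only the first terminal contacts the first device, then relays the key to the second terminal. This section does not say how the first key is protected in transit, so the per-terminal wrapping under pre-provisioned symmetric keys, the request nonce, the replay cache, and the HMAC-based `wrap()` (a standard-library stand-in for an AEAD such as AES-GCM) are all assumptions, as are the terminal names.

```python
import hashlib
import hmac
import secrets


def _subkey(kek, label):
    # Derive separate encryption and MAC keys from the pre-provisioned key.
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key, iv, length):
    blocks = [hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(kek, iv, aad, ct):
    data = iv + len(aad).to_bytes(2, "big") + aad + ct
    return hmac.new(_subkey(kek, b"mac"), data, hashlib.sha256).digest()


def wrap(kek, secret, aad):
    # Assumption: encrypt-then-MAC stand-in for an AEAD / key-wrap primitive.
    iv = secrets.token_bytes(16)
    stream = _keystream(_subkey(kek, b"enc"), iv, len(secret))
    ct = bytes(x ^ y for x, y in zip(secret, stream))
    return iv + ct + _tag(kek, iv, aad, ct)


def unwrap(kek, blob, aad):
    if len(blob) < 48:
        raise ValueError("wrapped key too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(kek, iv, aad, ct)):
        raise ValueError("wrapped key failed authentication")
    stream = _keystream(_subkey(kek, b"enc"), iv, len(ct))
    return bytes(x ^ y for x, y in zip(ct, stream))


def context(recipient, id_a, id_b, nonce):
    # Binds a wrapped key to its recipient, both identifiers and the request.
    fields = [recipient.encode(), id_a.encode(), id_b.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class KeyManagementDevice:
    """The 'first device': holds one pre-provisioned key per terminal."""

    def __init__(self):
        self._preshared = {}

    def provision(self, terminal_id):
        self._preshared[terminal_id] = secrets.token_bytes(32)
        return self._preshared[terminal_id]

    def handle_first_message(self, msg):
        id_a, id_b, nonce = msg["id_a"], msg["id_b"], msg["nonce"]
        if id_a not in self._preshared or id_b not in self._preshared:
            raise ValueError("unknown terminal identifier")
        session_key = secrets.token_bytes(32)
        # Second message: the same first key, wrapped once per terminal.
        return {"for_a": wrap(self._preshared[id_a], session_key, context(id_a, id_a, id_b, nonce)),
                "for_b": wrap(self._preshared[id_b], session_key, context(id_b, id_a, id_b, nonce))}


class Terminal:
    def __init__(self, terminal_id, preshared_key):
        self.id, self._kek = terminal_id, preshared_key
        self._pending, self._seen = None, set()

    def first_message(self, peer_id):
        self._pending = {"id_a": self.id, "id_b": peer_id, "nonce": secrets.token_bytes(16)}
        return dict(self._pending)

    def handle_second_message(self, second):
        req = self._pending
        aad = context(self.id, req["id_a"], req["id_b"], req["nonce"])
        key = unwrap(self._kek, second["for_a"], aad)
        # The first terminal relays the peer's copy; it cannot open or alter it.
        return key, dict(req, wrapped=second["for_b"])

    def handle_forwarded_key(self, fwd):
        if fwd["nonce"] in self._seen:
            raise ValueError("replayed key message")
        aad = context(self.id, fwd["id_a"], fwd["id_b"], fwd["nonce"])
        key = unwrap(self._kek, fwd["wrapped"], aad)
        self._seen.add(fwd["nonce"])
        return key


def _rejected(terminal, message):
    try:
        terminal.handle_forwarded_key(message)
    except ValueError:
        return True
    return False


def run_exchange():
    kmd = KeyManagementDevice()
    a, b, c = (Terminal(n, kmd.provision(n)) for n in ("terminal-A", "terminal-B", "terminal-C"))
    key_a, forward = a.handle_second_message(kmd.handle_first_message(a.first_message("terminal-B")))
    tampered = bytearray(forward["wrapped"])
    tampered[20] ^= 1  # flip one ciphertext bit in transit
    results = {"tamper_rejected": _rejected(b, dict(forward, wrapped=bytes(tampered))),
               "relabel_rejected": _rejected(b, dict(forward, id_a="terminal-C")),
               "wrong_terminal_rejected": _rejected(c, forward)}
    key_b = b.handle_forwarded_key(forward)
    results["keys_match"] = hmac.compare_digest(key_a, key_b)
    results["replay_rejected"] = _rejected(b, forward)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

Because the second terminal never contacts the first device in this flow, everything it learns about the request arrives through the first terminal, which is why the wrapped copy is bound to both identifiers and the nonce.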
Brief description of the drawings
Figure 1 is a schematic diagram of a secure communication system according to an embodiment of the present disclosure;
Figure 2 is a first schematic flowchart of a secure communication processing method provided by an embodiment of the present disclosure;
Figure 3 is a second schematic flowchart of a secure communication processing method provided by an embodiment of the present disclosure;
Figure 4 is a schematic block diagram of a first terminal provided by an embodiment of the present disclosure;
Figure 5 is a schematic structural diagram of a communication device provided by an embodiment of the present disclosure;
Figure 6 is a schematic structural diagram of a chip provided by an embodiment of the present disclosure;
Figure 7 is a schematic block diagram of a secure communication system provided by an embodiment of the present disclosure.
Detailed description
The technical solutions in the embodiments of the present disclosure are described below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in this disclosure, without creative effort, fall within the scope of protection of this disclosure.
Figure 1 is a schematic diagram of a secure communication system provided by an embodiment of the present disclosure.
As shown in Figure 1, the secure communication system 100 may include a terminal device 110 and a key management device 120. The key management device 120 may communicate with the terminal device 110 over an air interface. Multi-service transmission is supported between the terminal device 110 and the key management device 120.
It should be understood that the embodiments of the present disclosure use the secure communication system 100 only as an example, and are not limited to it. That is, the technical solutions of the embodiments of the present disclosure can be applied to various communication systems to encrypt the service data transmitted in them. Such communication systems include, but are not limited to, the Long Term Evolution (LTE) system, LTE Time Division Duplex (TDD), the Universal Mobile Telecommunication System (UMTS), Internet of Things (IoT) systems, Narrow Band Internet of Things (NB-IoT) systems, enhanced Machine-Type Communications (eMTC) systems, the 5th Generation Mobile Communication Technology (5G) communication system, also called the New Radio (NR) communication system, and future communication systems.
In the secure communication system 100 shown in Figure 1, the key management device 120 is a device that communicates with each terminal device 110 in the secure communication system 100 and provides keys or key management services for the services in the system. For example, the key management device 120 may be a unified (quantum) security service platform that provides unified key management services for a variety of services. It may also be the key management platform of one specific service, for example the key management platform of a (quantum) Voice over Long-Term Evolution (VoLTE) encrypted call service, which provides key management services specifically for VoLTE encrypted calls.
For example, the key management device 120 may be implemented as a laptop computer, a tablet computer, a desktop computer, a mobile device (e.g., a mobile phone, a portable music player, a personal digital assistant, a portable gaming device), an intelligent robot, or another terminal capable of providing key management services, or it may be implemented as a server. Here, the server may be a single server, or a server cluster or cloud computing center composed of multiple servers.
The terminal device 110 includes, but is not limited to, any terminal device that has a wired or wireless connection to the key management device 120 or to other terminal devices.
For example, the terminal device 110 may be an access terminal, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile platform, a remote station, a remote terminal, a mobile device, a user terminal, a terminal, a wireless communication device, a user agent, or a user apparatus. The access terminal may be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, an IoT device, a satellite handheld terminal, a Wireless Local Loop (WLL) station, a Personal Digital Assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, a vehicle-mounted device, a wearable device, a terminal device in a 5G network, or a terminal device in a future evolved network.
The terminal device 110 can be used for device-to-device (D2D) communication.
Figure 1 shows one key management device 120 and two terminal devices 110 as an example. Optionally, the secure communication system 100 may include multiple key management devices 120, and the management scope of each key management device 120 may include a different number of terminal devices; the embodiments of the present disclosure do not specifically limit this.
It should be noted that Figure 1 only illustrates, by way of example, a system to which the present disclosure is applicable; the methods shown in the embodiments of the present disclosure can also be applied to other systems. In addition, the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between related objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B both exist, or that B exists alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it. It should also be understood that an "indication" mentioned in the embodiments of the present disclosure may be a direct indication, an indirect indication, or an indication that an association exists. For example, "A indicates B" can mean that A directly indicates B, for example that B can be obtained through A; it can mean that A indirectly indicates B, for example that A indicates C and B can be obtained through C; or it can mean that there is an association between A and B.
It should also be understood that "correspondence" mentioned in the embodiments of the present disclosure can mean a direct or indirect correspondence between two items, an association between them, or a relationship such as indicating and being indicated, or configuring and being configured. It should also be understood that "predefined" or "predefined rules" mentioned in the embodiments of the present disclosure can be implemented by pre-storing, in a device (for example, a terminal device or a network device), corresponding codes, tables, or other means that can be used to indicate the relevant information; the present disclosure does not limit the specific implementation. For example, "predefined" can refer to what is defined in a protocol. It should also be understood that, in the embodiments of the present disclosure, a "protocol" may refer to a standard protocol in the communication field, which may include, for example, the LTE protocol, the NR protocol, and related protocols applied in future communication systems; the present disclosure does not limit this.
To aid understanding of the technical solutions of the embodiments of the present disclosure, the related technologies are described below. As optional solutions, the following related technologies can be combined in any way with the technical solutions of the embodiments of the present disclosure, and all such combinations fall within the scope of protection of the embodiments of the present disclosure.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field to which this disclosure belongs. The terminology used herein is only for the purpose of describing the embodiments of the present disclosure and is not intended to limit the disclosure.
Before the present disclosure is explained, the key agreement schemes in the related technologies are described:
Key agreement scheme based on the digital envelope mechanism under an asymmetric cryptosystem: terminals use digital envelopes to negotiate a shared session key between the two communicating parties, thereby achieving secure communication. Digital envelopes are implemented on the basis of asymmetric cryptography and are widely used in secure communication systems.
For example, in a secure telephone system, the calling and called terminals A and B both hold valid digital certificates issued by a certificate authority (CA). In an architecture with a key management center, the key management center generates a shared session key for the calling and called parties during call setup, encrypts this key with the public keys of A's and B's respective certificates, and sends it to the corresponding terminal. Each terminal decrypts with the private key corresponding to its certificate to obtain the session key, and then uses a symmetric cryptographic algorithm to encrypt and decrypt the user's voice information. Alternatively, in an architecture without a key management center, terminals A and B can authenticate each other on the basis of their digital certificates, after which terminal A generates the session key itself and sends it to terminal B in a digital envelope, so that both parties hold the same session key for encrypted communication.
However, with the development of quantum computing technology, traditional asymmetric cryptographic algorithms designed around the hard mathematical problems of large-number factorization and discrete logarithms can be broken in polynomial time (for example, by Shor's algorithm). The traditional key agreement mechanism based on digital envelopes therefore faces a security threat and cannot ensure the security of the session key agreement process. It follows that adopting quantum key technology on its own, to improve the security of the key itself, does not ensure that the quantum session key is not leaked during agreement, and such a leak would undermine the overall security of the system. To resist potential quantum computing attacks, secure communication systems, and quantum secure communication systems in particular, should therefore not use this approach; the cryptographic scheme should be designed to avoid asymmetric cryptography as far as possible, so that no "security weak point" arises in the session key agreement process.
Key acquisition scheme based on the central key distribution mechanism under a symmetric cryptosystem: a secure communication system based on a symmetric cryptosystem relies on a key management center to distribute, to the terminal devices under it, the session keys they use for secure communication with one another. To ensure the security of the session key distribution process, the key management center usually pre-loads a number of symmetric keys offline into the secure medium or secure storage space of each terminal device, and these keys are used to encrypt the session keys that are distributed.
For example, in a secure telephone system, when a terminal sets up an encrypted call, the key management center generates a shared session key for calling terminal A and called terminal B, encrypts this session key separately with the symmetric keys pre-shared with terminals A and B, and sends each result to the corresponding terminal. Each terminal decrypts with its symmetric key to obtain the shared session key, and encrypted communication between A and B is then established.
For systems using quantum key technology, the quantum key management center pre-loads quantum symmetric keys into the terminals and, for each encrypted call, generates a quantum session key for the calling and called terminals. For every encrypted call, the calling and called terminals A and B each use their pre-loaded quantum symmetric keys to communicate with the quantum key management center and obtain the session key in encrypted form.
In the above scheme, the calling and called terminals each need to access the key management center to obtain the session key, which requires both terminals to have a good network connection to the key management center. If the network connection at either end is poor, establishment of the secure communication service fails. Although this does not usually happen, a method that requires two connections should be avoided in order to improve the service success rate and ensure that secure communication services can be established in poor network conditions.
Figure 2 is a schematic flowchart of a secure communication processing method provided by an embodiment of the present disclosure. As shown in Figure 2, the method is applied to the terminal device 110 in the secure communication system 100 shown in Figure 1, and the method includes:
Step 201: Send a first message to a first device.
The first message includes identification information related to the first terminal and identification information related to the second terminal.
In the embodiments of the present disclosure, the first terminal may conduct secure communication with at least one second terminal. There may be one second terminal or several; when there are several, multi-party secure communication is to be performed.
It should be noted that secure communication includes but is not limited to encrypted calls, encrypted short messages, encrypted instant messages, encrypted audio and video conferences, encrypted 5th Generation Mobile Communication Technology (5G) messages (for example, Rich Communication Services (RCS) messages), encrypted intercom messages, encrypted e-mail, and so on.
In the embodiments of the present disclosure, the identification information may be the identification information of a terminal. For example, the identification information includes but is not limited to the Mobile Station international Integrated Services Digital Network number (MSISDN), the International Mobile Subscriber Identity (IMSI), the International Mobile Equipment Identity (IMEI), a service identifier (such as the domain name of the terminal), or the service number of one of the user's applications (such as the user identifier of chat software, communication software or other software installed on the terminal).
In the embodiments of the present disclosure, the first device is a device that provides keys or key management services for at least two terminals conducting secure communication in the secure communication system; that is, the first device is the key management device 120 in Figure 1. The first device includes but is not limited to a Key Management Center (KMC), a Key Management System (KMS), a key service center, a security service center, or a key management platform/facility that serves a specific service.
For example, the KMC/KMS may be a (quantum) key management center; it may also be a (quantum) security service platform that provides unified key management services for a variety of different services. The parentheses here indicate that the term is optional.
For example, a key management platform for a specific service includes a key management platform for the (quantum) encrypted call service that provides key management services specifically for the VoLTE/VoNR encrypted call service.
It should be noted that the first device may also be called a (quantum) cryptographic security service center, a (quantum) cryptographic service center, a (quantum) security service center, a (quantum) security center, and so on.
In some embodiments, the KMC/KMS may be deployed on the operator side or on the user side. When it is deployed on the operator side, the operator manages the cryptographic keys used by users. Deployment on the user side is an on-premises deployment: users manage the cryptographic keys they use themselves, which gives them more control over those keys.
It should be noted that, whether the first device is deployed on the operator side or on the user side, it is independent of the mobile communication network managed by the operator and supports independent access by terminals. Because the first device is independent of the operator-managed mobile communication network, a terminal device can, while initiating a communication, access the KMC/KMS to request the session key for that communication without any processing by the operator's network. This parallel approach is more efficient.
In addition, this approach has no impact on the operator's network and requires no changes to it. There is no need to set up a dedicated server inside the operator's network to manage secure communication services, nor a dedicated server to interface with the first device, which reduces the complexity of system implementation and the operator's construction, operation and maintenance costs.
In the embodiments of the present disclosure, the first key may be sent in-band, out-of-band, or via media, signaling, data, messages, the control plane, the user plane, and so on. Existing encrypted call services are implemented in-band over the media channel, so the first key is preferably sent in-band over the media plane, for better compatibility with existing systems and a lower cost of system modification. In addition, in multi-party secure communication the established media-plane communication channel is a one-to-many multicast/broadcast channel; the first key is sent only once over this channel and all the other terminals receive it, which effectively reduces the number of messages sent.
In the embodiments of the present disclosure, the first message may be a request, a response, an indication, an acknowledgment, and so on.
In the embodiments of the present disclosure, the first message may also include a session identifier, a timestamp or a sequence number.
Here, the session identifier is used to distinguish different secure communication service requests and serves as an index that associates the information related to the same service request. The session identifier may be an ordered or unordered number, obtained according to certain rules or generated randomly without rules. The session identifier may be generated by the first terminal or by the first device.
Here, the first message may carry a timestamp or a sequence number, which is used to prevent the first message from being replayed.
Step 202: Receive a second message sent by the first device.
The second message includes a first key for secure communication between the first terminal and the second terminal.
In the embodiments of the present disclosure, after receiving the first message, the first device generates the first key and sends the second message carrying the first key to the first terminal. The first terminal receives the second message sent by the first device. It should be noted that the first key may be a quantum key, or an ordinary key generated by a pseudo-random number generator/physical noise source generator. If the first key is a quantum key, it may be generated by a quantum random number generator, or generated by negotiation with the peer over a Quantum Key Distribution (QKD) network, and then provided to the first device by a QKD network node or a quantum key security service center.
In the embodiments of the present disclosure, the first key may be generated directly by the first device, or by another device associated with the first device.
In the embodiments of the present disclosure, the second message includes but is not limited to a request message, an indication message, a response message, an acknowledgment (Acknowledge, ACK) message, and the like.
In some embodiments, the second message may also include a session identifier. If the first message carries a session identifier, the session identifier in the second message may be the same as the one in the first message; if the first message does not carry a session identifier, the first device may assign a session identifier to this service and deliver it to the first terminal in the second message. The session identifier may also be called a service identifier, and so on.
The second message may also include a timestamp or a sequence number, which is used to prevent the second message from being replayed.
Step 203: Send the first key to the second terminal.
In the embodiments of the present disclosure, the first terminal parses the second message to obtain the first key, and sends the first key to at least one second terminal. That is, when the secure communication method provided by the present disclosure is used to handle a secure communication service between at least two terminals, the terminal devices of the communicating parties do not all need to access the first device; instead, the first key is obtained over a single secure connection from one of the terminals, which improves the success rate of establishing the secure communication service.
In the embodiments of the present disclosure, when there are multiple second terminals, the first terminal may send the first key to them simultaneously, or send it to them one after another.
It should be noted that the ways of sending the first key include but are not limited to in-band, out-of-band, media, signaling, data, messages, the control plane and the user plane. Encrypted call services in the related art distribute the session key in-band over the media channel, so the present disclosure can send the first key in-band over the media channel, which gives better compatibility with related systems and lowers the cost of system modification. In addition, in multi-party secure communication the established media-plane communication channel is a one-to-many multicast/broadcast channel; the first key is sent only once over this channel and all the other terminals receive it, which effectively reduces the number of messages sent.
In the method provided by the embodiments of the present disclosure, when the first terminal needs to conduct secure communication with the second terminal, the first terminal sends the first device a first message, for example a key request message, that includes the identifiers of the parties to the secure communication. The first device then allocates a first key, for example a session key, to those parties and returns the session key to the first terminal. Clearly, the first device provides the session key for all the terminals in the secure communication directly on the basis of the key request message, and the terminals do not each have to interact with the first device to obtain it. This ensures that secure communication services can be established in harsh network environments, improves the success rate of establishing them, and saves network transmission resources.
The present disclosure provides a new scheme for obtaining session keys based on a symmetric cryptosystem, which avoids the risk, present in asymmetric cryptosystems, that asymmetric cryptographic algorithms can be broken by quantum computing in polynomial time, and improves the security of the system.
In some embodiments, after both the first terminal and the second terminal have received the first key, the first terminal conducts secure communication with the second terminal based on the first key.
In some embodiments, the method provided by the embodiments of the present disclosure includes the following:
Step A1: Send the first message to the first device through a first secure channel.
In the embodiments of the present disclosure, the first secure channel may be a secure channel for data transmission between the first terminal and the first device. A secure channel here can be understood as a communication channel in which a key shared between two devices is used to encrypt and integrity-protect information, so that the information can be transmitted securely between the two devices.
In some embodiments, sending the first message to the first device through the first secure channel in step A1 can be implemented as follows:
Part or all of the first message is encrypted and/or integrity protected using a second key and then sent.
Here, the second key is a symmetric key shared between the first terminal and the first device, or a symmetric key derived from that shared symmetric key. The symmetric key may be preset in the first terminal by the first device by offline filling, for use in subsequent secure communication between the first terminal and the first device. There may be one pair of symmetric keys or multiple pairs. The symmetric keys may be generated by a (quantum) random number generator.
In the embodiments of the present disclosure, when use of a derived key has been agreed, the derived key can be obtained from formula (1).
K’ = KDF(K, String, …)      (1)
Here, KDF is the key derivation function (Key Derivation Function); K is the original symmetric key; K’ is the symmetric key derived from the original symmetric key; and String is a character string indicating the purpose of the derived key. For example, the string for an encryption key is "Encryption" and the string for an integrity protection key is "Integrity". It should be noted that the key derivation function may also take other input parameters, such as the identifier of the terminal and/or of the (quantum) key management center.
In some embodiments, encrypting and/or integrity protecting part or all of the first message using the second key includes:
encrypting part or all of the first message based on the second key to obtain the encrypted first message; and calculating, based on the second key, a message authentication code over part or all of the first message.
Clearly, encrypting and/or integrity protecting part or all of the first message with the second key prevents the content of the first message from being eavesdropped on or tampered with, and ensures the security of the first message.
It should be noted that the encryption step and the message authentication code calculation step may be performed at the same time, or encryption may come first and the message authentication code second, or the message authentication code first and encryption second; no specific limitation is imposed. Encrypting the first message may be: encrypting at least one of the identification information related to the first terminal, the identification information related to the second terminal, the session identifier (optional), the timestamp and the sequence number in the first message. Integrity protecting the first message may be: integrity protecting at least one of the identification information of the first terminal, the identification information of the second terminal, the session identifier (optional), the key identifier of the second key, the timestamp and the sequence number in the first message.
After receiving the first message, the first device uses the second key to decrypt and/or verify the integrity protection of the first message, part or all of which was encrypted and/or integrity protected, and learns that the first message is a key request for an encrypted call between the first terminal and the second terminal. The first device then allocates a session key for this encrypted call, carries the session key in the second message, encrypts and/or integrity protects part or all of the second message with the second key, and sends it to the first terminal.
Step A2: The first terminal receives, through the first secure channel, the second message sent by the first device. More specifically, the first terminal receives the second message, part or all of which has been encrypted and/or integrity protected using the second key.
The first terminal then uses the second key to decrypt and/or verify the integrity of part or all of the second message and obtains the first key. It then sends the first key to the second terminal.
Further, to protect the first key in transit between the first terminal and the second terminal, the first device, after receiving the first message and allocating the first key, encrypts and/or integrity protects the first key separately, including: encrypting and/or integrity protecting the first key with the second key, and/or encrypting and/or integrity protecting the first key with a third key. Here, the second key is the key shared between the first terminal and the first device, and the third key is the key shared between the second terminal and the first device.
The second message sent by the first device therefore includes: the first key encrypted and/or integrity protected with the second key, and/or the first key encrypted and/or integrity protected with the third key. The second message may of course also include other information, for example the session identifier (optional), a key identifier, the first terminal identifier, the second terminal identifier, a timestamp, a sequence number, and so on.
In this way, after receiving the second message, the first terminal can use the second key to decrypt and/or integrity check the first key that was encrypted and/or integrity protected with the second key, obtaining the first key and the other information. However, because the first terminal does not hold the third key, which is shared between the first device and the second terminal, the first terminal cannot decrypt and/or integrity check the first key that was encrypted and/or integrity protected with the third key.
Accordingly, when the first terminal sends the first key to the second terminal, what it sends is the first key encrypted and/or integrity protected with the third key. On receiving it, the second terminal uses the pre-shared third key to decrypt and/or integrity check the first key that was encrypted and/or integrity protected with the third key, and obtains the first key. Of course, along with the first key the first terminal also sends the second terminal other information, such as the session identifier (optional), a key identifier, the first terminal identifier, the second terminal identifier, a timestamp, a sequence number, and so on. After decryption and/or integrity checking, the second terminal obtains this other information as well as the first key.
In this way, the first key is protected in transit between the first device and the first terminal and also in transit between the first terminal and the second terminal, and no additional processing overhead is introduced for the first terminal.
It should be noted that the third key may be a symmetric key shared between the second terminal and the first device, or a symmetric key derived from that shared symmetric key. The symmetric key may be preset in the second terminal by the first device by offline filling, for use in subsequent secure communication between the second terminal and the first device. There may be one pair of symmetric keys or multiple pairs. The symmetric keys may be generated by a (quantum) random number generator.
In the embodiments of the present disclosure, when use of a derived key has been agreed, the derived key can be obtained from formula (1).
K’ = KDF(K, String, …)      (1)
Here, KDF is the key derivation function (Key Derivation Function); K is the original symmetric key; K’ is the symmetric key derived from the original symmetric key; and String is a character string indicating the purpose of the derived key. For example, the string for an encryption key is "Encryption" and the string for an integrity protection key is "Integrity". It should be noted that the key derivation function may also take other input parameters, such as the identifier of the terminal and/or of the (quantum) key management center.
In addition, the shared key in the embodiments of the present disclosure may also be called a symmetric key, a base key, a working key, a key protection key, an authentication key, an access key, and so on.
It is not difficult to understand that if the first terminal communicates with multiple terminals, that is, the first terminal is to conduct secure communication with the second terminal, the third terminal, the fourth terminal, ..., the N-th terminal, the second message may also include: the first key encrypted and/or integrity protected with a fourth key, and/or the first key encrypted and/or integrity protected with a fifth key, ..., and/or the first key encrypted and/or integrity protected with an (N+1)-th key.
Here, the fourth key is the key shared between the third terminal and the first device, the fifth key is the key shared between the fourth terminal and the first device, ..., and the (N+1)-th key is the key shared between the N-th terminal and the first device; N is a positive integer greater than 4.
The fourth key, the fifth key, ..., and the (N+1)-th key are similar to the second key and the third key and are not described again here.
It should be noted that, in a multi-party secure communication scenario, the second message includes the first key encrypted with the key shared between each terminal and the first device. When the first terminal forwards the first key to the other terminals, each copy of the first key is therefore encrypted with the key shared between the corresponding terminal and the first device, which ensures that the other terminals can receive the first key correctly and that the distribution of the first key is secure.
It should be noted that when the first terminal forwards the encrypted and/or integrity protected first key to the individual terminals, it may send the copies together or separately. Each terminal then decrypts and/or verifies the integrity of the encrypted and/or integrity protected first key it receives and obtains the first key. The secure communication processing method provided by the present disclosure is applicable to secure communication services involving two terminal devices and also to those involving multiple terminal devices; for example, it can be applied to service applications such as secure multi-party calls, multi-party secure voice/video conferences, secure group messaging and secure multi-party intercom.
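The per-terminal wrapping of the first key described above (second key, third key, and further keys in the multi-party case), as an added example that is not code from the patent. The HMAC-SHA256 KDF, the HMAC-based stream cipher standing in for a vetted AEAD, the blob layout and all identifiers and key values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def kdf(k: bytes, label: str) -> bytes:
    # K' = KDF(K, String) as in formula (1); HMAC-SHA256 is an assumed KDF.
    return hmac.new(k, label.encode(), hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # on the standard library alone; a deployment would use a vetted AEAD.
    out, counter = b"", 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def binding(session_id: str, recipient_id: str) -> bytes:
    # Length-prefixed so that ("ab", "c") and ("a", "bc") cannot collide.
    parts = [session_id.encode(), recipient_id.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def wrap(shared_key: bytes, session_key: bytes, session_id: str, recipient_id: str) -> bytes:
    """Encrypt-then-MAC the session key for one terminal: nonce | ciphertext | tag."""
    nonce = secrets.token_bytes(16)
    stream = keystream(kdf(shared_key, "Encryption"), nonce, len(session_key))
    ciphertext = bytes(a ^ b for a, b in zip(session_key, stream))
    mac_input = binding(session_id, recipient_id) + nonce + ciphertext
    tag = hmac.new(kdf(shared_key, "Integrity"), mac_input, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap(shared_key: bytes, blob: bytes, session_id: str, recipient_id: str) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on any mismatch."""
    if len(blob) < 16 + 32:
        raise ValueError("wrapped key too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_input = binding(session_id, recipient_id) + nonce + ciphertext
    expected = hmac.new(kdf(shared_key, "Integrity"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = keystream(kdf(shared_key, "Encryption"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def kmc_issue(provisioned: dict, session_id: str, terminal_ids: list) -> dict:
    """First device: one session key, wrapped once per terminal under that terminal's key."""
    session_key = secrets.token_bytes(32)
    return {tid: wrap(provisioned[tid], session_key, session_id, tid) for tid in terminal_ids}


def run_exchange():
    # Constructed pre-shared keys; in the patent these are filled offline.
    provisioned = {tid: secrets.token_bytes(32) for tid in ("A", "B", "C")}
    session_id = "sess-0001"
    second_message = kmc_issue(provisioned, session_id, ["A", "B", "C"])
    # Terminal A opens only its own copy and relays the others unopened.
    key_at_a = unwrap(provisioned["A"], second_message["A"], session_id, "A")
    relayed = {tid: blob for tid, blob in second_message.items() if tid != "A"}
    keys_at_peers = {tid: unwrap(provisioned[tid], blob, session_id, tid)
                     for tid, blob in relayed.items()}
    return provisioned, second_message, key_at_a, keys_at_peers


if __name__ == "__main__":
    _, _, key_a, peers = run_exchange()
    print("all terminals share the session key:", all(k == key_a for k in peers.values()))
```

Binding the session identifier and recipient into the tag means a relayed copy that is altered, or replayed into a different session, fails verification at the receiving terminal.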
In some embodiments, after the first key is sent to the second terminal in step 203, the method further includes:
receiving a third message sent by the second terminal.
The third message is used to indicate that the second terminal has received the first key. The indication may be that the third message includes a specific indication field, or the third message itself may indicate that the second terminal has received the first key, and so on.
In the embodiments of the present disclosure, part or all of the third message may be encrypted and/or integrity protected with the first key and then sent to the first terminal.
In the embodiments of the present disclosure, the first message, the second message and the third message include but are not limited to feedback messages, indication messages, response messages, reply messages, confirmation messages, and the like.
In some embodiments, in a scenario where multiple parties conduct secure communication, the third terminal, the fourth terminal, ..., and the N-th terminal, in addition to the second terminal, also return messages indicating successful receipt of the first key. Of course, in such a scenario the second to N-th terminals may also choose not to reply with a message indicating successful receipt of the first key.
图3是在加密语音电话业务的场景下实施本公开实施例提供的一种保密通信处理方法的流程示意图。Figure 3 is a schematic flowchart of implementing a secure communication processing method provided by an embodiment of the present disclosure in the scenario of encrypted voice phone service.
步骤301、终端A发起加密电话呼叫请求。Step 301: Terminal A initiates an encrypted telephone call request.
本公开实施例中,在用户拨打加密电话时,主叫终端A发起加密电话呼叫请求。In this disclosed embodiment, when the user makes an encrypted phone call, the calling terminal A initiates an encrypted phone call request.
步骤302、加密电话呼叫接续流程。Step 302: Encrypt the phone call connection process.
本公开实施例中,主叫终端A和被叫终端B通过应用服务器(Application Server,AS)进性呼叫接续。对于基于网际互连协议(Internet Protocol,IP)的语音传输(Voice over Internet Protocol,VoIP)的加密电话业务,AS是负责实现电话业务功能的会话初始协议(Session initialization Protocol,SIP)服务器;对于基于长期演进语音承载(Voice over Long-Term Evolution,VoLTE)或新空口承载语音(Voice over New Radio,VoNR)或固定电话的加密电话业务,AS是IP多媒体子系统(IP Multimedia Subsystem,IMS)中负责电话业务的服务器。In this disclosed embodiment, the calling terminal A and the called terminal B perform call connection through an application server (Application Server, AS). For encrypted telephone services based on Voice over Internet Protocol (VoIP), the AS is the Session Initialization Protocol (SIP) server responsible for implementing telephone service functions; The AS is responsible for the long-term evolution voice bearer (Voice over Long-Term Evolution, VoLTE) or the new air interface bearer voice (Voice over New Radio, VoNR) or the encrypted telephone service of the fixed line. AS is responsible for the IP Multimedia Subsystem (IP Multimedia Subsystem, IMS). Telephone service server.
Step 303: Terminal A sends a key request (terminal A identifier, terminal B identifier, session identifier, K_ID_A, timestamp, HMAC_1) to the (quantum) key management center.
In this embodiment of the present disclosure, during call connection, the calling terminal A sends a key request message to the (quantum) key management center to apply for a (quantum) session key for this encrypted call, which is used to encrypt and protect the user's voice information. The request message should carry the identification information of the calling terminal A and the called terminal B to indicate the two communicating parties.
It should be noted that the request message may also carry a session identifier, which distinguishes different secure communication service requests and serves as an index to associate the information related to the same service request. The session identifier may be a number that is ordered or unordered, obtained according to certain rules, or randomly generated without rules. In addition, the request message may also carry timestamp or sequence number information to prevent message replay.
To prevent the content of the key request message from being eavesdropped on or tampered with, and to ensure the security of the message, terminal A obtains locally an unused preconfigured (quantum) symmetric key K_A and its key identifier K_ID_A. It then uses K_A, or a symmetric key K_A' derived from K_A, to encrypt and/or integrity-protect all or part of the key request message. For example, the identifier of the calling terminal A and/or the called terminal B, the session identifier (optional), and the timestamp or sequence number are encrypted; the identifier of the calling terminal A and/or the called terminal B, the session identifier (optional), the key identifier K_ID_A, and the timestamp or sequence number are integrity-protected to obtain an integrity protection verification result, for example the result HMAC_1 computed with a hash-based message authentication code (HMAC) function. The calling terminal A carries the key identifier K_ID_A and the integrity protection verification result HMAC_1 in the key request message and sends it.
It should be noted that in step 303 the calling terminal A sends the key request to the (quantum) key management center; step 303 may equally be the called terminal B sending the key request to the (quantum) key management center. In other words, the key request may be sent to the (quantum) key management center by any terminal in the secure communication.
Where use of a derived key is agreed upon, the key derivation is: K' = KDF(K, String, ...). Here KDF is the key derivation function; K is the original key, such as K_A; K' is the derived key, such as K_A'; String is a character string indicating the purpose of the derived key, for example "Encryption" for an encryption key, "Integrity" for an integrity protection key, and so on. The KDF may also take other input parameters, such as the identifier of the terminal and/or of the (quantum) key management center.
Step 304: The (quantum) key management center obtains the preconfigured shared symmetric key K_A, verifies and decrypts the key request message, and generates the session key Ks.
In this embodiment of the present disclosure, after receiving the key request message, the (quantum) key management center uses the calling terminal identifier and the key identifier to look up the (quantum) symmetric key K_A that it shares with terminal A through preconfiguration, and uses K_A, or the symmetric key K_A' derived from K_A, to perform integrity verification and decryption on the key request message. It then verifies the freshness of the key request message based on the timestamp or sequence number (if any) carried in the request message.
In this embodiment of the present disclosure, after the integrity and freshness of the request message have been verified, the (quantum) key management center uses the called terminal identifier to look up a (quantum) symmetric key K_B that it shares with terminal B through preconfiguration, together with the key identifier K_ID_B corresponding to K_B. At the same time, the (quantum) key management center generates the (quantum) session key Ks for this call. Where a quantum session key is used, Ks may be generated by a quantum random number generator or negotiated with the peer through a QKD network; the specific method depends on the circumstances of the call.
Step 305: The (quantum) key management center sends a key response (Msg_A, HMAC_A, Msg_B, HMAC_B) to the calling terminal A.
In this embodiment of the present disclosure, the information that the (quantum) key management center provides to the calling terminal A includes: the (quantum) session key Ks, the session identifier (as received in the key request message), the key identifier K_ID_A, the calling and called terminal identifiers, and/or a timestamp or sequence number. To prevent this part of the message from being eavesdropped on or tampered with, and to ensure the security of the transmission, the (quantum) key management center uses K_A, or the symmetric key K_A' derived from K_A, to encrypt and/or integrity-protect all or part of this information. For example, the (quantum) session key Ks, the session identifier (optional) or the key identifier, the calling and called terminal identifiers, and the timestamp or sequence number are encrypted; the (quantum) session key Ks, the session identifier (optional), the key identifier K_ID_A, the calling and called terminal identifiers, and the timestamp or sequence number are integrity-protected to obtain an integrity protection verification result, such as HMAC_A.
For the called terminal B, the information that the (quantum) key management center provides to B includes: the (quantum) session key Ks, the session identifier (as received in the key request message), the key identifier K_ID_B, the calling and called terminal identifiers, and/or a timestamp or sequence number. To prevent this part of the message from being eavesdropped on or tampered with, and to ensure the security of the transmission, the (quantum) key management center uses K_B, or the symmetric key K_B' derived from K_B, to encrypt and/or integrity-protect all or part of this information. For example, the (quantum) session key Ks, the session identifier (optional), the calling and called terminal identifiers, and the timestamp or sequence number are encrypted; the (quantum) session key Ks, the session identifier (optional), the key identifier K_ID_B, the calling and called terminal identifiers, and the timestamp or sequence number are integrity-protected to obtain an integrity protection verification result, such as HMAC_B.
Afterwards, the (quantum) key management center returns a key response message to the calling terminal A. The response message includes: the encrypted and/or integrity-protected session key Ks provided to A together with the related information (which may or may not have been encrypted and/or integrity-protected), with Ks and the related information denoted Msg_A; HMAC_A; the encrypted and/or integrity-protected session key Ks provided to B together with the related information (which may or may not have been encrypted and/or integrity-protected), with Ks and the related information denoted Msg_B; HMAC_B; and so on.
In this embodiment of the present disclosure, the (quantum) key management center destroys the used K_A and K_B.
Step 306: Terminal A verifies and decrypts Msg_A in the key response message and obtains the session key Ks.
In this embodiment of the present disclosure, based on the session identifier or key identifier in Msg_A, the calling terminal A determines that K_A, or the symmetric key K_A' derived from K_A, is to be used, and performs integrity verification and decryption on Msg_A in the key response message. It then verifies the freshness of the Msg_A part of the key response message based on the timestamp or sequence number (if any) in Msg_A.
In this embodiment of the present disclosure, after the integrity and freshness of the Msg_A part have been verified, the calling terminal A obtains from it the (quantum) session key Ks allocated by the (quantum) key management center for this encrypted call.
In this embodiment of the present disclosure, the calling terminal A destroys the used K_A locally.
Step 307: Terminal A sends the session key Ks (Msg_B, HMAC_B) to terminal B.
In this embodiment of the present disclosure, the calling terminal A sends the session key Ks to the called terminal B. The message carries the information that the (quantum) key management center provided for the called terminal B, including Msg_B and HMAC_B, so that the called terminal B can obtain the session key Ks from Msg_B and HMAC_B.
If in step 303 it is the called terminal B that sends the key request to the (quantum) key management center, then in step 307 the called terminal B forwards the Msg_A and HMAC_A provided by the (quantum) key management center to the calling terminal A, so that A can obtain the session key Ks and the related information.
Step 308: Terminal B verifies and decrypts Msg_B in the message and obtains the session key Ks.
In this embodiment of the present disclosure, based on the key identifier K_ID_B in Msg_B, the called terminal B looks up locally the corresponding preconfigured (quantum) symmetric key K_B, and uses K_B, or the symmetric key K_B' derived from K_B, to perform integrity verification and decryption on the Msg_B carried in the message. It then verifies the freshness of Msg_B based on the timestamp or sequence number (if any) in Msg_B.
In this embodiment of the present disclosure, after the integrity and freshness of Msg_B have been verified, the called terminal B obtains from it the (quantum) session key Ks allocated by the (quantum) key management center for this encrypted call, the session identifier (optional) and other information.
In this embodiment of the present disclosure, the called terminal B destroys the used K_B locally.
Step 309: Terminal B sends a session key confirmation (session identifier, HMAC_2) to terminal A.
In this embodiment of the present disclosure, the called terminal B returns a session key confirmation message to confirm to the calling terminal A that the (quantum) session key Ks has been successfully received. The message may carry the session identifier of this encrypted call (as received in Msg_B) and is encrypted and/or integrity-protected with Ks. Where integrity protection is applied, the message should carry the corresponding integrity protection verification result HMAC_2.
In some embodiments, the sending and confirmation of the session key Ks in steps 307 and 309 may use any kind of information channel for message transmission, for example a signaling channel, a data channel or a media channel. For an encrypted call implemented on systems such as VoLTE, VoNR, VoIP or IMS fixed-line telephony, the session key may be sent and confirmed in-band over the transmission channel for user voice information that the network establishes after the called user answers; it may also be carried in SIP signaling and completed in-band through the signaling channel; or it may be sent and confirmed over an out-of-band channel, by means such as short messages, instant messages or SIP messages (Message).
Step 310: Verify the message and confirm that the called terminal has successfully obtained the session key.
In this embodiment of the present disclosure, the calling terminal A confirms that the called terminal B has successfully obtained the (quantum) session key Ks. Specifically, the calling terminal A uses its local Ks to decrypt and/or perform integrity verification on the session identifier in the confirmation message. By comparing the decrypted session identifier with the original session identifier recorded locally, or by checking whether the integrity protection verification result is correct, the calling terminal A confirms whether the called terminal B has successfully obtained the (quantum) session key Ks.
Step 311: Terminal A and terminal B conduct an encrypted call.
In this embodiment of the present disclosure, once the (quantum) session key Ks for this call has been obtained successfully, the calling terminal A and the called terminal B use Ks to encrypt and protect the voice information exchanged between the users and begin the encrypted call. After the call ends, the calling and called terminals destroy the (quantum) session key Ks used for this call.
In some embodiments, a certain number of shared (quantum) symmetric keys, such as K_A and K_B, are preconfigured between the (quantum) key management center and the terminals. A shared symmetric key may be generated by the (quantum) key management center using a local (quantum) random number generator and securely written, by offline provisioning, into the terminal's secure medium or secure storage space for the terminal's later use. The shared symmetric key provides security protection such as encryption, integrity protection and source authentication for the information exchanged between the terminal and the (quantum) key management center during the secure communication service (for example, the session identifier and the (quantum) session key Ks).
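The exchange in steps 303 to 310, as an added example that is not code from the patent: HMAC-SHA256 as both KDF and MAC, the XOR key wrap (a standard-library stand-in for a real authenticated cipher), the 30-second skew window, and all identifiers and keys are assumptions or constructed sample values. It also shows that destroying K_A after use makes a replayed key request fail at the key management center.

```python
import hashlib
import hmac
import secrets

SKEW = 30  # accepted clock skew in seconds (assumed value)

def kdf(k, purpose, *ctx):
    """K' = KDF(K, String, ...); HMAC-SHA256 is an assumed choice of KDF."""
    return hmac.new(k, b"|".join([purpose.encode(), *ctx]), hashlib.sha256).digest()

def tag(k, *fields):
    """HMAC under the derived "Integrity" key over length-prefixed fields."""
    blob = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(kdf(k, "Integrity"), blob, hashlib.sha256).digest()

def wrap(k, ks, sid):
    """XOR Ks with a one-time derived "Encryption" key (stand-in for an AEAD cipher)."""
    return bytes(a ^ b for a, b in zip(ks, kdf(k, "Encryption", sid)))

def check(k, mac, ts, now, *fields):
    """Integrity first (constant-time compare), then freshness."""
    if not hmac.compare_digest(mac, tag(k, *fields)):
        raise ValueError("integrity check failed")
    if abs(now - ts) > SKEW:
        raise ValueError("stale message")

def ts_bytes(ts):
    return str(ts).encode()

def msg_fields(m):
    return m["kid"], m["a"], m["b"], m["sid"], ts_bytes(m["ts"]), m["wrapped"]

def key_request(store, id_a, id_b, sid, now):
    """Step 303: pick an unused K_A and protect the request with HMAC_1."""
    kid, k = next(iter(store.items()))
    req = {"a": id_a, "b": id_b, "sid": sid, "kid": kid, "ts": now}
    req["hmac1"] = tag(k, id_a, id_b, sid, kid, ts_bytes(now))
    return req

def seal(k, kid, req, ks, now):
    """Build Msg_X and HMAC_X for the terminal that holds key `kid`."""
    msg = {"kid": kid, "a": req["a"], "b": req["b"], "sid": req["sid"],
           "ts": now, "wrapped": wrap(k, ks, req["sid"])}
    return msg, tag(k, *msg_fields(msg))

def center_handle(center, req, now):
    """Steps 304-305: verify request, generate Ks, seal for A and B, destroy K_A and K_B."""
    k_a = center.get((req["a"], req["kid"]))
    kid_b = next((kid for tid, kid in center if tid == req["b"]), None)
    if k_a is None or kid_b is None:
        raise ValueError("unknown or already used key id")
    check(k_a, req["hmac1"], req["ts"], now,
          req["a"], req["b"], req["sid"], req["kid"], ts_bytes(req["ts"]))
    del center[(req["a"], req["kid"])]
    k_b = center.pop((req["b"], kid_b))
    ks = secrets.token_bytes(32)  # the page's setting would use a QRNG or QKD here
    return seal(k_a, req["kid"], req, ks, now), seal(k_b, kid_b, req, ks, now)

def open_msg(store, msg, mac, now):
    """Steps 306/308: find K by key id, verify, unwrap Ks, destroy the used key."""
    k = store.get(msg["kid"])
    if k is None:
        raise ValueError("unknown or already used key id")
    check(k, mac, msg["ts"], now, *msg_fields(msg))
    del store[msg["kid"]]
    return wrap(k, msg["wrapped"], msg["sid"])

def confirm(ks, sid):
    """Step 309: B proves possession of Ks with HMAC_2 over the session identifier."""
    return sid, hmac.new(ks, sid, hashlib.sha256).digest()

def check_confirm(ks, expected_sid, sid, mac2):
    """Step 310: A compares the session identifier and verifies HMAC_2 under its own Ks."""
    good = hmac.new(ks, sid, hashlib.sha256).digest()
    return sid == expected_sid and hmac.compare_digest(mac2, good)

def run_call(now=1_700_000_000):
    """Full exchange with constructed keys and identifiers, then a replayed request."""
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    center = {(b"A", b"kidA1"): k_a, (b"B", b"kidB1"): k_b}
    store_a, store_b = {b"kidA1": k_a}, {b"kidB1": k_b}
    sid = secrets.token_bytes(8)
    req = key_request(store_a, b"A", b"B", sid, now)
    (msg_a, mac_a), (msg_b, mac_b) = center_handle(center, req, now + 1)
    ks_a = open_msg(store_a, msg_a, mac_a, now + 2)
    ks_b = open_msg(store_b, msg_b, mac_b, now + 3)  # step 307 forwards Msg_B, HMAC_B
    confirmed = check_confirm(ks_a, sid, *confirm(ks_b, msg_b["sid"]))
    try:
        center_handle(center, req, now + 4)
        replay = "accepted"
    except ValueError as exc:
        replay = str(exc)
    return ks_a == ks_b, confirmed, replay, len(center), len(store_a), len(store_b)

if __name__ == "__main__":
    print(run_call())
```
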
An embodiment of the present disclosure provides a first terminal, which can be used to implement the secure communication processing method provided by the embodiment corresponding to Figure 2. Referring to Figure 4, the first terminal 40 includes:
a sending module 401, configured to send a first message to a first device, wherein the first message includes identification information related to the first terminal and identification information related to a second terminal;
a receiving module 402, configured to receive a second message sent by the first device, wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
the sending module 401 being further configured to send the first key to the second terminal.
In other embodiments of the present disclosure, the first terminal 40 further includes a processing module 403;
the processing module 403 is configured to conduct secure communication with the second terminal based on the first key.
In other embodiments of the present disclosure, the sending module 401 is configured to send the first message to the first device through a first secure channel; and/or,
the receiving module 402 is configured to receive, through the first secure channel, the second message sent by the first device.
In other embodiments of the present disclosure, the processing module 403 is configured to encrypt and/or integrity-protect part or all of the first message using a second key; and/or,
the receiving module 402 is configured to receive the second message sent by the first device, wherein part or all of the second message has been encrypted and/or integrity-protected using the second key, and the second key is a key shared between the first terminal and the first device.
In other embodiments of the present disclosure, the processing module 403 is configured to decrypt and/or verify the integrity of part or all of the second message using the second key to obtain the first key.
In other embodiments of the present disclosure, the second message includes: the first key encrypted and/or integrity-protected using the second key, and/or the first key encrypted and/or integrity-protected using a third key, wherein the second key is a key shared between the first terminal and the first device, and the third key is a key shared between the second terminal and the first device.
In other embodiments of the present disclosure, the sending module 401 is further configured to send the first key, encrypted and/or integrity-protected using the third key, to the second terminal.
In other embodiments of the present disclosure, the receiving module 402 is configured to receive a third message sent by the second terminal, wherein the third message indicates that the second terminal has received the first key.
The description of the above apparatus embodiment is similar to the description of the above method embodiments and has similar beneficial effects. For technical details not disclosed in the device embodiments of the present disclosure, refer to the description of the method embodiments of the present disclosure.
It should be noted that, in the embodiments of the present disclosure, if the above secure communication processing method is implemented in the form of a software function module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present disclosure, in essence or in the part that contributes to the related art, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a terminal device to execute all or part of the methods of the embodiments of the present disclosure. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk or an optical disc. Accordingly, the embodiments of the present disclosure are not limited to any specific combination of hardware and software.
Figure 5 is a schematic structural diagram of a communication device 500 provided by an embodiment of the present disclosure. The communication device may be a terminal device or a key management device. The communication device 500 shown in Figure 5 includes a first processor 510, which can call and run a computer program from a memory to implement the methods in the embodiments of the present disclosure.
Optionally, as shown in Figure 5, the communication device 500 may further include a first memory 520. The first processor 510 can call and run a computer program from the first memory 520 to implement the methods in the embodiments of the present disclosure.
The first memory 520 may be a separate device independent of the first processor 510, or may be integrated into the first processor 510.
Optionally, as shown in Figure 5, the communication device 500 may further include a transceiver 530. The first processor 510 can control the transceiver 530 to communicate with other devices, specifically to send information or data to other devices or to receive information or data sent by other devices.
The transceiver 530 may include a transmitter and a receiver. The transceiver 530 may further include one or more antennas.
Optionally, the communication device 500 may specifically be the first terminal/second terminal of the embodiments of the present disclosure, and the communication device 500 can implement the corresponding processes implemented by the first terminal/second terminal in the methods of the embodiments of the present disclosure. For brevity, details are not repeated here.
Optionally, the communication device 500 may specifically be the first device of the embodiments of the present disclosure, and the communication device 500 can implement the corresponding processes implemented by the first device in the methods of the embodiments of the present disclosure. For brevity, details are not repeated here.
Figure 6 is a schematic structural diagram of a chip according to an embodiment of the present disclosure. The chip 600 shown in Figure 6 includes a second processor 610, which can call and run a computer program from a memory to implement the methods in the embodiments of the present disclosure.
Optionally, as shown in Figure 6, the chip 600 may further include a second memory 620. The second processor 610 can call and run a computer program from the second memory 620 to implement the methods in the embodiments of the present disclosure.
The second memory 620 may be a separate device independent of the second processor 610, or may be integrated into the second processor 610.
Optionally, the chip 600 may further include an input interface 630. The second processor 610 can control the input interface 630 to communicate with other devices or chips, specifically to obtain information or data sent by other devices or chips.
Optionally, the chip 600 may further include an output interface 640. The second processor 610 can control the output interface 640 to communicate with other devices or chips, specifically to output information or data to other devices or chips.
Optionally, the chip can be applied to the first device in the embodiments of the present disclosure, and the chip can implement the corresponding processes implemented by the first device in the methods of the embodiments of the present disclosure. For brevity, details are not repeated here.
Optionally, the chip can be applied to the first terminal/second terminal in the embodiments of the present disclosure, and the chip can implement the corresponding processes implemented by the first terminal/second terminal in the methods of the embodiments of the present disclosure. For brevity, details are not repeated here.
It should be understood that the chip mentioned in the embodiments of the present disclosure may also be called a system-level chip, a system chip, a chip system, a system-on-chip, or the like.
Figure 7 is a schematic block diagram of a secure communication system 70 provided by an embodiment of the present disclosure. As shown in Figure 7, the secure communication system 70 includes a terminal device 110 and a key management device 120.
The terminal device 110 can be used to implement the corresponding functions implemented by the first terminal/second terminal in the above methods, and the key management device 120 can be used to implement the corresponding functions implemented by the first device in the above methods. For brevity, details are not repeated here.
It should be understood that the processor in the embodiments of the present disclosure may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method embodiments can be completed by an integrated logic circuit of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of the present disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the present disclosure may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
As an embodiment, the processor may include one or more general-purpose central processing units (CPUs). Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer-executable instructions).
It can be understood that the memory in the embodiments of the present disclosure may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be ROM, programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (Synchlink DRAM, SLDRAM) and direct Rambus random access memory (Direct Rambus RAM, DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, but not be limited to, these and any other suitable types of memory.
It should be understood that the above memory is described by way of example and not limitation. For example, the memory in the embodiments of the present disclosure may also be static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (double data rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (synch link DRAM, SLDRAM), direct Rambus random access memory (Direct Rambus RAM, DR RAM), and so on. That is, the memory in the embodiments of the present disclosure is intended to include, but not be limited to, these and any other suitable types of memory.
本公开实施例还提供了一种计算机可读存储介质,用于存储计算机程序。Embodiments of the present disclosure also provide a computer-readable storage medium for storing computer programs.
可选的,该计算机可读存储介质可应用于本公开实施例中的第一设备,并且该计算机程序使得计算机执行本公开实施例的各个方法中由第一设备实现的相应流程,为了简洁,在此不再赘述。Optionally, the computer-readable storage medium can be applied to the first device in the embodiment of the present disclosure, and the computer program causes the computer to execute the corresponding processes implemented by the first device in the various methods of the embodiment of the present disclosure. For the sake of simplicity, I won’t go into details here.
可选地,该计算机可读存储介质可应用于本公开实施例中的第一终端/第二终端,并且该计算机程序使得计算机执行本公开实施例的各个方法中由第一终端/第二终端实现的相应流程,为了简洁,在此不再赘述。Optionally, the computer-readable storage medium can be applied to the first terminal/second terminal in the embodiment of the present disclosure, and the computer program causes the computer to perform the various methods of the embodiment of the present disclosure by the first terminal/second terminal The corresponding process of implementation will not be repeated here for the sake of brevity.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product.
计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行计算机程序指令时,全部或部分地产生按照本公开实施例的流程或功能。计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介 质向另一计算机可读存储介质传输,例如,计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(Digital Subscriber Line,DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。计算机可读存储介质可以是计算机能够存储的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,数字视频光盘(Digital Video Disc,DVD))、或者半导体介质(例如固态硬盘(Solid State Disk,SSD))等。A computer program product includes one or more computer instructions. When computer program instructions are loaded and executed on a computer, processes or functions according to embodiments of the present disclosure are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device. Computer instructions may be stored in or retrieved from a computer-readable storage medium. For example, computer instructions may be transmitted from a website, computer, server, or data center to another computer-readable storage medium via wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly. (such as infrared, wireless, microwave, etc.) to another website, computer, server or data center. Computer-readable storage media can be any available media that a computer can store, or a data storage device such as a server or data center integrated with one or more available media. Available media may be magnetic media (for example, floppy disks, hard disks, magnetic tapes), optical media (for example, Digital Video Disc (DVD)), or semiconductor media (for example, Solid State Disk (SSD)), etc. .
以上对本公开实施例所提供的保密通信处理的方法、第一终端以及设备和存储介质进行了详细介绍,本文中应用了具体个例对本公开的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本公开的方法及其核心思想;同时,对于本领域的一般技术人员,依据本公开的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本公开的限制。The method of secure communication processing, the first terminal, the equipment and the storage medium provided by the embodiments of the present disclosure have been introduced in detail above. This article uses specific examples to illustrate the principles and implementation methods of the present disclosure. The description of the above embodiments It is only used to help understand the methods and core ideas of the present disclosure; at the same time, for those of ordinary skill in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present disclosure. In summary, The content of this specification should not be construed as limiting the disclosure.
应理解,说明书通篇中提到的“一个实施例”或“一实施例”或“本公开实施例”或“前述实施例”或“一些实施方式”或“一些实施例”意味着与实施例有关的特定特征、结构或特性包括在本公开的至少一个实施例中。因此,在整个说明书各处出现的“在一个实施例中”或“在一实施例中”或“本公开实施例”或“前述实施例”或“一些实施方式”或“一些实施例”未必一定指相同的实施例。此外,这些特定的特征、结构或特性可以任意适合的方式结合在一个或多个实施例中。应理解,在本公开的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本公开实施例的实施过程构成任何限定。上述本公开实施例序号仅仅为了描述,不代表实施例的优劣。It should be understood that references throughout the specification to "one embodiment" or "an embodiment" or "embodiments of the present disclosure" or "previous embodiments" or "some implementations" or "some embodiments" mean the same as implementation. Specific features, structures, or characteristics related to the present disclosure are included in at least one embodiment of the present disclosure. Therefore, appearances of “in one embodiment” or “in an embodiment” or “embodiments of the present disclosure” or “previous embodiments” or “some embodiments” or “some embodiments” appearing throughout this specification do not necessarily mean Must refer to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that in various embodiments of the present disclosure, the size of the sequence numbers of the above-mentioned processes does not mean the order of execution. The execution order of each process should be determined by its functions and internal logic, and should not be used in the embodiments of the present disclosure. The implementation process constitutes any limitation. The above serial numbers of the embodiments of the present disclosure are only for description and do not represent the advantages and disadvantages of the embodiments.
在未做特殊说明的情况下,第一终端/第二终端/第一设备执行本公开实施例中的任一步骤,可以是第一终端/第二终端/第一设备的处理器执行该步骤。除非特殊说明,本公开实施例并不限定第一终端/第二终端/第一设备执行下述步骤的先后顺序。另外,不同实施例中对数据进行处理所采用的方式可以是相同的方法或不同的方法。 Unless otherwise specified, the first terminal/second terminal/first device performs any step in the embodiment of the present disclosure, and the processor of the first terminal/second terminal/first device may perform the step. . Unless otherwise specified, the embodiments of the present disclosure do not limit the order in which the first terminal/second terminal/first device performs the following steps. In addition, the methods used to process data in different embodiments may be the same method or different methods.
在本公开所提供的几个实施例中,应该理解到,所揭露的设备和方法,可以通过其它的方式实现。以上所描述的设备实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,如:多个单元或组件可以结合,或可以集成到另一个系统,或一些特征可以忽略,或不执行。另外,所显示或讨论的各组成部分相互之间的耦合、或直接耦合、或通信连接可以是通过一些接口,设备或单元的间接耦合或通信连接,可以是电性的、机械的或其它形式的。In the several embodiments provided in this disclosure, it should be understood that the disclosed devices and methods can be implemented in other ways. The device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods, such as: multiple units or components may be combined, or can be integrated into another system, or some features can be ignored, or not implemented. In addition, the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be electrical, mechanical, or other forms. of.
上述作为分离部件说明的单元可以是、或也可以不是物理上分开的,作为单元显示的部件可以是、或也可以不是物理单元;既可以位于一个地方,也可以分布到多个网络单元上;可以根据实际的需要选择其中的部分或全部单元来实现本实施例方案的目的。The units described above as separate components may or may not be physically separated; the components shown as units may or may not be physical units; they may be located in one place or distributed to multiple network units; Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本公开各实施例中的各功能单元可以全部集成在一个处理单元中,也可以是各单元分别单独作为一个单元,也可以两个或两个以上单元集成在一个单元中;上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present disclosure can be all integrated into one processing unit, or each unit can be separately used as a unit, or two or more units can be integrated into one unit; the above-mentioned integration The unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
本公开所提供的几个方法实施例中所揭露的方法,在不冲突的情况下可以任意组合,得到新的方法实施例。The methods disclosed in several method embodiments provided in this disclosure can be combined arbitrarily without conflict to obtain new method embodiments.
本公开所提供的几个产品实施例中所揭露的特征,在不冲突的情况下可以任意组合,得到新的产品实施例。The features disclosed in several product embodiments provided in this disclosure can be combined arbitrarily without conflict to obtain new product embodiments.
本公开所提供的几个方法或设备实施例中所揭露的特征,在不冲突的情况下可以任意组合,得到新的方法实施例或设备实施例。The features disclosed in several method or device embodiments provided in this disclosure can be combined arbitrarily without conflict to obtain new method embodiments or device embodiments.
本领域普通技术人员可以理解:实现上述方法实施例的全部或部分步骤可以通过程序指令相关的硬件来完成,前述的程序可以存储于计算机存储介质中,该程序在执行时,执行包括上述方法实施例的步骤;而前述的存储介质包括:移动存储设备、ROM、磁碟或者光盘等各种可以存储程序代码的介质。Those of ordinary skill in the art can understand that all or part of the steps to implement the above method embodiments can be completed through hardware related to program instructions. The aforementioned program can be stored in a computer storage medium. When the program is executed, the execution includes implementation of the above method. The aforementioned steps include: removable storage devices, ROMs, magnetic disks, optical disks, and other media that can store program codes.
或者,本公开上述集成的单元如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机存储介质中。基于这样的理解,本公开实施例的技术方案本质上或者说对相关技术做出贡献的部分可 以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机、服务器、或者网络设备等)执行本公开各个实施例所述方法的全部或部分。而前述的存储介质包括:移动存储设备、ROM、磁碟或者光盘等各种可以存储程序代码的介质。Alternatively, if the above-mentioned integrated units of the present disclosure are implemented in the form of software function modules and sold or used as independent products, they can also be stored in a computer storage medium. Based on this understanding, the technical solutions of the embodiments of the present disclosure can essentially or contribute to related technologies. Embodied in the form of a software product, the computer software product is stored in a storage medium and includes a number of instructions to cause a computer device (which can be a personal computer, a server, or a network device, etc.) to execute various embodiments of the present disclosure. all or part of the method described. The aforementioned storage media include: mobile storage devices, ROMs, magnetic disks or optical disks and other media that can store program codes.
在本公开实施例和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。As used in the embodiments of this disclosure and the appended claims, the singular forms "a," "the" and "the" are intended to include the plural forms as well, unless the context clearly dictates otherwise.
需要说明的是,本公开所涉及的各个实施例中,可以执行全部的步骤或者可以执行部分的步骤,只要能够形成一个完整的技术方案即可。It should be noted that in various embodiments involved in the present disclosure, all steps may be performed or part of the steps may be performed, as long as a complete technical solution can be formed.
以上所述,仅为本公开的实施方式,但本公开的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本公开揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本公开的保护范围之内。因此,本公开的保护范围应以所述权利要求的保护范围为准。 The above are only embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto. Any person familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the present disclosure, and should are covered by the protection scope of this disclosure. Therefore, the protection scope of the present disclosure should be subject to the protection scope of the claims.

Claims (11)

  1. A secure communication processing method, applied to a first terminal, the method comprising:
    sending a first message to a first device, wherein the first message includes identification information related to the first terminal and identification information related to a second terminal;
    receiving a second message sent by the first device, wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
    sending the first key to the second terminal.
  2. The method according to claim 1, further comprising:
    performing secure communication with the second terminal based on the first key.
  3. The method according to claim 1, wherein
    the sending a first message to a first device comprises:
    sending the first message to the first device through a first secure channel;
    and/or,
    the receiving a second message sent by the first device comprises:
    receiving, through the first secure channel, the second message sent by the first device.
  4. The method according to claim 3, wherein the sending the first message to the first device through a first secure channel comprises:
    encrypting and/or integrity-protecting part or all of the first message using a second key, and sending it;
    and/or,
    the receiving, through the first secure channel, the second message sent by the first device comprises:
    receiving the second message sent by the first device, wherein part or all of the second message has been encrypted and/or integrity-protected using the second key;
    wherein the second key is a shared key between the first terminal and the first device.
  5. The method according to claim 1, further comprising:
    decrypting and/or verifying the integrity of part or all of the second message using a second key to obtain the first key.
  6. The method according to claim 1, wherein the second message includes: the first key encrypted and/or integrity-protected using a second key, and/or the first key encrypted and/or integrity-protected using a third key;
    wherein the second key is a shared key between the first terminal and the first device, and the third key is a shared key between the second terminal and the first device.
  7. The method according to claim 6, wherein the sending the first key to the second terminal comprises:
    sending, to the second terminal, the first key that has been encrypted and/or integrity-protected using the third key.
  8. The method according to claim 1, further comprising:
    receiving a third message sent by the second terminal, wherein the third message is used to indicate that the second terminal has received the first key.
  9. A first terminal, comprising:
    a sending module, configured to send a first message to a first device, wherein the first message includes identification information related to the first terminal and identification information related to a second terminal;
    a receiving module, configured to receive a second message sent by the first device, wherein the second message includes a first key for secure communication between the first terminal and the second terminal;
    the sending module being further configured to send the first key to the second terminal.
  10. A first terminal, comprising:
    a memory, configured to store executable instructions;
    a processor, configured to implement the secure communication processing method according to any one of claims 1 to 8 when executing the executable instructions stored in the memory.
  11. A computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, and the one or more programs are executable by one or more processors to implement the secure communication processing method according to any one of claims 1 to 8.
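The message flow of claims 1 and 5 to 8, sketched as an added example that is not part of the patent text. It uses a standard-library encrypt-then-MAC construction (HMAC-SHA256 keystream plus tag) as a stand-in for a real AEAD such as AES-GCM. The identifiers `ue-a`/`ue-b`, the binding of both identities as authenticated data, and the use of a MAC under the first key as the third message are assumptions.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stand-in for a real cipher).
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _tag(key, aad, nonce, ct):
    data = b"mac" + len(aad).to_bytes(2, "big") + aad + nonce + ct
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, plaintext, aad):
    """Encrypt and integrity-protect plaintext; aad is authenticated only."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, aad, nonce, ct)

def unseal(key, blob, aad):
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))

def pair_aad(id_a, id_b):
    # Assumption: wrapped keys are bound to the (initiator, peer) pair.
    # Identifiers are assumed not to contain "|".
    return f"{id_a}|{id_b}".encode()

class FirstDevice:
    def __init__(self, shared):
        self.shared = shared  # terminal id -> key shared with this device

    def handle_first_message(self, msg1):
        id_a, id_b = msg1["id_a"], msg1["id_b"]
        first_key = secrets.token_bytes(32)
        aad = pair_aad(id_a, id_b)
        # Second message: the first key wrapped once per terminal (claim 6).
        return {"for_a": seal(self.shared[id_a], first_key, aad),
                "for_b": seal(self.shared[id_b], first_key, aad)}

class SecondTerminal:
    def __init__(self, ident, third_key):
        self.ident, self.third_key, self.first_key = ident, third_key, None

    def receive_key(self, peer_id, wrapped):
        key = unseal(self.third_key, wrapped, pair_aad(peer_id, self.ident))
        self.first_key = key
        # Third message (claim 8), here a MAC under the first key (assumption).
        return hmac.new(key, b"key-received", hashlib.sha256).digest()

class FirstTerminal:
    def __init__(self, ident, second_key):
        self.ident, self.second_key, self.first_key = ident, second_key, None

    def establish(self, device, peer):
        msg2 = device.handle_first_message({"id_a": self.ident, "id_b": peer.ident})
        aad = pair_aad(self.ident, peer.ident)
        self.first_key = unseal(self.second_key, msg2["for_a"], aad)  # claim 5
        msg3 = peer.receive_key(self.ident, msg2["for_b"])            # claim 7
        expect = hmac.new(self.first_key, b"key-received", hashlib.sha256).digest()
        return hmac.compare_digest(msg3, expect)

if __name__ == "__main__":
    k2, k3 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    dev = FirstDevice({"ue-a": k2, "ue-b": k3})
    a, b = FirstTerminal("ue-a", k2), SecondTerminal("ue-b", k3)
    print("confirmed:", a.establish(dev, b), "keys match:", a.first_key == b.first_key)
```

Because the first terminal only relays the copy wrapped under the third key, the second terminal's integrity check is what detects a modified or misattributed blob.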
PCT/CN2023/114155 2022-08-22 2023-08-22 Secret communication processing method, first terminal, and storage medium WO2024041498A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211009120.9 2022-08-22
CN202211009120.9A CN117675235A (en) 2022-08-22 2022-08-22 Secret communication processing method, first terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2024041498A1 true WO2024041498A1 (en) 2024-02-29

Family

ID=90012507

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/114155 WO2024041498A1 (en) 2022-08-22 2023-08-22 Secret communication processing method, first terminal, and storage medium

Country Status (2)

Country Link
CN (1) CN117675235A (en)
WO (1) WO2024041498A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230291549A1 (en) * 2022-03-14 2023-09-14 Vmware, Inc. Securely sharing secret information through an unsecure channel

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003229845A (en) * 2002-02-04 2003-08-15 Ntt Docomo Inc Key management system using secrecy dispersion method, verification center, communication terminal, program for verification center, program for communication terminal, and key management method using secrecy dispersion method
CN104683304A (en) * 2013-11-29 2015-06-03 中国移动通信集团公司 Processing method, equipment and system of secure communication service
CN108632815A (en) * 2017-03-24 2018-10-09 华为技术有限公司 Communication means and equipment
CN110234102A (en) * 2018-07-13 2019-09-13 Oppo广东移动通信有限公司 Communication means and equipment
CN113170291A (en) * 2021-03-09 2021-07-23 华为技术有限公司 Method and apparatus for secure communication
CN114244513A (en) * 2021-12-31 2022-03-25 日晷科技(上海)有限公司 Key agreement method, device and storage medium

Also Published As

Publication number Publication date
CN117675235A (en) 2024-03-08

Similar Documents

Publication Publication Date Title
US20210006400A1 (en) Method and apparatus for controlling data access right
WO2017185999A1 (en) Method, apparatus and system for encryption key distribution and authentication
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
US10567165B2 (en) Secure key transmission protocol without certificates or pre-shared symmetrical keys
JP5597676B2 (en) Key material exchange
WO2017185692A1 (en) Key distribution and authentication method, apparatus and system
WO2019137067A1 (en) Key distribution method, device and system
CN109302412B (en) VoIP communication processing method based on CPK, terminal, server and storage medium
WO2020052414A1 (en) Data protection method, device and system
US8750512B2 (en) Authenticating an ephemeral Diffie-Hellman using a trusted third party
CN108599926B (en) HTTP-Digest improved AKA identity authentication system and method based on symmetric key pool
WO2012024906A1 (en) Mobile communication system and voice call encryption method thereof
WO2010124482A1 (en) Method and system for implementing secure forking calling session in ip multi-media subsystem
KR20180130203A (en) APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
US20220345298A1 (en) Systems and methods for providing signatureless, confidential and authentication of data during handshake for classical and quantum computing environments
CN112332986B (en) Private encryption communication method and system based on authority control
WO2024041498A1 (en) Secret communication processing method, first terminal, and storage medium
US20230179400A1 (en) Key management method and communication apparatus
CN112771904B (en) Distributed network cellular identity management
WO2017197968A1 (en) Data transmission method and device
TWI761243B (en) Encryption system and encryption method for group instant massaging
CN116132025A (en) Key negotiation method, device and communication system based on preset key group
CN114765546B (en) End-to-end hard encryption method, system, encryption equipment and key management server
WO2024012529A1 (en) Key management method and apparatus, and device and storage medium
CN118381608B (en) Noise protocol implementation method and device based on out-of-band quantum key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23856588

Country of ref document: EP

Kind code of ref document: A1