HK1234924B - Key generation method and device - Google Patents
Key generation method and device Download PDFInfo
- Publication number
- HK1234924B HK1234924B HK17108597.1A HK17108597A HK1234924B HK 1234924 B HK1234924 B HK 1234924B HK 17108597 A HK17108597 A HK 17108597A HK 1234924 B HK1234924 B HK 1234924B
- Authority
- HK
- Hong Kong
- Prior art keywords
- key
- factor
- encryption
- encrypted
- data
- Prior art date
Links
Description
技术领域Technical Field
本申请涉及网络安全技术领域,尤其涉及一种密钥生成方法及装置。The present application relates to the field of network security technology, and in particular to a key generation method and device.
背景技术Background Art
为了确保数据在终端设备与网关设备之间、网关设备与公网服务器之间的安全传输,通常会在终端设备与网关设备之间、网关设备与公网服务器分别建立安全传输通道,网关设备将数据从一个安全通道转发至另一个安全通道,从而实现数据转发的功能,而网关设备在转发数据的过程中,需要用与终端设备的共享密钥解密经过终端设备加密的数据,再用与服务器的共享密钥加密后转发给服务器,因此网关设备会存在泄露数据信息的风险。In order to ensure the secure transmission of data between terminal devices and gateway devices, and between gateway devices and public network servers, secure transmission channels are usually established between terminal devices and gateway devices, and between gateway devices and public network servers respectively. The gateway device forwards data from one secure channel to another secure channel, thereby realizing the function of data forwarding. In the process of forwarding data, the gateway device needs to use the shared key with the terminal device to decrypt the data encrypted by the terminal device, and then encrypt it with the shared key with the server and forward it to the server. Therefore, there is a risk of data leakage in the gateway device.
发明内容Summary of the Invention
有鉴于此,本申请提供一种新的技术方案,可以使网关设备无法获取到两设备之间的共享密钥,从而降低数据在网络传输过程中被非法截获的风险。In view of this, the present application provides a new technical solution that can prevent the gateway device from obtaining the shared key between the two devices, thereby reducing the risk of data being illegally intercepted during network transmission.
为实现上述目的,本申请提供技术方案如下:To achieve the above objectives, this application provides the following technical solutions:
根据本申请的第一方面,提出了一种密钥生成方法,应用在第一设备上,包括:According to a first aspect of the present application, a key generation method is proposed, which is applied on a first device and includes:
采用初始密钥对所述第一设备生成的第一密钥因子进行加密并通过第一安全通道发送给第二设备,其中,所述初始密钥为所述第一设备与所述第二设备之间预设的密钥;Encrypting a first key factor generated by the first device using an initial key and sending the encrypted key factor to the second device through a first secure channel, wherein the initial key is a key preset between the first device and the second device;
通过所述第一安全通道接收经过所述初始密钥加密的第二密钥因子,其中,所述第二密钥因子由所述第二设备生成;receiving, through the first secure channel, a second key factor encrypted by the initial key, wherein the second key factor is generated by the second device;
对通过所述第一安全通道接收到的经过所述初始密钥加密的所述第二密钥因子进行解密,得到所述第二密钥因子;decrypting the second key factor encrypted with the initial key and received through the first secure channel to obtain the second key factor;
根据所述第一密钥因子、所述第二密钥因子生成所述第一设备与第二设备的共享密钥。A shared key between the first device and the second device is generated according to the first key factor and the second key factor.
根据本申请的第二方面,提出了一种密钥生成方法,应用在第二设备上,包括:According to a second aspect of the present application, a key generation method is proposed, which is applied on a second device and includes:
通过第二安全通道接收来自第一设备的经过初始密钥加密的第一密钥因子,其中,所述初始密钥为所述第一设备与所述第二设备之间预设的密钥;receiving, through a second secure channel, a first key factor encrypted by an initial key from a first device, wherein the initial key is a key preset between the first device and the second device;
对经过所述初始密钥加密的所述第一密钥因子进行解密,得到所述第一加密因子;decrypting the first key factor encrypted by the initial key to obtain the first encryption factor;
根据所述第一密钥因子、所述第二设备生成的第二密钥因子生成所述第一设备与第二设备的共享密钥。A shared key between the first device and the second device is generated according to the first key factor and a second key factor generated by the second device.
根据本申请的第三方面,提出了一种密钥生成装置,应用在第一设备上,包括:According to a third aspect of the present application, a key generation apparatus is provided, which is applied to a first device and includes:
第一加密模块,用于采用初始密钥对所述第一设备生成的第一密钥因子进行加密并通过第一安全通道发送给第二设备,其中,所述初始密钥为所述第一设备与所述第二设备之间预设的密钥;a first encryption module, configured to encrypt a first key factor generated by the first device using an initial key, and send the encrypted key factor to the second device through a first secure channel, wherein the initial key is a key preset between the first device and the second device;
第一接收模块,用于通过所述第一安全通道接收经过所述初始密钥加密的第二密钥因子,其中,所述第二密钥因子由所述第二设备生成;a first receiving module, configured to receive, through the first secure channel, a second key factor encrypted by the initial key, wherein the second key factor is generated by the second device;
第一解密模块,用于对通过所述第一接收模块通过所述第一安全通道接收到的经过所述初始密钥加密的所述第二密钥因子进行解密,得到所述第二密钥因子;a first decryption module, configured to decrypt the second key factor encrypted with the initial key and received by the first receiving module through the first secure channel to obtain the second key factor;
第一密钥生成模块,用于根据所述第一密钥因子、所述第一解密模块解密得到的所述第二密钥因子生成所述第一设备与第二设备的共享密钥。The first key generation module is configured to generate a shared key between the first device and the second device according to the first key factor and the second key factor obtained by decryption by the first decryption module.
根据本申请的第四方面,提出了一种密钥生成装置,应用在第二设备上,包括:According to a fourth aspect of the present application, a key generation device is provided, which is applied on a second device and includes:
第三接收模块,用于通过第二安全通道接收来自第一设备的经过初始密钥加密的第一密钥因子,其中,所述初始密钥为所述第一设备与所述第二设备之间预设的密钥;a third receiving module, configured to receive, from the first device through the second secure channel, a first key factor encrypted with an initial key, wherein the initial key is a key preset between the first device and the second device;
第三解密模块,用于对经过所述初始密钥加密的所述第一密钥因子进行解密,得到所述第一加密因子;a third decryption module, configured to decrypt the first key factor encrypted by the initial key to obtain the first encryption factor;
第二密钥生成模块,用于根据所述第一密钥因子、所述第二设备生成的第二密钥因子生成所述第一设备与第二设备的共享密钥。The second key generation module is configured to generate a shared key between the first device and the second device according to the first key factor and the second key factor generated by the second device.
由以上技术方案可见,由于第一密钥因子与第二密钥因子在网关设备的转发过程中都经过初始密钥加密,而初始密钥为第一设备与第二设备之间预设的密钥,因此网关设备并不能获知第一密钥因子与第二密钥因子;通过第一密钥因子与第二密钥因子生成第一设备与第二设备之间的共享密钥,可以实现最终协商的共享密钥只对第一设备和第二设备可知,网关设备仍无法获取协商的共享密钥,因此可以确保数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。It can be seen from the above technical solution that since the first key factor and the second key factor are both encrypted with the initial key during the forwarding process of the gateway device, and the initial key is the preset key between the first device and the second device, the gateway device cannot obtain the first key factor and the second key factor; the shared key between the first device and the second device is generated by the first key factor and the second key factor, so that the final negotiated shared key is only known to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, so it can ensure that data is transmitted more securely between the first device and the second device, and further reduce the risk of data being illegally intercepted during transmission.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1示出了根据本发明的一示例性实施例一的密钥生成方法的流程示意图;FIG1 shows a schematic flow chart of a key generation method according to an exemplary embodiment 1 of the present invention;
图2示出了根据本发明的一示例性实施例二的密钥生成方法的流程示意图;FIG2 shows a schematic flow chart of a key generation method according to a second exemplary embodiment of the present invention;
图3示出了根据本发明的一示例性实施例三的密钥生成方法的流程示意图;FIG3 shows a schematic flow chart of a key generation method according to a third exemplary embodiment of the present invention;
图4示出了根据本发明的一示例性实施例四的密钥生成方法的流程示意图;FIG4 shows a schematic flow chart of a key generation method according to a fourth exemplary embodiment of the present invention;
图5示出了根据本发明的一示例性实施例五的密钥生成方法的流程示意图;FIG5 shows a schematic flow chart of a key generation method according to a fifth exemplary embodiment of the present invention;
图6示出了根据本发明的一示例性实施例六的密钥生成方法的流程示意图;FIG6 shows a schematic flow chart of a key generation method according to a sixth exemplary embodiment of the present invention;
图7示出了根据本发明的一示例性实施例七的密钥生成方法的流程示意图;FIG7 shows a schematic flow chart of a key generation method according to a seventh exemplary embodiment of the present invention;
图8示出了根据本发明的一示例性实施例所适用的终端设备与服务器之间密钥协商的信令示意图;FIG8 shows a schematic diagram of signaling for key negotiation between a terminal device and a server according to an exemplary embodiment of the present invention;
图9示出了根据本发明的一示例性实施例所适用的终端设备与服务器之间进行数据传输的信令示意图;FIG9 shows a schematic diagram of signaling for data transmission between a terminal device and a server according to an exemplary embodiment of the present invention;
图10示出了根据本发明的一示例性实施例的终端设备的结构示意图;FIG10 shows a schematic structural diagram of a terminal device according to an exemplary embodiment of the present invention;
图11示出了根据本发明的一示例性实施例的服务器的结构示意图;FIG11 shows a schematic structural diagram of a server according to an exemplary embodiment of the present invention;
图12示出了根据本发明的一示例性实施例的密钥生成装置的结构示意图;FIG12 shows a schematic structural diagram of a key generation device according to an exemplary embodiment of the present invention;
图13示出了根据本发明的又一示例性实施例的密钥生成装置的结构示意图;FIG13 shows a schematic structural diagram of a key generation device according to another exemplary embodiment of the present invention;
图14示出了根据本发明的再一示例性实施例的密钥生成装置的结构示意图;FIG14 shows a schematic structural diagram of a key generation device according to yet another exemplary embodiment of the present invention;
图15示出了根据本发明的另一示例性实施例的密钥生成装置的结构示意图。FIG15 shows a schematic structural diagram of a key generation device according to another exemplary embodiment of the present invention.
具体实施方式DETAILED DESCRIPTION
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本申请相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本申请的一些方面相一致的装置和方法的例子。Exemplary embodiments will be described in detail herein, with examples illustrated in the accompanying drawings. In the following description, when referring to the drawings, identical numerals in different figures represent identical or similar elements, unless otherwise indicated. The embodiments described in the following exemplary embodiments are not intended to represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
在本申请使用的术语是仅仅出于描述特定实施例的目的,而非旨在限制本申请。在本申请和所附权利要求书中所使用的单数形式的“一种”、“所述”和“该”也旨在包括多数形式,除非上下文清楚地表示其他含义。还应当理解,本文中使用的术语“和/或”是指并包含一个或多个相关联的列出项目的任何或所有可能组合。The terms used in this application are for the purpose of describing specific embodiments only and are not intended to limit this application. As used in this application and the appended claims, the singular forms "a," "an," "the," and "the" are intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
应当理解,尽管在本申请可能采用术语第一、第二、第三等来描述各种信息,但这些信息不应限于这些术语。这些术语仅用来将同一类型的信息彼此区分开。例如,在不脱离本申请范围的情况下,第一信息也可以被称为第二信息,类似地,第二信息也可以被称为第一信息。取决于语境,如在此所使用的词语“如果”可以被解释成为“在……时”或“当……时”或“响应于确定”。It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of" or "when" or "in response to determining".
为对本申请进行进一步说明,提供下列实施例:To further illustrate this application, the following examples are provided:
根据本申请一个实施例,由于第一密钥因子与第二密钥因子在网关设备的转发过程中都经过初始密钥加密,而初始密钥为第一设备与第二设备之间预设的密钥,因此网关设备并不能获知第一密钥因子与第二密钥因子;通过第一密钥因子与第二密钥因子生成第一设备与第二设备之间的共享密钥,可以实现最终协商的共享密钥只对第一设备和第二设备可知,网关设备仍无法获取协商的共享密钥,因此可以确保数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。According to one embodiment of the present application, since the first key factor and the second key factor are both encrypted with the initial key during the forwarding process of the gateway device, and the initial key is a preset key between the first device and the second device, the gateway device cannot obtain the first key factor and the second key factor; the shared key between the first device and the second device is generated by the first key factor and the second key factor, so that the final negotiated shared key is only known to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, thereby ensuring that data is transmitted more securely between the first device and the second device, further reducing the risk of data being illegally intercepted during transmission.
图1示出了根据本发明的一示例性实施例一的密钥生成方法的流程示意图;在一实施例中,第一设备可以为终端设备,第二设备可以为服务器,可替换地,第一设备可以为服务器,第二设备可以为终端设备,本实施例以应用在终端设备上为例进行示例性说明,如图1所示,密钥生成方法包括如下步骤:FIG1 shows a flow chart of a key generation method according to an exemplary embodiment 1 of the present invention. In one embodiment, the first device may be a terminal device, and the second device may be a server. Alternatively, the first device may be a server, and the second device may be a terminal device. This embodiment is described by taking application on a terminal device as an example. As shown in FIG1 , the key generation method includes the following steps:
步骤101,采用初始密钥对第一设备生成的第一密钥因子进行加密并通过第一安全通道发送给第二设备,其中,初始密钥为第一设备与第二设备之间预设的密钥;Step 101: Encrypt a first key factor generated by a first device using an initial key and send the encrypted key to a second device via a first secure channel. The initial key is a key preset between the first device and the second device.
步骤102,通过第一安全通道接收经过初始密钥加密的第二密钥因子,其中,第二密钥因子由第二设备生成;Step 102: Receive a second key factor encrypted with an initial key through a first secure channel, wherein the second key factor is generated by a second device;
步骤103,对通过第一安全通道接收到的经过初始密钥加密的第二密钥因子进行解密,得到第二密钥因子;Step 103: decrypt the second key factor encrypted with the initial key and received through the first secure channel to obtain the second key factor;
步骤104,根据第一密钥因子、第二密钥因子生成第一设备与第二设备的共享密钥。Step 104: Generate a shared key between the first device and the second device based on the first key factor and the second key factor.
在步骤101中,在一实施例中,初始密钥Kbasic可以在第一设备投入使用前,第二设备预先将Kbasic颁发给第一设备,可以通过硬件写入的方式颁发给第一设备。在一实施例中,第一设备与第二设备之间通过网关设备转发相关数据信息,其中,第一安全通道可以由第一设备与网关设备协商建立,并通过第一安全通道传输相关数据信息,第二安全通道可以由服务器与网关设备协商建立,并通过第二安全通道传输相关数据信息。本领域技术人员可以理解的是,第一安全通道和第二安全通道的建立过程可以参见现有技术的相关描述,例如,可以采用安全套接字层(Secure Socket Layer,简称SSL)、安全传输层协议(Transport Layer Security,简称TLS)的密钥协商机制。In step 101, in one embodiment, the initial key K basic can be issued in advance by the second device to the first device before the first device is put into use, and can be issued to the first device by hardware writing. In one embodiment, the first device and the second device forward relevant data information through a gateway device, wherein a first secure channel can be established by negotiation between the first device and the gateway device, and relevant data information is transmitted through the first secure channel, and a second secure channel can be established by negotiation between the server and the gateway device, and relevant data information is transmitted through the second secure channel. It will be understood by those skilled in the art that the establishment process of the first secure channel and the second secure channel can refer to the relevant description of the prior art. For example, the key negotiation mechanism of the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol can be adopted.
在一实施例中,在第一设备需要向第二设备发起密钥协商流程时,通过伪随机函数生成第一密钥因子,采用初始密钥对第一密钥因子进行加密,得到第一次加密后的第一密钥因子,采用第一安全通道的第一加密密钥对第一次加密后的第一密钥因子进行加密,得到第二次加密后的第一密钥因子。通过对第一密钥因子进行双重加密,可以使第一密钥因子在网关设备处不可知,避免第一密钥因子在网关设备侧被非法截获的风险。In one embodiment, when a first device needs to initiate a key negotiation process with a second device, it generates a first key factor using a pseudorandom function, encrypts the first key factor using an initial key, and then encrypts the first key factor using a first encryption key of a first secure channel to obtain a second encrypted first key factor. By doubly encrypting the first key factor, the first key factor is rendered unknown at the gateway device, thereby reducing the risk of the first key factor being illegally intercepted at the gateway device.
在步骤103中,采用第一加密密钥对经过双重加密的第二密钥因子进行解密,得到第一次解密后的第二密钥因子,采用初始密钥对第一次解密后的第二密钥因子进行解密,得到第二密钥因子。由于第二密钥因子在第二设备处已经进行了双重加密,因此第二密钥因子在网关设备处不可知,避免第二密钥因子在网关设备侧被非法截获的风险。In step 103, the doubly encrypted second key factor is decrypted using the first encryption key to obtain the first decrypted second key factor. The first decrypted second key factor is then decrypted using the initial key to obtain the second key factor. Because the second key factor has been doubly encrypted at the second device, it is unknown at the gateway device, thus reducing the risk of the second key factor being illegally intercepted at the gateway device.
在步骤104中如何根据第一密钥因子、第二密钥因子生成第一设备与第二设备的共享密钥的详细描述参见下述描述,在此先不详述。A detailed description of how to generate a shared key between the first device and the second device according to the first key factor and the second key factor in step 104 is provided below and will not be described in detail here.
由上述描述可知,由于第一密钥因子与第二密钥因子在网关设备的转发过程中都经过初始密钥加密,而初始密钥为第一设备与第二设备之间预设的密钥,因此网关设备并不能获知第一密钥因子与第二密钥因子;通过第一密钥因子与第二密钥因子生成第一设备与第二设备之间的共享密钥,可以实现最终协商的共享密钥只对第一设备和第二设备可知,网关设备仍无法获取协商的共享密钥,因此可以确保数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。From the above description, it can be seen that since the first key factor and the second key factor are both encrypted with the initial key during the forwarding process of the gateway device, and the initial key is the preset key between the first device and the second device, the gateway device cannot obtain the first key factor and the second key factor; by generating the shared key between the first device and the second device through the first key factor and the second key factor, the final negotiated shared key can be known only to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, so it can ensure that data is transmitted more securely between the first device and the second device, and further reduce the risk of data being illegally intercepted during transmission.
图2示出了根据本发明的一示例性实施例二的密钥生成方法的流程示意图,本实施例以上述图1所示实施例中的步骤105中如何通过第一密钥因子和第二密钥因子生成第一设备与第二设备之间的共享密钥为例进行示例性说明,如图2所示,密钥生成方法包括如下步骤:FIG2 is a flow chart of a key generation method according to a second exemplary embodiment of the present invention. This embodiment uses step 105 in the embodiment shown in FIG1 as an example to illustrate how a shared key between a first device and a second device is generated using a first key factor and a second key factor. As shown in FIG2 , the key generation method includes the following steps:
步骤201,确定第一设备与第二设备之间共享的初始密钥和第一设备的设备标识;Step 201: Determine an initial key shared between a first device and a second device and a device identifier of the first device;
步骤202,将初始密钥、设备标识、第一密钥因子、第二密钥因子依次连接,得到组合字串;Step 202: Concatenate the initial key, the device identifier, the first key factor, and the second key factor in sequence to obtain a combined string;
步骤203,将组合字串切分为长度相等的两个子字串;Step 203, dividing the combined string into two sub-strings of equal length;
步骤204,对两个子字串分别进行散列运算,得到两个散列结果;Step 204: performing hash operations on the two substrings respectively to obtain two hash results;
步骤205,将两个散列结果以位进行异或运算,得到第一设备与第二设备的共享密钥。Step 205: Perform a bitwise XOR operation on the two hash results to obtain a shared key between the first device and the second device.
在第一设备通过上述图1所示实施例中的步骤104得到第二密钥因子后,第一设备具有了第一密钥因子p和第二密钥因子q。第一设备可以将第一密钥因子和第二密钥因子作为输入,利用共享密钥的生成算法,得到密钥KAC。其中,密钥生成算法如下:After the first device obtains the second key factor through step 104 in the embodiment shown in FIG1 , the first device now has the first key factor p and the second key factor q. The first device can use the first key factor and the second key factor as inputs and utilize a shared key generation algorithm to obtain the key K AC . The key generation algorithm is as follows:
KAC=KeyGenerate(Kbasic,“Shared Key”,p,q);K AC =KeyGenerate(K basic , "Shared Key", p, q);
其中,Kbasic为初始密钥,Shared Key为第一设备的设备标识,该设备标识可以为第一设备的设备序列号,也可以为MAC地址,或者上述二者的组合,等等,只要能够使第二设备能够通过设备标识对第一设备与其它设备进行区分即可。Among them, K basic is the initial key, Shared Key is the device identifier of the first device, and the device identifier can be the device serial number of the first device, or the MAC address, or a combination of the above two, etc., as long as the second device can distinguish the first device from other devices through the device identifier.
此外,在通过函数KeyGenerate生成共享密钥的过程中,可以将第一加密密钥Kbasic对应的字串,“Shared Key”,p,q依次连接,得到组合字串,将组合字串利用函数KeyGenerate生成共享密钥KAC。In addition, when generating the shared key through the function KeyGenerate, the strings corresponding to the first encryption key K basic , "Shared Key", p, q may be sequentially connected to obtain a combined string, which is then used to generate the shared key K AC using the function KeyGenerate.
在一实施例中,函数KeyGenerate所实现的过程具体可以为:将输入的组合字串切分为长度相等的两个子字串(如果组合字串的长度为奇数,则在组合字串的最后一位补1),之后对两个子字串分别进行散列运算(例如,MD5),将得到的两个计算结果以位进行异或运算,得到的结果即是共享密钥KAC。In one embodiment, the process implemented by the function KeyGenerate may specifically be: dividing the input composite string into two substrings of equal length (if the length of the composite string is an odd number, the last bit of the composite string is padded with 1), then performing a hash operation (e.g., MD5) on each of the two substrings, and performing a bitwise XOR operation on the two calculation results to obtain the shared key K AC .
以MD5为例进行示例性说明,由于MD5可以将任意长度的输入转化为128位长度的结果,因此共享密钥KAC的长度为128位,简化了共享密钥计算的复杂度。由于共享密钥KAC的计算采用MD5,计算量对于计算能力受限的第一设备而言可以承受。Taking MD5 as an example, since MD5 can convert input of any length into a 128-bit result, the shared key K AC is 128 bits long, simplifying the complexity of the shared key calculation. Since MD5 is used to calculate the shared key K AC , the computational complexity is manageable for the first device with limited computing power.
本实施例中,通过第一密钥因子、第二密钥因子、初始密钥和第一设备的设备标识生成共享密钥KAC,因此实现了在第一设备与第二设备之间是通过安全协商并共享该共享密钥KAC,且该共享密钥KAC对作为中间节点的网关设备不可知,因此可以确保第一设备可以利用该共享密钥KAC对发送至第二设备的数据进行加密,确保数据在网络传输过程中的安全性。In this embodiment, a shared key K AC is generated using the first key factor, the second key factor, the initial key, and the device identifier of the first device. This ensures that the shared key K AC is shared between the first device and the second device through secure negotiation, and that the shared key K AC is unknown to the gateway device serving as an intermediate node. This ensures that the first device can use the shared key K AC to encrypt data sent to the second device, thereby ensuring the security of the data during network transmission.
图3示出了根据本发明的一示例性实施例三的密钥生成方法的流程示意图,在上述实施例的基础上,如图3所示,密钥生成方法包括如下步骤:FIG3 shows a schematic flow chart of a key generation method according to a third exemplary embodiment of the present invention. Based on the above embodiment, as shown in FIG3 , the key generation method includes the following steps:
步骤301,确定第一设备与第二设备的共享密钥的更换周期;Step 301: Determine a replacement period for a shared key between a first device and a second device;
步骤302,根据更换周期重新确定第一加密因子和第二加密因子;Step 302: re-determine the first encryption factor and the second encryption factor according to the replacement cycle;
步骤303,根据重新确定的第一加密因子和第二加密因子更换第一设备与第二设备的共享密钥。Step 303: Replace the shared key between the first device and the second device according to the newly determined first encryption factor and second encryption factor.
在一实施例中,第一设备与第二设备可以约定共享密钥KAC的更换周期,当共享密钥KAC使用了更换周期对应的时长后,第一设备与第二设备之间重新发起生成共享密钥KAC的流程,从而可以进一步保证共享密钥KAC的及数据在网络传输过程中的安全性,进一步降低该共享密钥KAC被破解的可能。In one embodiment, the first device and the second device may agree on a replacement cycle for the shared key K AC . When the shared key K AC has been used for a period corresponding to the replacement cycle, the first device and the second device re-initiate a process for generating the shared key K AC , thereby further ensuring the security of the shared key K AC and data during network transmission, and further reducing the possibility of the shared key K AC being cracked.
图4示出了根据本发明的一示例性实施例四的密钥生成方法的流程示意图,在上述图1所示实施例生成共享密钥后,可以通过共享密钥对第一设备待传输的数据加密,并传输给第二设备,如图4所示,对待传输的数据进行加密并传输的过程包括如下步骤:FIG4 is a flow chart of a key generation method according to a fourth exemplary embodiment of the present invention. After a shared key is generated in the embodiment shown in FIG1 , data to be transmitted by the first device can be encrypted using the shared key and transmitted to the second device. As shown in FIG4 , the process of encrypting and transmitting the data to be transmitted includes the following steps:
步骤401,确定第一设备需要向第二设备发送的待传输的数据;Step 401: Determine data to be transmitted that a first device needs to send to a second device;
步骤402,采用共享密钥对待传输的数据进行加密,并通过第一安全通道发送给第二设备;Step 402: Encrypt the data to be transmitted using the shared key and send it to the second device through the first secure channel;
步骤403,通过第一安全通过接收第二设备在接收到待传输的数据生成的响应数据,响应数据已经经过共享密钥加密;Step 403: receiving, through the first security channel, response data generated by the second device after receiving the data to be transmitted, where the response data has been encrypted using the shared key;
步骤404,采用共享密钥对经过共享密钥加密的响应数据进行解密,得到响应数据。Step 404: Decrypt the response data encrypted by the shared key using the shared key to obtain the response data.
在步骤401中,待传输的数据可以为第一设备上的传感器获取到的物联网数据。In step 401, the data to be transmitted may be IoT data acquired by a sensor on the first device.
步骤402和步骤403中的第一安全通道的相关描述可以参见上述图1所示实施例的相关描述,在此不再详述。The relevant description of the first security channel in step 402 and step 403 can be found in the relevant description of the embodiment shown in Figure 1 above, and will not be described in detail here.
在步骤404中,在通过第一安全通道接收到经过共享密钥加密的响应数据时,可以先通过第一安全通道的第一加密密钥对经过共享密钥加密的响应数据进行解密,然后通过共享密钥对响应数据进行第二次解密,从而得到原始的响应数据。In step 404, when the response data encrypted by the shared key is received through the first secure channel, the response data encrypted by the shared key can be first decrypted using the first encryption key of the first secure channel, and then the response data can be decrypted a second time using the shared key to obtain the original response data.
本实施例中,由于待传输的数据在网关设备的转发过程中都经过共享密钥加密,而共享密钥为第一设备与第二设备之间共同协商的密钥,因此网关设备并不能获知共享密钥,因此可以确保待传输的数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。In this embodiment, since the data to be transmitted is encrypted with a shared key during the forwarding process of the gateway device, and the shared key is a key jointly negotiated between the first device and the second device, the gateway device cannot obtain the shared key. Therefore, it can ensure that the data to be transmitted is transmitted more securely between the first device and the second device, further reducing the risk of data being illegally intercepted during the transmission process.
图5示出了根据本发明的一示例性实施例五的密钥生成方法的流程示意图,本实施例中,第一设备可以为终端设备,第二设备可以为服务器,本实施例可以应用在第二设备上,如图5所示,密钥生成方法包括如下步骤:FIG5 shows a flowchart of a key generation method according to a fifth exemplary embodiment of the present invention. In this embodiment, the first device may be a terminal device, and the second device may be a server. This embodiment may be applied to the second device. As shown in FIG5 , the key generation method includes the following steps:
步骤501,通过第二安全通道接收来自第一设备的经过初始密钥加密的第一密钥因子,其中,初始密钥为第一设备与第二设备之间预设的密钥;Step 501: Receive a first key factor encrypted with an initial key from a first device via a second secure channel, where the initial key is a key preset between the first device and the second device.
步骤502,对经过初始密钥加密的第一密钥因子进行解密,得到第一加密因子;Step 502: decrypt the first key factor encrypted with the initial key to obtain a first encryption factor;
步骤503,根据第一密钥因子、第二设备生成的第二密钥因子生成第一设备与第二设备的共享密钥。Step 503: Generate a shared key between the first device and the second device based on the first key factor and the second key factor generated by the second device.
步骤501中的第二安全通道的相关描述请参见上述图1所示实施例的相关描述,在此不再详述。For the relevant description of the second security channel in step 501, please refer to the relevant description of the embodiment shown in Figure 1 above, which will not be described in detail here.
在步骤502中,在通过第二安全通道接收到经过初始密钥加密的第一密钥因子后,可以先通过第二安全通道的第二加密密钥对经过初始密钥加密的第一密钥因子进行解密,然后通过初始密钥对第一密钥因子进行第二次解密,从而得到原始的第一密钥因子。In step 502, after receiving the first key factor encrypted with the initial key through the second secure channel, the first key factor encrypted with the initial key can be decrypted first using the second encryption key of the second secure channel, and then the first key factor can be decrypted a second time using the initial key to obtain the original first key factor.
步骤503中如何根据第一密钥因子、第二密钥因子生成第一设备与第二设备的共享密钥的详细描述可以参见上述图2所示实施例的描述,在此不再详述。A detailed description of how to generate a shared key between the first device and the second device according to the first key factor and the second key factor in step 503 can be found in the description of the embodiment shown in FIG. 2 , and will not be described in detail here.
由上述描述可知,由于第一密钥因子与第二密钥因子在网关设备的转发过程中都经过初始密钥加密,而初始密钥为第一设备与第二设备之间预设的密钥,因此网关设备并不能获知第一密钥因子与第二密钥因子;通过第一密钥因子与第二密钥因子生成第一设备与第二设备之间的共享密钥,可以实现最终协商的共享密钥只对第一设备和第二设备可知,网关设备仍无法获取协商的共享密钥,因此可以确保数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。From the above description, it can be seen that since the first key factor and the second key factor are both encrypted with the initial key during the forwarding process of the gateway device, and the initial key is the preset key between the first device and the second device, the gateway device cannot obtain the first key factor and the second key factor; by generating the shared key between the first device and the second device through the first key factor and the second key factor, the final negotiated shared key can be known only to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, so it can ensure that data is transmitted more securely between the first device and the second device, and further reduce the risk of data being illegally intercepted during transmission.
图6示出了根据本发明的一示例性实施例六的密钥生成方法的流程示意图,如图6所示,密钥生成方法包括如下步骤:FIG6 shows a flow chart of a key generation method according to a sixth exemplary embodiment of the present invention. As shown in FIG6 , the key generation method includes the following steps:
步骤601,采用初始密钥对第二设备生成的第二密钥因子进行加密;Step 601: Encrypt a second key factor generated by a second device using an initial key;
步骤602,通过第二安全通道将经过初始密钥加密后的第二密钥因子发送给第一设备。Step 602: Send the second key factor encrypted with the initial key to the first device through the second secure channel.
本实施例中,采用第二安全通道的第二加密密钥对经过初始密钥加密后的第二密钥因子进行第二次加密,从而可以使在发送至第一设备的过程中经由网关设备转发时第二密钥因子对网关设备是可不知的,避免第二密钥因子在网关设备侧被非法截获的风险。In this embodiment, the second encryption key of the second security channel is used to encrypt the second key factor after the initial key encryption for the second time, so that the second key factor is unknown to the gateway device when it is forwarded via the gateway device during the process of being sent to the first device, avoiding the risk of the second key factor being illegally intercepted on the gateway device side.
图7示出了根据本发明的一示例性实施例七的密钥生成方法的流程示意图,如图7所示,密钥生成方法包括如下步骤:FIG7 shows a flow chart of a key generation method according to a seventh exemplary embodiment of the present invention. As shown in FIG7 , the key generation method includes the following steps:
步骤701,通过第二安全通道接收来自第一设备的经过共享密钥加密的待传输的数据;Step 701: receiving data to be transmitted encrypted with a shared key from a first device through a second secure channel;
步骤702,采用共享密钥对待传输的数据进行解密;Step 702: Decrypt the data to be transmitted using the shared key;
步骤703,在接收到待传输的数据后,生成响应数据;Step 703, after receiving the data to be transmitted, generating response data;
步骤704,通过共享密钥对响应数据进行加密;Step 704: Encrypt the response data using the shared key;
步骤705,通过第二安全通道向第一设备发送经过共享密钥加密的响应数据。Step 705: Send response data encrypted with the shared key to the first device through the second secure channel.
步骤701中的第二安全通道的相关描述可以参见上述图1所示实施例的相关描述,在此不再详述。For the description of the second secure channel in step 701 , please refer to the description of the embodiment shown in FIG1 , which will not be described in detail here.
在步骤704中,在通过第二安全通道接收到来自第一设备的待传输的数据后,通过共享密钥对待传输的数据经过共享密钥解密后得到原始的数据,在需要对第一设备做出响应时,可以先通过第二安全通道的第二加密密钥对经过共享密钥加密的响应数据进行加密,从而使网关设备在转发响应数据的过程中不能够获取到原始的响应数据。In step 704, after receiving the data to be transmitted from the first device through the second secure channel, the data to be transmitted is decrypted using the shared key to obtain the original data. When a response to the first device is required, the response data encrypted by the shared key can be first encrypted using the second encryption key of the second secure channel, so that the gateway device cannot obtain the original response data during the process of forwarding the response data.
本实施例中,由于待传输的数据在网关设备的转发过程中都经过共享密钥加密,而共享密钥为第一设备与第二设备之间共同协商的密钥,因此网关设备并不能获知共享密钥,因此可以确保待传输的数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。In this embodiment, since the data to be transmitted is encrypted with a shared key during the forwarding process of the gateway device, and the shared key is a key jointly negotiated between the first device and the second device, the gateway device cannot obtain the shared key. Therefore, it can ensure that the data to be transmitted is transmitted more securely between the first device and the second device, further reducing the risk of data being illegally intercepted during the transmission process.
通过上述实施例,可以基于第一设备和第二设备之间预置的初始密钥,在各自对应的本地通过密钥生成算法生成共享密钥,最后利用共享密钥对待传输的数据进行加密,从而可以使网关设备在网络中转发数据时无法查看到原始的数据,从而达到了安全传输数据的目的。Through the above embodiment, based on the initial key preset between the first device and the second device, a shared key can be generated by a key generation algorithm in their respective local locations, and finally the shared key is used to encrypt the data to be transmitted, so that the gateway device cannot view the original data when forwarding data in the network, thereby achieving the purpose of secure data transmission.
图8示出了根据本发明的一示例性实施例所适用的终端设备与服务器之间密钥协商的信令示意图,以第一设备为终端设备,第二设备为服务器为例进行示例性说明,其中,终端设备在接入到网络前,服务器需要预先为终端设备颁发初始密钥(Kbasic),可以通过硬件写入等方式颁发给终端设备,如图8所示,终端设备和服务器之间进行密钥协商包括如下步骤:FIG8 shows a signaling diagram of key negotiation between a terminal device and a server according to an exemplary embodiment of the present invention. A first device is a terminal device, and a second device is a server. Before the terminal device accesses the network, the server needs to pre-issue an initial key (K basic ) to the terminal device. The initial key (K basic ) may be issued to the terminal device by hardware writing or other methods. As shown in FIG8 , key negotiation between the terminal device and the server includes the following steps:
步骤801,终端设备与网关设备协商第一安全通道的第一加密密钥(KAB),并建立终端设备与网关设备之间的第一安全通道。该第一安全通道的建立方法可以参见现有技术的相关描述。In step 801, the terminal device negotiates with the gateway device about a first encryption key (K AB ) of a first security channel and establishes a first security channel between the terminal device and the gateway device. The method for establishing the first security channel can be found in the related description of the prior art.
步骤802,网关设备与服务器协商第二安全通道的第二加密密钥(KBC),并建立第二安全通道。与上述步骤801类似,第二安全通道的建立过程可以参见现有技术的相关描述,同样可以采用SSL、TLS的密钥协商机制。本领域技术人员可以理解的是,步骤801和步骤802的顺序可以互换,可以根据实际执行的需求设定执行顺序。In step 802, the gateway device negotiates with the server for a second encryption key (K BC ) for the second secure channel and establishes the second secure channel. Similar to step 801, the process for establishing the second secure channel can be found in the relevant descriptions of the prior art, and key negotiation mechanisms such as SSL and TLS can also be employed. Those skilled in the art will appreciate that the order of steps 801 and 802 is interchangeable and can be set based on actual execution requirements.
步骤803,终端设备准备发起与服务器的密钥协商流程,终端设备生成第一密钥因子(p),该第一密钥因子用于生成终端设备与服务器的共享密钥。同时,利用初始密钥(Kbasic)加密第一密钥因子,得到Kbasic(p),再采用第一加密密钥KAB加密,得到KAB[Kbasic(p)]。In step 803, the terminal device prepares to initiate a key negotiation process with the server. The terminal device generates a first key factor (p), which is used to generate a shared key between the terminal device and the server. Simultaneously, the terminal device encrypts the first key factor using the initial key (K basic ) to obtain K basic (p), which is then encrypted using the first encryption key K AB to obtain K AB [K basic (p)].
步骤804,终端设备通过第一安全通道向网关设备发送经过双重加密的第一密钥因子KAB[Kbasic(p)]。Step 804: The terminal device sends the doubly encrypted first key factor K AB [K basic (p)] to the gateway device through the first secure channel.
步骤805,网关设备在接收到经过双重加密的第一密钥因子KAB[Kbasic(p)]后,采用第一安全通道的第一加密密钥KAB对经过双重加密的第一密钥因子KAB[Kbasic(p)]进行解密,得到Kbasic(p),之后再采用第二安全通道的第三加密密钥KBC进行加密,得到双重加密的KBC[Kbasic(p)]。In step 805, after receiving the doubly encrypted first key factor K AB [K basic (p)], the gateway device uses the first encryption key K AB of the first security channel to decrypt the doubly encrypted first key factor K AB [K basic (p)] to obtain K basic (p), and then uses the third encryption key K BC of the second security channel to encrypt it to obtain the doubly encrypted K BC [K basic (p)].
步骤806,将经过初始密钥和第二加密密钥双重加密的第一密钥因子KBC[Kbasic(p)]通过第二安全通道发送给服务器。Step 806: Send the first key factor K BC [K basic (p)] doubly encrypted by the initial key and the second encryption key to the server through the second secure channel.
步骤807,服务器接收到经过双重加密的第一密钥因子后,采用第二安全通道的第二加密密钥KBC对经过双重加密的第一密钥因子进行解密,得到Kbasic(p),之后利用初始密钥Kbasic对Kbasic(p)进行解密,得到第一密钥因子p。In step 807, after receiving the doubly encrypted first key factor, the server uses the second encryption key K BC of the second secure channel to decrypt the doubly encrypted first key factor to obtain K basic (p), and then uses the initial key K basic to decrypt K basic (p) to obtain the first key factor p.
步骤808,服务器通过伪随机函数生成第二密钥因子(q),该第二密钥因子q将与第一密钥因子p共同作为参数生成共享密钥KAC。Step 808: The server generates a second key factor (q) through a pseudo-random function. The second key factor q and the first key factor p are used as parameters to generate a shared key K AC .
步骤809,服务器采用初始密钥Kbasic加密第二加密因子q,得到Kbasic(q),再采用第二加密密钥KBC对Kbasic(q)加密,得到KBC[Kbasic(q)]。In step 809, the server encrypts the second encryption factor q using the initial key K basic to obtain K basic (q), and then encrypts K basic (q) using the second encryption key K BC to obtain K BC [K basic (q)].
步骤810,服务器通过第二安全通道向网关设备发送经过双重加密的第二密钥因子KBC[Kbasic(q)]。Step 810: The server sends the doubly encrypted second key factor K BC [K basic (q)] to the gateway device through the second secure channel.
步骤811,网关设备接收到经过双重加密的第二密钥因子KBC[Kbasic(q)]后,采用第二安全通道的第二加密密钥KBC对经过双重加密的第二加密因子进行解密,得到Kbasic(q),之后利用第一安全通道的第一加密密钥KAB进行加密,得到KAB[Kbasic(q)],之后将经过双重加密的第二加密因子通过第一安全通道发送至终端设备。In step 811, after receiving the doubly encrypted second key factor K BC [K basic (q)], the gateway device uses the second encryption key K BC of the second security channel to decrypt the doubly encrypted second encryption factor to obtain K basic (q), and then uses the first encryption key K AB of the first security channel to encrypt it to obtain K AB [K basic (q)]. The doubly encrypted second encryption factor is then sent to the terminal device through the first security channel.
步骤812,终端设备接收到该经过双重加密的第二加密因子后,采用第一安全通道的第一加密密钥KAB对经过双重加密的第二加密因子进行解密,得到Kbasic(q),之后利用第一加密密钥Kbasic对第一次解密后的Kbasic(q)进行二次解密,得到第二密钥因子q。In step 812, after receiving the doubly encrypted second encryption factor, the terminal device uses the first encryption key K AB of the first secure channel to decrypt the doubly encrypted second encryption factor to obtain K basic (q), and then uses the first encryption key K basic to perform a second decryption on the K basic (q) after the first decryption to obtain the second key factor q.
步骤813,终端设备与服务器均共享了第一密钥因子p和第二密钥因子q,终端设备与服务器均将第一密钥因子和第二密钥因子作为输入,采用密钥生成算法,得到终端设备和服务器之间的共享密钥KAC。其中,密钥生成算法的详细描述可以参见上述图2所示实施例的相关描述,在此不再详述。In step 813, the terminal device and the server share a first key factor p and a second key factor q. Each of the terminal device and the server uses the first key factor and the second key factor as inputs and employs a key generation algorithm to obtain a shared key K AC between the terminal device and the server. A detailed description of the key generation algorithm can be found in the description of the embodiment shown in FIG. 2 , and is not further elaborated here.
本实施例中,由此实现了共享密钥KAC在终端设备与公网服务器间的安全协商和共享,且该共享密钥对作为中间节点的网关设备不可知,之后终端设备可以利用该共享密钥,对发往公网服务器的物联网数据进行加密,从而保证了数据传输的安全性。In this embodiment, the shared key K AC is securely negotiated and shared between the terminal device and the public network server, and the shared key is unknown to the gateway device serving as the intermediate node. The terminal device can then use the shared key to encrypt the IoT data sent to the public network server, thereby ensuring the security of data transmission.
为了进一步保证共享密钥及数据传输的安全性,终端设备可以与服务器之间周期性地进行密钥协商流程来更换共享密钥KAC,从而可以进一步降低该共享密钥被破解的可能。In order to further ensure the security of the shared key and data transmission, the terminal device may periodically perform a key negotiation process with the server to replace the shared key K AC , thereby further reducing the possibility of the shared key being cracked.
图9示出了根据本发明的一示例性实施例一的数据传输方法的流程示意图,在通过上述图8所示实施例生成共享秘钥后,终端设备如果需要向服务器发送物联网数据(data),如图9所示,数据传输方法包括如下步骤:FIG9 is a flow chart of a data transmission method according to a first exemplary embodiment of the present invention. After a shared key is generated through the embodiment shown in FIG8 , if a terminal device needs to send IoT data to a server, the data transmission method includes the following steps, as shown in FIG9 :
步骤901,使用共享密钥KAC对物联网数据进行一次加密,得到密文KAC(data),之后使用第一安全通道的第一加密密钥KAB二次加密,得到密文KAB[KAC(data)]。Step 901: Use the shared key K AC to encrypt IoT data once to obtain ciphertext K AC (data), and then use the first encryption key K AB of the first secure channel to encrypt it again to obtain ciphertext K AB [K AC (data)].
步骤902,终端设备通过第一安全通道向网关设备发送密文KAB[KAC(data)]。Step 902: The terminal device sends a ciphertext K AB [K AC (data)] to the gateway device through the first secure channel.
步骤903,网关设备收到密文KAB[KAC(data)]后,使用第一安全密钥KAB解密,得到KAC(data),然后使用第二加密密钥KBC进行加密,得到密文KBC[KAC(data)]。In step 903, after receiving the ciphertext K AB [K AC (data)], the gateway device decrypts it using the first security key K AB to obtain K AC (data), and then encrypts it using the second encryption key K BC to obtain the ciphertext K BC [K AC (data)].
步骤904,网关设备通过第二安全通道向服务器发送密文KBC[KAC(data)]。Step 904: The gateway device sends the ciphertext K BC [K AC (data)] to the server through the second secure channel.
步骤905,服务器接收到经过双重加密的密文KBC[KAC(data)]后,使用第二加密密钥KBC解密,得到KAC(data),然后使用共享密钥KAC解密,得到原始的物联网数据data。In step 905, after receiving the double-encrypted ciphertext K BC [K AC (data)], the server decrypts it using the second encryption key K BC to obtain K AC (data), and then decrypts it using the shared key K AC to obtain the original IoT data data.
步骤906,服务器在得到原始的物联网数据后,生成响应数据(res),利用共享密钥KAC对响应数据加密,得到密文KAC(res),再使用第二加密密钥KBC进行二次加密,得到KBC[KAC(res)]。In step 906, after receiving the original IoT data, the server generates response data (res), encrypts the response data using the shared key K AC to obtain ciphertext K AC (res), and then uses the second encryption key K BC to perform secondary encryption to obtain K BC [K AC (res)].
步骤907,服务器通过第二安全通道向网关设备发送经过双重加密的密文KBC[KAC(res)]。Step 907: The server sends the double-encrypted ciphertext K BC [K AC (res)] to the gateway device through the second secure channel.
步骤908,网关设备收到经过双重加密的密文KBC[KAC(res)]后,使用第二加密密钥KBC解密,得到KAC(res),然后使用第一加密密钥KAB进行加密,得到密文KAB[KAC(res)]。In step 908, after receiving the double-encrypted ciphertext K BC [K AC (res)], the gateway device decrypts it using the second encryption key K BC to obtain K AC (res), and then encrypts it using the first encryption key K AB to obtain the ciphertext K AB [K AC (res)].
步骤909,网关设备通过第一安全通道向终端设备发送经过双重加密的密文KAB[KAC(res)]。Step 909: The gateway device sends the double-encrypted ciphertext K AB [K AC (res)] to the terminal device through the first secure channel.
步骤910,终端设备接收到经过双重加密的密文KAB[KAC(res]后,使用第一加密密钥KAB解密,得到KAC(res),然后使用共享密钥KAC解密,得到原始的响应数据(res)。In step 910, after receiving the double-encrypted ciphertext K AB [K AC (res]), the terminal device decrypts it using the first encryption key K AB to obtain K AC (res), and then decrypts it using the shared key K AC to obtain the original response data (res).
本实施例中,实现了终端设备通过中间节点的网关设备与服务器间的跨网域的密钥协商与共享,共享密钥对网关设备不可知,确保了物联网数据在终端设备与服务器间的端到端的安全传输;此外,除了保证终端设备与网关设备间的数据安全传输和网关设备与公网服务器间的数据安全传输,数据在传输路径上的网关设备内的转发过程也受到安全保护,即使网关设备被非法入侵,经由网关设备转发的物联网数据也依然由于被共享密钥加密而受到保护,避免物联网数据被非法截取。In this embodiment, cross-domain key negotiation and sharing between the terminal device and the server through the gateway device of the intermediate node is realized. The shared key is unknown to the gateway device, ensuring the end-to-end secure transmission of IoT data between the terminal device and the server. In addition, in addition to ensuring the secure transmission of data between the terminal device and the gateway device and the secure transmission of data between the gateway device and the public network server, the data forwarding process within the gateway device on the transmission path is also securely protected. Even if the gateway device is illegally invaded, the IoT data forwarded through the gateway device is still protected by being encrypted with the shared key, preventing the IoT data from being illegally intercepted.
对应于上述的密钥生成方法,本申请还提出了图10所示的根据本申请的一示例性实施例的终端设备的示意结构图。请参考图10,在硬件层面,该网络服务器包括处理器、内部总线、网络接口、内存以及非易失性存储器,当然还可能包括其他业务所需要的硬件。处理器从非易失性存储器中读取对应的计算机程序到内存中然后运行,在逻辑层面上形成密钥生成装置。当然,除了软件实现方式之外,本申请并不排除其他实现方式,比如逻辑器件抑或软硬件结合的方式等等,也就是说以下处理流程的执行主体并不限定于各个逻辑单元,也可以是硬件或逻辑器件。Corresponding to the above-mentioned key generation method, the present application also proposes a schematic structural diagram of a terminal device according to an exemplary embodiment of the present application as shown in FIG10. Please refer to FIG10. At the hardware level, the network server includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and of course may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs it, forming a key generation device at the logical level. Of course, in addition to software implementation, the present application does not exclude other implementation methods, such as logic devices or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.
对应于上述的密钥生成方法,本申请还提出了图11所示的根据本申请的一示例性实施例的服务器的示意结构图。请参考图11,在硬件层面,该网络服务器包括处理器、内部总线、网络接口、内存以及非易失性存储器,当然还可能包括其他业务所需要的硬件。处理器从非易失性存储器中读取对应的计算机程序到内存中然后运行,在逻辑层面上形成密钥生成装置。当然,除了软件实现方式之外,本申请并不排除其他实现方式,比如逻辑器件抑或软硬件结合的方式等等,也就是说以下处理流程的执行主体并不限定于各个逻辑单元,也可以是硬件或逻辑器件。Corresponding to the above-mentioned key generation method, the present application also proposes a schematic structural diagram of a server according to an exemplary embodiment of the present application as shown in FIG11. Please refer to FIG11. At the hardware level, the network server includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and of course may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs it, forming a key generation device at the logical level. Of course, in addition to software implementation, the present application does not exclude other implementation methods, such as logic devices or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.
图12示出了根据本发明的一示例性实施例的密钥生成装置的结构示意图;如图12所示,该密钥生成装置可以包括:第一加密模块1201、第一接收模块1202、第一解密模块1203、第一密钥生成模块1204。其中:FIG12 shows a schematic structural diagram of a key generation device according to an exemplary embodiment of the present invention; as shown in FIG12 , the key generation device may include: a first encryption module 1201, a first receiving module 1202, a first decryption module 1203, and a first key generation module 1204. In particular:
第一加密模块1201,用于采用初始密钥对第一设备生成的第一密钥因子进行加密并通过第一安全通道发送给第二设备,其中,初始密钥为第一设备与第二设备之间预设的密钥;A first encryption module 1201 is configured to encrypt a first key factor generated by the first device using an initial key, and send the encrypted key factor to the second device through a first secure channel. The initial key is a key preset between the first device and the second device.
第一接收模块1202,用于通过第一安全通道接收经过初始密钥加密的第二密钥因子,其中,第二密钥因子由第二设备生成;A first receiving module 1202 is configured to receive, through a first secure channel, a second key factor encrypted with an initial key, where the second key factor is generated by a second device;
第一解密模块1203,用于对通过第一接收模块1202通过第一安全通道接收到的经过初始密钥加密的第二密钥因子进行解密,得到第二密钥因子;The first decryption module 1203 is configured to decrypt the second key factor encrypted with the initial key and received by the first receiving module 1202 through the first secure channel to obtain the second key factor;
第一密钥生成模块1204,用于根据第一密钥因子、第一解密模块1203解密得到的第二密钥因子生成第一设备与第二设备的共享密钥。The first key generation module 1204 is configured to generate a shared key between the first device and the second device according to the first key factor and the second key factor decrypted by the first decryption module 1203 .
图13示出了根据本发明的又一示例性实施例的密钥生成装置的结构示意图;如图13所示,在上述图12所示实施例的基础上,第一加密模块1201可包括:FIG13 shows a schematic structural diagram of a key generation device according to another exemplary embodiment of the present invention. As shown in FIG13 , based on the embodiment shown in FIG12 , the first encryption module 1201 may include:
第一因子生成单元12011,用于在第一设备需要向第二设备发起密钥协商流程时,通过伪随机函数生成第一密钥因子;A first factor generation unit 12011 is configured to generate a first key factor by using a pseudo-random function when the first device needs to initiate a key negotiation process with the second device;
第一加密单元12012,用于采用初始密钥对第一因子生成单元12011生成的第一密钥因子进行加密,得到第一次加密后的第一密钥因子;The first encryption unit 12012 is configured to encrypt the first key factor generated by the first factor generation unit 12011 using the initial key to obtain the first key factor after the first encryption;
第二加密单元12013,用于采用第一安全通道的第一加密密钥对第一加密单元12012第一次加密后的第一密钥因子进行加密,得到第二次加密后的第一密钥因子。The second encryption unit 12013 is used to encrypt the first key factor encrypted for the first time by the first encryption unit 12012 using the first encryption key of the first security channel to obtain the first key factor encrypted for the second time.
在一实施例中,第一解密模块1203包括:In one embodiment, the first decryption module 1203 includes:
第一解密单元12031,用于采用第一加密密钥对经过双重加密的第二密钥因子进行解密,得到第一次解密后的第二密钥因子;A first decryption unit 12031 is configured to decrypt the doubly encrypted second key factor using the first encryption key to obtain the first decrypted second key factor;
第二加密单元12032,用于采用初始密钥对第一解密单元12031第一次解密后的第二密钥因子进行解密,得到第二密钥因子。The second encryption unit 12032 is used to decrypt the second key factor after the first decryption by the first decryption unit 12031 using the initial key to obtain the second key factor.
在一实施例中,第一密钥生成模块1204可包括:In one embodiment, the first key generation module 1204 may include:
第一确定单元12041,用于确定第一设备与第二设备之间共享的第一加密密钥和第一设备的设备标识;A first determining unit 12041 is configured to determine a first encryption key shared between the first device and the second device and a device identifier of the first device;
第一因子生成单元12042,用于根据第一加密密钥、第一确定单元12041确定的设备标识、第一密钥因子、第一解密模块1203得到的第二密钥因子生成第一设备与第二设备的共享密钥。The first factor generation unit 12042 is configured to generate a shared key between the first device and the second device according to the first encryption key, the device identifier determined by the first determination unit 12041 , the first key factor, and the second key factor obtained by the first decryption module 1203 .
在一实施例中,第一因子生成单元具体用于:In one embodiment, the first factor generation unit is specifically configured to:
将第一加密密钥、设备标识、第一密钥因子、第二密钥因子依次连接,得到组合字串;Concatenate the first encryption key, the device identifier, the first key factor, and the second key factor in sequence to obtain a combined string;
将组合字串切分为长度相等的两个子字串;Split the combined string into two substrings of equal length;
对两个子字串分别进行散列运算,得到两个散列结果;Perform hash operations on the two substrings respectively to obtain two hash results;
将两个散列结果以位进行异或运算,得到第一设备与第二设备的共享密钥。The two hash results are subjected to a bitwise exclusive-OR operation to obtain a shared key between the first device and the second device.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第一确定模块1205,用于确定第一设备与第二设备的共享密钥的更换周期;A first determining module 1205 is configured to determine a replacement period for a shared key between the first device and the second device;
第二确定模块1206,用于根据第一确定模块1205确定的更换周期重新确定第一加密因子和第二加密因子;A second determining module 1206 is configured to redetermine the first encryption factor and the second encryption factor according to the replacement period determined by the first determining module 1205;
第一更换模块1207,用于根据第二确定模块1206重新确定的第一加密因子和第二加密因子更换第一设备与第二设备的共享密钥。The first replacing module 1207 is configured to replace the shared key between the first device and the second device according to the first encryption factor and the second encryption factor re-determined by the second determining module 1206 .
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第三确定模块1208,用于确定第一设备需要向第二设备发送的待传输的数据;A third determining module 1208 is configured to determine data to be transmitted that the first device needs to send to the second device;
数据加密模块1209,用于采用共享密钥对第三确定模块1208确定的待传输的数据进行加密,并通过第一安全通道发送给第二设备。The data encryption module 1209 is configured to encrypt the data to be transmitted determined by the third determination module 1208 using a shared key, and send the encrypted data to the second device through the first secure channel.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第二接收模块1210,用于通过第一安全通过接收第二设备在接收到待传输的数据生成的响应数据,响应数据已经经过共享密钥加密;The second receiving module 1210 is configured to receive, through the first security channel, response data generated by the second device after receiving the data to be transmitted, where the response data has been encrypted using the shared key;
第二解密模块1211,用于采用共享密钥对经过共享密钥加密的响应数据进行解密,得到响应数据。The second decryption module 1211 is configured to use the shared key to decrypt the response data encrypted by the shared key to obtain the response data.
图14示出了根据本发明的再一示例性实施例的密钥生成装置的结构示意图;如图14所示,该密钥生成装置可以包括:第三接收模块1401、第三解密模块1402、第二密钥生成模块1403。其中:FIG14 shows a schematic structural diagram of a key generation device according to another exemplary embodiment of the present invention; as shown in FIG14 , the key generation device may include: a third receiving module 1401, a third decryption module 1402, and a second key generation module 1403. Wherein:
第三接收模块1401,用于通过第二安全通道接收来自第一设备的经过初始密钥加密的第一密钥因子,其中,初始密钥为第一设备与第二设备之间预设的密钥;The third receiving module 1401 is configured to receive, from the first device through the second secure channel, a first key factor encrypted with an initial key, where the initial key is a key preset between the first device and the second device;
第三解密模块1402,用于对经过初始密钥加密的第一密钥因子进行解密,得到第一加密因子;A third decryption module 1402 is configured to decrypt the first key factor encrypted with the initial key to obtain a first encryption factor;
第二密钥生成模块1403,用于根据第一密钥因子、第二设备生成的第二密钥因子生成第一设备与第二设备的共享密钥The second key generation module 1403 is used to generate a shared key between the first device and the second device based on the first key factor and the second key factor generated by the second device.
图15示出了根据本发明的另一示例性实施例的密钥生成装置的结构示意图;如图15所示,在上述图14所示实施例的基础上,第二密钥生成模块1403具体用于:FIG15 shows a schematic structural diagram of a key generation device according to another exemplary embodiment of the present invention. As shown in FIG15 , based on the embodiment shown in FIG14 , the second key generation module 1403 is specifically configured to:
将第一加密密钥、第一设备的设备标识、第一密钥因子、第二密钥因子依次连接,得到组合字串;Concatenate the first encryption key, the device identifier of the first device, the first key factor, and the second key factor in sequence to obtain a combined string;
将组合字串切分为长度相等的两个子字串;Split the combined string into two substrings of equal length;
对两个子字串分别进行散列运算,得到两个散列结果;Perform hash operations on the two substrings respectively to obtain two hash results;
将两个散列结果以位进行异或运算,得到第一设备与第二设备的共享密钥。The two hash results are subjected to a bitwise exclusive-OR operation to obtain a shared key between the first device and the second device.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第二加密模块1404,用于采用初始密钥对第二设备生成的第二密钥因子进行加密;A second encryption module 1404 is configured to encrypt a second key factor generated by the second device using the initial key;
第一发送模块1405,用于通过第二安全通道将经过初始密钥加密后的第二密钥因子发送给第一设备。The first sending module 1405 is configured to send the second key factor encrypted with the initial key to the first device through the second secure channel.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第三确定模块1406,用于确定第一设备与第二设备的共享密钥的更换周期;A third determining module 1406 is configured to determine a replacement period for a shared key between the first device and the second device;
第四确定模块1407,用于根据更换周期重新确定第一加密因子和第二加密因子;A fourth determining module 1407 is configured to re-determine the first encryption factor and the second encryption factor according to a replacement cycle;
第二更换模块1408,用于根据重新确定的第一加密因子和第二加密因子更换第一设备与第二设备的共享密钥。The second replacement module 1408 is configured to replace the shared key between the first device and the second device according to the re-determined first encryption factor and second encryption factor.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
第四接收模块1409,用于通过第二安全通道接收来自第一设备的经过共享密钥加密的待传输的数据;A fourth receiving module 1409 is configured to receive data to be transmitted encrypted with the shared key from the first device through the second secure channel;
第四解密模块1410,用于采用共享密钥对待传输的数据进行解密。The fourth decryption module 1410 is configured to decrypt the data to be transmitted using the shared key.
在一实施例中,装置还可包括:In one embodiment, the apparatus may further include:
响应数据生成模块1411,用于在接收到待传输的数据后,生成响应数据;The response data generating module 1411 is configured to generate response data after receiving the data to be transmitted;
第三加密模块1412,用于通过共享密钥对响应数据进行加密;The third encryption module 1412 is used to encrypt the response data using the shared key;
第二发送模块1413,用于通过第二安全通道向第一设备发送经过共享密钥加密的响应数据。The second sending module 1413 is configured to send response data encrypted with the shared key to the first device through the second secure channel.
上述实施例可见,由于第一密钥因子与第二密钥因子在网关设备的转发过程中都经过初始密钥加密,而初始密钥为第一设备与第二设备之间预设的密钥,因此网关设备并不能获知第一密钥因子与第二密钥因子;通过第一密钥因子与第二密钥因子生成第一设备与第二设备之间的共享密钥,可以实现最终协商的共享密钥只对第一设备和第二设备可知,网关设备仍无法获取协商的共享密钥,因此可以确保数据在第一设备与第二设备之间更加安全的传输,进一步降低数据在传输过程中被非法截获的风险。It can be seen from the above embodiment that since the first key factor and the second key factor are both encrypted with the initial key during the forwarding process of the gateway device, and the initial key is the preset key between the first device and the second device, the gateway device cannot obtain the first key factor and the second key factor; the shared key between the first device and the second device is generated by the first key factor and the second key factor, so that the final negotiated shared key is only known to the first device and the second device, and the gateway device still cannot obtain the negotiated shared key, thereby ensuring that data is transmitted more securely between the first device and the second device, and further reducing the risk of data being illegally intercepted during transmission.
本领域技术人员在考虑说明书及实践这里公开的发明后,将容易想到本申请的其它实施方案。本申请旨在涵盖本申请的任何变型、用途或者适应性变化,这些变型、用途或者适应性变化遵循本申请的一般性原理并包括本申请未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的,本申请的真正范围和精神由下面的权利要求指出。Those skilled in the art will readily appreciate other embodiments of the present application after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the present application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The description and examples are to be considered as exemplary only, and the true scope and spirit of the present application are indicated by the following claims.
还需要说明的是,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、商品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、商品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、商品或者设备中还存在另外的相同要素。It should also be noted that the terms "comprises," "includes," or any other variations thereof are intended to encompass non-exclusive inclusion, such that a process, method, commodity, or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or includes elements inherent to such process, method, commodity, or apparatus. In the absence of further limitations, an element defined by the phrase "comprises a ..." does not exclude the presence of other identical elements in the process, method, commodity, or apparatus that includes the element.
以上所述仅为本申请的较佳实施例而已,并不用以限制本申请,凡在本申请的精神和原则之内,所做的任何修改、等同替换、改进等,均应包含在本申请保护的范围之内。The above description is only a preferred embodiment of the present application and is not intended to limit the present application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present application shall be included in the scope of protection of the present application.
Claims (24)
Publications (3)
| Publication Number | Publication Date |
|---|---|
| HK1234924A1 HK1234924A1 (en) | 2018-02-23 |
| HK1234924A HK1234924A (en) | 2018-02-23 |
| HK1234924B true HK1234924B (en) | 2021-06-11 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11463243B2 (en) | Key generation method and apparatus using double encryption | |
| TWI683566B (en) | Quantum key output method, storage consistency verification method, device and system | |
| US9338150B2 (en) | Content-centric networking | |
| US20150229621A1 (en) | One-time-pad data encryption in communication channels | |
| US20170012949A1 (en) | Dynamic identity verification and authentication continuous, dynamic one-time-pad/one-time passwords and dynamic distributed key infrastructure for secure communications with a single key for any key-based network security controls | |
| US11063917B2 (en) | Communication network with rolling encryption keys and data exfiltration control | |
| CN103067158A (en) | Encryption and decryption method, terminal device, gateway device and key management system | |
| CN113239403A (en) | Data sharing method and device | |
| US10630466B1 (en) | Apparatus and method for exchanging cryptographic information with reduced overhead and latency | |
| US9391962B2 (en) | Multi-node encryption | |
| US10015208B2 (en) | Single proxies in secure communication using service function chaining | |
| CN106452750A (en) | Quantum encryption communication method for mobile devices | |
| US11343089B2 (en) | Cryptography system and method | |
| CN111245834B (en) | A cross-domain access control method for the Internet of Things based on virtual identity | |
| Mosko et al. | Mobile sessions in content-centric networks | |
| CN119276468B (en) | Group key negotiation method, communication method and device based on double ratchet algorithm | |
| CN109995785A (en) | File security unlocking method in local area network based on quantum cryptography | |
| JPWO2020157928A5 (en) | ||
| US20130283363A1 (en) | Secure data transfer over an arbitrary public or private transport | |
| TWI724091B (en) | Method and device for generating key | |
| HK1234924B (en) | Key generation method and device | |
| EP4088438B1 (en) | Provision of digital content via a communication network | |
| CN118523964B (en) | A multi-level link encryption transmission system for privacy data | |
| US12406075B1 (en) | System and method for scalable stream encryption and decryption | |
| CN111431846A (en) | Method, device and system for data transmission |