HK40045503A - Information processing method and device for secure communication - Google Patents

Publication number
HK40045503A
Authority
HK
Hong Kong
Prior art keywords
algorithm
encryption
target
security domain
decryption
Prior art date
Application number
HK42021036019.4A
Other languages
Chinese (zh)
Other versions
HK40045503B (en
Inventor
朱丙营
辛知
徐登伟
Original Assignee
支付宝(杭州)信息技术有限公司
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司

Description

Information processing method and device for secure communication
Technical Field
The embodiments of this specification relate to the technical field of information security, and in particular to an information processing method and device for secure communication.
Background
Currently, a terminal device may have installed a client application with a secure communication requirement (hereinafter referred to as the target application), and may also be configured with a security domain (hereinafter referred to as the first security domain), such as a TEE (Trusted Execution Environment). When the target application needs to communicate with an application on a server or on another terminal device, a secure channel between the target application and the second security domain can be established through the first security domain, and messages are transmitted through that secure channel. The second security domain is the security domain corresponding to the application on the server or the other terminal device.
In practice, terminal environments are built on a variety of chip platforms with different algorithm capabilities and encryption capabilities, and their secure channel protocols do not match one another. If a single set of encryption algorithm protocols is used, the unified requirements of interactive services between clients and between a client and a server cannot be met.
Therefore, a reasonable and reliable scheme is urgently needed that can both realize secure communication between the first security domain and the second security domain and meet the unified requirements of interactive services between clients and between a client and a server.
Disclosure of Invention
The embodiments of this specification provide an information processing method and device for secure communication.
In a first aspect, an embodiment of this specification provides an information processing method for secure communication, applied to a first security domain in a terminal device, including: receiving a secure channel establishment request from a target application on the terminal device, the establishment request including a domain identifier of a second security domain; sending algorithm information to the second security domain in response to the establishment request, the algorithm information including algorithm identifiers of a plurality of encryption and decryption algorithms supported by the target application, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by a secure channel; receiving an encryption policy from the second security domain, the encryption policy indicating algorithm identifiers of a plurality of target algorithms and the data type that each target algorithm is designated to encrypt and decrypt, wherein the plurality of target algorithms correspond to the plurality of algorithm types and are encryption and decryption algorithms supported by both the target application and the second security domain; and performing a secure channel initialization operation according to the encryption policy.
In some embodiments, the plurality of algorithm types includes at least a symmetric encryption algorithm and a cryptographic hash function; and performing the secure channel initialization operation according to the encryption policy includes: acquiring device feature information of the terminal device and device feature information of the device where the second security domain is located; and, for the data type corresponding to a first target algorithm among the plurality of target algorithms, generating an encryption key corresponding to that data type from the acquired device feature information of each device, using the target key generation algorithm corresponding to that data type, wherein the first target algorithm belongs to the symmetric encryption algorithm type or the cryptographic hash function type, and the second security domain generates, for that data type, a decryption key identical to the encryption key.
In some embodiments, the plurality of algorithm types further includes an asymmetric encryption algorithm, the terminal device is preset with a public-private key pair corresponding to a second target algorithm, the second security domain holds a first public key of the public-private key pair, and the second target algorithm belongs to the asymmetric encryption algorithm type; and performing the secure channel initialization operation according to the encryption policy further includes: for the data type corresponding to the second target algorithm, determining a first private key of the public-private key pair as the encryption key corresponding to that data type, wherein the second security domain determines the first public key as the decryption key corresponding to that data type.
In some embodiments, before sending the algorithm information to the second security domain, the method further includes: sending first identity information to the second security domain, the first identity information including device feature information of the terminal device; and receiving second identity information from the second security domain, the second identity information including device feature information of the device where the second security domain is located.
In some embodiments, the first identity information further comprises information to be verified; and said receiving second identity information from said second security domain, comprising: receiving second identity information returned from the second security domain in response to the information to be verified being authenticated.
In some embodiments, the information to be verified comprises a public key of the first security domain or a device certificate.
In some embodiments, the data types in the encryption policy include: a first data type characterizing service data, a second data type characterizing transmission messages, and a third data type characterizing encrypted messages; and after the secure channel initialization operation is performed according to the encryption policy, the method further includes: in response to obtaining target service data of the target application, encrypting the target service data with the target algorithm corresponding to the first data type, using the encryption key corresponding to the first data type, to obtain encrypted data, wherein the intended recipient of the target service data is the second security domain; generating a transmission message including the encrypted data; encrypting the transmission message with the target algorithm corresponding to the second data type, using the encryption key corresponding to the second data type, to obtain an encrypted message; generating a signature of the encrypted message with the target algorithm corresponding to the third data type, using the encryption key corresponding to the third data type; and sending the encrypted message and the signature to the second security domain.
In some embodiments, after receiving the secure channel establishment request from the target application on the terminal device and before obtaining the target service data of the target application, the method further includes: receiving a data transmission request from the target application, the data transmission request including the target service data and the domain identifier.
In some embodiments, after generating the signature of the encrypted message, the method further includes: regenerating the encryption key corresponding to the third data type from the device feature information of each device, using the target key generation algorithm corresponding to the third data type.
In a second aspect, an embodiment of this specification provides an information processing method for secure communication, applied to a second security domain, including: receiving algorithm information from a first security domain, the algorithm information including algorithm identifiers of a plurality of encryption and decryption algorithms supported by a target application on the terminal device where the first security domain is located, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by a secure channel; determining a plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information, wherein the target algorithms are encryption and decryption algorithms supported by both the target application and the second security domain; determining, among a plurality of data types required by the secure channel, the data type that each of the target algorithms is used to encrypt and decrypt; generating an encryption policy indicating the algorithm identifiers of the target algorithms and the data types corresponding to the target algorithms; sending the encryption policy to the first security domain; and performing a secure channel initialization operation according to the encryption policy.
In some embodiments, determining the plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information includes: determining, from the encryption and decryption algorithms supported by the second security domain and the algorithm information, each encryption and decryption algorithm supported by both the target application and the second security domain; and, for each algorithm type among the plurality of algorithm types, selecting one encryption and decryption algorithm as the target algorithm from the at least one commonly supported encryption and decryption algorithm belonging to that algorithm type.
In some embodiments, the plurality of algorithm types includes a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function; and selecting one encryption and decryption algorithm as the target algorithm from the at least one encryption and decryption algorithm belonging to the algorithm type includes: when the algorithm type is a symmetric encryption algorithm or a cryptographic hash function, selecting one encryption and decryption algorithm from the at least one encryption and decryption algorithm as the target algorithm; and when the algorithm type is an asymmetric encryption algorithm, selecting as the target algorithm one of the encryption and decryption algorithms, among the at least one encryption and decryption algorithm, that meet a selection condition, the selection condition including: the terminal device is preset with a public-private key pair corresponding to the encryption and decryption algorithm, and the second security domain stores a first public key of that public-private key pair.
In some embodiments, the second security domain stores an algorithm selection policy corresponding to the service party to which the target application belongs; and determining the plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information includes: determining the target algorithms according to the encryption and decryption algorithms supported by the second security domain, the algorithm information, and the algorithm selection policy.
In some embodiments, the plurality of data types includes: a first data type characterizing service data, a second data type characterizing transmission messages, and a third data type characterizing encrypted messages; and determining the data type that each of the target algorithms is used to encrypt and decrypt includes: when the plurality of algorithm types are a symmetric encryption algorithm and a cryptographic hash function, assigning the target algorithm belonging to the symmetric encryption algorithm type to the first data type and the second data type, and assigning the target algorithm belonging to the cryptographic hash function type to the third data type; and when the plurality of algorithm types are a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function, assigning the target algorithm belonging to one of the symmetric and asymmetric encryption algorithm types to the first data type, assigning the target algorithm belonging to the other of the two to the second data type, and assigning the target algorithm belonging to the cryptographic hash function type to the third data type.
In some embodiments, the plurality of algorithm types includes at least a symmetric encryption algorithm and a cryptographic hash function; and performing the secure channel initialization operation according to the encryption policy includes: acquiring device feature information of the terminal device and device feature information of the device where the second security domain is located; and, for the data type corresponding to a first target algorithm among the plurality of target algorithms, generating a decryption key corresponding to that data type from the acquired device feature information of each device, using the target key generation algorithm corresponding to that data type, wherein the first target algorithm belongs to the symmetric encryption algorithm type or the cryptographic hash function type, and the first security domain generates, for that data type, an encryption key identical to the decryption key.
In some embodiments, the plurality of algorithm types further includes an asymmetric encryption algorithm, the terminal device is preset with a public-private key pair corresponding to a second target algorithm, the second security domain holds a first public key of the public-private key pair, and the second target algorithm belongs to the asymmetric encryption algorithm type; and performing the secure channel initialization operation according to the encryption policy further includes: for the data type corresponding to the second target algorithm, determining the first public key as the decryption key corresponding to that data type, wherein the first security domain determines a first private key of the public-private key pair as the encryption key corresponding to that data type.
In some embodiments, before receiving the algorithm information from the first security domain, the method further includes: receiving first identity information from the first security domain, the first identity information including device feature information of the terminal device; and sending second identity information to the first security domain, the second identity information including device feature information of the device where the second security domain is located.
In some embodiments, the first identity information further includes information to be verified; and after receiving the first identity information from the first security domain, the method further includes: performing validity verification on the information to be verified; and, in response to the information to be verified passing the verification, sending the second identity information to the first security domain.
In some embodiments, the information to be verified comprises a public key of the first security domain or a device certificate.
In some embodiments, the plurality of data types includes: a first data type characterizing service data, a second data type characterizing transmission messages, and a third data type characterizing encrypted messages; and after the secure channel initialization operation is performed according to the encryption policy, the method further includes: receiving an encrypted message and a signature of the encrypted message from the first security domain, wherein the encrypted message is generated by encrypting a transmission message, the transmission message includes encrypted data, and the encrypted data is generated by encrypting target service data of a target application; performing validity verification on the signature with the target algorithm corresponding to the third data type, using the decryption key corresponding to the third data type; in response to the signature passing the verification, decrypting the encrypted message with the target algorithm corresponding to the second data type, using the decryption key corresponding to the second data type, to obtain the transmission message; and decrypting the encrypted data with the target algorithm corresponding to the first data type, using the decryption key corresponding to the first data type, to obtain the target service data.
In some embodiments, after performing validity verification on the signature, the method further includes: regenerating the decryption key corresponding to the third data type from the device feature information of each device, using the target key generation algorithm corresponding to the third data type.
In a third aspect, an embodiment of this specification provides an information processing apparatus for secure communication, applied to a first security domain in a terminal device, including: a first receiving unit configured to receive a secure channel establishment request from a target application on the terminal device, the establishment request including a domain identifier of a second security domain; a sending unit configured to send algorithm information to the second security domain in response to the establishment request, the algorithm information including algorithm identifiers of a plurality of encryption and decryption algorithms supported by the target application, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by a secure channel; a second receiving unit configured to receive an encryption policy from the second security domain, the encryption policy indicating algorithm identifiers of a plurality of target algorithms and the data type that each target algorithm is designated to encrypt and decrypt, wherein the plurality of target algorithms correspond to the plurality of algorithm types and are encryption and decryption algorithms supported by both the target application and the second security domain; and a secure channel initialization unit configured to perform a secure channel initialization operation according to the encryption policy.
In a fourth aspect, an embodiment of this specification provides an information processing apparatus for secure communication, applied to a second security domain, including: a receiving unit configured to receive algorithm information from a first security domain, the algorithm information including algorithm identifiers of a plurality of encryption and decryption algorithms supported by a target application on the terminal device where the first security domain is located, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by a secure channel; a first determining unit configured to determine a plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information, wherein the plurality of target algorithms are encryption and decryption algorithms supported by both the target application and the second security domain; a second determining unit configured to determine, among a plurality of data types required by the secure channel, the data type that each of the target algorithms is used to encrypt and decrypt; an encryption policy generation unit configured to generate an encryption policy indicating the algorithm identifiers of the plurality of target algorithms and the data types corresponding to the plurality of target algorithms; a sending unit configured to send the encryption policy to the first security domain; and a secure channel initialization unit configured to perform a secure channel initialization operation according to the encryption policy.
In a fifth aspect, the present specification provides a computer-readable storage medium on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to execute the method described in any implementation manner of the first aspect and the second aspect.
In a sixth aspect, the present specification provides a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement the method described in any one of the implementation manners of the first aspect and the second aspect.
With the information processing method and apparatus for secure communication provided by the above embodiments of this specification, the first security domain receives the secure channel establishment request from the target application on the terminal device and, in response to the establishment request, sends the algorithm information to the second security domain. The second security domain then returns the encryption policy to the first security domain in response to the algorithm information. The first security domain and the second security domain then each perform the secure channel initialization operation according to the encryption policy. The solution therefore enables the first security domain and the second security domain to agree on the encryption policy and to initialize the secure channel according to it. The scheme applies whether the device where the second security domain is located is a terminal device or a server. It can therefore both realize secure communication between the first security domain and the second security domain and meet the unified requirements of interactive services between clients and between a client and a server.
Drawings
To illustrate the technical solutions of the embodiments disclosed in this specification more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings in the following description are only embodiments disclosed in this specification, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is an exemplary system architecture diagram to which some embodiments of the present description may be applied;
FIG. 2 is a timing diagram of one embodiment of an information processing method for secure communications according to the present description;
FIG. 3 is a timing diagram for one embodiment of a process for performing a secure channel initialization operation in accordance with the present description;
FIG. 4 is a timing diagram for one embodiment of a message processing flow relating to targeted business data in accordance with the present description;
FIG. 5 is a schematic configuration diagram of an information processing apparatus for secure communication according to the present specification;
FIG. 6 is a schematic diagram of one configuration of an information processing apparatus for secure communication according to the present specification.
Detailed Description
The present specification will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. The described embodiments are only a subset of the embodiments described herein and not all embodiments described herein. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step are within the scope of the present application.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present description may be combined with each other without conflict. In addition, the terms "first", "second", "third", and the like in the present specification are used only for information distinction and do not play any limiting role.
As described above, terminal environments are built on a variety of chip platforms with different algorithm capabilities and encryption capabilities, and their secure channel protocols do not match one another. If a single set of encryption algorithm protocols is used, the unified requirements of interactive services between clients and between a client and a server cannot be met.
Based on this, some embodiments of the present specification provide an information processing method for secure communication, by which not only secure communication between a first security domain and a second security domain can be achieved, but also unified requirements of interactive services between a client and a client, and between the client and a server can be satisfied. In particular, FIG. 1 illustrates an exemplary system architecture diagram suitable for use with these embodiments.
As shown in FIG. 1, a target application, a first security domain and a second security domain are shown. The target application is any client application installed on the terminal device and having secure communication requirements, and may include, but is not limited to, a payment application and the like. The first security domain is a security domain configured in the terminal device, such as a TEE or the like. The first security domain may receive various requests of the target application, such as a secure channel establishment request, a data transmission request, and the like.
The second security domain is a security domain corresponding to an application on a server or other terminal device that can communicate with the target application. As an example, when the target application is a payment-type application, the server may be a background server of the payment-type application, and the application on the other terminal device may be an application with a cash register function. The server may be a cloud server or a physical server, and is not limited herein.
It should be understood that the device where the second security domain is located may be a terminal device or a server. When that device is a terminal device, the first security domain and the second security domain may communicate in an offline scenario or in an online scenario, which is not specifically limited here.
Taking the secure channel establishment request as an example, the first security domain may receive the secure channel establishment request from the target application, where the establishment request includes the domain identifier of the second security domain. The first security domain may then send algorithm information relating to the target application to the second security domain in response to the establishment request. The first security domain may then receive, from the second security domain, an encryption policy returned in response to the algorithm information. The first security domain and the second security domain can then each perform the secure channel initialization operation according to the encryption policy.
The following describes specific implementation steps of the above method with reference to specific examples.
Referring to FIG. 2, a timing diagram of one embodiment of an information processing method for secure communications is shown. The method comprises the following steps:
Step 201, the first security domain receives a secure channel establishment request from a target application on the terminal device where the first security domain is located, the establishment request including a domain identifier of a second security domain;
Step 205, the first security domain sends algorithm information to the second security domain, where the algorithm information includes algorithm identifiers of a plurality of encryption and decryption algorithms supported by the target application, and the plurality of encryption and decryption algorithms correspond to a plurality of algorithm types required by the secure channel;
Step 206, the second security domain determines a plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information, where the target algorithms are encryption and decryption algorithms supported by both the target application and the second security domain;
Step 207, the second security domain determines, among the plurality of data types required by the secure channel, the data type that each of the target algorithms is used to encrypt and decrypt;
Step 208, the second security domain generates an encryption policy, where the encryption policy indicates the algorithm identifiers of the plurality of target algorithms and the data types corresponding to the plurality of target algorithms;
Step 209, the second security domain sends the encryption policy to the first security domain;
Step 210, the second security domain performs the secure channel initialization operation according to the encryption policy;
Step 211, the first security domain performs the secure channel initialization operation according to the encryption policy.
Step 205 and step 209 embody the process by which the first security domain and the second security domain agree on the encryption policy.
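The second security domain's selection and assignment in steps 206 to 208, together with a check the first security domain can run on the returned policy before step 211, as an added Python example (not code from the patent). The identifier strings, the type and data-type names, the preference list standing in for the algorithm selection policy, and the choice of which of the symmetric and asymmetric algorithms serves the first data type are assumptions; `check_policy` is an added check, not a step the page describes.

```python
# Algorithm identifiers named on the page, grouped by algorithm type.
# The string spellings of identifiers and type names are assumptions.
ALGORITHM_TYPES = {
    "SM4": "symmetric", "AES": "symmetric", "3DES": "symmetric",
    "SM2": "asymmetric", "RSA": "asymmetric",
    "SM2+SM3": "cryptographic_hash", "RSA+SHA256": "cryptographic_hash",
    "SM4+SM3": "cryptographic_hash", "AES+SHA256": "cryptographic_hash",
}
# First, second and third data type of the encryption policy.
DATA_TYPES = ("service_data", "transmission_message", "encrypted_message")


class NegotiationError(Exception):
    """No acceptable common algorithm exists for a required algorithm type."""


def select_targets(offered, local_supported, required_types,
                   preference, held_public_keys):
    """Step 206: choose one commonly supported algorithm per algorithm type.

    offered          -- identifiers received in the algorithm information
    local_supported  -- identifiers the second security domain supports
    preference       -- ordered list standing in for the selection policy
    held_public_keys -- asymmetric algorithms for which the second security
                        domain stores the terminal's first public key
    """
    common = [a for a in dict.fromkeys(offered)
              if a in local_supported and a in ALGORITHM_TYPES]
    rank = {a: i for i, a in enumerate(preference)}
    targets = {}
    for algo_type in required_types:
        candidates = [a for a in common if ALGORITHM_TYPES[a] == algo_type]
        if algo_type == "asymmetric":
            # Selection condition: a preset key pair exists on the terminal
            # and its public key is stored by the second security domain.
            candidates = [a for a in candidates if a in held_public_keys]
        if not candidates:
            raise NegotiationError(f"no common {algo_type} algorithm")
        targets[algo_type] = min(candidates,
                                 key=lambda a: rank.get(a, len(rank)))
    return targets


def build_policy(targets):
    """Steps 207-208: assign the target algorithms to the three data types."""
    types = set(targets)
    if types == {"symmetric", "cryptographic_hash"}:
        first = second = targets["symmetric"]
    elif types == {"symmetric", "asymmetric", "cryptographic_hash"}:
        # Assumption: symmetric for service data, asymmetric for the message.
        first, second = targets["symmetric"], targets["asymmetric"]
    else:
        raise NegotiationError("unsupported combination of algorithm types")
    return dict(zip(DATA_TYPES, (first, second, targets["cryptographic_hash"])))


def check_policy(policy, offered, required_types):
    """First security domain: reject a policy it could not have agreed to.

    Returns a list of problems; an empty list means the policy is consistent
    with what was offered in step 205.
    """
    problems = []
    if set(policy) != set(DATA_TYPES):
        problems.append("policy does not cover exactly the three data types")
    for data_type, algo in policy.items():
        if algo not in offered:
            problems.append(f"{data_type}: {algo} was not offered")
    used_types = {ALGORITHM_TYPES.get(a) for a in policy.values()}
    if used_types != set(required_types):
        problems.append("target algorithms do not match the required types")
    if ALGORITHM_TYPES.get(policy.get("encrypted_message")) != "cryptographic_hash":
        problems.append("encrypted_message needs a cryptographic hash function")
    return problems


if __name__ == "__main__":
    # Constructed sample capability lists, not values from the patent.
    offered = ["SM4", "AES", "SM2", "RSA", "SM4+SM3", "AES+SHA256"]
    local = {"AES", "3DES", "SM2", "RSA", "AES+SHA256", "RSA+SHA256"}
    required = ("symmetric", "asymmetric", "cryptographic_hash")
    targets = select_targets(offered, local, required,
                             ["SM4", "AES", "SM2", "RSA"], {"RSA"})
    policy = build_policy(targets)
    print(policy, check_policy(policy, offered, required))
```

Treating an empty candidate list as a hard failure, rather than falling back to an algorithm only one side supports, keeps the agreed policy inside the intersection that the method requires.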
The above steps are further explained below.
In step 201, the first security domain may receive a secure channel establishment request from the target application in real time. The establishment request may be triggered manually or automatically, and is not limited herein.
In step 205, the first security domain may send algorithm information to the second security domain in response to the establishment request. The algorithm information may include, but is not limited to, algorithm identifications of a plurality of encryption and decryption algorithms supported by the target application, and the like. The plurality of encryption and decryption algorithms correspond to a plurality of algorithm types required by the secure channel. Note that several of the plurality of encryption and decryption algorithms may correspond to the same algorithm type.
In practice, the above-mentioned plurality of algorithm types includes at least a symmetric encryption algorithm and a cryptographic hash function. Optionally, the plurality of algorithm types may further include an asymmetric encryption algorithm. The encryption and decryption algorithms under the symmetric encryption algorithm may include, but are not limited to, SM4, AES (Advanced Encryption Standard), 3DES, and the like. The encryption and decryption algorithms under the asymmetric encryption algorithm may include, for example, but are not limited to, SM2, RSA, and the like. The encryption and decryption algorithm under the cryptographic hash function may be an algorithm based on a key algorithm and a hash function, and may include, for example, but is not limited to, an algorithm consisting of SM2 and SM3 (a hash algorithm), an algorithm consisting of RSA and SHA256 (a hash algorithm), an algorithm consisting of SM4 and SM3, and an algorithm consisting of AES and SHA256. It should be noted that the key algorithm may belong to a symmetric encryption algorithm or an asymmetric encryption algorithm, and is not limited herein.
It should be noted that 3DES (also called Triple DES) is a generic term for the Triple Data Encryption Algorithm (TDEA) block cipher, and it is equivalent to applying the DES (Data Encryption Standard) encryption algorithm three times to each data block. The RSA public key cryptosystem is a cryptosystem that uses different encryption and decryption keys, and it is computationally infeasible to derive a decryption key from a known encryption key. The hash value used by the SHA256 algorithm is 256 bits in length and is an abstract class. SM2, SM3, SM4 are all national cryptographic algorithms, i.e. the domestic cryptographic algorithms identified by the national crypto authority. Since the above listed algorithms are well known technologies that are widely researched and applied at present, they are not described herein again.
Optionally, the algorithm information may further include at least one of: a first flag and a second flag. The first flag may be used to indicate whether an encryption and decryption algorithm supported by the encryption algorithm acceleration engine exists in the plurality of encryption and decryption algorithms. The second flag may be used to indicate whether there is an encryption and decryption algorithm with a public and private key pair in the plurality of encryption and decryption algorithms.
The first flag in the algorithm information helps the second security domain determine whether an encryption and decryption algorithm supported by the encryption algorithm acceleration engine exists in the plurality of encryption and decryption algorithms supported by the target application. The encryption algorithm acceleration engine may be an independent IP (Internet Protocol) module, integrated on a chip, and may provide a specific algorithm hardware implementation interface. It should be noted that, compared with an encryption and decryption algorithm implemented by software, an encryption and decryption algorithm implemented by hardware is safer and more efficient.
In addition, in the case where the multiple algorithm types include asymmetric encryption algorithms, the second flag in the algorithm information helps the second security domain judge whether encryption and decryption algorithms provided with public and private key pairs exist in the multiple encryption and decryption algorithms supported by the target application.
Optionally, before step 205, the first security domain and the second security domain may send respective identity information to each other. For example, the first security domain may send the first identity information to the second security domain by performing step 202. The first identity information may include, but is not limited to, device feature information of the terminal device where the first security domain is located. Optionally, the first identity information may further include version information. The second security domain may send second identity information to the first security domain by performing step 204 in response to receiving the first identity information, which may include, but is not limited to, device feature information of a device in which the second security domain is located. In practice, the device feature information may include, but is not limited to, a MAC (Media Access Control) address, etc., for example.
Optionally, before step 205, the first security domain and the second security domain may perform an identity identification procedure to prove that the terminal device where the first security domain is located is a legitimate device (e.g. an officially authorized device) rather than a counterfeit/virtual device.
As an implementation manner of identity recognition, the first security domain may add information to be verified for identity verification to the first identity information as described above, where the information to be verified may include, but is not limited to, a public key of the first security domain or a device certificate, for example. Based on this, before step 204, the second security domain may perform validity verification on the information to be verified by executing step 203 in response to the first identity information including the information to be verified. The second security domain may then perform step 204 in response to the information to be verified being authenticated. In practice, the second security domain may adopt an authentication method agreed with the first security domain in advance to perform validity authentication on the information to be verified, and the specification does not specifically limit the authentication method.
As another implementation manner of identity recognition, the first security domain may also encrypt the first identity information in an encryption manner agreed in advance with the second security domain. Thus, further, in step 202, the first security domain may send the encrypted first identity information to the second security domain. Based on this, before step 204, the second security domain may decrypt the first identity information in a decryption manner agreed with the first security domain. After decryption is successful, step 204 may be performed.
It should be understood that, in the solutions provided in the present specification, various methods may be used to identify the first security domain, and the present specification does not specifically limit the identification method.
In step 206, the second security domain may determine a plurality of target algorithms according to its own supported encryption/decryption algorithms and the received algorithm information. Wherein the plurality of target algorithms are cryptographic algorithms supported by both the target application and the second security domain. It should be understood that the plurality of target algorithms correspond to the plurality of algorithm types described above.
In this specification, the plurality of data types required for the secure channel include: a first data type for characterizing service data, a second data type for characterizing transmission messages, and a third data type for characterizing encrypted messages. The data of the first data type and the data of the second data type are each encrypted and decrypted by using a corresponding encryption and decryption algorithm and a corresponding key. The data of the third data type needs to be signed and verified by using a corresponding encryption and decryption algorithm and a corresponding key. "Signing" here means adding a signature.
The data of the first data type and of the second data type can both be encrypted and decrypted by using a symmetric/asymmetric encryption and decryption algorithm. The key type corresponding to the key for encrypting and decrypting the data of the first data type may be referred to as a Data Encryption Key (DEK). The key type corresponding to the key for encrypting and decrypting the data of the second data type may be referred to as an application cryptograph master key, abbreviated as ENC. For the data of the third data type, the signature can be added and verified by using an encryption and decryption algorithm belonging to a cryptographic hash function. The key type corresponding to the key used for signing and verifying the data may be referred to as a Message Authentication key (MAC).
In general, the plurality of algorithm types and the plurality of data types are equal in number, and the plurality of target algorithms and the plurality of algorithm types have a one-to-one correspondence relationship.
As an implementation, step 206 may further include:
S1, determining each encryption and decryption algorithm supported by both the target application and the second security domain according to the encryption and decryption algorithms supported by the second security domain itself and the algorithm information;
S2, for each algorithm type in the plurality of algorithm types, selecting one encryption and decryption algorithm from at least one encryption and decryption algorithm belonging to the algorithm type in the encryption and decryption algorithms as a target algorithm.
Optionally, when the plurality of algorithm types include a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function, the step S2 may further include:
for each algorithm type in the multiple algorithm types, when the algorithm type is a symmetric encryption algorithm or a cryptographic hash function, selecting one encryption and decryption algorithm from at least one encryption and decryption algorithm belonging to the algorithm type in the encryption and decryption algorithms as a target algorithm; when the algorithm type is an asymmetric encryption algorithm, selecting one encryption and decryption algorithm as a target algorithm from the encryption and decryption algorithms which meet a selection condition in the at least one encryption and decryption algorithm, wherein the selection condition comprises the following steps: the terminal device is preset with a public and private key pair corresponding to an encryption and decryption algorithm, and the second security domain stores a first public key in the public and private key pair.
Optionally, the second security domain may store an algorithm selection policy corresponding to a service party to which the target application belongs. The algorithm selection policy may include, but is not limited to, performance requirement prioritization, and the like, for example, and is not limited herein. Based on this, step 206 may further include:
S3, determining the plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain itself, the algorithm information and the algorithm selection policy.
Taking the example that the algorithm selection policy includes a performance requirement priority, the step S3 may further include the step S1 and the following step S31:
S31, for each algorithm type of the multiple algorithm types and at least one encryption and decryption algorithm belonging to the algorithm type in the encryption and decryption algorithms, if a hardware implementation algorithm supported by the encryption algorithm acceleration engine exists in the at least one encryption and decryption algorithm, selecting a hardware implementation algorithm from the hardware implementation algorithms in the at least one encryption and decryption algorithm as a target algorithm; and if the at least one encryption and decryption algorithm does not have a hardware implementation algorithm, selecting one encryption and decryption algorithm from the at least one encryption and decryption algorithm as a target algorithm.
In step S31, reference may be made to the related description of step S2 for a specific algorithm selection method.
It should be noted that, by performing step S3, the above target algorithms can better meet the requirements of the target application. In addition, step S3 helps the solution provided by the present embodiment make use of platform capabilities with various characteristic encryption capabilities (e.g., high-performance encryption algorithm capability, etc.).
The above describes only one method of determining a target algorithm for each data type. In the case that the plurality of algorithm types are respectively a symmetric encryption algorithm and a cryptographic hash function, and the number of the plurality of algorithm types is smaller than the number of the plurality of data types, for the symmetric encryption algorithm, the second security domain may determine at least one target algorithm for the symmetric encryption algorithm. Wherein the number of the at least one target algorithm is less than the number of the plurality of data types. For example, if the plurality of data types are the three data types listed above, the number of the at least one target algorithm may be 1 or 2.
In step 207, the second security domain may determine, among the plurality of data types, data types respectively used for encryption and decryption by the plurality of target algorithms.
Assuming that the plurality of data types include the first data type, the second data type and the third data type as described above, step 207 may further include:
S4, when the plurality of algorithm types are a symmetric encryption algorithm and a cryptographic hash function, respectively, assigning a target algorithm belonging to the symmetric encryption algorithm to the first data type and the second data type, and assigning a target algorithm belonging to the cryptographic hash function to the third data type;
S5, when the plurality of algorithm types are a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function, respectively, assigning a target algorithm belonging to one of the symmetric encryption algorithm and the asymmetric encryption algorithm to the first data type, assigning a target algorithm belonging to the other of the symmetric encryption algorithm and the asymmetric encryption algorithm to the second data type, and assigning a target algorithm belonging to the cryptographic hash function to the third data type.
Specifically, in step S4, when the multiple algorithm types are a symmetric encryption algorithm and a cryptographic hash function, respectively, if the multiple target algorithms include 1 target algorithm belonging to the symmetric encryption algorithm, the second security domain may assign the 1 target algorithm to the first data type and the second data type simultaneously. If the plurality of target algorithms includes 2 target algorithms belonging to symmetric encryption algorithms, the second security domain may assign any one of the 2 target algorithms to the first data type and another one of the 2 target algorithms to the second data type.
In step 208, the second security domain may generate an encryption policy. The encryption policy may show algorithm identifications of the target algorithms and data types corresponding to the target algorithms respectively. In the encryption policy, the data type may be represented by a type name or a type number, and is not specifically limited herein.
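The selection and assignment logic of steps 206 to 208 (S1, S2/S31, S4/S5) can be sketched as follows. This is an added example, not code from the patent: the class names, the data type names, the per-algorithm hardware and key-pair sets behind the two flags, and the fail-closed `NegotiationError` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SYM, ASYM, HASH = "symmetric", "asymmetric", "hash"
# Algorithm identifiers named on the page, mapped to their algorithm type.
ALGORITHM_TYPE = {
    "SM4": SYM, "AES": SYM, "3DES": SYM,
    "SM2": ASYM, "RSA": ASYM,
    "SM4+SM3": HASH, "AES+SHA256": HASH, "SM2+SM3": HASH, "RSA+SHA256": HASH,
}
# Hypothetical names for the first, second and third data types.
SERVICE_DATA = "service_data"
TRANSMISSION_MESSAGE = "transmission_message"
ENCRYPTED_MESSAGE = "encrypted_message"


class NegotiationError(Exception):
    """Raised when a mandatory algorithm type has no common algorithm."""


@dataclass
class AlgorithmInfo:
    """Algorithm information sent by the first security domain (step 205)."""
    algorithms: list                              # identifiers supported by the target application
    hardware: set = field(default_factory=set)    # assumed detail behind the first flag
    keypair: set = field(default_factory=set)     # assumed detail behind the second flag


@dataclass
class SecondDomain:
    supported: list                                        # own algorithms, in preference order
    stored_public_keys: set = field(default_factory=set)   # algorithms whose first public key is stored
    prefer_hardware: bool = True                           # algorithm selection policy: performance first


def select_targets(info, domain):
    """Step 206: return {algorithm type: target algorithm}."""
    offered = set(info.algorithms)
    # S1: keep what both sides support; identifiers outside the catalogue are never selected.
    common = [a for a in domain.supported if a in offered and a in ALGORITHM_TYPE]
    targets = {}
    for alg_type in (SYM, ASYM, HASH):
        candidates = [a for a in common if ALGORITHM_TYPE[a] == alg_type]
        if alg_type == ASYM:
            # Selection condition: key pair preset on the terminal, public key stored here.
            candidates = [a for a in candidates
                          if a in info.keypair and a in domain.stored_public_keys]
        if not candidates:
            if alg_type == ASYM:
                continue  # the asymmetric type is optional
            # Fail closed: no channel rather than a channel without this type.
            raise NegotiationError("no common %s algorithm" % alg_type)
        # S31: prefer algorithms backed by the acceleration engine when the policy says so.
        accelerated = [a for a in candidates if a in info.hardware]
        pool = accelerated if (domain.prefer_hardware and accelerated) else candidates
        targets[alg_type] = pool[0]
    return targets


def build_policy(targets):
    """Steps 207 and 208: assign target algorithms to data types."""
    if ASYM in targets:
        # S5: the page allows either assignment; this sketch picks one.
        first, second = targets[SYM], targets[ASYM]
    else:
        # S4: one symmetric target algorithm serves both data types.
        first = second = targets[SYM]
    return {SERVICE_DATA: first, TRANSMISSION_MESSAGE: second,
            ENCRYPTED_MESSAGE: targets[HASH]}


def negotiate(info, domain):
    return build_policy(select_targets(info, domain))


# Constructed sample input: a server supporting both algorithm families,
# one terminal with a national-algorithm engine, one with an international one.
SERVER = SecondDomain(
    supported=["AES", "SM4", "3DES", "RSA", "SM2", "AES+SHA256", "SM4+SM3"],
    stored_public_keys={"SM2"},
)
TERMINAL_A = AlgorithmInfo(
    algorithms=["SM4", "AES", "SM2", "SM4+SM3", "AES+SHA256"],
    hardware={"SM4", "SM2", "SM4+SM3"},
    keypair={"SM2"},
)
TERMINAL_B = AlgorithmInfo(
    algorithms=["AES", "3DES", "AES+SHA256"],
    hardware={"AES", "AES+SHA256"},
)

if __name__ == "__main__":
    print(negotiate(TERMINAL_A, SERVER))
    print(negotiate(TERMINAL_B, SERVER))
```

Rejecting the request when no common symmetric or hash algorithm exists keeps an altered algorithm list from producing a channel that silently lacks encryption or message authentication.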
In step 209, the second security domain may send the encryption policy to the first security domain. The first and second security domains may then initialize the secure channel by performing steps 210, 211, and process the message by performing the steps shown in fig. 4.
In this embodiment, through the execution of step 205 and step 209, the first security domain and the second security domain may agree on the encryption policy. Because the encryption policy includes the algorithm identifiers of the target algorithms, and the target algorithms are encryption and decryption algorithms supported by both the target application and the second security domain, both the first security domain and the second security domain can initialize the security channel and process the message according to the encryption policy in an offline scene or an online scene.
It should be noted that, in this specification, a plurality of algorithm types as described above may correspond to a plurality of first-level algorithm types. The plurality of first-level algorithm types may include, for example, a national cryptographic algorithm and an international universal algorithm. The algorithms listed in the foregoing text, except for the national cryptographic algorithms, may all belong to the international general algorithm. Typically, the plurality of target algorithms determined by the second security domain may be categorized into a national cryptographic algorithm or an international common algorithm.
In the following, the beneficial effects of agreeing on the encryption policy in different scenarios are briefly introduced.
Scene 1: user terminal A and user terminal B both possess the national cryptographic algorithm (SM2/3/4), and user terminal C and user terminal D both possess the international general purpose algorithm (RSA, AES, SHA256, 3DES). By agreeing on the encryption policy, user terminals A and B may choose to use a national cryptographic algorithm to establish a secure channel and process the message. User terminals C and D may choose to use an international common algorithm to establish a secure channel and process the message. Therefore, user experience can be improved, and the business safety requirements can be met.
Scene 2: the user terminal A has a national cryptographic algorithm (SM2/3/4) acceleration engine, the user terminal B has an international general algorithm (RSA, AES, SHA256 and 3DES) acceleration engine, and the service server side has an acceleration engine which simultaneously supports the national cryptographic algorithm and the international general algorithm. By agreeing on the encryption policy, the user terminal A can establish a secure channel with the service server by using a national cryptographic algorithm, and the user terminal B can establish a secure channel with the service server by using an international general algorithm. Therefore, the algorithm advantages of the user terminal A and the user terminal B can be brought into play at the same time, and the performance and the user experience are greatly improved.
Therefore, by agreeing on the encryption policy, the unified requirements of interactive services between the client and between the client and the server can be met, the platform capability with various characteristic encryption capabilities is exerted, and the fragmentation problem of service processing logic is reduced.
In step 210, the second security domain may perform a secure channel initialization operation according to the encryption policy. Specifically, step 210 may further include step 2101-. Optionally, step 210 may also include step 2103 as shown in fig. 3.
In step 211, the first security domain may perform a secure channel initialization operation according to an encryption policy. Specifically, step 211 may further include steps 2111-2112 as shown in FIG. 3. Optionally, step 211 may also include step 2113 as shown in fig. 3.
Fig. 3 shows a timing diagram of one embodiment of a process for performing a secure channel initialization operation. In the case where the plurality of algorithm types include a symmetric encryption algorithm and a cryptographic hash function, the process comprises the following steps:
step 2101, the second security domain obtains device characteristic information of the terminal device where the first security domain is located and device characteristic information of the device where the second security domain is located;
step 2102, for a data type corresponding to a first target algorithm in the multiple target algorithms, the second security domain generates a decryption key corresponding to the data type according to the acquired pieces of device feature information by using a target key generation algorithm corresponding to the data type, where the first target algorithm belongs to a symmetric encryption algorithm or a cryptographic hash function;
step 2111, the first security domain acquires the device characteristic information of the terminal device where the first security domain is located and the device characteristic information of the device where the second security domain is located;
step 2112, for the data type corresponding to the first target algorithm in the multiple target algorithms, the first security domain generates an encryption key corresponding to the data type according to the acquired pieces of device feature information by using a target key generation algorithm corresponding to the data type, where the first target algorithm belongs to a symmetric encryption algorithm or a cryptographic hash function.
The above steps in this embodiment will be further explained below.
In step 2101 and step 2111, if the first security domain and the second security domain both store the pieces of device feature information, the pieces of device feature information may be acquired from respective storage areas.
Optionally, in the case of performing the above step 202 and the above step 204, the first security domain may obtain the device feature information of the terminal device where the first security domain is located from the local, and obtain the device feature information of the device where the second security domain is located from the received second identity information. The second security domain may locally obtain device feature information of a device in which the second security domain is located, and obtain device feature information of the terminal device in which the first security domain is located from the first identity information.
In steps 2102 and 2112, the target key generation algorithm may be a key generation algorithm pre-agreed by the first security domain and the second security domain. The data types corresponding to the first target algorithms may correspond to the same target key generation algorithm, or may correspond to different target key generation algorithms.
When the data types corresponding to the first target algorithms correspond to the same target key generation algorithm, the target key generation algorithm may include, for example, at least one sub-algorithm, and the number of the at least one sub-algorithm is the same as that of the first target algorithms. After the pieces of device feature information are input into the target key generation algorithm, the target key generation algorithm may be enabled to output a key corresponding to the data type, for example, an encryption key or a decryption key.
It should be appreciated that for each data type corresponding to the first target algorithm, the first security domain and the second security domain employ the same key generation algorithm and the same input parameters when generating the encryption key and the decryption key corresponding to that data type.
Note that in step 2102 and step 2112, for the target algorithm belonging to the cryptographic hash function, the key algorithm in the target algorithm usually belongs to a symmetric encryption algorithm.
Optionally, the plurality of algorithm types may further include an asymmetric encryption algorithm, and a second target algorithm belonging to the asymmetric encryption algorithm may further exist in the plurality of target algorithms. The terminal equipment where the first security domain is located is preset with a public and private key pair corresponding to the second target algorithm, and the second security domain stores a first public key in the public and private key pair. Based on this, the secure channel initialization operation performed by the second secure domain may further include: step 2103, for the data type corresponding to the second target algorithm, determining the first public key in the public and private key pair corresponding to the second target algorithm as the decryption key corresponding to the data type. In addition, the secure channel initialization operation performed by the first secure domain may further include: step 2113, for the data type corresponding to the second target algorithm, determining the first private key in the public and private key pair corresponding to the second target algorithm as the encryption key corresponding to the data type.
Because the first security domain and the second security domain initialize the security channel each time the security channel is established, the risks of identity forgery, encryption strategy leakage and the like can be effectively avoided, and the security of communication can be improved.
It should be noted that, in the embodiment corresponding to fig. 3, only the above-mentioned pieces of device characteristic information are described as input parameters of the target key generation algorithm. It should be understood that, in the embodiment corresponding to fig. 3, the above-mentioned pieces of device feature information may also be replaced by other information items that can be applied to the scheme provided in this specification, where the information items may include, but are not limited to, random numbers generated by the first security domain and the second security domain, respectively, and the like, and are not limited in detail herein. As an example, a first security domain may generate a first random number and send the first random number to a second security domain. The second security domain may generate a second random number in response to the first random number and return the second random number to the first security domain. Alternatively, in the case where the first security domain and the second security domain send identity information to each other, the first random number may be included in the first identity information as described above, and the second random number may be included in the second identity information as described above.
After the secure channel initialization operation is finished, the first secure domain and the second secure domain may further execute a message processing flow. Specifically, the establishment request may further include target service data. Alternatively, after step 201, the first security domain may further receive a data transmission request from the target application, where the data transmission request includes the target service data and the domain identifier of the second security domain. The first security domain may obtain the target service data from the establishment request or the data sending request. Subsequently, the first security domain and the second security domain may perform a message processing procedure related to the target business data.
Next, a message processing flow related to the target service data is described.
Fig. 4 shows a timing diagram of one embodiment of a message processing flow relating to target service data. In this embodiment, the plurality of data types include the first data type, the second data type, and the third data type as described above. The message processing flow comprises the following steps:
step 212, in response to acquiring target service data of the target application, the first security domain encrypts the target service data according to an encryption key corresponding to the first data type by using a target algorithm corresponding to the first data type to obtain encrypted data, wherein a target receiver of the target service data is a second security domain;
step 213, the first security domain generating a transmission message comprising encrypted data;
step 214, the first security domain encrypts the transmission message according to the encryption key corresponding to the second data type by using the target algorithm corresponding to the second data type, so as to obtain an encrypted message;
step 215, the first security domain generates a signature of the encrypted message according to the encryption key corresponding to the third data type by using a target algorithm corresponding to the third data type;
step 216, the first security domain sends the encrypted message and the signature to the second security domain;
step 218, the second security domain performs validity verification on the signature according to the decryption key corresponding to the third data type by using the target algorithm corresponding to the third data type;
step 220, in response to the signature passing the verification, decrypting the encrypted message by using a target algorithm corresponding to the second data type according to the decryption key corresponding to the second data type to obtain a transmission message;
step 221, decrypting the encrypted data in the transmission message according to the decryption key corresponding to the first data type by using the target algorithm corresponding to the first data type, so as to obtain the target service data.
In the present embodiment, the first security domain specifically performs an encryption process related to the target service data, which includes steps 212 and 216. The second security domain performs in particular a decryption process related to the target service data, which comprises steps 218, 220, 221.
The above steps in this embodiment will be further explained below.
In step 212, the first security domain may, for example, input the target service data and an encryption key corresponding to the first data type into a target algorithm corresponding to the first data type, so that the target algorithm encrypts the target service data, and output the encrypted data. It should be understood that the encrypted data is the encrypted target service data.
In step 213, the first security domain may generate a transfer message including encrypted data according to a message format agreed upon with the second security domain. The message format may include, but is not limited to, JSON (JavaScript Object Notation) format, for example.
In step 214, the first security domain may, for example, input the transmission message and an encryption key corresponding to the second data type into a target algorithm corresponding to the second data type, so that the target algorithm encrypts the transmission message, and outputs the encrypted message. It should be understood that the encrypted message is an encrypted transmission message.
In step 215, the first security domain may input the encrypted message and an encryption key corresponding to the third data type into a target algorithm corresponding to the third data type, so that the target algorithm generates and outputs a signature of the encrypted message.
In step 216, the first security domain may send the encrypted message and the signature to the second security domain.
In step 218, the second security domain may verify the validity of the signature according to the decryption key corresponding to the third data type using the target algorithm corresponding to the third data type in response to receiving the encrypted message and the signature.
For example, the second security domain may input the signature and a decryption key corresponding to the third data type into a target algorithm corresponding to the third data type, so that the target algorithm decrypts the signature to obtain a decrypted message. If the decrypted message is the encrypted message itself, the decrypted message can be compared with the received encrypted message; if the two are consistent, the signature can be determined to be valid; otherwise, the signature may be determined to be invalid. Alternatively, if the decrypted message is a digest of the encrypted message, the hash function in the target algorithm may be used to calculate the digest of the received encrypted message, and the decrypted message can then be compared with the calculated digest; if the two are consistent, the signature can be determined to be valid; otherwise, the signature may be determined to be invalid.
When the signature is determined to be valid, the signature is considered to have passed verification, and the process can continue to step 220.
In step 220, in case that the signature passes the verification, the second security domain may, for example, input the encrypted message and a decryption key corresponding to the second data type into a target algorithm corresponding to the second data type, so that the target algorithm decrypts the encrypted message, and outputs a decrypted transmission message.
In step 221, for the encrypted data in the decrypted transmission message, the second security domain may input the encrypted data and the decryption key corresponding to the first data type into a target algorithm corresponding to the first data type, so that the target algorithm decrypts the encrypted data, and outputs the decrypted target service data.
Thereafter, the second security domain may send the target service data to a corresponding client application or server, for example, so that the client application or server processes the target service data. When the second security domain obtains the first processing result corresponding to the target service data and the first processing result needs to be encrypted and signed, the second security domain may regard the decryption keys corresponding to the multiple data types as encryption keys, perform encryption and signing processing on the first processing result by using a process similar to the encryption process, obtain a second processing result, and send the second processing result to the first security domain. After receiving the second processing result, the first security domain may regard the encryption keys corresponding to the multiple data types as decryption keys, and perform signature verification and decryption on the second processing result by using a process similar to the decryption process.
Optionally, after step 215, the method may further include step 217: the first security domain regenerates the encryption key corresponding to the third data type according to the above-mentioned device feature information of each device by using a target key generation algorithm corresponding to the third data type. Step 217 may be performed before or after step 216, or simultaneously with step 216, which is not specifically limited herein. Accordingly, after step 218, the method may further include step 219: the second security domain regenerates the decryption key corresponding to the third data type according to the above-mentioned device feature information of each device by using a target key generation algorithm corresponding to the third data type. This decryption key is the same as the encryption key regenerated in step 217.
In the embodiment corresponding to fig. 4, the first security domain and the second security domain may encrypt and decrypt data, and sign and verify signatures, according to the encryption and decryption keys of the initialized secure channel and the target algorithms specified by the agreed encryption policy. Therefore, confidentiality, authenticity and integrity of data can be ensured, replay attacks and out-of-order attacks can be prevented, and the first security domain and the second security domain can realize secure communication.
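The following Python sketch is an added illustration, not code from the patent. It shows steps 215 to 220 for the third data type: signing the encrypted message, verifying before decrypting, and regenerating the key on both sides. It assumes HMAC-SHA-256 as the target algorithm for the third data type and assumes that key regeneration mixes the previous key with the device feature information; the class names, the feature string, the initial key and the stand-in decrypt function are all constructed for the example.

```python
"""Steps 215-220 for the third data type: sign, verify before decrypt, rekey."""
import hashlib
import hmac

# Constructed device feature information for both ends of the channel.
FEATURES = b"terminal:constructed-0001|peer:constructed-0002"


def regenerate(key: bytes) -> bytes:
    """Assumed key generation algorithm for the third data type.

    Mixes the previous key with the device feature information so that every
    message is signed under a fresh key (steps 217 and 219).
    """
    return hmac.new(key, b"rekey|" + FEATURES, hashlib.sha256).digest()


class FirstDomain:
    """Sending side: signs the encrypted message, then regenerates its key."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def sign(self, encrypted_message: bytes) -> bytes:
        signature = hmac.new(self._key, encrypted_message, hashlib.sha256).digest()  # step 215
        self._key = regenerate(self._key)  # step 217
        return signature


class SecondDomain:
    """Receiving side: verifies first, and only then rekeys and decrypts."""

    def __init__(self, verification_key: bytes, decrypt):
        self._key = verification_key
        self._decrypt = decrypt  # stand-in for the second-data-type algorithm

    def receive(self, encrypted_message: bytes, signature: bytes):
        expected = hmac.new(self._key, encrypted_message, hashlib.sha256).digest()
        # Constant-time comparison; a rejected message leaves the key untouched
        # and never reaches the decryption routine.
        if not hmac.compare_digest(expected, signature):  # step 218
            return None
        self._key = regenerate(self._key)  # step 219
        return self._decrypt(encrypted_message)  # step 220


def run_demo() -> dict:
    decrypt_calls = []

    def fake_decrypt(blob: bytes) -> bytes:
        # Records each call so the demo can show decryption runs only after
        # a successful signature check. Real decryption is out of scope here.
        decrypt_calls.append(blob)
        return blob

    # Constructed initial key; in the page's scheme it comes from channel
    # initialization and is identical on both sides.
    initial = hashlib.sha256(b"constructed initial key|" + FEATURES).digest()
    sender = FirstDomain(initial)
    receiver = SecondDomain(initial, fake_decrypt)

    # Constructed opaque ciphertexts standing in for encrypted messages.
    signed = [(m, sender.sign(m)) for m in (b"ct-1", b"ct-2", b"ct-3")]

    results = {}
    results["first"] = receiver.receive(*signed[0]) is not None
    results["replay_of_first"] = receiver.receive(*signed[0]) is not None
    results["third_before_second"] = receiver.receive(*signed[2]) is not None
    results["tampered_second"] = receiver.receive(signed[1][0] + b"x", signed[1][1]) is not None
    results["second"] = receiver.receive(*signed[1]) is not None
    results["third"] = receiver.receive(*signed[2]) is not None
    results["decrypt_calls"] = len(decrypt_calls)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because both sides advance the key only on success, a message lost in transit leaves the receiver one key behind the sender, so a deployment of this sketch would also need a resynchronization path.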
With further reference to fig. 5, as an implementation of the methods illustrated in some of the above figures, the present specification provides one embodiment of an information processing apparatus for secure communication, which may be applied to a first security domain as illustrated in fig. 1.
As shown in fig. 5, the information processing apparatus 500 for secure communication of the present embodiment includes: a first receiving unit 501, a sending unit 502, a second receiving unit 503, and a secure channel initializing unit 504. The first receiving unit 501 is configured to receive a secure channel establishment request from a target application on a terminal device, where the establishment request includes a domain identifier of a second secure domain; the sending unit 502 is configured to send algorithm information to the second security domain in response to the establishment request, the algorithm information including algorithm identifications of a plurality of encryption and decryption algorithms supported by the target application, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by the secure channel; the second receiving unit 503 is configured to receive an encryption policy from the second security domain, the encryption policy showing algorithm identifications of a plurality of target algorithms, and the plurality of target algorithms being respectively specified with data types for encryption and decryption, wherein the plurality of target algorithms correspond to the plurality of algorithm types and are encryption and decryption algorithms supported by both the target application and the second security domain; the secure channel initialization unit 504 is configured to perform a secure channel initialization operation according to an encryption policy.
Optionally, the plurality of algorithm types include at least a symmetric encryption algorithm and a cryptographic hash function; and the secure channel initialization unit 504 may be further configured to: acquire the device feature information of the terminal device and the device feature information of the device where the second security domain is located; and, for a data type corresponding to a first target algorithm among the plurality of target algorithms, generate an encryption key corresponding to the data type by using a target key generation algorithm corresponding to the data type according to the acquired device feature information of each device, wherein the first target algorithm is a symmetric encryption algorithm or a cryptographic hash function, and the second security domain generates, for the data type, a decryption key that is the same as the encryption key.
Optionally, the plurality of algorithm types further include an asymmetric encryption algorithm, the terminal device is preset with a public and private key pair corresponding to a second target algorithm, the second security domain stores a first public key of the public and private key pair, and the second target algorithm is an asymmetric encryption algorithm; and the secure channel initialization unit 504 may be further configured to: for the data type corresponding to the second target algorithm, determine a first private key of the public and private key pair as the encryption key corresponding to the data type, wherein the second security domain determines the first public key as the decryption key corresponding to the data type.
Optionally, the sending unit 502 may be further configured to: before sending the algorithm information to the second security domain, send first identity information to the second security domain, wherein the first identity information includes device feature information of the terminal device; and the second receiving unit 503 may be further configured to: receive second identity information from the second security domain, wherein the second identity information includes device feature information of the device where the second security domain is located.
Optionally, the first identity information further includes information to be verified; and the second receiving unit 503 may be further configured to: receive, from the second security domain, second identity information returned in response to the information to be verified passing verification. The information to be verified may include, but is not limited to, a public key of the first security domain or a device certificate.
Optionally, the respective data types in the encryption policy include: a first data type for characterizing service data, a second data type for characterizing transmission messages, and a third data type for characterizing encrypted messages; and the apparatus 500 may further include a message processing unit (not shown in the figure) configured to: in response to acquiring target service data of the target application, encrypt the target service data according to an encryption key corresponding to the first data type by using a target algorithm corresponding to the first data type to obtain encrypted data, wherein a target receiver of the target service data is the second security domain; generate a transmission message including the encrypted data; encrypt the transmission message by using a target algorithm corresponding to the second data type according to an encryption key corresponding to the second data type to obtain an encrypted message; and generate a signature of the encrypted message according to the encryption key corresponding to the third data type by using a target algorithm corresponding to the third data type; and the sending unit 502 may be further configured to: send the encrypted message and the signature to the second security domain.
Optionally, the first receiving unit 501 may be further configured to: receive a data sending request from the target application, wherein the data sending request includes the target service data and the domain identifier of the second security domain.
Optionally, the message processing unit may be further configured to: after the signature of the encrypted message is generated, regenerate the encryption key corresponding to the third data type according to the device feature information of each device by using a target key generation algorithm corresponding to the third data type.
With further reference to fig. 6, as an implementation of the methods illustrated in some of the above figures, the present specification provides one embodiment of an information processing apparatus for secure communication, which may be applied to a second security domain as illustrated in fig. 1.
As shown in fig. 6, the information processing apparatus 600 for secure communication of the present embodiment includes: a receiving unit 601, a first determining unit 602, a second determining unit 603, an encryption policy generating unit 604, a transmitting unit 605, and a secure channel initializing unit 606. The receiving unit 601 is configured to receive algorithm information from the first security domain, where the algorithm information includes algorithm identifiers of a plurality of encryption and decryption algorithms supported by a target application on a terminal device where the first security domain is located, and the plurality of encryption and decryption algorithms correspond to a plurality of algorithm types required by the secure channel; the first determining unit 602 is configured to determine, according to the encryption and decryption algorithms supported by the second security domain itself and the algorithm information, a plurality of target algorithms, which are encryption and decryption algorithms supported by both the target application and the second security domain; the second determining unit 603 is configured to determine, among a plurality of data types required for the secure channel, data types respectively used for encryption and decryption by a plurality of target algorithms; the encryption policy generating unit 604 is configured to generate an encryption policy, where the encryption policy shows algorithm identifications of the target algorithms and data types corresponding to the target algorithms; the sending unit 605 is configured to send the encryption policy to the first security domain; the secure channel initialization unit 606 is configured to perform a secure channel initialization operation according to an encryption policy.
Optionally, the first determining unit 602 may be further configured to: determine each encryption and decryption algorithm supported by both the target application and the second security domain according to the encryption and decryption algorithms supported by the second security domain and the algorithm information; and, for each algorithm type among the plurality of algorithm types, select one encryption and decryption algorithm as a target algorithm from the at least one commonly supported encryption and decryption algorithm belonging to that algorithm type.
Optionally, the plurality of algorithm types include a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function; and the first determining unit 602 may be further configured to: for each algorithm type among the plurality of algorithm types, when the algorithm type is a symmetric encryption algorithm or a cryptographic hash function, select one encryption and decryption algorithm as a target algorithm from the at least one commonly supported encryption and decryption algorithm belonging to that algorithm type; and when the algorithm type is an asymmetric encryption algorithm, select one encryption and decryption algorithm as a target algorithm from those of the at least one encryption and decryption algorithm that meet a selection condition, wherein the selection condition includes: the terminal device is preset with a public and private key pair corresponding to the encryption and decryption algorithm, and the second security domain stores a first public key of the public and private key pair.
Optionally, the second security domain stores an algorithm selection policy corresponding to a service party to which the target application belongs; and the first determining unit 602 may be further configured to: determine the plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain, the algorithm information, and the algorithm selection policy. The algorithm selection policy may include, but is not limited to, the priority of performance requirements.
Optionally, the plurality of data types include: a first data type for characterizing service data, a second data type for characterizing transmission messages, and a third data type for characterizing encrypted messages; and the second determining unit 603 may be further configured to: when the plurality of algorithm types are a symmetric encryption algorithm and a cryptographic hash function, assign the target algorithm belonging to the symmetric encryption algorithm to the first data type and the second data type, and assign the target algorithm belonging to the cryptographic hash function to the third data type; and when the plurality of algorithm types are a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function, assign the target algorithm belonging to one of the symmetric encryption algorithm and the asymmetric encryption algorithm to the first data type, assign the target algorithm belonging to the other of the two to the second data type, and assign the target algorithm belonging to the cryptographic hash function to the third data type.
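The selection and assignment logic of units 602 to 604 can be sketched as follows. This is an added Python example, not code from the patent: the algorithm identifiers, the catalogue, the ordered preference list standing in for the algorithm selection policy, and the choice to fail closed when a required type has no common algorithm are all assumptions of the example. Where the text leaves open which of the symmetric and asymmetric algorithms goes to which data type, the example assigns the symmetric one to the first data type.

```python
"""Algorithm negotiation on the second security domain (added illustration)."""

SYMMETRIC, ASYMMETRIC, HASH = "symmetric", "asymmetric", "hash"

# Constructed catalogue mapping algorithm identifiers to algorithm types.
CATALOGUE = {
    "AES-256-GCM": SYMMETRIC,
    "SM4": SYMMETRIC,
    "RSA-2048": ASYMMETRIC,
    "SM2": ASYMMETRIC,
    "SHA-256": HASH,
    "SM3": HASH,
}


class NegotiationError(Exception):
    """A required algorithm type has no usable common algorithm."""


def select_targets(client_ids, own_ids, required_types, preference, provisioned):
    """Pick one target algorithm per required algorithm type.

    client_ids  -- identifiers from the received algorithm information
    own_ids     -- identifiers the second security domain supports
    preference  -- ordered allow-list (assumed form of the selection policy)
    provisioned -- asymmetric identifiers for which the terminal has a preset
                   key pair and this domain already stores the public key
    """
    common = set(client_ids) & set(own_ids)
    targets = {}
    for alg_type in required_types:
        # Identifiers missing from the catalogue or the allow-list are ignored,
        # so an unknown or legacy name offered by the peer is never selected.
        candidates = [a for a in preference
                      if a in common and CATALOGUE.get(a) == alg_type]
        if alg_type == ASYMMETRIC:
            candidates = [a for a in candidates if a in provisioned]
        if not candidates:
            # Fail closed instead of silently dropping a required type.
            raise NegotiationError(f"no mutually supported {alg_type} algorithm")
        targets[alg_type] = candidates[0]
    return targets


def assign_data_types(targets):
    """Map target algorithms to the first, second and third data types."""
    policy = {"third": targets[HASH]}
    if ASYMMETRIC in targets:
        # Example's choice: symmetric for service data, asymmetric for the
        # transmission message. The text allows either arrangement.
        policy["first"] = targets[SYMMETRIC]
        policy["second"] = targets[ASYMMETRIC]
    else:
        policy["first"] = policy["second"] = targets[SYMMETRIC]
    return policy


def build_encryption_policy(client_ids, own_ids, required_types, preference, provisioned):
    return assign_data_types(
        select_targets(client_ids, own_ids, required_types, preference, provisioned))


def demo():
    # Constructed inputs for the example.
    client = ["AES-256-GCM", "SM4", "RSA-2048", "SM2", "SHA-256", "MD5-LEGACY"]
    own = ["SM4", "AES-256-GCM", "SM2", "RSA-2048", "SM3", "SHA-256"]
    preference = ["SM4", "AES-256-GCM", "SM2", "RSA-2048", "SM3", "SHA-256"]
    provisioned = {"RSA-2048"}

    three = build_encryption_policy(
        client, own, [SYMMETRIC, ASYMMETRIC, HASH], preference, provisioned)
    two = build_encryption_policy(
        client, own, [SYMMETRIC, HASH], preference, provisioned)
    try:
        build_encryption_policy(
            ["AES-256-GCM", "MD5-LEGACY"], own, [SYMMETRIC, HASH], preference, provisioned)
        failure = None
    except NegotiationError as exc:
        failure = str(exc)
    return three, two, failure


if __name__ == "__main__":
    for item in demo():
        print(item)
```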
Optionally, the plurality of algorithm types include at least a symmetric encryption algorithm and a cryptographic hash function; and the secure channel initialization unit 606 may be further configured to: acquire the device feature information of the terminal device and the device feature information of the device where the second security domain is located; and, for a data type corresponding to a first target algorithm among the plurality of target algorithms, generate a decryption key corresponding to the data type by using a target key generation algorithm corresponding to the data type according to the acquired device feature information of each device, wherein the first target algorithm is a symmetric encryption algorithm or a cryptographic hash function, and the first security domain generates, for the data type, an encryption key that is the same as the decryption key.
Optionally, the plurality of algorithm types further include an asymmetric encryption algorithm, the terminal device is preset with a public and private key pair corresponding to a second target algorithm, the second security domain stores a first public key of the public and private key pair, and the second target algorithm is an asymmetric encryption algorithm; and the secure channel initialization unit 606 may be further configured to: for the data type corresponding to the second target algorithm, determine the first public key as the decryption key corresponding to the data type, wherein the first security domain determines a first private key of the public and private key pair as the encryption key corresponding to the data type.
Optionally, the receiving unit 601 may be further configured to: receive first identity information from the first security domain before receiving the algorithm information from the first security domain, the first identity information including device feature information of the terminal device; and the sending unit 605 may be further configured to: send second identity information to the first security domain, wherein the second identity information includes device feature information of the device where the second security domain is located.
Optionally, the first identity information further includes information to be verified; and the apparatus 600 may further include: an identity recognition unit (not shown in the figure) configured to perform validity verification on the information to be verified; and the sending unit 605 may be further configured to: send the second identity information to the first security domain in response to the information to be verified passing verification. The information to be verified may include, but is not limited to, a public key of the first security domain or a device certificate.
Optionally, the plurality of data types include: a first data type for characterizing service data, a second data type for characterizing transmission messages, and a third data type for characterizing encrypted messages; and the apparatus 600 may further include a message processing unit (not shown in the figure) configured to: receive an encrypted message and a signature of the encrypted message from the first security domain, wherein the encrypted message is generated by encrypting a transmission message, the transmission message includes encrypted data, and the encrypted data is generated by encrypting target service data of the target application; verify the validity of the signature by using a target algorithm corresponding to the third data type according to a decryption key corresponding to the third data type; in response to the signature passing verification, decrypt the encrypted message by using a target algorithm corresponding to the second data type according to a decryption key corresponding to the second data type to obtain the transmission message; and decrypt the encrypted data by using a target algorithm corresponding to the first data type according to a decryption key corresponding to the first data type to obtain the target service data.
Optionally, the message processing unit may be further configured to: after the validity of the signature is verified, regenerate the decryption key corresponding to the third data type according to the device feature information of each device by using a target key generation algorithm corresponding to the third data type.
For the embodiments corresponding to fig. 5 and fig. 6, the detailed processing of each unit and its technical effects are described in the embodiments corresponding to fig. 2, fig. 3, and fig. 4, and are not repeated here.
The present specification also provides a computer readable storage medium, on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to execute the methods respectively shown in the above method embodiments.
The present specification further provides a computing device, including a memory and a processor, where the memory stores executable codes, and the processor executes the executable codes to implement the methods respectively shown in the above method embodiments.
The present specification also provides a computer program product, which when executed on a data processing apparatus, causes the data processing apparatus to implement the methods respectively shown in the above method embodiments.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in the embodiments disclosed herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above-mentioned embodiments further describe in detail the objects, technical solutions and advantages of the embodiments disclosed in the present specification. It should be understood that the above-mentioned embodiments are only specific embodiments of the embodiments disclosed in the present specification and are not intended to limit their scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the embodiments disclosed in the present specification should be included in the scope of the embodiments disclosed in the present specification.

Claims (25)

1. An information processing method for secure communication, applied to a first security domain in a terminal device, includes:
receiving a secure channel establishment request from a target application on the terminal device, wherein the establishment request comprises a domain identifier of a second secure domain;
sending algorithm information to the second security domain in response to the establishment request, wherein the algorithm information comprises algorithm identifications of a plurality of encryption and decryption algorithms supported by the target application, and the plurality of encryption and decryption algorithms correspond to a plurality of algorithm types required by a secure channel;
receiving an encryption policy from the second security domain, the encryption policy showing algorithm identifications of a plurality of target algorithms, and the plurality of target algorithms being respectively designated for data types for encryption and decryption, wherein the plurality of target algorithms correspond to the plurality of algorithm types and are encryption and decryption algorithms supported by both the target application and the second security domain;
and performing a secure channel initialization operation according to the encryption policy.
2. The method of claim 1, wherein the plurality of algorithm types includes at least a symmetric encryption algorithm and a cryptographic hash function; and
the executing of the secure channel initialization operation according to the encryption policy includes:
acquiring the device feature information of the terminal device and the device feature information of the device where the second security domain is located;
and for a data type corresponding to a first target algorithm among the plurality of target algorithms, generating an encryption key corresponding to the data type by using a target key generation algorithm corresponding to the data type according to the acquired device feature information of each device, wherein the first target algorithm belongs to a symmetric encryption algorithm or a cryptographic hash function, and the second security domain generates a decryption key which is the same as the encryption key for the data type.
3. The method according to claim 2, wherein the plurality of algorithm types further include an asymmetric cryptographic algorithm, the terminal device is preset with a public and private key pair corresponding to a second target algorithm, the second security domain holds the first public key in the public and private key pair, and the second target algorithm belongs to the asymmetric cryptographic algorithm; and
the executing the secure channel initialization operation according to the encryption policy further comprises:
and for the data type corresponding to the second target algorithm, determining a first private key in the public and private key pair as an encryption key corresponding to the data type, wherein the second security domain determines the first public key as a decryption key corresponding to the data type.
4. The method according to one of claims 1-3, wherein prior to said sending algorithm information to the second security domain, the method further comprises:
sending first identity information to the second security domain, wherein the first identity information comprises device feature information of the terminal device;
and receiving second identity information from the second security domain, wherein the second identity information comprises device feature information of the device where the second security domain is located.
5. The method of claim 4, wherein the first identity information further comprises information to be verified; and
the receiving second identity information from the second security domain comprises:
receiving second identity information returned from the second security domain in response to the information to be verified being authenticated.
6. The method of claim 5, wherein the information to be verified comprises a public key of the first security domain or a device certificate.
7. The method of claim 2 or 3, wherein the respective data types in the encryption policy comprise: a first data type for characterizing traffic data, a second data type for characterizing transmitted messages, a third data type for characterizing encrypted messages; and
after the performing a secure channel initialization operation according to the encryption policy, the method further comprises:
in response to obtaining target service data of the target application, encrypting the target service data by using a target algorithm corresponding to the first data type according to an encryption key corresponding to the first data type to obtain encrypted data, wherein a target receiving party of the target service data is the second security domain;
generating a transmission message including the encrypted data;
encrypting the transmission message by using a target algorithm corresponding to the second data type according to an encryption key corresponding to the second data type to obtain an encrypted message;
generating a signature of the encrypted message according to an encryption key corresponding to the third data type by using a target algorithm corresponding to the third data type;
sending the encrypted message and the signature to the second security domain.
8. The method of claim 7, wherein after the receiving a secure channel establishment request from a target application on the terminal device and before the obtaining target traffic data for the target application in response, the method further comprises:
receiving a data transmission request from the target application, wherein the data transmission request comprises the target service data and the domain identifier.
9. The method of claim 7, wherein after the generating a signature of the encrypted message, the method further comprises:
and regenerating an encryption key corresponding to the third data type according to the device feature information of each device by using a target key generation algorithm corresponding to the third data type.
10. An information processing method for secure communication, applied to a second security domain, includes:
receiving algorithm information from a first security domain, wherein the algorithm information comprises algorithm identifications of a plurality of encryption and decryption algorithms supported by a target application on a terminal device where the first security domain is located, and the plurality of encryption and decryption algorithms correspond to a plurality of algorithm types required by a security channel;
determining a plurality of target algorithms according to the encryption and decryption algorithms supported by the target application and the algorithm information, wherein the target algorithms are the encryption and decryption algorithms supported by the target application and the second security domain;
determining data types which are respectively used for encryption and decryption by the target algorithms in a plurality of data types required by the secure channel;
generating an encryption policy, wherein the encryption policy shows algorithm identifications of the target algorithms and data types corresponding to the target algorithms;
sending the encryption policy to the first security domain;
and performing a secure channel initialization operation according to the encryption policy.
11. The method of claim 10, wherein the determining a plurality of target algorithms according to the encryption and decryption algorithms supported by the target algorithms and the algorithm information comprises:
determining each encryption and decryption algorithm supported by the target application and the second security domain according to the encryption and decryption algorithm supported by the target application and the algorithm information;
and selecting one encryption and decryption algorithm from at least one encryption and decryption algorithm belonging to the algorithm type in the encryption and decryption algorithms as a target algorithm for each algorithm type in the multiple algorithm types.
12. The method of claim 11, wherein the plurality of algorithm types include a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function; and
the selecting one encryption and decryption algorithm from at least one encryption and decryption algorithm belonging to the algorithm type in the encryption and decryption algorithms as a target algorithm comprises the following steps:
when the algorithm type is a symmetric encryption algorithm or a cryptographic hash function, selecting one encryption and decryption algorithm from the at least one encryption and decryption algorithm as a target algorithm;
when the algorithm type is an asymmetric encryption algorithm, selecting one encryption and decryption algorithm as a target algorithm from the encryption and decryption algorithms which meet a selection condition in the at least one encryption and decryption algorithm, wherein the selection condition comprises the following steps: the terminal device is preset with a public and private key pair corresponding to an encryption and decryption algorithm, and the second security domain is stored with a first public key in the public and private key pair.
13. The method according to claim 10, wherein the second security domain holds an algorithm selection policy corresponding to a service party to which the target application belongs; and
the determining a plurality of target algorithms according to the encryption and decryption algorithms supported by the target algorithms and the algorithm information comprises the following steps:
determining the target algorithms according to the encryption and decryption algorithms supported by the target algorithms, the algorithm information and the algorithm selection policy.
14. The method of claim 10, wherein the plurality of data types comprises: a first data type for characterizing traffic data, a second data type for characterizing transmitted messages, a third data type for characterizing encrypted messages; and
the determining the data types respectively used for encryption and decryption by the multiple target algorithms includes:
when the plurality of algorithm types are respectively a symmetric encryption algorithm and a cryptographic hash function, allocating a target algorithm belonging to the symmetric encryption algorithm to the first data type and the second data type, and allocating a target algorithm belonging to the cryptographic hash function to the third data type;
when the plurality of algorithm types are a symmetric encryption algorithm, an asymmetric encryption algorithm, and a cryptographic hash function, respectively, a target algorithm belonging to one of the symmetric encryption algorithm and the asymmetric encryption algorithm is assigned to the first data type, a target algorithm belonging to the other of the symmetric encryption algorithm and the asymmetric encryption algorithm is assigned to the second data type, and a target algorithm belonging to the cryptographic hash function is assigned to the third data type.
15. The method of claim 10, wherein the plurality of algorithm types includes at least a symmetric encryption algorithm and a cryptographic hash function; and
the executing of the secure channel initialization operation according to the encryption policy includes:
acquiring the device feature information of the terminal device and the device feature information of the device where the second security domain is located;
for a data type corresponding to a first target algorithm in the multiple target algorithms, generating a decryption key corresponding to the data type by using a target key generation algorithm corresponding to the data type according to the acquired device feature information of each device, where the first target algorithm belongs to a symmetric encryption algorithm or a cryptographic hash function, and the first security domain generates an encryption key that is the same as the decryption key for the data type.
16. The method of claim 15, wherein the plurality of algorithm types further include an asymmetric encryption algorithm, the terminal device is preset with a public and private key pair corresponding to a second target algorithm, the second security domain holds a first public key of the public and private key pair, and the second target algorithm belongs to the asymmetric encryption algorithm; and
the executing the secure channel initialization operation according to the encryption policy further comprises:
and for the data type corresponding to the second target algorithm, determining the first public key as a decryption key corresponding to the data type, wherein the first security domain determines a first private key in the public and private key pair as an encryption key corresponding to the data type.
17. The method according to one of claims 10-16, wherein prior to said receiving algorithm information from the first security domain, the method further comprises:
receiving first identity information from the first security domain, the first identity information comprising device feature information of the terminal device;
and sending second identity information to the first security domain, wherein the second identity information comprises device feature information of the device where the second security domain is located.
18. The method of claim 17, wherein the first identity information further comprises information to be verified; and
after the receiving first identity information from the first security domain, the method further comprises:
carrying out validity verification on the information to be verified;
and in response to the information to be verified passing the verification, executing the sending of the second identity information to the first security domain.
19. The method of claim 18, wherein the information to be verified comprises a public key of the first security domain or a device certificate.
20. The method of claim 15 or 16, wherein the plurality of data types comprises: a first data type for characterizing traffic data, a second data type for characterizing transmitted messages, a third data type for characterizing encrypted messages; and
after the performing a secure channel initialization operation according to the encryption policy, the method further comprises:
receiving an encrypted message and a signature of the encrypted message from the first security domain, wherein the encrypted message is generated by encrypting a transfer message, the transfer message including encrypted data, the encrypted data being generated by encrypting target traffic data of a target application;
performing validity verification on the signature according to a decryption key corresponding to the third data type by using a target algorithm corresponding to the third data type;
in response to the signature passing the verification, decrypting the encrypted message by using a target algorithm corresponding to the second data type according to a decryption key corresponding to the second data type to obtain the transfer message;
and decrypting the encrypted data according to a decryption key corresponding to the first data type by using a target algorithm corresponding to the first data type to obtain the target service data.
21. The method of claim 20, wherein after said performing validity verification on the signature, said method further comprises:
regenerating a decryption key corresponding to the third data type according to the device feature information of each device by using a target key generation algorithm corresponding to the third data type.
22. An information processing apparatus for secure communication, applied to a first security domain in a terminal device, comprising:
a first receiving unit configured to receive a secure channel establishment request from a target application on the terminal device, the establishment request including a domain identification of a second secure domain;
a sending unit configured to send algorithm information to the second security domain in response to the establishment request, the algorithm information including algorithm identifications of a plurality of encryption and decryption algorithms supported by the target application, the plurality of encryption and decryption algorithms corresponding to a plurality of algorithm types required by a secure channel;
a second receiving unit configured to receive an encryption policy from the second security domain, the encryption policy showing algorithm identifications of a plurality of target algorithms, and the plurality of target algorithms being respectively specified with data types for encryption and decryption, wherein the plurality of target algorithms correspond to the plurality of algorithm types and are encryption and decryption algorithms supported by both the target application and the second security domain;
a secure channel initialization unit configured to perform a secure channel initialization operation according to the encryption policy.
23. An information processing apparatus for secure communication, applied to a second security domain, comprising:
the terminal device comprises a receiving unit and a processing unit, wherein the receiving unit is configured to receive algorithm information from a first security domain, the algorithm information comprises algorithm identifications of a plurality of encryption and decryption algorithms supported by a target application on the terminal device where the first security domain is located, and the encryption and decryption algorithms correspond to a plurality of algorithm types required by a secure channel;
a first determining unit configured to determine a plurality of target algorithms according to the encryption and decryption algorithms supported by the second security domain and the algorithm information, wherein the plurality of target algorithms are encryption and decryption algorithms supported by the target application and the second security domain;
a second determining unit configured to determine, among a plurality of data types required for a secure channel, data types respectively used for encryption and decryption by the plurality of target algorithms;
an encryption policy generation unit configured to generate an encryption policy showing algorithm identifications of the plurality of target algorithms and data types corresponding to the plurality of target algorithms;
a sending unit configured to send the encryption policy to the first security domain;
and a secure channel initialization unit configured to perform a secure channel initialization operation according to the encryption policy.
24. A computer-readable storage medium, on which a computer program is stored, wherein the computer program causes a computer to carry out the method of any one of claims 1-21 when the computer program is executed in the computer.
25. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that when executed by the processor implements the method of any of claims 1-21.
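The negotiation performed by the second security domain in claims 10-14 can be sketched as follows; this is an added illustration, not code from the patent or from the applicant. The algorithm names, the registry layout, the preference order, the choice of which data type receives the symmetric algorithm, and the function name `build_encryption_policy` are all assumptions.

```python
SYMMETRIC, ASYMMETRIC, HASH = "symmetric", "asymmetric", "hash"
# The three data types of claim 14: business data, transfer message, encrypted message.
BUSINESS_DATA, TRANSFER_MESSAGE, ENCRYPTED_MESSAGE = "first", "second", "third"

# Constructed registry: algorithms this (second) security domain supports,
# listed in its own order of preference (assumption, not from the patent).
DOMAIN_ALGORITHMS = [
    ("AES-256-GCM", SYMMETRIC), ("SM4", SYMMETRIC),
    ("RSA-2048", ASYMMETRIC), ("SM2", ASYMMETRIC),
    ("SHA-256", HASH), ("SM3", HASH),
]

def build_encryption_policy(app_algorithm_ids, stored_first_public_keys):
    """Return {data type: algorithm id}; raise ValueError if negotiation fails.

    app_algorithm_ids: identifiers received in the algorithm information.
    stored_first_public_keys: asymmetric algorithm ids for which this domain
    already holds the terminal's preset first public key (claim 12 condition).
    """
    offered = set(app_algorithm_ids)
    targets = {}
    # Iterating over the domain's own registry means identifiers the domain
    # does not know are ignored and the domain's preference order decides.
    for alg_id, alg_type in DOMAIN_ALGORITHMS:
        if alg_id not in offered or alg_type in targets:
            continue  # not mutually supported, or this type is already chosen
        if alg_type == ASYMMETRIC and alg_id not in stored_first_public_keys:
            continue  # selection condition of claim 12 not met
        targets[alg_type] = alg_id
    # Fail closed: a channel needs at least a symmetric cipher and a hash.
    if SYMMETRIC not in targets or HASH not in targets:
        raise ValueError("no mutually supported symmetric algorithm or hash")
    policy = {ENCRYPTED_MESSAGE: targets[HASH]}
    if ASYMMETRIC in targets:
        # Claim 14, three-type case: one of the two ciphers per data type.
        policy[BUSINESS_DATA] = targets[SYMMETRIC]
        policy[TRANSFER_MESSAGE] = targets[ASYMMETRIC]
    else:
        # Claim 14, two-type case: the symmetric cipher covers both types.
        policy[BUSINESS_DATA] = policy[TRANSFER_MESSAGE] = targets[SYMMETRIC]
    return policy

if __name__ == "__main__":
    print(build_encryption_policy(["SM4", "SM3", "SM2", "UNKNOWN"], {"SM2"}))
```

Raising an error when no symmetric algorithm or hash is shared keeps the channel from being initialized with a missing protection layer.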
HK42021036019.4A 2021-08-04 Information processing method and device for secure communication HK40045503B (en)

Publications (2)

Publication Number    Publication Date
HK40045503A (en)      2021-10-22
HK40045503B (en)      2023-05-05
