
WO2018014723A1 - Key management method, apparatus, device, and system - Google Patents


Info

Publication number
WO2018014723A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
session
server
client
ciphertext
Prior art date
Legal status
Ceased
Application number
PCT/CN2017/091646
Other languages
English (en)
Chinese (zh)
Inventor
陈凯
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Publication of WO2018014723A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords

Definitions

  • the embodiments of the present invention relate to the field of information security technologies, and in particular, to a key management method, apparatus, device, and system.
  • data encryption methods include Symmetric Cryptography and Asymmetric Cryptography.
  • Symmetric encryption is a fast and simple way to encrypt.
  • the same key (secret key) is used for encryption and decryption.
  • Symmetric encryption usually uses a relatively small key, typically less than 256 bits. The larger the key, the stronger the encryption, but the slower the process of encryption and decryption, so the size of the key needs to be balanced between security and efficiency.
  • AES: Advanced Encryption Standard
  • The symmetric encryption method uses the same key for encryption and decryption. Its advantage is that encryption and decryption are fast; its disadvantage is that the communication parties need to agree on the key in advance, and if the key is transmitted through the network, its security cannot be guaranteed.
  • Asymmetric encryption provides a very secure method for encrypting and decrypting data using a pair of keys, a public key and a private key.
  • the private key can only be safely kept by one party and cannot be leaked, and the public key can be sent to any demander.
  • Asymmetric encryption usually encrypts with the public key and decrypts with the private key. Unlike the symmetric encryption method, security is improved because the private key is not transmitted over the network.
  • a commonly used asymmetric encryption algorithm is RSA (Rivest Shamir Adleman, a public key encryption algorithm).
  • the advantage of asymmetric encryption is that it is highly secure, but its disadvantage is that encryption and decryption are slow. With a 1024-bit key, the estimated decryption speed is 1000-1400 times/second, depending on the hardware.
  • the data to be transmitted is encrypted and decrypted by symmetric encryption, but the key used in the symmetric encryption mode is transmitted by asymmetric encryption. This ensures that the key used in the symmetric encryption mode is not directly exposed on the network, while also ensuring the efficiency of encryption and decryption.
  • the communication party first generates a random number as a symmetric key, encrypts the symmetric key by using the public key provided by the communication peer, and sends the encrypted symmetric key to the communication peer;
  • the communication peer decrypts the encrypted symmetric key by using the private key corresponding to the above public key to obtain a symmetric key.
  • the communication party and the communication peer use the symmetric key to encrypt and decrypt the data transmitted between the two.
  • the number of daily active clients can reach 10 million or even hundreds of millions.
  • the number of sessions between the client and the server is quite large. This causes the server to consume a lot of resources to manage symmetric keys.
  • the embodiment of the present invention provides a key management method, apparatus, device and system.
  • the technical solution is as follows:
  • a key management method comprising:
  • the authentication response carries a second ciphertext
  • the second ciphertext is a ciphertext obtained by encrypting the session key by using the temporary key
  • the session key is used to encrypt data of the session
  • a key management method comprising:
  • the authentication request carries the first ciphertext
  • the first ciphertext is a ciphertext obtained by encrypting the temporary key by using the public key provided by the local end
  • a key management apparatus comprising:
  • a key generation module configured to generate a temporary key
  • a first encryption module configured to encrypt the temporary key by using a public key provided by a server to obtain a first ciphertext
  • a request sending module configured to send an authentication request to the server, where the first ciphertext is carried in the authentication request
  • the response receiving module is configured to receive an authentication response sent by the server, where the authentication response carries a second ciphertext, and the second ciphertext is a ciphertext obtained by encrypting the session key by using the temporary key.
  • the session key is used to encrypt data of the session;
  • the first decryption module is configured to decrypt the second ciphertext by using the temporary key to obtain the session key.
  • a key management apparatus comprising:
  • the request receiving module is configured to receive an authentication request sent by the client, where the authentication request carries a first ciphertext, and the first ciphertext is a ciphertext obtained by encrypting the temporary key by using a public key provided by the local end;
  • a second decrypting module configured to decrypt the first ciphertext by using a private key corresponding to the public key, to obtain the temporary key
  • a second encryption module configured to encrypt the session key by using the temporary key to obtain a second ciphertext; wherein the session key is used to encrypt data of the session;
  • the response sending module is configured to send an authentication response to the client, where the second ciphertext is carried in the authentication response.
  • a key management system comprising: a client and a server;
  • the client includes the key management device as described in the third aspect
  • the server includes the key management device as described in the fourth aspect.
  • a terminal including a processor and a memory, where the memory stores at least one instruction, at least one program, a code set or an instruction set, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the key management method as described in the first aspect.
  • a server comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, a code set or an instruction set, and the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor to implement the key management method as described in the second aspect.
  • a computer readable storage medium that stores at least one instruction, at least one program, a code set, or an instruction set, where the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor to implement the key management method as described in the first aspect.
  • a computer readable storage medium that stores at least one instruction, at least one program, a code set or an instruction set, where the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor to implement the key management method as described in the second aspect.
  • a computer program product for performing the key management method of the first aspect described above when the computer program product is executed.
  • a computer program product for performing the key management method of the second aspect described above when the computer program product is executed.
  • the temporary key is encrypted by the client and then sent to the server.
  • the server decrypts the temporary key
  • the temporary key is used to encrypt the session key to obtain the second ciphertext
  • the second ciphertext is sent to the client.
  • the client decrypts the second ciphertext by using the temporary key to obtain the session key, so that the client encrypts and decrypts the session data by using the session key when it performs a session with the server. This solves the problem in the related art that, because the number of sessions between the client and the server is quite large, the server needs to spend a lot of resources to manage symmetric keys. In the related art, the session data is encrypted and decrypted directly with the symmetric key generated by the client.
  • the embodiment of the present invention instead uses the session key provided by the server to encrypt and decrypt the session data, so that the server only needs to manage the session keys and does not need to manage the keys generated by a large number of clients, which reduces the complexity of key management on the server and helps save server resources.
  • because the session key is not transmitted in plaintext on the network but is encrypted by using a temporary key, security is also guaranteed.
  • the technical solution provided by the embodiment of the invention reduces the complexity of key management on the server while balancing the security of the key against the efficiency of encryption and decryption, and saves the processing and storage resources of the server. Therefore, the key management solution provided by the embodiment of the present invention is well suited to high-volume, high-concurrency service scenarios, such as a C/S architecture business scenario: even if the number of daily active clients reaches tens of millions or even hundreds of millions, and even if the number of sessions between the client and the server is quite large, the server can easily and efficiently manage the keys needed for encryption and ensure the security and the encryption and decryption efficiency of data transmission between the client and the server.
  • FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of an implementation environment provided by another embodiment of the present invention.
  • FIG. 3 is a flowchart of a key management method according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a key management method according to another embodiment of the present invention.
  • FIG. 5 is a flowchart of an authentication phase according to an embodiment of the present invention.
  • FIG. 6 is a flow chart of a data communication phase according to an embodiment of the present invention.
  • FIG. 7 is a block diagram of a key management apparatus according to an embodiment of the present invention.
  • FIG. 8 is a block diagram of a key management apparatus according to another embodiment of the present invention.
  • FIG. 9 is a block diagram of a key management system according to an embodiment of the present invention.
  • FIG. 10 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • FIG. 1 shows a schematic diagram of an implementation environment provided by an embodiment of the present invention.
  • a service scenario of a C/S architecture includes at least one terminal 11 and a server 12.
  • a client can be installed and run in the terminal 11.
  • the type of the client is not limited.
  • the client may be an instant messaging client, a social application client, a payment application client, a video playing client, and the like.
  • the terminal 11 may be an electronic device such as a mobile phone, a tablet computer, an e-book reader, a multimedia playback device, a laptop computer, or a desktop computer.
  • a communication connection can be established between the terminal 11 and the server 12 via a wired network or a wireless network.
  • the server 12 can be a single server, a server cluster composed of multiple servers, or a cloud computing service center.
  • the server 12 is configured to provide a background service for the client to implement various functions of the client.
  • the server 12 is a server cluster composed of a plurality of servers. As shown in FIG. 2, the server 12 includes: an access server 121, a service server 122, an authentication center server 123, and a key management server 124.
  • the access server 121 is a medium for data transfer and distribution between the client and the service server 122 and the authentication center server 123.
  • the access server 121 establishes a communication connection with the service server 122, the authentication center server 123, and the key management server 124 via the network, respectively.
  • the service server 122 is configured to provide business services to clients.
  • the types of services provided by the service server 122 are not limited, such as instant messaging services, social services, payment services, video services, and the like.
  • the authentication center server 123 is configured to provide an authentication service to the client, and provide the client with a key required for encryption.
  • the authentication center server 123 establishes a communication connection with the key management server 124 via the network.
  • the key management server 124 is used to manage keys.
  • the authentication center server 123 and the key management server 124 may be two mutually independent servers, or the authentication center server 123 and the key management server 124 may be integrated into one server.
  • the technical solution provided by the embodiment of the present invention can be applied to any service scenario that needs to encrypt data transmitted between two ends of a communication.
  • the service scenario of the C/S architecture is taken as an example for illustration.
  • the embodiments of the present invention do not limit the devices at both ends of the communication.
  • the devices at both ends of the communication may be a terminal and a server running a client, a terminal and a base station, or a server and a server, and the like.
  • FIG. 3 shows a flowchart of a key management method provided by an embodiment of the present invention. This method can be applied to the implementation environment shown in FIG. The method can include the following steps.
  • Step 301: The client generates a temporary key.
  • Step 302: The client encrypts the temporary key by using a public key provided by the server to obtain a first ciphertext.
  • Step 303: The client sends an authentication request to the server, where the first ciphertext is carried in the authentication request.
  • the server receives the authentication request sent by the client.
  • Step 304: The server decrypts the first ciphertext by using the private key corresponding to the public key to obtain the temporary key.
  • Step 305: The server encrypts the session key by using the temporary key to obtain a second ciphertext, where the session key is used to encrypt data of the session.
  • Step 306: The server sends an authentication response to the client, where the authentication response carries the second ciphertext.
  • the client receives the authentication response sent by the server.
  • the authentication response further carries a key identifier, where the key identifier is used to identify the session key.
  • in one possible implementation, the key identifier carried in the authentication response is not encrypted by using the temporary key; in another possible implementation, the key identifier carried in the authentication response is also encrypted by using the temporary key. In the case where there are multiple session keys managed in the server, different session keys can be distinguished by using the key identifier.
  • Step 307: The client decrypts the second ciphertext by using the temporary key to obtain the session key.
  • if the authentication response carries the unencrypted key identifier, the client reads the key identifier directly from the authentication response; if the authentication response carries the encrypted key identifier, the client decrypts the encrypted key identifier by using the temporary key to obtain the key identifier.
  • in the method provided in this embodiment, the client encrypts the temporary key by using the asymmetric encryption method and sends it to the server. After decrypting the temporary key, the server uses it to encrypt the session key and sends the resulting second ciphertext to the client, and the client decrypts the second ciphertext by using the temporary key to obtain the session key, so that the client subsequently uses the session key to encrypt and decrypt the data of the session when performing a session with the server.
  • this solves the problem in the related art that the server needs to consume a large amount of resources to manage symmetric keys because the number of sessions between the client and the server is relatively large. In the related art, the data of the session is encrypted and decrypted directly with the symmetric key generated by the client.
  • in this embodiment, the session key provided by the server is used to encrypt and decrypt the session data, so that the server only needs to manage the session keys and does not need to manage the keys generated by a large number of clients, which reduces the complexity of key management on the server and helps save server resources.
  • because the session key is not transmitted in plaintext on the network but is encrypted by using a temporary key, security is also guaranteed.
  • the technical solution provided by the embodiment of the invention reduces the complexity of key management on the server while balancing the security of the key against the efficiency of encryption and decryption, and saves the processing and storage resources of the server. Therefore, the key management solution provided by the embodiment of the present invention is well suited to high-volume, high-concurrency service scenarios, such as a C/S architecture business scenario: even if the number of daily active clients reaches tens of millions or even hundreds of millions, and even if the number of sessions between the client and the server is quite large, the server can easily and efficiently manage the keys needed for encryption and ensure the security and the encryption and decryption efficiency of data transmission between the client and the server.
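The exchange in steps 301 to 307, written out in Go as an added example; it is not code from the patent or from the applicant. The patent names no concrete algorithms, so RSA-2048 with OAEP/SHA-256 for the first ciphertext, AES-128-GCM for the second ciphertext, the binding of the clear key identifier as GCM associated data, and all function and type names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
)

// AuthResponse is the server's reply (step 306); the type name is hypothetical.
type AuthResponse struct {
	KeyID            uint64 // key identifier, sent in clear in this variant
	SecondCiphertext []byte // nonce || AES-GCM(temporary key, session key)
}

// NewServerKey creates the server key pair; RSA-2048 is this example's choice.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// idBytes encodes the key identifier for use as authenticated associated data.
func idBytes(id uint64) []byte { return strconv.AppendUint(nil, id, 10) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientBegin (steps 301-303): generate the temporary key and wrap it under the server public key.
func ClientBegin(pub *rsa.PublicKey) (tempKey, firstCiphertext []byte, err error) {
	tempKey = make([]byte, 16)
	if _, err = rand.Read(tempKey); err != nil {
		return nil, nil, err
	}
	firstCiphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tempKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return tempKey, firstCiphertext, nil
}

// ServerRespond (steps 304-306): unwrap the temporary key, then encrypt a server-managed session key with it.
func ServerRespond(priv *rsa.PrivateKey, firstCiphertext []byte, keyID uint64, sessionKey []byte) (AuthResponse, error) {
	tempKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, firstCiphertext, nil)
	if err != nil || len(tempKey) != 16 {
		return AuthResponse{}, errors.New("authentication request rejected")
	}
	gcm, err := newGCM(tempKey)
	if err != nil {
		return AuthResponse{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return AuthResponse{}, err
	}
	c2 := gcm.Seal(nonce, nonce, sessionKey, idBytes(keyID))
	return AuthResponse{KeyID: keyID, SecondCiphertext: c2}, nil
}

// ClientFinish (step 307): decrypt the second ciphertext; a modified ciphertext or key identifier fails.
func ClientFinish(tempKey []byte, resp AuthResponse) ([]byte, error) {
	gcm, err := newGCM(tempKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(resp.SecondCiphertext) < n {
		return nil, errors.New("second ciphertext too short")
	}
	return gcm.Open(nil, resp.SecondCiphertext[:n], resp.SecondCiphertext[n:], idBytes(resp.KeyID))
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	sessionKey := []byte("constructed-key!") // constructed 16-byte sample value
	tempKey, c1, err := ClientBegin(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	resp, err := ServerRespond(priv, c1, 7, sessionKey)
	if err != nil {
		panic(err)
	}
	got, err := ClientFinish(tempKey, resp)
	fmt.Println("session key recovered:", err == nil && string(got) == string(sessionKey))
	resp.KeyID++ // simulate in-transit modification of the clear key identifier
	_, err = ClientFinish(tempKey, resp)
	fmt.Println("modified key identifier rejected:", err != nil)
}
```

Because the second ciphertext is sealed with an authenticated mode under the temporary key, the client rejects a response whose ciphertext or key identifier was modified in transit; the patent itself only requires symmetric encryption at this step.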
  • a session refers to a communication interaction between two devices during a specific operation time that is not interrupted. During a session, all packets transmitted between two devices belong to the session.
  • the session may be a “call process” between the client and the server, and a complete request and reply process.
  • FIG. 4 is a flowchart of a key management method according to another embodiment of the present invention. This method can be applied to the implementation environment shown in FIG. The method can include the following steps.
  • Step 401: The client generates a temporary key.
  • a temporary key is generated using a random number generator.
  • the temporary key is a symmetric key.
  • the temporary key is not used to encrypt and decrypt the data of the session; it is only used to encrypt and decrypt the session key, and the session key is the key actually used to encrypt and decrypt the data of the session.
  • Step 402: The client encrypts the temporary key by using a public key provided by the server to obtain a first ciphertext.
  • the public key is pre-delivered to the client by the server.
  • the server writes the public key to a binary file that carries the digital signature of the development company corresponding to the client, and sends the digitally signed binary file to the client, to ensure that the file has not been tampered with or forged and thus that the public key is issued securely.
  • the public key may be updated with the update of the binary file, and after the server enables a new public key, the binary file with the new public key may be resent to the client.
  • the temporary key is encrypted by using the public key provided by the server according to the asymmetric encryption method to obtain the first ciphertext.
  • Step 403: The client sends an authentication request to the server, where the first ciphertext is carried in the authentication request.
  • the authentication request is used to request the server to authenticate the client, and to allocate the key required for encrypting the session data to the client if the authentication is passed.
  • the server receives the authentication request sent by the client.
  • because the temporary key is encrypted by using the public key provided by the server, even if the authentication request is intercepted by a malicious user, the first ciphertext cannot be decrypted to obtain the temporary key, since the private key corresponding to the public key is not available to that user. Therefore, the security of the temporary key can be guaranteed, so that the security of the session key transmitted later can also be guaranteed.
  • Step 404: The server decrypts the first ciphertext by using the private key corresponding to the public key to obtain the temporary key.
  • after receiving the authentication request, the server decrypts the first ciphertext by using the private key corresponding to the public key, according to the asymmetric encryption method, to obtain the temporary key.
  • Step 405: The server acquires a session key and a key identifier.
  • the key identifier is used to identify the session key, and the session key is used to encrypt the data of the session.
  • the session key is a symmetric key.
  • the session key is a contiguous stream of bytes, typically an integer multiple of 128 bits, generated by a random number generator.
  • the key identifier is used to uniquely identify the session key. Different sessions can use the same key identifier. Different key identifiers correspond to different session keys.
  • the key identifier is a 64-bit integer.
  • the server generates a session key using a random number generator and generates a key identification corresponding to the session key.
  • the server stores the session key and the key identifier in correspondence.
  • the server selects a corresponding set of session key and key identifier from the pre-stored keys.
  • the pre-stored key includes at least one set of corresponding session key and key identifier.
  • the pre-stored key is pre-generated and stored by the server.
  • the pre-stored key can be stored in the server's cache, or it can be stored in a target file. In one example, the pre-stored key is stored in the cache and also backed up in the target file, so that a backup is available in the event of a cache failure.
  • each session key has a corresponding validity period, and the session key is valid within the validity period, otherwise the session key is invalid.
  • the validity period of the session key can be set correspondingly when the session key is generated.
  • the duration of the validity period is usually the same, but it may be different. This embodiment does not limit this.
  • the time at which the validity period of the session key takes effect is not limited.
  • the validity period of the session key may take effect when the session key is generated, when the server sends the session key to the client, or when the client receives the session key.
  • the client encrypts and decrypts the session data using a session key in the valid state (that is, whose validity period has not been exceeded). After the session key becomes invalid (that is, the validity period is exceeded), the client can request a new valid session key from the server. Therefore, step 403 above may be executed when the existing session key has expired, or when the client needs to initiate a session with the server and the existing session key has expired. If the existing session key has not expired, the client can use the existing session key to encrypt and decrypt the session data without requesting a new session key from the server.
  • the server selects a corresponding set of session keys and key identifiers from the pre-stored keys, and may include the following sub-steps:
  • the server obtains an IP (Internet Protocol) address corresponding to the client;
  • the server parses the data packet of the authentication request sent by the client, and parses and obtains the IP address corresponding to the client from the packet header.
  • the server determines a key selection range according to the IP address, where the key selection range includes a part of the corresponding session keys and key identifiers in the pre-stored keys;
  • the server may segment the pre-stored keys, dividing them into multiple segments, each of which includes a part of the corresponding session keys and key identifiers. For example, the server calculates a hash value of the IP address corresponding to the client and maps the hash value to one segment of the pre-stored keys, and that segment is the key selection range. For another example, the server may randomly select one segment from the segmented pre-stored keys, and the selected segment is the key selection range.
  • the server selects a corresponding set of session keys and key identifiers from the key selection range.
  • Step 406: The server encrypts the session key by using the temporary key to obtain a second ciphertext.
  • the server encrypts the session key by using a temporary key according to a symmetric encryption method to obtain a second ciphertext.
  • the server further encrypts the key identifier by using a temporary key, and obtains the encrypted key identifier.
  • Step 407: The server sends an authentication response to the client, where the authentication response carries the second ciphertext and the key identifier.
  • the client receives an authentication response sent by the server.
  • the key identifier carried in the authentication response may be an unencrypted key identifier or an encrypted key identifier.
  • the server may further perform the following steps: the server obtains a GUID (Globally Unique Identifier) corresponding to the device where the client is located, and obtains the number of authentication requests corresponding to the GUID; determines whether the number of authentication requests is greater than a preset threshold; if the number of authentication requests is greater than the preset threshold, refuses to respond to the authentication request; if the number of authentication requests is less than the preset threshold, responds to the authentication request, for example, by performing the above steps 404 to 407.
  • the GUID corresponding to the device where the client is located can be parsed and obtained from the packet header of the data packet of the authentication request. In the above manner, the number of authentication requests of the same GUID is limited, and the server can be effectively protected when it is subjected to frequent malicious attacks.
  • Step 408 The client decrypts the second ciphertext by using a temporary key to obtain a session key.
  • After receiving the authentication response, the client decrypts the second ciphertext by using the temporary key according to the symmetric encryption method to obtain the session key. After that, the client uses the session key to symmetrically encrypt the communication content with the server. During the subsequent session between the client and the server, the client encrypts and decrypts the data of the session transmitted between it and the server by using the session key, and the server encrypts and decrypts the data of the session transmitted between it and the client by using the session key.
  • the client directly reads the key identifier from the authentication response; if the authentication response further carries the encrypted key identifier, the client decrypts the encrypted key identifier by using the temporary key to obtain the key identifier.
  • Steps 409 to 411 are uplink transmission procedures
  • steps 412 to 414 are downlink transmission procedures.
  • Step 409 The client encrypts the uplink data of the session by using the session key, and obtains the encrypted uplink data.
  • the uplink data refers to the data transmitted by the client to the server.
  • step 410 the client sends an uplink data packet to the server.
  • the packet header of the uplink data packet carries the key identifier
  • the packet body of the uplink data packet carries the encrypted uplink data.
  • the packet identifier of the uplink data packet does not carry the key identifier.
  • the server receives the uplink data packet sent by the client.
  • step 411 the server decrypts the encrypted uplink data by using the session key corresponding to the key identifier carried in the packet header to obtain uplink data.
  • After receiving the uplink data packet, the server queries the pre-stored key to obtain the session key corresponding to the key identifier carried in the packet header of the uplink data packet, and then uses the queried session key to decrypt the encrypted uplink data according to the symmetric encryption method, obtaining the uplink data.
  • the server may further verify the validity period of the queried session key before performing the decryption operation; if the validity period has been exceeded, the process ends, and if the validity period has not been exceeded, the decryption operation is performed.
  • Step 412 The server encrypts the downlink data of the session by using the session key, and obtains the encrypted downlink data.
  • Downstream data refers to the data that the server transmits to the client.
  • step 413 the server sends a downlink data packet to the client.
  • the packet header of the downlink data packet carries the key identifier, and the packet body of the downlink data packet carries the encrypted downlink data.
  • the key identifier of the downlink data packet does not carry the key identifier.
  • the client receives the downlink data packet sent by the server.
  • Step 414 The client decrypts the encrypted downlink data by using a session key corresponding to the key identifier carried in the packet header to obtain downlink data.
  • After receiving the downlink data packet, the client obtains the session key corresponding to the key identifier carried in the packet header of the downlink data packet, and then uses that session key to decrypt the encrypted downlink data according to the symmetric encryption method, obtaining the downlink data.
  • the server can also obtain an initialization vector (Init Vector, IV) corresponding to the session key, and send the initialization vector to the client.
  • This initialization vector is used by the client for symmetric encryption and decryption using the session key.
  • the client receives an initialization vector sent by the server.
  • the authentication response sent by the server to the client also carries an initialization vector.
  • the initialization vector may be sent encrypted with the temporary key, or may be sent unencrypted. This embodiment does not limit this.
  • the initialization vector can be generated by the server, which uses a random number generator to generate a random number and combines the random number with the session key.
  • the initialization vector can be dynamically changed according to the relevant algorithm.
  • the initialization vector is a 12-byte byte stream. In the above manner, the same session key must be used together with the corresponding initialization vector to complete the decryption, thereby achieving further optimization and reinforcement.
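The optional server-side checks in the steps above (IP-hash segment selection, the per-GUID request limit, and the validity-period check at lookup), as an added Go sketch that is not part of the patent text. SHA-256 as the hash, a counter that never resets, refusal once the count reaches the threshold, and every type and function name are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StoredKey is one entry of the pre-stored key: session key, key identifier, validity.
type StoredKey struct {
	ID      uint32
	Key     []byte
	Expires int64 // Unix seconds
}

// KeyServer models the server-side checks; all names are this sketch's own.
type KeyServer struct {
	keys      []StoredKey    // the pre-stored key; identifier n is keys[n-1]
	perSeg    int            // entries per segment
	seen      map[string]int // authentication requests counted per GUID
	threshold int
}

// NewKeyServer pre-generates nSeg segments of perSeg session keys each.
func NewKeyServer(nSeg, perSeg, threshold int, expires int64) (*KeyServer, error) {
	if nSeg < 1 || perSeg < 1 {
		return nil, errors.New("need at least one segment holding one key")
	}
	s := &KeyServer{perSeg: perSeg, seen: map[string]int{}, threshold: threshold}
	for id := 1; id <= nSeg*perSeg; id++ {
		k := StoredKey{ID: uint32(id), Key: make([]byte, 32), Expires: expires}
		if _, err := rand.Read(k.Key); err != nil {
			return nil, err
		}
		s.keys = append(s.keys, k)
	}
	return s, nil
}

// SegmentFor hashes the client IP address onto one segment: the key selection range.
func (s *KeyServer) SegmentFor(ip string) int {
	sum := sha256.Sum256([]byte(ip))
	return int(binary.BigEndian.Uint64(sum[:8]) % uint64(len(s.keys)/s.perSeg))
}

// Admit refuses a GUID once its request count has reached the preset threshold.
func (s *KeyServer) Admit(guid string) bool {
	if s.seen[guid] >= s.threshold {
		return false
	}
	s.seen[guid]++
	return true
}

// Select applies the GUID limit, then picks a random entry from the client's segment.
func (s *KeyServer) Select(ip, guid string) (StoredKey, error) {
	if !s.Admit(guid) {
		return StoredKey{}, errors.New("too many authentication requests for this GUID")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(int64(s.perSeg)))
	if err != nil {
		return StoredKey{}, err
	}
	return s.keys[s.SegmentFor(ip)*s.perSeg+int(n.Int64())], nil
}

// Lookup resolves a packet header's key identifier and enforces the validity period.
func (s *KeyServer) Lookup(id uint32, now int64) ([]byte, error) {
	if id < 1 || uint64(id) > uint64(len(s.keys)) {
		return nil, errors.New("unknown key identifier")
	}
	if k := s.keys[id-1]; now < k.Expires {
		return k.Key, nil
	}
	return nil, errors.New("session key expired")
}

func main() {
	srv, err := NewKeyServer(4, 8, 3, time.Now().Unix()+3600)
	if err != nil {
		panic(err)
	}
	const ip, guid = "203.0.113.7", "guid-constructed-0001" // constructed sample values
	for i := 1; i <= 4; i++ {
		k, err := srv.Select(ip, guid)
		fmt.Printf("request %d: segment %d, key id %d, err=%v\n", i, srv.SegmentFor(ip), k.ID, err)
	}
}
```

The page does not say when the per-GUID count is cleared, so a deployment has to choose a reset window itself.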
  • in the method provided in this embodiment, the client encrypts the temporary key by using the asymmetric encryption method and sends it to the server. After the server decrypts it to obtain the temporary key, the server encrypts the session key by using the temporary key to obtain the second ciphertext and sends the second ciphertext to the client, and the client decrypts the second ciphertext by using the temporary key to obtain the session key, so that the client subsequently uses the session key to encrypt and decrypt the data of the session when performing a session with the server.
  • this solves the problem in the related art that the server needs to consume a large amount of resources to manage symmetric keys because the number of sessions between the client and the server is relatively large. Compared with the related art, in which the data of the session is encrypted and decrypted directly with a symmetric key generated by the client, the session key provided by the server is used to encrypt and decrypt the session data, so that the server only needs to manage the session keys and does not need to manage keys generated by a large number of clients, which simplifies the server's key management and helps save server resources.
  • moreover, since the session key is not transmitted in plaintext on the network but is encrypted by using the temporary key, security is also guaranteed.
  • the client can use the session key to encrypt and decrypt the session data, A new session key needs to be re-requested from the server to save processing overhead and communication resources of the device and server where the client is located.
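The exchange summarized above (steps 401 to 411), as an added Go sketch that is not code from the patent or its applicant. It assumes RSA-OAEP for the asymmetric step and AES-256-GCM for the symmetric steps (the GCM nonce is the 12-byte initialization vector), generates a fresh IV for every message, and uses hypothetical names (`Message`, `Server`, `HandleAuth`, `OpenPacket`).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is the authentication response (Body = second ciphertext) or a data packet.
type Message struct {
	KeyID    uint32 // packet header: key identifier
	IV, Body []byte // a fresh 12-byte IV per message is an assumption of this sketch
}

// Server holds the RSA private key and the key identifier -> session key table.
type Server struct {
	Priv  *rsa.PrivateKey
	store map[uint32][]byte
}

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{Priv: priv, store: map[uint32][]byte{}}, err
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	return b
}

// gcm builds AES-GCM; keys that are not 16, 24 or 32 bytes long are rejected.
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts data under key and puts the key identifier in the header.
func Seal(id uint32, key, data []byte) (*Message, error) {
	a, err := gcm(key)
	if err != nil {
		return nil, err
	}
	iv := randBytes(a.NonceSize()) // 12 bytes for GCM
	return &Message{id, iv, a.Seal(nil, iv, data, nil)}, nil
}

// Open decrypts and authenticates m; a wrong IV length is refused, not passed on.
func Open(key []byte, m *Message) ([]byte, error) {
	a, err := gcm(key)
	if err != nil || len(m.IV) != a.NonceSize() {
		return nil, fmt.Errorf("unknown key or bad IV length")
	}
	return a.Open(nil, m.IV, m.Body, nil)
}

// ClientAuthRequest: steps 401-402, temporary key -> first ciphertext (RSA-OAEP).
func ClientAuthRequest(pub *rsa.PublicKey) (tempKey, firstCT []byte, err error) {
	tempKey = randBytes(32)
	firstCT, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tempKey, nil)
	return tempKey, firstCT, err
}

// HandleAuth: steps 404-407, the session key returns encrypted under the temporary key.
func (s *Server) HandleAuth(firstCT []byte) (*Message, error) {
	tempKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Priv, firstCT, nil)
	if err != nil || len(tempKey) != 32 {
		return nil, fmt.Errorf("bad first ciphertext") // same error for every failure
	}
	id, sessionKey := uint32(len(s.store))+1, randBytes(32)
	s.store[id] = sessionKey
	return Seal(id, tempKey, sessionKey)
}

// OpenPacket: step 411; an unknown key identifier yields a nil key, which Open rejects.
func (s *Server) OpenPacket(p *Message) ([]byte, error) {
	return Open(s.store[p.KeyID], p)
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	tempKey, firstCT, _ := ClientAuthRequest(&srv.Priv.PublicKey)
	resp, _ := srv.HandleAuth(firstCT)
	sessionKey, _ := Open(tempKey, resp)                          // step 408
	pkt, _ := Seal(resp.KeyID, sessionKey, []byte("uplink data")) // steps 409-410
	plain, err := srv.OpenPacket(pkt)
	fmt.Printf("key id %d: server read %q, err=%v\n", resp.KeyID, plain, err)
}
```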
  • the code of the RSA function API of the OpenSSL library is adjusted so that the steps that are not multi-thread safe are separated out and placed in a safe location, while the remaining thread-safe steps can run in the multi-threaded environment.
  • the step on the client side can be separately implemented as a key management method on the client side
  • the steps on the server side can be separately implemented as a key management method on the server side.
  • FIG. 5 shows a flow chart of the authentication phase. As shown in FIG. 5, the authentication phase may include the following steps.
  • step 501 the client generates a temporary key.
  • Step 502 The client encrypts the temporary key by using the public key provided by the authentication center server to obtain the first ciphertext.
  • Step 503 The client sends an authentication request to the access server, where the first ciphertext is carried in the authentication request.
  • the access server receives an authentication request sent by the client.
  • Step 504 The access server forwards the authentication request to the authentication center server.
  • the authentication center server receives the authentication request sent by the access server.
  • Step 505 The authentication center server decrypts the first ciphertext by using a private key corresponding to the public key to obtain a temporary key.
  • Step 506 The authentication center server acquires a session key and a key identifier.
  • the key identifier is used to identify the session key, and the session key is used to encrypt the data of the session.
  • step 506 includes the following sub-steps:
  • Step 506a The authentication center server generates a session key by using a random number generator.
  • Step 506b The authentication center server sends a session key to the key management server.
  • the key management server receives the session key sent by the authentication center server
  • Step 506c The key management server generates a key identifier corresponding to the session key.
  • Step 506d the key management server correspondingly stores the key identifier and the session key
  • Step 506e The key management server sends a key identifier to the authentication center server.
  • the authentication center server receives the key identifier sent by the key management server.
  • step 506 includes the following sub-steps:
  • step 506f the authentication center server selects a corresponding set of session keys and key identifiers from the pre-stored keys.
  • the pre-stored key includes at least one set of corresponding session key and key identifier.
  • the pre-stored key can be pre-generated by the key management server and provided to the authentication center server. For example, the key management server writes the pre-stored key into the target file and sends the target file to the authentication center server. After the authentication center server is started, the pre-stored key in the target file is loaded into the memory, and each time a corresponding set of session key and key identifier is randomly selected from it.
  • step 507 the authentication center server encrypts the session key by using a temporary key to obtain a second ciphertext.
  • Step 508 The authentication center server sends an authentication response to the access server, where the authentication response carries the second ciphertext and the key identifier.
  • the access server receives the authentication response sent by the authentication center server.
  • the key identifier carried in the authentication response may be an unencrypted key identifier or an encrypted key identifier.
  • step 509 the access server forwards the authentication response to the client.
  • the client receives an authentication response sent by the access server.
  • Step 510 The client decrypts the second ciphertext by using a temporary key to obtain a session key.
  • Figure 6 shows a flow chart of the data communication phase. As shown in FIG. 6, the data communication phase can include the following steps.
  • Step 601 The client encrypts the uplink data of the session by using the session key, and obtains the encrypted uplink data.
  • Step 602 The client sends an uplink data packet to the access server.
  • the packet header of the uplink data packet carries the key identifier, and the packet body of the uplink data packet carries the encrypted uplink data.
  • the access server receives the uplink data packet sent by the client.
  • Step 603 The access server queries to obtain a session key corresponding to the key identifier carried in the packet header.
  • step 603 includes the following sub-steps:
  • Step 603a The access server queries, from the local cache, the session key corresponding to the key identifier carried in the packet header.
  • the access server obtains a preset key from the key management server in advance and stores it in the local cache.
  • step 603 includes the following sub-steps:
  • Step 603b The access server sends a query request to the key management server, where the query request carries the key identifier carried in the packet header.
  • the key management server receives the query request sent by the access server
  • Step 603c The key management server queries, by using a preset key, a session key corresponding to the key identifier carried in the query request.
  • Step 603d The key management server sends a query response to the access server, where the query response carries the session key obtained by the query;
  • the access server receives the query response sent by the key management server.
  • Step 604 The access server decrypts the encrypted uplink data by using the session key obtained by the query to obtain uplink data.
  • Step 605 The access server sends uplink data to the service server.
  • the service server receives the uplink data sent by the access server.
  • the access server sends the clear text of the uplink data to the service server.
  • the access server encrypts the uplink data and sends it to the service server by using an encryption method and a key that are negotiated in advance with the service server.
  • After receiving the uplink data, the service server processes the uplink data and, if necessary, feeds back a packet to the client.
  • Step 606 The service server sends downlink data to the access server.
  • the access server receives downlink data sent by the service server.
  • the service server sends the clear text of the downlink data to the access server.
  • the service server encrypts the downlink data by using an encryption method and a key that are pre-negotiated with the access server, and then sends it to the access server.
  • Step 607 The access server encrypts the downlink data by using the session key obtained by the query, and obtains the encrypted downlink data.
  • Step 608 The access server sends a downlink data packet to the client.
  • the packet header of the downlink data packet carries the key identifier, and the packet body of the downlink data packet carries the encrypted downlink data.
  • the client receives the downlink data packet sent by the access server.
  • Step 609 The client decrypts the encrypted downlink data by using a session key corresponding to the key identifier carried in the packet header to obtain downlink data.
  • FIG. 7 shows a block diagram of a key management apparatus according to an embodiment of the present invention.
  • the device has a function of implementing the above-mentioned client side key management method, and the function may be implemented by hardware or by executing corresponding software by hardware.
  • the apparatus may include a key generation module 710, a first encryption module 720, a request transmission module 730, a response receiving module 740, and a first decryption module 750.
  • the key generation module 710 is configured to generate a temporary key.
  • the first encryption module 720 is configured to encrypt the temporary key by using a public key provided by the server to obtain a first ciphertext.
  • the request sending module 730 is configured to send an authentication request to the server, where the first ciphertext is carried in the authentication request.
  • the response receiving module 740 is configured to receive an authentication response sent by the server, where the authentication response carries a second ciphertext, and the second ciphertext is a ciphertext obtained by encrypting the session key by using the temporary key.
  • the session key is used to encrypt data of the session.
  • the first decryption module 750 is configured to decrypt the second ciphertext by using the temporary key to obtain the session key.
  • the device provided in this embodiment encrypts the temporary key by using the asymmetric encryption method and sends it to the server, receives the second ciphertext obtained by the server encrypting the session key by using the temporary key, and decrypts the second ciphertext by using the temporary key to obtain the session key, so that the client can subsequently encrypt and decrypt the session data by using the session key when performing a session with the server.
  • this solves the problem in the related art that the server needs to consume a large amount of resources to manage symmetric keys because the number of sessions between the client and the server is quite large. Compared with the related art, in which the session data is encrypted and decrypted with a symmetric key generated by the client, the session key provided by the server is used to encrypt and decrypt the session data, so that the server only needs to manage the session keys and does not need to manage the keys generated by a large number of clients, thereby simplifying the server's key management and saving the resources of the server.
  • moreover, since the session key is not transmitted in plaintext on the network but is encrypted by using the temporary key, security is also guaranteed.
  • FIG. 8 is a block diagram of a key management apparatus according to another embodiment of the present invention.
  • the device has a function of implementing the above-mentioned server-side key management method, and the function may be implemented by hardware or by executing corresponding software by hardware.
  • the apparatus may include a request receiving module 810, a second decryption module 820, a second encryption module 840, and a response sending module 850.
  • the request receiving module 810 is configured to receive an authentication request sent by the client, where the authentication request carries the first ciphertext, and the first ciphertext is a ciphertext obtained by encrypting the temporary key by using the public key provided by the local end.
  • the second decryption module 820 is configured to decrypt the first ciphertext by using a private key corresponding to the public key to obtain the temporary key.
  • the second encryption module 840 is configured to encrypt the session key by using the temporary key to obtain a second ciphertext; wherein the session key is used to encrypt data of the session.
  • the response sending module 850 is configured to send an authentication response to the client, where the second ciphertext is carried in the authentication response.
  • with the device provided in this embodiment, the client encrypts the temporary key by using the asymmetric encryption method and sends it to the server. After decrypting it to obtain the temporary key, the server encrypts the session key by using the temporary key to obtain the second ciphertext and sends the second ciphertext to the client, so that the client subsequently encrypts and decrypts the session data by using the session key when performing a session with the server.
  • this solves the problem in the related art that the server needs to use a large amount of resources to manage symmetric keys because the number of sessions between the client and the server is quite large. Compared with the related art, in which the data of the session is encrypted and decrypted by using the symmetric key generated by the client, the session key provided by the server is used to encrypt and decrypt the data of the session, so that the server only needs to manage the session keys and does not need to manage the keys generated by a large number of clients, thereby simplifying the server's key management and helping save server resources. Moreover, since the session key is not transmitted in plaintext on the network but is encrypted by using the temporary key, security is also guaranteed.
  • FIG. 9 shows a block diagram of a key management system provided by an embodiment of the present invention.
  • the system includes a client 700 and a server 800.
  • Client 700 can include a key management device.
  • the device has a function of implementing the above-mentioned client side key management method, and the function may be implemented by hardware or by executing corresponding software by hardware.
  • the apparatus may include a key generation module 710, a first encryption module 720, a request transmission module 730, a response receiving module 740, and a first decryption module 750.
  • the key generation module 710 is configured to generate a temporary key.
  • the first encryption module 720 is configured to encrypt the temporary key by using a public key provided by the server 800 to obtain a first ciphertext.
  • the request sending module 730 is configured to send an authentication request to the server 800, where the first ciphertext is carried in the authentication request.
  • the response receiving module 740 is configured to receive an authentication response sent by the server 800, where the authentication response carries a second ciphertext, and the second ciphertext is a ciphertext obtained by encrypting the session key by using the temporary key.
  • the session key is used to encrypt data of the session.
  • the first decryption module 750 is configured to decrypt the second ciphertext by using the temporary key to obtain the session key.
  • the authentication response further carries a key identifier, where the key identifier is used to identify the session key.
  • the device further includes: an uplink data encryption module 762 and an uplink data sending module 764.
  • the uplink data encryption module 762 is configured to encrypt the uplink data of the session by using the session key to obtain encrypted uplink data.
  • the uplink data sending module 764 is configured to send an uplink data packet to the server 800, where the packet header of the uplink data packet carries the key identifier, and the packet body of the uplink data packet carries the encrypted uplink data.
  • the device further includes: a downlink data receiving module 766 and a downlink data decrypting module 768.
  • the downlink data receiving module 766 is configured to receive the downlink data packet sent by the server 800, where the packet header of the downlink data packet carries the key identifier, and the packet body of the downlink data packet carries the encrypted downlink data.
  • the downlink data decryption module 768 is configured to decrypt the encrypted downlink data by using a session key corresponding to the key identifier carried in the packet header to obtain downlink data.
  • the key generation module 710 is configured to generate the temporary key by using a random number generator.
  • the device further includes: a vector receiving module 770.
  • the vector receiving module 770 is configured to receive an initialization vector that is sent by the server 800 and that is corresponding to the session key, where the initialization vector is used when the local end uses the session key for symmetric encryption and decryption.
  • Server 800 can include a key management device.
  • the device has a function of implementing the above-mentioned server-side key management method, and the function may be implemented by hardware or by executing corresponding software by hardware.
  • the apparatus may include a request receiving module 810, a second decryption module 820, a second encryption module 840, and a response sending module 850.
  • the request receiving module 810 is configured to receive an authentication request sent by the client 700, where the authentication request carries the first ciphertext, and the first ciphertext is a ciphertext obtained by encrypting the temporary key by using the public key provided by the local end.
  • the second decryption module 820 is configured to decrypt the first ciphertext by using a private key corresponding to the public key to obtain the temporary key.
  • the second encryption module 840 is configured to encrypt the session key by using the temporary key to obtain a second ciphertext; wherein the session key is used to encrypt data of the session.
  • the response sending module 850 is configured to send an authentication response to the client 700, where the second ciphertext is carried in the authentication response.
  • the authentication response further carries a key identifier, where the key identifier is used to identify the session key.
  • the device further includes: a key acquisition module 830.
  • the key obtaining module 830 is configured to acquire a session key and a key identifier.
  • the key obtaining module 830 is configured to generate the session key by using a random number generator, and to generate a key identifier corresponding to the session key.
  • the key obtaining module 830 is configured to select a corresponding set of session keys and key identifiers from the pre-stored keys.
  • the pre-stored key includes at least one set of corresponding session key and key identifier.
  • the key obtaining module 830 includes: an address obtaining unit, a range determining unit, and a key selection unit.
  • An address obtaining unit is configured to obtain an IP address corresponding to the client 700.
  • a range determining unit configured to determine a key selection range according to the IP address, where the key selection range includes a part of the corresponding session keys and key identifiers in the pre-stored key.
  • the key selection unit is configured to select a corresponding set of session keys and key identifiers from the key selection range.
  • the device further includes: an uplink data receiving module 862 and an uplink data decrypting module 864.
  • the uplink data receiving module 862 is configured to receive the uplink data packet sent by the client 700, where the packet header of the uplink data packet carries the key identifier, and the packet body of the uplink data packet carries the encrypted uplink data.
  • the uplink data decryption module 864 is configured to decrypt the encrypted uplink data by using a session key corresponding to the key identifier carried in the packet header to obtain uplink data.
  • the device further includes: a downlink data encryption module 866 and a downlink data sending module 868.
  • the downlink data encryption module 866 is configured to encrypt the downlink data of the session by using the session key to obtain encrypted downlink data.
  • the downlink data sending module 868 is configured to send a downlink data packet to the client 700, where the packet header of the downlink data packet carries the key identifier, and the packet body of the downlink data packet carries the encrypted downlink data.
  • the device further includes: an identifier obtaining module 812 and a number obtaining module 814.
  • the identifier obtaining module 812 is configured to obtain a GUID corresponding to the device where the client 700 is located.
  • the number obtaining module 814 is configured to acquire the number of authentication requests corresponding to the GUID.
  • the second decryption module 820 is further configured to: when the number of the authentication requests is less than a preset threshold, decrypt the first ciphertext by using a private key corresponding to the public key to obtain the temporary key.
  • the device further includes: a vector obtaining module 870 and a vector sending module 880.
  • the vector acquisition module 870 is configured to acquire an initialization vector corresponding to the session key.
  • the vector sending module 880 is configured to send the initialization vector to the client 700, where the initialization vector is used when the client 700 performs symmetric encryption and decryption using the session key.
  • in the system provided in this embodiment, the client encrypts the temporary key by using the asymmetric encryption method and sends it to the server. After decrypting it to obtain the temporary key, the server encrypts the session key by using the temporary key to obtain the second ciphertext and sends the second ciphertext to the client, and the client decrypts the second ciphertext by using the temporary key to obtain the session key, so that the client subsequently uses the session key to encrypt and decrypt the session data when performing a session with the server.
  • this solves the problem in the related art that the server needs to spend a large amount of resources to manage symmetric keys because the number of sessions between the client and the server is relatively large. Compared with the related art, in which the data of the session is encrypted and decrypted directly by using the symmetric key generated by the client, the session key provided by the server is used to encrypt and decrypt the session data, so that the server only needs to manage the session keys and does not need to manage a large number of client-generated keys, which simplifies the server's key management and helps save server resources.
  • moreover, since the session key is not transmitted in plaintext on the network but is encrypted by using the temporary key, security is also guaranteed.
  • FIG. 10 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • the terminal is used to implement the client side key management method provided in the foregoing embodiment. Specifically:
  • the terminal 1000 may include an RF (Radio Frequency) circuit 1010, a memory 1020 including one or more computer readable storage media, an input unit 1030, a display unit 1040, a sensor 1050, an audio circuit 1060, a WiFi (wireless fidelity) module 1070, a processor 1080 including one or more processing cores, a power supply 1090, and the like. It will be understood by those skilled in the art that the terminal structure shown in FIG. 10 does not constitute a limitation to the terminal, and the terminal may include more or fewer components than those illustrated, or combine some components, or have different component arrangements. Wherein:
  • the RF circuit 1010 can be used for receiving and transmitting signals during and after receiving or transmitting information; in particular, after receiving downlink information of the base station, it hands the information to one or more processors 1080 for processing; in addition, it transmits uplink-related data to the base station.
  • the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, etc.
  • the RF circuit 1010 can also communicate with the network and other devices via wireless communication.
  • the wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
  • the memory 1020 can be used to store software programs and modules, and the processor 1080 executes various functional applications and data processing by running software programs and modules stored in the memory 1020.
  • the memory 1020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the terminal 1000 (such as audio data, phone book, etc.) and the like.
  • memory 1020 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 1020 can also include a memory controller to provide access to memory 1020 by processor 1080 and input unit 1030.
  • Input unit 1030 can be used to receive input numeric or character information, as well as to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
  • the input unit 1030 may include an image input device 1031 and other input devices 1032.
  • the image input device 1031 may be a camera or an optical scanning device.
  • the input unit 1030 may also include other input devices 1032.
  • other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • Display unit 1040 can be used to display information entered by the user or information provided to the user and various graphical user interfaces of terminal 1000, which can be constructed from graphics, text, icons, video, and any combination thereof.
  • the display unit 1040 may include a display panel 1041.
  • the display panel 1041 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
  • Terminal 1000 can also include at least one type of sensor 1050, such as a light sensor, motion sensor, and other sensors.
  • The light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor can adjust the brightness of the display panel 1041 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 1041 and/or the backlight when the terminal 1000 is moved to the ear.
  • the gravity acceleration sensor can detect the magnitude of acceleration in all directions (usually three axes). When it is stationary, it can detect the magnitude and direction of gravity.
  • The terminal 1000 can also be configured with gyroscopes, barometers, hygrometers, thermometers, infrared sensors and other sensors, which are not described again here.
  • Audio circuit 1060, speaker 1061, and microphone 1062 can provide an audio interface between the user and terminal 1000.
  • The audio circuit 1060 can transmit the electrical signal converted from the received audio data to the speaker 1061, which converts it into a sound signal for output; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data. The audio data is then output to the processor 1080 for processing and transmitted, for example, to a terminal via the RF circuit 1010, or output to the memory 1020 for further processing.
  • the audio circuit 1060 may also include an earbud jack to provide communication of the peripheral earphones with the terminal 1000.
  • WiFi is a short-range wireless transmission technology
  • the terminal 1000 can help users to send and receive emails, browse web pages, and access streaming media through the WiFi module 1070, which provides wireless broadband Internet access for users.
  • Although FIG. 10 shows the WiFi module 1070, it can be understood that it is not an essential part of the terminal 1000 and may be omitted as needed without changing the essence of the invention.
  • The processor 1080 is the control center of the terminal 1000. It connects the various parts of the entire handset through various interfaces and lines and, by running or executing software programs and/or modules stored in the memory 1020 and recalling data stored in the memory 1020, performs the various functions of the terminal 1000 and processes data, thereby monitoring the handset as a whole.
  • the processor 1080 may include one or more processing cores; preferably, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly processes an operating system, a user interface, an application, and the like.
  • the modem processor primarily handles wireless communications. It will be appreciated that the above described modem processor may also not be integrated into the processor 1080.
  • the terminal 1000 also includes a power source 1090 (such as a battery) for powering various components.
  • the power source can be logically coupled to the processor 1080 through a power management system to manage functions such as charging, discharging, and power management through the power management system.
  • the power supply 1090 may also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
  • the terminal 1000 may further include a Bluetooth module or the like, and details are not described herein again.
  • The terminal 1000 further includes a memory storing at least one instruction, at least one program, a code set or an instruction set, which is loaded and executed by the processor to implement the above client-side key management method.
  • FIG. 11 is a schematic structural diagram of a server according to an embodiment of the present invention.
  • This server is used to implement the server-side key management method provided in the above embodiment. Specifically:
  • the server 1100 includes a central processing unit (CPU) 1101, a system memory 1104 including a random access memory (RAM) 1102 and a read only memory (ROM) 1103, and a system bus 1105 that connects the system memory 1104 and the central processing unit 1101.
  • The server 1100 also includes a basic input/output system (I/O system) 1106 that facilitates transfer of information between various devices within the computer, and a mass storage device 1107 for storing the operating system 1113, applications 1114, and other program modules 1115.
  • the basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109 such as a mouse or keyboard for user input of information.
  • the display 1108 and the input device 1109 are both connected to the central processing unit 1101 via an input-output controller 1110 connected to the system bus 1105.
  • the basic input/output system 1106 can also include an input output controller 1110 for receiving and processing input from a plurality of other devices, such as a keyboard, mouse, or electronic stylus.
  • the input and output controller 1110 also provides output to a display screen, printer, or other type of output device.
  • the mass storage device 1107 is connected to the central processing unit 1101 by a mass storage controller (not shown) connected to the system bus 1105.
  • the mass storage device 1107 and its associated computer readable medium provide non-volatile storage for the server 1100. That is, the mass storage device 1107 can include a computer readable medium (not shown) such as a hard disk or a CD-ROM drive.
  • the computer readable medium can include computer storage media and communication media.
  • Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid state storage technologies, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices.
  • The server 1100 may also be operated by a remote computer connected to the network through a network such as the Internet. That is, the server 1100 can be connected to the network 1112 through the network interface unit 1111 connected to the system bus 1105, or can also be connected to other types of networks or remote computer systems (not shown) using the network interface unit 1111.
  • A computer readable storage medium having stored therein at least one instruction, at least one program, a code set or a set of instructions, where the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by the processor of the terminal to implement the steps of the terminal side in the above method embodiment.
  • A computer readable storage medium having stored therein at least one instruction, at least one program, a code set or a set of instructions, where the at least one instruction, the at least one program, the code set or the instruction set is loaded and executed by a processor of the server to implement the various steps of the server side in the above method embodiment.
  • the computer readable storage medium described above may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, and an optical data storage device.
  • a computer program product for performing the functions of the various steps of the terminal side in the above method embodiments when the computer program product is executed.
  • a computer program product for performing the functions of the various steps on the server side of the above method embodiments when the computer program product is executed.
  • "A plurality" as referred to herein means two or more.
  • "And/or" describes the association relationship of the associated objects and indicates that three relationships may exist; for example, A and/or B may indicate three cases: A exists alone, A and B exist at the same time, and B exists alone.
  • The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of information security and relates to a key management method, apparatus, device, and system. The method comprises the following steps: a client generates a temporary key, encrypts the temporary key using a public key provided by a server to obtain a first ciphertext, and sends it to the server; the server uses a private key corresponding to the public key to decrypt the first ciphertext and obtain the temporary key, acquires a session key and a key identifier, uses the temporary key to encrypt the session key to obtain a second ciphertext, and sends it to the client; and the client uses the temporary key to decrypt the second ciphertext to obtain the session key, the session key being used to encrypt data of a session. While taking into account both the security of the key and the efficiency of encryption and decryption, the invention simplifies key management by the server and saves the server's processing and storage resources.
PCT/CN2017/091646 2016-07-20 2017-07-04 Key management method, apparatus, device, and system Ceased WO2018014723A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610579122.XA CN106712932B (zh) 2016-07-20 2016-07-20 Key management method, apparatus and system
CN201610579122.X 2016-07-20

Publications (1)

Publication Number Publication Date
WO2018014723A1 (fr) 2018-01-25

Family

ID=58939709

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/091646 Ceased WO2018014723A1 (fr) 2016-07-20 2017-07-04 Key management method, apparatus, device, and system

Country Status (2)

Country Link
CN (1) CN106712932B (fr)
WO (1) WO2018014723A1 (fr)

Also Published As

Publication number Publication date
CN106712932A (zh) 2017-05-24
CN106712932B (zh) 2019-03-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17830357

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17830357

Country of ref document: EP

Kind code of ref document: A1