CN114422261B - Management method, management system, computer device, and computer-readable storage medium - Google Patents
- Publication number
- CN114422261B (CN202210138256.3A)
- Authority
- CN
- China
- Prior art keywords
- key
- server
- client
- equipment
- authentication key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a management method, a management system, a computer device, and a computer-readable storage medium for managing the device authentication key and the administrator PIN of a smart key (intelligent password key). The management method includes one or more of the following: Method A, a method for initializing the smart key, including setting the device authentication key and setting the administrator personal identification number; Method B, a method for using the device authentication key and the administrator personal identification number; and Method C, a method for modifying the device authentication key and the administrator personal identification number. In the management method, the device authentication key and the administrator PIN are generated by the server and can be changed, which effectively avoids the problems of an insecure, easily leaked device authentication key and administrator PIN and greatly improves the security of using the smart key.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a management method, a management system, a computer device, and a computer readable storage medium.
Background
A smart cryptographic key (USB Key, also called a smart key) is a terminal device in the public key infrastructure (PKI) system. It provides users with services such as identity authentication, digital certificates, and data protection, and is widely used in fields such as online banking and electronic signatures. The interface specification of the smart key follows GB/T 35291, "Information security technology: Intelligent cipher key application interface specification".
The smart key uses a device authentication key (DevAuthKey; see GB/T 35291: the key used for device authentication) to authenticate the application program that calls it. The device authentication key is typically a 16-byte SM4 key. After the application program completes device authentication with the device authentication key, it can manage the applications in the smart key, for example creating and deleting them.
A smart key may contain multiple applications (see GB/T 35291: one device holds one device authentication key and multiple applications; the applications are independent of each other, and each application consists of an administrator (Admin) personal identification number (PIN), a user PIN, files, and containers). A container (see GB/T 35291: a container is the unique storage space set aside in a cryptographic device for holding keys) stores key data and digital certificates. The user PIN verifies the user's identity in order to open a container and call the relevant interfaces to perform cryptographic operations with the keys in the container. In practice, if the user PIN or the administrator PIN is entered incorrectly several times in a row, it is locked. Although the administrator PIN can be used to unlock a locked user PIN and set a new user PIN, once the administrator PIN itself is locked the application can no longer be used. Given its importance, the administrator PIN therefore needs to be strictly protected and managed.
In existing information systems, the device authentication key is generally set to a fixed value by the smart key manufacturer, and the user PIN is managed by the user. The administrator PIN is generally either also managed by the user, or set uniformly to a fixed value and managed by the system administrator of the information system.
These ways of managing the device authentication key and the administrator PIN have the following disadvantages: 1. A fixed device authentication key may allow the applications in the smart key to be maliciously deleted. 2. The administrator PIN is rarely used; if it is left to the user to manage, it is easily forgotten, so the smart key becomes unusable once it is locked. 3. If the administrator PIN is a fixed value, it is hard to replace periodically, and once it leaks, the administrator PIN of every smart key is leaked. How to provide an efficient and secure mechanism for managing the device authentication key and the administrator PIN is therefore a challenge.
Disclosure of Invention
In view of the above, the present invention provides a management method for managing a device authentication key and an administrator PIN.
The management method provided by the invention comprises one or more of the following methods:
Method A, a method for initializing the smart key, including setting the device authentication key and setting the administrator personal identification number;
Method B, a method for using the device authentication key and the administrator personal identification number;
Method C, a method for modifying the device authentication key and the administrator personal identification number,
wherein
Method A comprises the following steps:
AB. The client acquires the device information of the smart key and extracts the serial number SN from it;
AC. The server randomly generates a device label, calculates the device authentication key and the administrator personal identification number from the serial number SN and the application name AppName, and sends the device authentication key and the administrator personal identification number to the client;
AD. The client modifies the device label and the device authentication key in the smart key and creates a new application.
Method B comprises the following steps:
BB. The client acquires the serial number SN and the device label from the device information of the smart key, and sends the serial number SN, the device label, and the application name AppName to the server;
BC. The server calculates the device authentication key and the administrator personal identification number and sends them to the client.
Method C comprises the following steps:
CB. The client obtains the current device authentication key and administrator personal identification number;
CC. The client requests the server to calculate a new device label NewLabel, a new device authentication key NewDevAuthKey, and a new administrator personal identification number NewAdminPIN;
CD. The client updates the device label, the device authentication key, and the administrator personal identification number.
Further,
before step AB, the following step is performed:
the client uses the factory device authentication key to perform device authentication and connects to the smart key.
Further,
step AB comprises the following step:
the client calls the device information acquisition interface to obtain the device information of the smart key, and extracts the serial number SN from it.
Further,
in step AC, if the connection between the client and the server is a trusted channel, the following steps are performed:
The client sends the serial number SN and the application name AppName to the server;
the server generates a 32-byte random number as the first device label Label1, then concatenates Label1 and the serial number SN byte-wise to obtain the first data data1: data1 = Label1 || SN, where || denotes byte concatenation;
The server calls the server cipher machine and, using the SM2 key with key index index in the server cipher machine, imports the session key through the "import session key and decrypt with the internal elliptic curve encryption algorithm private key" interface, obtaining a session key handle;
the server calls the server cipher machine and, using the session key handle, encrypts the first data data1 with the SM4 encryption algorithm to obtain the first ciphertext C1;
The server calculates the SM3 hash of C1 || ID, S01 = SM3(C1 || ID), obtaining the 32-byte SM3 hash value S01, where ID is a fixed identification string of the information system or is empty, and the server is the server of the information system;
The server takes the first 16 bytes of S01 as the first device authentication key DevAuthKey1: DevAuthKey1 = S01[0:16]. Here each byte of a string D has an integer subscript, assigned in increasing order from the first byte to the last; D[m:n] denotes the bytes of D from subscript m (the starting subscript) to subscript n-1, where m and n are integers and m < n; the starting subscript in S01 is 0;
the server calculates S1 = SM3(S01 || AppName) and S2 = Base64(S1), obtaining the 44-byte printable string S2, where Base64(E) denotes converting the binary data E into 44 printable characters using Base64 encoding;
The server takes the first 16 bytes of the printable string S2 as the first administrator personal identification number AdminPIN1: AdminPIN1 = S2[0:16];
the server sends the first device label Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification number AdminPIN1 to the client;
the client modifies the device label to Label1 and the device authentication key to DevAuthKey1, and creates a new application using the first administrator PIN AdminPIN1 and the user personal identification number entered by the user.
Further,
in step AC, if the connection between the client and the server is an untrusted channel, the following steps are performed:
the client creates a new temporary application, whose temporary user personal identification number and temporary administrator personal identification number are randomly generated by the client;
the client creates a temporary container in the temporary application;
The client generates an elliptic curve cryptography signing key pair in the temporary container and exports the temporary signing public key TempSignPubKey of that key pair;
The client sends the serial number SN, the application name AppName and the temporary signing public key TempSignPubKey to the server;
The server generates a 32-byte random number as the second device label Label2, and concatenates Label2 and the serial number SN byte-wise to obtain the second data data2: data2 = Label2 || SN;
The server calls the server cipher machine and, using the SM2 key with key index index in the server cipher machine, imports the session key through the "import session key and decrypt with the internal elliptic curve encryption algorithm private key" interface, obtaining a session key handle;
the server calls the server cipher machine and, using the session key handle, encrypts the second data data2 with the SM4 encryption algorithm to obtain the second ciphertext C2;
The server calculates the SM3 hash of C2 || ID, S02 = SM3(C2 || ID), obtaining the 32-byte second SM3 hash value S02, where ID is a fixed identification string of the information system or is empty;
the server takes the first 16 bytes of S02 as the second device authentication key DevAuthKey2: DevAuthKey2 = S02[0:16];
The server calculates S11 = SM3(S02 || AppName) and S21 = Base64(S11), obtaining the 44-byte printable string S21;
The server takes the first 16 bytes of the printable string S21 as the second administrator personal identification number AdminPIN2: AdminPIN2 = S21[0:16];
The server generates a temporary session key TempSessionKey and, using TempSessionKey and the SM4 algorithm, encrypts the combined data Label2 || DevAuthKey2 || AdminPIN2 to obtain the encrypted data ENCRYPTEDDATA:
ENCRYPTEDDATA = SM4(TempSessionKey, Label2 || DevAuthKey2 || AdminPIN2), where SM4(K, D1) denotes the ciphertext obtained by encrypting data D1 with the SM4 encryption algorithm under key K;
The server generates an SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey) and encrypts the temporary session key TempSessionKey with the encryption public key TempEncPubKey to obtain the digital envelope EnvelopedSessionKey:
EnvelopedSessionKey = SM2(TempEncPubKey, TempSessionKey), where SM2(PubKey, D2) denotes the ciphertext obtained by encrypting data D2 with the SM2 encryption algorithm under the SM2 public key PubKey;
the server encrypts the encryption private key TempEncPrivateKey using the client's temporary signing public key TempSignPubKey, forming the elliptic curve encryption key pair protection structure EnvelopedKeyBlob;
The server sends the elliptic curve encryption key pair protection structure EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data ENCRYPTEDDATA to the client;
The client uses the import elliptic curve encryption key pair interface to import the protection structure EnvelopedKeyBlob into the temporary container;
The client uses the import session key interface to import the digital envelope EnvelopedSessionKey into the temporary container, obtaining a session key handle;
The client decrypts the encrypted data ENCRYPTEDDATA using the session key handle and the single-group data decryption interface to obtain the combined data Label2 || DevAuthKey2 || AdminPIN2, and splits it by data length into the second device label Label2, the second device authentication key DevAuthKey2 and the second administrator personal identification number AdminPIN2.
Further,
step AD comprises the following steps:
after the client obtains the first device label Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification number AdminPIN1, or the second device label Label2, the second device authentication key DevAuthKey2 and the second administrator personal identification number AdminPIN2, it modifies the device label and the device authentication key and creates a new application, as follows:
writing the first device label Label1 or the second device label Label2 into the device label string of the smart key;
modifying the device authentication key to the first device authentication key DevAuthKey1 or the second device authentication key DevAuthKey2 using the modify device authentication key interface;
creating a new application and setting its administrator personal identification number to the first administrator personal identification number AdminPIN1 or the second administrator personal identification number AdminPIN2, with the user personal identification number entered by the user;
and deleting the temporary application after the new application is created.
Further,
step BB comprises the following steps:
The client calls the device information acquisition interface to obtain the device information of the smart key, and extracts the serial number SN and the device label Label from it;
and the client sends the serial number SN, the device label Label and the application name AppName to the server.
Further,
step BC comprises the following steps:
The server calls the server cipher machine and, using the SM2 key with key index index, imports the SM2-encrypted ciphertext KEYCIPHER of the session key through the "import session key and decrypt with the internal elliptic curve encryption private key" interface, obtaining a session key handle;
The server calls the server cipher machine and encrypts Label || SN using the session key handle and the SM4 encryption algorithm to obtain the ciphertext C;
The server calculates the SM3 hash of C || ID, S03 = SM3(C || ID), obtaining the 32-byte third SM3 hash value S03;
the server takes the first 16 bytes of S03 as the third device authentication key DevAuthKey3: DevAuthKey3 = S03[0:16];
The server calculates SS1 = SM3(S03 || AppName) and SS2 = Base64(SS1), obtaining the 44-byte printable string SS2;
the server takes the first 16 bytes of the printable string SS2 as the third administrator personal identification number AdminPIN3: AdminPIN3 = SS2[0:16];
The server sends the third device authentication key DevAuthKey3 and the third administrator personal identification number AdminPIN3 to the client.
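The derivation shared by step AC (trusted channel) and step BC, written out as an added example; it is not code from the patent. Assumptions: the names HsmStandIn, derive, initialize and demo and all sample values are hypothetical, SM3 is implemented inline, and the cipher machine's SM4 encryption under the non-exportable session key is replaced by HMAC-SHA256 as a keyed, deterministic stand-in, because the page does not state the SM4 mode or padding.

```python
import base64
import hashlib
import hmac
import os
import struct

_M = 0xFFFFFFFF
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M


def sm3(msg: bytes) -> bytes:
    """Pure-Python SM3 hash, so the example needs no extra packages."""
    # Padding: 0x80, zero bytes, then the 64-bit big-endian bit length
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    v = list(_IV)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for j in range(16, 68):                      # message expansion
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):                          # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _M
            tt2 = (gg + h + ss1 + w[j]) & _M
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
        v = [p ^ q for p, q in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


class HsmStandIn:
    """Hypothetical stand-in for the server cipher machine.

    The session key stays inside this object, as it does behind a key handle.
    encrypt() is HMAC-SHA256, NOT SM4: a keyed deterministic substitute (assumption).
    """

    def __init__(self, session_key: bytes):
        self._key = session_key

    def random(self, n: int) -> bytes:
        return os.urandom(n)

    def encrypt(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


def derive(hsm, label: bytes, sn: bytes, app_name: bytes, system_id: bytes = b""):
    """Step BC: recompute (DevAuthKey, AdminPIN) from what the device reports."""
    c = hsm.encrypt(label + sn)                 # C  = Enc(session key, Label || SN)
    s0 = sm3(c + system_id)                     # S0 = SM3(C || ID), 32 bytes
    dev_auth_key = s0[:16]                      # DevAuthKey = S0[0:16]
    s2 = base64.b64encode(sm3(s0 + app_name))   # 44 printable characters
    return dev_auth_key, s2[:16].decode("ascii")  # AdminPIN = S2[0:16]


def initialize(hsm, sn: bytes, app_name: bytes, system_id: bytes = b""):
    """Step AC (also reused by step CC): fresh random label, then derive."""
    label = hsm.random(32)
    return (label,) + derive(hsm, label, sn, app_name, system_id)


def demo():
    # All values below are constructed for the example.
    hsm = HsmStandIn(session_key=bytes(range(16)))
    sn, app, sid = b"SN-CONSTRUCTED-0001", b"DemoApp", b"demo-info-system"
    label, key_a, pin_a = initialize(hsm, sn, app, sid)           # Method A
    key_b, pin_b = derive(hsm, label, sn, app, sid)               # Method B
    new_label, new_key, new_pin = initialize(hsm, sn, app, sid)   # Method C
    return {"label": label, "key_a": key_a, "pin_a": pin_a,
            "key_b": key_b, "pin_b": pin_b,
            "new_label": new_label, "new_key": new_key, "new_pin": new_pin}


if __name__ == "__main__":
    r = demo()
    print("DevAuthKey:", r["key_a"].hex(), "AdminPIN:", r["pin_a"])
    print("recomputed equal:", r["key_a"] == r["key_b"] and r["pin_a"] == r["pin_b"])
    print("rotated differs:", r["new_key"] != r["key_a"])
```

Because SN and Label can both be read from the device information, the secrecy of the two derived values rests on the session key held in the cipher machine; the server stores no per-device secret, and writing a new Label rotates both values at once.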
Further,
step CB is the same as steps BB to BC; through it the client obtains the current device authentication key, the fourth device authentication key DevAuthKey4, and the current administrator personal identification number, the fourth administrator PIN AdminPIN4.
Further,
step CC is the same as step AC; through it the client requests from the server the new device label NewLabel, the new device authentication key NewDevAuthKey, and the new administrator PIN NewAdminPIN.
Further,
step CD comprises the following steps:
The client uses the fourth device authentication key DevAuthKey4 to perform device authentication and, after authentication succeeds, uses the modify device authentication key interface to change the fourth device authentication key DevAuthKey4 to the new device authentication key NewDevAuthKey;
the client uses the modify PIN interface to change the fourth administrator PIN AdminPIN4 to the new administrator PIN NewAdminPIN;
the client uses the set device label interface to write the new device label NewLabel into the device label string of the smart key.
The invention also provides a management system for realizing the management method, which comprises a client, an intelligent password key and a server.
The invention also provides a computer device comprising a memory, a first processor and a first computer program stored on the memory and executable on the first processor, which when executed by the first processor implements the steps of the management method described above.
The present invention also provides a computer-readable storage medium storing a second computer program executable by at least one second processor to cause the at least one second processor to perform the steps of the above-described management method.
In the management method, the device authentication key and the administrator PIN are generated by the server and can be changed, which effectively avoids the problems of an insecure, easily leaked device authentication key and administrator PIN and greatly improves the security of using the smart key. The elements from which the device authentication key and the administrator PIN are generated come from the client, the smart key, the server and so on, which further improves security. To use the device authentication key and the administrator PIN, the user must first authenticate to the information system and then operate its client, so that the device authentication keys and administrator PINs of the smart keys used in the information system can be centrally managed and controlled effectively and securely.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a method of initializing a smart key in accordance with an embodiment of the present invention;
FIG. 2 illustrates a flow chart of a method of using a device authentication key and an administrator PIN in accordance with an embodiment of the present invention;
FIG. 3 illustrates a flow chart of a method of modifying a device authentication key and an administrator PIN in accordance with an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description of the application and the claims and the description of the drawings above are intended to cover a non-exclusive inclusion. The terms first, second, third and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. The term "plurality" as used herein refers to two or more (including two).
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The information system that uses the smart key comprises a client and a server. The client may be an executable program, a browser plug-in, or the like, and calls the smart key through the interfaces of GB/T 35291-2017, "Information security technology: Intelligent password key application interface specification". The server is the information system server; it calls the server cipher machine to perform encryption, decryption and other cryptographic services, and those calls follow GB/T 36322-2018, "Information security technology: Cryptographic device application interface specification".
Before the information system goes into operation, the server allocates to the information system an SM2 key with key index index on the server cipher machine, and calls the "generate session key and output it encrypted with the internal elliptic curve encryption algorithm (ECC) public key" interface (SDF_GenerateKeyWithIPK_ECC) to generate a session key and output its SM2-encrypted ciphertext KEYCIPHER (the ciphertext obtained by encrypting the session key with the SM2 public key). KEYCIPHER is saved to a database or to disk; that is, the session key is encrypted with the SM2 public key, then exported and stored in the database or on disk in ciphertext form. When the session key is needed, KEYCIPHER is imported into the cipher machine, decrypted there, and then used. The session key is used for data encryption and decryption and for message authentication code (MAC) operations, and is typically a 16-byte symmetric key such as an SM4 key.
A smart key may hold multiple applications, but in actual use a smart key generally has only one application created on it, so the present invention addresses the case in which one smart key holds only one application.
An embodiment of the invention provides a management method for managing the device authentication key and the administrator PIN of a smart key. The management method comprises:
Method A, a method for initializing the smart key, including setting the device authentication key, creating the application, and setting the administrator PIN;
Method B, a method for using the device authentication key and the administrator PIN;
Method C, a method for modifying the device authentication key and the administrator PIN.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
And the user of the information system uses the factory-set intelligent password key to perform the initialization operation of the intelligent key at the client, the operation sets the equipment authentication key for the intelligent password key, establishes the application with the application name of AppName, and sets the manager PIN and the user PIN of the application. Wherein the device authentication key and the administrator PIN are generated by the information system and the user PIN is entered by the user.
FIG. 1 illustrates a flow chart of a method of initializing a smart key of the present invention. Referring to fig. 1, the method a relates to a serial number (SerialNumber, SN) in device information of a smart key, a device Label (Label) and a key of a server cryptographic machine, and specifically, the method for initializing the smart key includes:
AA. The client uses the factory equipment authentication key to carry out equipment authentication (namely authentication of the intelligent password key to the application program) and is connected with the intelligent key;
AB. The client acquires the equipment information in the intelligent password key and takes out a serial number SN in the equipment information, and the method comprises the following steps:
The client calls an equipment information acquisition interface (SKF_ GetDevInfo interface) to acquire equipment information of the intelligent key, and extracts a serial number SN in the equipment information, wherein the serial numbers are written in by manufacturers and are generally different from each other, and the equipment information comprises a version number, equipment manufacturer information, equipment release information, equipment labels, serial numbers and the like;
AC. The server randomly generates a device tag, calls a server cipher machine, calculates a device authentication key and an administrator PIN for the client according to a serial number SN and an application name AppName, and then sends the device tag to the client, and comprises the following steps:
ACa, if the connection between the client and the server is a trusted channel, executing the following steps:
ACa1, the client sends a serial number SN and an application name AppName to the server;
ACa2, the server generates a 32-byte random number as the first device Label1, and then byte-splices the first device Label1 with the serial number SN to obtain the first data1:
data1 = Label1||SN,
In the invention, this 32-byte random number is generated by the server calling the server cipher machine and is stored in the Label field of the device information of the smart key; the server does not store the random number;
ACa3, the server calls the server cipher machine and, using the SM2 key at key index index in the server cipher machine, imports the session key through the internal ECC private key decryption interface (SDF_ImportKeyWithISK_ECC interface) and obtains the session key handle. The specific process is as follows: after index and the SM2-encrypted ciphertext KEYCIPHER are passed to the SDF_ImportKeyWithISK_ECC interface, the server cipher machine decrypts the SM2-encrypted ciphertext KEYCIPHER with the SM2 private key at key index index to obtain the session key, stores the session key in the server cipher machine, generates a session key handle, and returns the session key handle to the caller. The caller cannot obtain the session key directly. When the caller needs to encrypt, it sends the data to be encrypted and the session key handle to the server cipher machine; the server cipher machine encrypts the data to obtain the ciphertext and sends the ciphertext back to the caller;
ACa4, the server calls the server cipher machine and, using the session key handle, encrypts the first data1 with the SM4 encryption algorithm to obtain the first ciphertext C1;
ACa5, the server calculates the first SM3 hash value S01 = SM3(C1||ID) of C1||ID to obtain a 32-byte SM3 hash value S01, wherein ID is a fixed identification character string of the information system and can also be null; for the calculation of the hash value, refer to 7.6.40-7.6.43 of GB/T 35291-2017;
ACa6, the server takes the first 16 bytes of the SM3 hash value S01 as the first device authentication key DevAuthKey1: DevAuthKey1 = S01[0:16]. Each byte of a character string D carries an integer subscript, assigned in increasing order from the front of D to the back; D[m:n] denotes the bytes of D from subscript m (the initial subscript) to subscript n-1, where m and n are integers and m < n; the initial subscript in S01 is 0;
for example, if the 32-byte SM3 hash value S01 is {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f}, then DevAuthKey1 = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f}.
ACa7, the server calculates S1 = SM3(S01||AppName) and S2 = Base64(S1), obtaining a 44-byte printable string S2, where Base64(E) denotes converting binary data E into printable characters, i.e. bytes, using Base64 encoding.
For example, if S1 is {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f},
S2=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=;
ACa8, the server takes the first 16 bytes of S2 as the first administrator PIN AdminPIN1: AdminPIN1 = S2[0:16];
ACa9, the server sends the first device Label1, the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1 to the client;
ACa10, the client modifies the first device Label1 and the first device authentication key DevAuthKey1, and creates a new application using the first administrator PIN AdminPIN1 and the user PIN entered by the user. The modification changes the original device tag in the smart key to the first device Label1 and the original device authentication key in the smart key to the first device authentication key DevAuthKey1. The idea of the invention is that the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1 are calculated from the first device Label1, the serial number SN and the session key. The first device Label1 is stored on the UKey whose serial number is SN, and the session key is stored (encrypted) on the server. Whenever the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1 are to be used, the client must have them calculated on demand through the server.
Note that if the channel between the client and the server is trusted, the SM4 key of the server cipher machine is held as the SM2-encrypted ciphertext of the session key, which is output by the internal ECC public key encryption output interface (SDF_GenerateKeyWithIPK_ECC interface) after the server calls the cipher machine to generate the session key. When the SM4 key is needed, this SM2-encrypted ciphertext is imported into the cipher machine for use: the server cipher machine imports the session key through the internal ECC private key decryption interface (SDF_ImportKeyWithISK_ECC interface) and obtains a session key handle, and SM4 encryption and decryption are then invoked through the session key handle.
ACb, if the connection between the client and the server is an untrusted channel, executing the following steps:
ACb1, the client establishes a new temporary application, and the temporary user PIN and the temporary administrator PIN of the temporary application are randomly generated by the client;
ACb2, the client uses the temporary application to establish a temporary container;
ACb3, the client generates an ECC signing key pair in the temporary container and outputs a temporary signing public key TempSignPubKey of the ECC signing key pair;
ACb4, the client sends the serial number SN, the application name AppName and the temporary signature public key TempSignPubKey to the server;
ACb5, the server generates a 32-byte random number as the second device Label2, and byte-splices Label2 with the serial number SN to obtain the second data2: data2 = Label2||SN;
ACb6, the same as step ACa3 above: the server calls the server cipher machine and, using the SM2 key at key index index in the server cipher machine, imports the session key through the internal ECC private key decryption interface (SDF_ImportKeyWithISK_ECC interface) and obtains the session key handle;
ACb7, the server calls the server cipher machine and, using the session key handle, encrypts the second data2 with the SM4 encryption algorithm to obtain the second ciphertext C2;
ACb8, the server calculates the second SM3 hash value S02 = SM3(C2||ID) of C2||ID and obtains a 32-byte second SM3 hash value S02, where ID is a fixed identification string of the information system and may also be null;
ACb9, the server takes the first 16 bytes of the second SM3 hash value S02 as the second device authentication key DevAuthKey2: DevAuthKey2 = S02[0:16];
ACb10, the server calculates S11 = SM3(S02||AppName) and S21 = Base64(S11), obtaining a 44-byte printable string S21;
ACb11, the server takes the first 16 bytes of S21 as the second administrator PIN: AdminPIN2 = S21[0:16];
ACb12, the server generates a temporary session key TempSessionKey and encrypts the combined data Label2||DevAuthKey2||AdminPIN2 using the temporary session key TempSessionKey and the SM4 algorithm to obtain the encrypted data EncryptedData:
EncryptedData = SM4(TempSessionKey, Label2||DevAuthKey2||AdminPIN2);
Here, SM4(K, D1) represents the ciphertext obtained by encrypting data D1 with key K using the SM4 encryption algorithm; the SM4 algorithm is described in GB/T 32907-2016 "Information security technology SM4 block cipher algorithm". The ciphertext EncryptedData is a binary string.
ACb13, the server generates an SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey) and encrypts the temporary session key TempSessionKey using the encryption key TempEncPubKey therein to obtain the digital envelope EnvelopedSessionKey:
EnvelopedSessionKey = SM2(TempEncPubKey, TempSessionKey);
Here, SM2(PubKey, D2) represents the ciphertext obtained by encrypting data D2 with the SM2 public key PubKey using the SM2 encryption algorithm; see GB/T 32918.4-2016 "Information security technology SM2 elliptic curve public key cryptographic algorithm, Part 4: Public key encryption algorithm". The ciphertext EnvelopedSessionKey is a binary string.
ACb14, the server encrypts the encryption key TempEncPrivateKey using the client's temporary signature public key TempSignPubKey and assembles the ECC encryption key (elliptic curve encryption key) pair protection structure EnvelopedKeyBlob.
The protection structure and the encryption process of the ECC encryption key pair are described in section 6.4.10 of GB/T 35291-2017 "Information security technology: Intelligent password key application interface specification".
ACb15, the server sends the ECC encryption key pair protection structure EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data EncryptedData to the client;
ACb16, the client uses the import ECC key pair interface (SKF_ImportECCKeyPair interface) to import the ECC key pair protection structure EnvelopedKeyBlob into the temporary container;
ACb17, the client uses the import session key interface (SKF_ImportSessionKey interface) to import the digital envelope EnvelopedSessionKey into the temporary container and obtain a session key handle;
ACb18, the client uses the session key handle and the single-group data decryption interface to decrypt the encrypted data EncryptedData, obtaining the combined data Label2||DevAuthKey2||AdminPIN2, and splits it according to the data lengths to obtain Label2, DevAuthKey2 and AdminPIN2 respectively.
In summary, if the channel between the server and the client is not secure, the client needs to establish a temporary application and a temporary container in the intelligent cipher key, generate an SM2 temporary signing key, and send the SM2 temporary signing key, SN and AppName to the server. The server encrypts the SM2 temporary encryption key that it generates using the SM2 temporary signing key, encrypts the temporary session key using the SM2 temporary encryption key, and encrypts the Label2, DevAuthKey2 and AdminPIN2 data that it generates using the temporary session key, so that eavesdropping on the channel can be prevented.
AD. After the client obtains the first device Label1, the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1, or the second device Label2, the second device authentication key DevAuthKey2 and the second administrator PIN AdminPIN2, it modifies the device label and the device authentication key in the smart key and establishes a new application, comprising the following steps:
AD1, writing the first device Label1 or the second device Label2 into the device label string of the smart key using the set device label interface (SKF_SetLabel interface);
AD2, using the modify device authentication key interface (SKF_ChangeDevAuthKey interface), modifying the device authentication key to the first device authentication key DevAuthKey1 or the second device authentication key DevAuthKey2;
AD3, establishing a new application, setting the administrator PIN to the first administrator PIN AdminPIN1 or the second administrator PIN AdminPIN2, with the user PIN entered by the user;
AD4, if the connection between the client and the server is an untrusted channel, deleting the temporary application.
AE. The initialization setting of the smart key is completed.
Fig. 2 is a flow chart of a method of using the device authentication key and administrator PIN of the present invention. Referring to fig. 2, the method B, i.e., the method for using the device authentication key and the administrator PIN, includes the steps of:
BA. A user submits a request at the client, and the request is approved by an information system administrator;
BB. The client acquires the serial number SN and the device Label in the device information, and sends the serial number SN, the device Label and the application name AppName to the server, comprising the following steps:
BB1, the client calls the device information acquisition interface (SKF_GetDevInfo interface) to acquire the device information of the smart key, and takes out the serial number SN and the device Label in the device information;
BB2, the client sends the serial number SN, the device Label and the application name AppName to the server;
BC. The server calculates the device authentication key and the administrator personal identification code (PIN) and sends the administrator personal identification code to the client, comprising the following steps:
BC1, the server calls the server cipher machine and, using the SM2 key with a key index of index, imports the SM2-encrypted ciphertext KEYCIPHER of the session key through the internal ECC private key decryption interface (SDF_ImportKeyWithISK_ECC interface) to obtain a session key handle;
BC2, the server calls the server cipher machine and encrypts Label||SN using the session key handle and the SM4 encryption algorithm to obtain ciphertext C;
BC3, the server calculates the third SM3 hash value S03 = SM3(C||ID) of C||ID to obtain a 32-byte third SM3 hash value S03;
BC4, the server takes the first 16 bytes of the third SM3 hash value S03 as the third device authentication key DevAuthKey3: DevAuthKey3 = S03[0:16];
BC5, the server calculates SS1 = SM3(S03||AppName) and SS2 = Base64(SS1) to obtain a 44-byte printable string SS2;
BC6, the server takes the first 16 bytes of SS2 as the third administrator PIN AdminPIN3: AdminPIN3 = SS2[0:16];
BC7, the server sends the third device authentication key DevAuthKey3 and the third administrator PIN AdminPIN3 to the client.
Fig. 3 is a flow chart of a method of modifying a device authentication key and an administrator PIN of the present invention. Referring to fig. 3, the method C, i.e., the modification method of the device authentication key and the administrator PIN, includes the steps of:
CA. A user submits a request at the client, and the request is approved by an information system administrator;
CB. As in steps BB-BC above, the client obtains the current DevAuthKey (referred to as the fourth device authentication key DevAuthKey4) and the current administrator PIN (referred to as the fourth administrator PIN AdminPIN4).
CC. In the same way as step AC above, the client applies to the server for the new device tag NewLabel, the new device authentication key NewDevAuthKey and the new administrator PIN NewAdminPIN;
CD. The client updates the device tag, the device authentication key and the administrator personal identification code, including:
CD1, the client uses the fourth device authentication key DevAuthKey4 to perform device authentication; after authentication succeeds, the client uses the modify device authentication key interface (SKF_ChangeDevAuthKey interface) to change the fourth device authentication key DevAuthKey4 to the new device authentication key NewDevAuthKey;
CD2, the client uses the modify PIN interface (SKF_ChangePIN interface) to change the fourth administrator PIN AdminPIN4 in the smart key to the new administrator PIN NewAdminPIN;
CD3, the client uses the set device tag interface (SKF_SetLabel interface) to write the new device tag NewLabel into the device tag string of the smart key.
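The derivation in steps ACa2 to ACa8, its recomputation in steps BC2 to BC6 and the rotation in Method C can be traced end to end with the following added example, which is not code from the patent. SM3 is implemented inline; the cipher machine's SM4 encryption is replaced by a labelled stand-in, and the session key, SN, AppName and ID values are constructed for the example.

```python
import base64
import os
import struct

# SM3 (GB/T 32905-2016) in pure Python, so the example runs without an HSM or extra packages.
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
MASK = 0xFFFFFFFF


def rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def sm3(msg: bytes) -> bytes:
    # Padding: 0x80, zero bytes, then the 64-bit big-endian bit length.
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    v = list(IV)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for j in range(16, 68):  # message expansion
            x = w[j - 16] ^ w[j - 9] ^ rotl(w[j - 3], 15)
            w.append(x ^ rotl(x, 15) ^ rotl(x, 23) ^ rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression rounds
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = rotl((rotl(a, 12) + e + rotl(t, j)) & MASK, 7)
            ss2 = ss1 ^ rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g & MASK)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK
            tt2 = (gg + h + ss1 + w[j]) & MASK
            a, b, c, d = tt1, a, rotl(b, 9), c
            e, f, g, h = tt2 ^ rotl(tt2, 9) ^ rotl(tt2, 17), e, rotl(f, 19), g
        v = [p ^ q for p, q in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


def hsm_encrypt_stand_in(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher machine's SM4 call made with the session key handle.

    NOT SM4: an SM3-derived keystream, chosen only to keep the example offline.
    It is deterministic, which Method B relies on to reproduce ciphertext C.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = sm3(session_key + struct.pack(">I", i // 32))
        out += bytes(p ^ q for p, q in zip(data[i:i + 32], stream))
    return bytes(out)


def dev_auth_key_from(s0: bytes) -> bytes:
    return s0[0:16]                                    # DevAuthKey = S0[0:16]


def admin_pin_from(s1: bytes) -> str:
    s2 = base64.b64encode(s1)                          # 44 printable bytes for a 32-byte hash
    return s2[0:16].decode("ascii")                    # AdminPIN = S2[0:16]


def derive(label: bytes, sn: bytes, app_name: bytes, system_id: bytes, session_key: bytes):
    """Steps ACa2-ACa8 / BC2-BC6: returns (DevAuthKey, AdminPIN)."""
    c = hsm_encrypt_stand_in(session_key, label + sn)  # C = Enc(Label || SN)
    s0 = sm3(c + system_id)                            # S0 = SM3(C || ID)
    s1 = sm3(s0 + app_name)                            # S1 = SM3(S0 || AppName)
    return dev_auth_key_from(s0), admin_pin_from(s1)


def demo():
    # All values below are constructed for this example.
    session_key = bytes(range(16))                     # on the page this never leaves the HSM
    sn = b"SN-EXAMPLE-0001".ljust(32, b"\x00")
    app, system_id = b"AppName", b"EXAMPLE-SYSTEM-ID"
    label1 = os.urandom(32)                            # Method A: random label, written to the token
    issued = derive(label1, sn, app, system_id, session_key)
    recomputed = derive(label1, sn, app, system_id, session_key)       # Method B: from Label + SN
    rotated = derive(os.urandom(32), sn, app, system_id, session_key)  # Method C: new label
    other_app = derive(label1, sn, b"OtherApp", system_id, session_key)
    return {"issued": issued, "recomputed": recomputed, "rotated": rotated, "other_app": other_app}


if __name__ == "__main__":
    for name, (key, pin) in demo().items():
        print(f"{name:11s} DevAuthKey={key.hex()} AdminPIN={pin}")
```

The other_app result shows a property of the formulas as written: AppName enters only S1, so two applications on the same token and label share one DevAuthKey and differ only in the administrator PIN.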
The invention also provides a management system for managing the authentication key of the intelligent password key device and the PIN of the manager, wherein the management system is used for realizing the management method and comprises a client, the intelligent password key and a server.
The invention also provides a computer device comprising a storage, a first processor and a first computer program stored on the storage and capable of running on the first processor, wherein the first computer program realizes the management method when being executed by the first processor.
The present invention also provides a computer-readable storage medium storing a second computer program executable by at least one second processor to cause the at least one second processor to perform the above-described management method.
In the management method, the device authentication key and the administrator PIN are generated by the server and can be changed, which effectively avoids the problem of device authentication keys and administrator PINs being insecure and easily leaked, and greatly improves the security of using the intelligent password key. The elements from which the device authentication key and the administrator PIN are generated come from the client, the intelligent password key, the server and so on, which further improves security. When the device authentication key and the administrator PIN are used, the client of the information system can be operated only after identity authentication to the information system, so that the device authentication keys and administrator PINs of the intelligent password keys used in the information system can be centrally managed and controlled effectively and securely.
Although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
1. The management method is characterized by comprising one or more of the following methods:
The method A, the method for initializing the intelligent cipher key, including setting up the equipment authentication key and setting up the personal identification code of the administrator;
the method B, the equipment authentication key and the method for using the personal identification code of the administrator;
Method C, a method of modifying the device authentication key and the administrator personal identification code,
Wherein,
The method A comprises the following steps:
AB. The client acquires the equipment information in the intelligent password key and takes out a serial number SN in the equipment information;
AC. The server randomly generates a device label, calculates the device authentication key and the personal identity of the manager according to the serial number SN and the application name AppName, and then sends the device authentication key and the personal identity of the manager to the client;
AD. The client modifies the device tag and the device authentication key in the smart key, establishes a new application,
The method B comprises the following steps:
BB. The client acquires a serial number SN and an equipment tag in the equipment information in the intelligent password key, and sends the serial number SN, the equipment tag and an application name AppName to the server;
BC. The server calculates the equipment authentication key and the personal identification code of the manager and sends the equipment authentication key and the personal identification code of the manager to the client,
The method C comprises the following steps:
CB. The client acquires a current equipment authentication key and an administrator personal identification code;
CC. The client applies for calculation to the server to obtain a new device tag NewLabel, a new device authentication key NewDevAuthKey and a new administrator personal identification code NEWADMINPIN;
CD. The client updates the equipment tag, the equipment authentication key and the administrator personal identification code;
in the step AC, if the connection between the client and the server is a trusted channel, the following steps are executed:
The client sends the serial number SN and the application name AppName to the server;
the server generates a 32-byte random number as a first device Label1, and then performs byte splicing on the first device Label1 and the serial number SN to obtain first data1: data1 = Label1||SN, where || represents concatenation of bytes;
The server calls a server cipher machine and, using an SM2 key with a key index of index in the server cipher machine, imports a session key through the interface for importing a session key and decrypting it with the internal elliptic curve encryption algorithm private key, and obtains a session key handle;
the server calls the server cipher machine, uses the session key handle, encrypts the first data1 by using an SM4 encryption algorithm, and obtains a first ciphertext C1;
The server calculates a first SM3 hash value S01 = SM3(C1||ID) of C1||ID to obtain a 32-byte SM3 hash value S01, wherein the ID is a fixed identification character string of an information system or null, and the server is a server of the information system;
The server takes the first 16 bytes of the SM3 hash value S01 as a first device authentication key DevAuthKey1: DevAuthKey1 = S01[0:16], wherein each byte constituting a character string D is provided with a subscript (being an integer), the subscripts marking the bytes of the character string D sequentially from front to back in increasing order, D[m:n] represents taking the bytes of the character string D from the subscript m (initial subscript) to the subscript n-1, m and n are integers with m < n, and the initial subscript in S01 is 0;
the server calculates S1 = SM3(S01||AppName) and S2 = Base64(S1), so as to obtain a 44-byte printable string S2, where Base64(E) represents converting binary data E into 44 printable characters using Base64 coding;
The server takes the first 16 bytes of the printable string S2 as the first administrator personal identification code AdminPIN1: AdminPIN1 = S2[0:16];
the server sends the first device Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification code AdminPIN1 to the client;
the client modifies the first device Label1 and the first device authentication key DevAuthKey1 and establishes a new application using the first administrator PIN AdminPIN1 and the user personal identification code entered by the user;
In the step AC, if the connection between the client and the server is an untrusted channel, the following steps are executed:
the client establishes a new temporary application, and a temporary user personal identification code and a temporary manager personal identification code of the temporary application are randomly generated by the client;
the client establishes a temporary container by using the temporary application;
The client generates an elliptic curve cryptography algorithm signing key pair in the temporary container and outputs a temporary signing public key TempSignPubKey in the elliptic curve cryptography algorithm signing key pair;
The client sends the serial number SN, the application name AppName and the temporary signature public key TempSignPubKey to the server;
The server generates a 32-byte random number as a second device Label2, and performs byte splicing on the second device Label2 and the serial number SN to obtain second data2: data2 = Label2||SN;
The server calls a server cipher machine and, using an SM2 key with a key index of index in the server cipher machine, imports a session key through the interface for importing a session key and decrypting it with the internal elliptic curve encryption algorithm private key, and obtains a session key handle;
the server calls the server cipher machine, uses the session key handle, and encrypts the second data2 by using an SM4 encryption algorithm to obtain a second ciphertext C2;
The server calculates a second SM3 hash value S02 = SM3(C2||ID) of C2||ID to obtain a second SM3 hash value S02 of 32 bytes, wherein the ID is a fixed identification character string of an information system or null;
the server takes the first 16 bytes of the second SM3 hash value S02 as a second device authentication key DevAuthKey2: DevAuthKey2 = S02[0:16];
The server calculates S11 = SM3(S02||AppName) and S21 = Base64(S11), to obtain a 44-byte printable string S21;
The server takes the first 16 bytes of the printable string S21 as the second administrator personal identification code: AdminPIN2 = S21[0:16];
The server generates a temporary session key TempSessionKey, encrypts the combined data Label2||DevAuthKey2||AdminPIN2 by using the temporary session key TempSessionKey and an SM4 algorithm to obtain encrypted data EncryptedData:
EncryptedData = SM4(TempSessionKey, Label2||DevAuthKey2||AdminPIN2), wherein SM4(K, D1) represents ciphertext obtained by encrypting data D1 using an SM4 encryption algorithm using a secret key K;
The server generates an SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey), encrypts the temporary session key TempSessionKey using the encryption key TempEncPubKey therein to obtain digital envelope EnvelopedSessionKey:
EnvelopedSessionKey = SM2(TempEncPubKey, TempSessionKey), wherein SM2(PubKey, D2) represents a ciphertext obtained by encrypting data D2 using an SM2 encryption algorithm using an SM2 public key PubKey;
the server encrypts the encryption key TempEncPrivateKey by using the temporary signature public key TempSignPubKey of the client and forms an elliptic curve encryption key pair protection structure EnvelopedKeyBlob;
The server sends the elliptic curve encryption key pair protection structure EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data EncryptedData to the client;
The client uses an import elliptic curve encryption key pair interface to import the elliptic curve encryption key pair protection structure EnvelopedKeyBlob into the temporary container;
The client uses an import session key interface to import the digital envelope EnvelopedSessionKey into the temporary container and obtain a session key handle;
The client decrypts the encrypted data EncryptedData by using the session key handle and a single-group data decryption interface to obtain combined data Label2||DevAuthKey2||AdminPIN2, and respectively intercepts and obtains the second device Label2, the second device authentication key DevAuthKey2 and the second administrator personal identification code AdminPIN2 according to the data length;
the step BC comprises the following steps:
The server calls a server cipher machine and, using an SM2 key with a key index of index, imports the SM2 encrypted ciphertext KEYCIPHER of the session key through an internal elliptic curve encryption private key decryption interface to obtain a session key handle;
The server calls the server cipher machine, encrypts Label||SN by using the session key handle and SM4 encryption algorithm to obtain ciphertext C;
The server calculates a third SM3 hash value S03 = SM3(C||ID) of C||ID to obtain a 32-byte third SM3 hash value S03;
the server takes the first 16 bytes of the third SM3 hash value S03 as a third device authentication key DevAuthKey3: DevAuthKey3 = S03[0:16];
The server calculates SS1 = SM3(S03||AppName) and SS2 = Base64(SS1), and obtains a 44-byte printable string SS2;
the server takes the first 16 bytes of the printable string SS2 as the third administrator personal identification code AdminPIN3: AdminPIN3 = SS2[0:16];
the server sends the third device authentication key DevAuthKey3 and the third administrator personal identification code AdminPIN3 to the client;
step CB is the same as steps BB to BC, and the client obtains the current device authentication key, namely the fourth device authentication key DevAuthKey4, and the current administrator personal identification code, namely the fourth administrator PIN AdminPIN4;
The step CC is the same as the step AC, and the client applies for calculation to the server to obtain a new device tag NewLabel, a new device authentication key NewDevAuthKey and a new administrator personal identification code NewAdminPIN;
the step CD comprises the following steps:
The client uses the fourth device authentication key DevAuthKey4 to carry out device authentication, and after the authentication is successful, the client uses a device authentication key modification interface to modify the fourth device authentication key DevAuthKey4 into the new device authentication key NewDevAuthKey;
the client uses a modify PIN interface to modify the fourth administrator PIN AdminPIN4 to a new administrator PIN NewAdminPIN;
the client uses a set device tag interface to write the new device tag NewLabel into the device tag string of the smart key.
2. The method of claim 1, wherein,
Before said step AB, the following steps are performed:
and the client uses the factory equipment authentication key to carry out equipment authentication and is connected with the intelligent key.
3. The method of claim 2, wherein,
The step AB comprises the following steps:
and the client calls an equipment information acquisition interface to acquire the equipment information of the intelligent key, and takes out a serial number SN in the equipment information.
4. The method of claim 1, wherein,
The step AD comprises the following steps:
after the client obtains the first device Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification code AdminPIN1, or the second device Label2, the second device authentication key DevAuthKey2 and the second administrator personal identification code AdminPIN2, the device Label and the device authentication key are modified to establish a new application, which includes the following steps:
writing the first device Label1 or the second device Label2 into a character string of the device Label of the intelligent key;
modifying the device authentication key to the first device authentication key DevAuthKey1 or the second device authentication key DevAuthKey2 using a modified device authentication key interface;
Establishing a new application, and setting the personal identity code of the administrator as the first administrator personal identification code AdminPIN1 or the second administrator personal identification code AdminPIN2, wherein the personal identity code of the user is input by the user;
and deleting the temporary application after the new application is established.
5. The method of claim 4, wherein,
The step BB comprises the following steps:
The client calls an equipment information acquisition interface to acquire equipment information of the intelligent key, and takes out a serial number SN and an equipment Label Label in the equipment information;
and the client sends the serial number SN, the equipment Label Label and the application name AppName to the server.
6. The management system for implementing the management method according to any one of claims 1 to 5, which is characterized by comprising a client, an intelligent password key and a server.
7. Computer device comprising a memory, a first processor and a first computer program stored on the memory and executable on the first processor, characterized in that the first computer program when executed by the first processor realizes the steps of the management method according to any of claims 1-5.
8. Computer readable storage medium, characterized in that a second computer program is stored, which second computer program is executable by at least one second processor to cause the at least one second processor to perform the steps of the management method according to any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210138256.3A CN114422261B (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210138256.3A CN114422261B (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114422261A CN114422261A (en) | 2022-04-29 |
CN114422261B CN114422261B (en) | 2024-06-07 |
Family
ID=81260696
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210138256.3A Active CN114422261B (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114422261B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115022057A (en) * | 2022-06-13 | 2022-09-06 | 中信百信银行股份有限公司 | Security authentication method, device and equipment and storage medium |
CN115062330B (en) * | 2022-08-18 | 2022-11-11 | 麒麟软件有限公司 | TPM-based intelligent password key password application interface implementation method |
CN117155709B (en) * | 2023-10-30 | 2024-01-26 | 翼方健数(北京)信息科技有限公司 | Multi-party identity authentication method, system and medium using hardware security key |
CN117411643B (en) * | 2023-12-11 | 2024-02-27 | 四川省数字证书认证管理中心有限公司 | PIN code security system and method for on-line UKEY |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007121641A1 (en) * | 2006-04-24 | 2007-11-01 | Beijing E-Henxen Authentication Technologies Co., Ltd. | A cpk credibility authentication system using chip |
CN101872399A (en) * | 2010-07-01 | 2010-10-27 | 武汉理工大学 | Dynamic digital copyright protection method based on dual identity authentication |
CN109067766A (en) * | 2018-08-30 | 2018-12-21 | 郑州云海信息技术有限公司 | A kind of identity identifying method, server end and client |
CN109728909A (en) * | 2019-03-21 | 2019-05-07 | 郑建建 | Identity identifying method and system based on USBKey |
Also Published As
Publication number | Publication date |
---|---|
CN114422261A (en) | 2022-04-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114422261B (en) | Management method, management system, computer device, and computer-readable storage medium | |
CN107579819B (en) | A kind of SM9 digital signature generation method and system | |
CN110881048B (en) | Safety communication method and device based on identity authentication | |
CN111464301B (en) | Key management method and system | |
CN109379387B (en) | Safety certification and data communication system between Internet of things equipment | |
CN101399666A (en) | Safety control method and system for digital certificate of file | |
CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
CN109617677A (en) | Code key based on symmetric cryptography loses method for retrieving and relevant device | |
CN103618705A (en) | Personal code managing tool and method under open cloud platform | |
CN107809311A (en) | The method and system that a kind of unsymmetrical key based on mark is signed and issued | |
CN115499118A (en) | Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium | |
WO2024012517A1 (en) | End-to-end data transmission method, and device and medium | |
CN110912686A (en) | Secure channel key negotiation method and system | |
CN113726733B (en) | Encryption intelligent contract privacy protection method based on trusted execution environment | |
CN114338648A (en) | SFTP multi-terminal file secure transmission method and system based on state cryptographic algorithm | |
CN108390755B (en) | Safety input method of SIM (subscriber identity Module) film-pasting card based on built-in safety chip | |
CN113055376A (en) | Block chain data protection system | |
Homoliak et al. | An air-gapped 2-factor authentication for smart-contract wallets | |
Sandoval et al. | Pakemail: authentication and key management in decentralized secure email and messaging via pake | |
GB2530084A (en) | Key usage detection | |
CN114154181A (en) | Privacy calculation method based on distributed storage | |
CN103916237B (en) | Method and system for managing user encrypted-key retrieval | |
CN113722741A (en) | Data encryption method and device and data decryption method and device | |
CN101834852B (en) | Realization method of credible OpenSSH for protecting platform information | |
CN114285557B (en) | Communication decryption method, system and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |