CN109586920A - A trusted authentication method and device - Google Patents

Info

Publication number
CN109586920A
Authority
CN
China
Prior art keywords
measurement value
trusted device
ciphertext
verification
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811477343.1A
Other languages
Chinese (zh)
Inventor
郑驰
梁思谦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang High Hung Principal (zhejiang) Mdt Infotech Ltd
Original Assignee
Datang High Hung Principal (zhejiang) Mdt Infotech Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Datang High Hung Principal (zhejiang) Mdt Infotech Ltd
Priority to CN201811477343.1A
Publication of CN109586920A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/126 Applying verification of the received information the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a trusted authentication method and device for verifying a trusted device that is configured with a trusted computing module. The method includes: when the trusted device powers on and builds the chain of trust by measuring stage by stage, the measurement value of the measured data at each stage is calculated with the national cryptographic SM3 algorithm; the measurement value is stored in the PCR register of the trusted computing module; afterwards, the trusted device and an authentication server use national cryptographic algorithms to verify the integrity of the trusted device according to the measurement value. By using national cryptographic algorithms for chain-of-trust construction and trusted authentication of the trusted device, the invention can guarantee the security and controllability of the trusted device.

Description

A trusted authentication method and device
Technical field
The present invention relates to the field of trusted computing technology, and in particular to a trusted authentication method and device.
Background
With the rapid development of information technologies such as big data and cloud computing, the state and society depend increasingly on information technology, and information security technology for processing sensitive data such as private and classified data has always been a research focus.
Trusted computing technology is based on a trusted computing platform. It uses the trusted computing module as the root of trust and establishes a chain of trust starting from the hardware level to build a trusted computing environment, which is an effective way to improve information security. At present, the chain-of-trust construction process is usually implemented with international cryptographic algorithms. The national cryptographic algorithms are a set of cryptographic algorithms independently developed in China (including the SM1, SM2, SM3 and SMS4 algorithms). Given China's requirements for graded protection of information security and for compliance, building the chain of trust on national cryptographic algorithms is very necessary in order to improve the security and controllability of the chain of trust.
Summary of the invention
In view of this, the object of the invention is to propose a trusted authentication method and device that build the chain of trust and verify the trusted device based on national cryptographic algorithms, guaranteeing the security and controllability of the trusted device.
To this end, the present invention provides a trusted authentication method applied to a trusted device configured with a trusted computing module. The method includes:
Building the chain of trust: when the trusted device powers on and builds the chain of trust by measuring stage by stage, the measurement value of the measured data at each stage is calculated with the national cryptographic SM3 algorithm, and the measurement value is stored in the PCR register of the trusted computing module.
Optionally, the measurement value is stored in the PCR register using the PCR extend method.
Optionally, the method further includes:
After the trusted device has started, sending an integrity verification request to an authentication server;
Receiving the random number that the authentication server generates using the national cryptographic SM3 algorithm;
Reading the measurement value from the PCR register and, with the random number as the symmetric key, encrypting the measurement value with the national cryptographic SM4 algorithm to generate a ciphertext measurement value;
Based on a public/private key pair of the national cryptographic SM2 algorithm generated by the trusted computing module, calculating a first digest value of the ciphertext measurement value with the national cryptographic SM3 algorithm, and encrypting the first digest value with the private key to generate the digital signature of the ciphertext measurement value;
Sending verification information comprising the public key, the ciphertext measurement value and the digital signature to the authentication server, which verifies the integrity of the trusted device according to the verification information.
An embodiment of the present invention also provides a trusted authentication method applied to an authentication server, including:
Receiving the integrity verification request sent by a trusted device;
Generating a random number using the national cryptographic SM3 algorithm and sending the random number to the trusted device;
Receiving the verification information sent by the trusted device, which comprises a public key, a ciphertext measurement value and a digital signature, and parsing the public key, the ciphertext measurement value and the digital signature from it;
Decrypting the digital signature with the public key to generate a second digest value of the ciphertext measurement value, and calculating the first digest value of the ciphertext measurement value with the national cryptographic SM3 algorithm;
Comparing the first digest value with the second digest value; if they are inconsistent, sending an integrity-verification-failed message to the trusted device; if they are consistent:
With the random number as the symmetric key, decrypting the ciphertext measurement value with the national cryptographic SM4 algorithm to generate a plaintext measurement value;
Comparing the plaintext measurement value with the reference measurement value of the trusted device saved by the authentication server; if they are consistent, sending an integrity-verification-passed message to the trusted device, and if they are inconsistent, sending an integrity-verification-failed message to the trusted device.
An embodiment of the present invention also provides a trusted authentication device applied to a trusted device configured with a trusted computing module, characterized by comprising:
A measurement module, configured to calculate, when the trusted device powers on and builds the chain of trust by measuring stage by stage, the measurement value of the measured data at each stage using the national cryptographic SM3 algorithm, and to store the measurement value in the PCR register of the trusted computing module.
Optionally, the measurement value is stored in the PCR register using the PCR extend method.
Optionally, the device further includes:
A first data transceiver module, configured to send the integrity verification request to the authentication server, to receive the random number that the authentication server generates using the national cryptographic SM3 algorithm, to send the verification information comprising the public key, the ciphertext measurement value and the digital signature to the authentication server, and to receive the integrity-verification-passed message or integrity-verification-failed message sent by the authentication server;
An encryption module, configured to encrypt, with the random number as the symmetric key, the measurement value read from the PCR register using the national cryptographic SM4 algorithm, generating the ciphertext measurement value;
A signature module, configured to encrypt the ciphertext measurement value with the private key of a public/private key pair of the national cryptographic SM2 algorithm generated by the trusted computing module, generating the digital signature of the ciphertext measurement value.
An embodiment of the present invention also provides a trusted authentication device applied to an authentication server for verifying the integrity of a trusted device. The device includes:
A second data transceiver module, configured to receive the integrity verification request sent by the trusted device, to send the random number to the trusted device, to receive the verification information sent by the trusted device comprising the public key, the ciphertext measurement value and the digital signature, to send an integrity-verification-failed message to the trusted device if the signature verification module finds that signature verification fails or the integrity verification module finds that integrity verification fails, and to send an integrity-verification-passed message to the trusted device if the integrity verification module finds that integrity verification passes;
A random number generation module, configured to generate the random number using the national cryptographic SM3 algorithm in response to the integrity verification request;
A signature verification module, configured to parse the public key, the ciphertext measurement value and the digital signature from the verification information, to decrypt the digital signature with the public key to generate the second digest value of the ciphertext measurement value, to calculate the first digest value of the ciphertext measurement value using the national cryptographic SM3 algorithm, and to compare the first digest value with the second digest value; signature verification passes if the first digest value and the second digest value are consistent and fails if they are inconsistent;
An integrity verification module, configured to act on the signature verification result of the signature verification module: if signature verification passes, it decrypts the ciphertext measurement value using the national cryptographic SM4 algorithm with the random number as the symmetric key to generate the plaintext measurement value, and compares the plaintext measurement value with the reference measurement value of the trusted device saved by the authentication server; integrity verification of the trusted device passes if they are consistent and fails if they are inconsistent.
As can be seen from the above, in the trusted authentication method and device provided by the invention, the measurement values of the measured data at each stage are first calculated with a national cryptographic algorithm during chain-of-trust construction on the trusted device, and the measurement values are stored in the PCR register of the trusted computing module. Afterwards, the trusted device undergoes integrity verification by the authentication server, during which signature verification and integrity verification of the measurement value are carried out with national cryptographic algorithms. By implementing chain-of-trust construction and integrity verification of the trusted device on national cryptographic algorithms, the invention can guarantee the security and controllability of the trusted device.
Brief description of the drawings
Fig. 1 is a flow diagram of the chain-of-trust construction method of an embodiment of the present invention;
Fig. 2 is a flow diagram of the trusted authentication method applied to the trusted device in an embodiment of the present invention;
Fig. 3 is a flow diagram of the trusted authentication method applied to the authentication server in an embodiment of the present invention;
Fig. 4 is a structural diagram of the trusted authentication device of the trusted device in an embodiment of the present invention;
Fig. 5 is a structural diagram of the trusted authentication device of the authentication server in an embodiment of the present invention.
Detailed description
The present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow diagram of the method of an embodiment of the present invention. As shown, the trusted authentication method provided by the embodiment includes a chain-of-trust construction process:
S10: the trusted device powers on and, while building the chain of trust by measuring stage by stage, calculates the measurement value of the measured data at each stage using the national cryptographic SM3 algorithm;
S11: the measurement value is stored in the PCR register of the trusted computing module.
The trusted authentication method of the embodiment is implemented on a trusted device configured with a trusted computing module. The chain of trust is built first: after the trusted device powers on, starting from the root of trust, the measurement value of the measured data (the code or data of the part being executed) is calculated stage by stage from the hardware through the BIOS, the BootLoader, the operating system and the application programs, building the chain of trust. The measurement value of the measured data at each stage is calculated with the national cryptographic SM3 algorithm, chain-of-trust construction is completed, and the calculated measurement values of every stage are stored in the PCR register of the trusted computing module.
Optionally, the calculated measurement values of every stage are each stored in the PCR register of the trusted computing module using the PCR extend method, so that after chain-of-trust construction is complete the PCR register holds the final measurement value. The PCR extend method is: PCR[n] = SM3(PCR[n] || measured data). That is, an OR operation is performed on the measured data of the current stage and the data currently in PCR register PCR[n], the result of the OR operation is computed with the national cryptographic SM3 algorithm, and the computed result is stored in PCR register PCR[n], overwriting the data that PCR[n] currently holds. After stage-by-stage measurement, the PCR register holds the final measurement value after chain-of-trust construction, and this measurement value characterizes the integrity state of the trusted device.
During chain-of-trust construction, calculating the measurement values of the measured data (the code or data of the part being executed) stage by stage from the hardware through the BIOS, the BootLoader, the operating system and the application programs specifically includes the following. Each stage's measurement object (hardware, BIOS, BootLoader, operating system, application programs, etc.) comprises multiple items of measured data, and the measurement value of each stage's measurement object is saved in a specific region of the PCR register (for example, the measurement value of the hardware is stored in the PCR[0] region, that of the BIOS in the PCR[1] region, that of the BootLoader in the PCR[2] region, and that of the operating system in the PCR[3] region). The measurement values of the multiple items of measured data of each stage's measurement object are stored in the corresponding region of the PCR register using the PCR extend method. After the trusted device has finished starting, the PCR register holds a measurement value list made up of the measurement values of the measurement objects of every stage.
Fig. 2 is a flow diagram of the trusted authentication method applied to the trusted device in an embodiment of the present invention. As shown, the trusted authentication method applied to the trusted device includes:
S20: after the trusted device has started, it sends an integrity verification request to the authentication server;
S21: the trusted device receives the random number that the authentication server generates using the national cryptographic SM3 algorithm;
S22: the trusted device reads the measurement value from the PCR register and, with the random number as the symmetric key, encrypts the measurement value using the national cryptographic SM4 algorithm to generate the ciphertext measurement value;
S23: based on a public/private key pair of the national cryptographic SM2 algorithm generated by the trusted computing module, the trusted device calculates the first digest value of the ciphertext measurement value using the national cryptographic SM3 algorithm and encrypts the first digest value with the private key to generate the digital signature of the ciphertext measurement value;
S24: the verification information comprising the public key, the ciphertext measurement value and the digital signature is sent to the authentication server.
Fig. 3 is a flow diagram of the trusted authentication method applied to the authentication server in an embodiment of the present invention. As shown, the trusted authentication method applied to the authentication server includes:
S30: the authentication server receives the integrity verification request sent by the trusted device;
S31: the authentication server generates a random number using the national cryptographic SM3 algorithm and sends the random number to the trusted device;
S32: the authentication server receives the verification information sent by the trusted device, which comprises the public key, the ciphertext measurement value and the digital signature, and parses the public key, the ciphertext measurement value and the digital signature from it;
S33: the authentication server decrypts the digital signature with the public key to generate the second digest value of the ciphertext measurement value, and calculates the first digest value of the received ciphertext measurement value using the national cryptographic SM3 algorithm;
S34: the first digest value is compared with the second digest value; if they are consistent, signature verification passes and step S35 is executed; if they are inconsistent, step S38 is executed;
S35: with the random number as the symmetric key, the authentication server decrypts the ciphertext measurement value using the national cryptographic SM4 algorithm to generate the plaintext measurement value;
S36: the plaintext measurement value is compared with the reference measurement value of the trusted device saved by the authentication server; if they are consistent, integrity verification of the trusted device passes and step S37 is executed; if they are inconsistent, step S38 is executed;
S37: an integrity-verification-passed message is sent to the trusted device, and verification ends;
S38: an integrity-verification-failed message is sent to the trusted device.
In the embodiment of the present invention, after the trusted device has built the chain of trust and saved the integrity measurement value, the authentication server is used to verify the integrity of the trusted device. According to the method flow diagrams shown in Figs. 2 and 3, the integrity verification process of the trusted device is as follows. The trusted device sends an integrity verification request to the authentication server; the authentication server receives the request, generates a random number based on the national cryptographic SM3 algorithm, and sends the random number to the trusted device. The trusted device receives the random number and, with the random number as the symmetric key, encrypts the measurement value read from the PCR register based on the national cryptographic SM4 algorithm to generate the ciphertext measurement value. The trusted device then signs the ciphertext measurement value: specifically, a public/private key pair is generated by the trusted computing module, the first digest value of the ciphertext measurement value is calculated based on the national cryptographic SM3 algorithm, and the first digest value is encrypted with the generated private key to produce the digital signature of the ciphertext measurement value. The trusted device sends the verification information comprising the public key, the ciphertext measurement value and the digital signature to the authentication server, which verifies the integrity of the trusted device.
The authentication server receives the verification information sent by the trusted device and parses the public key, the ciphertext measurement value and the digital signature from it. It first verifies the digital signature of the ciphertext measurement value in order to verify the authenticity of the ciphertext measurement value: specifically, it decrypts the received digital signature with the received public key to generate the second digest value of the ciphertext measurement value, calculates the first digest value of the received ciphertext measurement value based on the national cryptographic SM3 algorithm, and compares the first digest value with the second digest value. If they are inconsistent, signature verification fails, the ciphertext measurement value may have been tampered with, and an integrity-verification-failed message is sent to the trusted device. If they are consistent, signature verification passes and the integrity verification process continues: with the random number as the symmetric key, the authentication server decrypts the received ciphertext measurement value based on the national cryptographic SM4 algorithm to generate the plaintext measurement value, and compares the plaintext measurement value with the reference measurement value of the trusted device saved by the authentication server. If they are inconsistent, integrity verification fails and an integrity-verification-failed message is sent to the trusted device; if they are consistent, integrity verification passes and an integrity-verification-passed message is sent to the trusted device. Comparing the plaintext measurement value with the reference measurement value means comparing each measurement value in the plaintext measurement value list with the corresponding measurement value in the reference measurement value list; if any one of them is inconsistent, verification is considered to have failed.
The reference measurement value saved by the authentication server is the plaintext measurement value generated by the method of steps S30-S35 above during the trusted device's first integrity verification by the authentication server; that is, the plaintext measurement value generated when the trusted device and the authentication server carry out verification for the first time is used as the reference measurement value of the trusted device.
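The PCR extend chain of steps S10-S11 and the list comparison of step S36, as an added example that is not code from the patent. It reads "||" as byte concatenation and starts every PCR at 32 zero bytes, both assumptions that follow common TPM/TCM practice; the boot-stage contents and all function names are constructed for illustration.

```python
# Added example (not from the patent): SM3 PCR extend and reference-list check.
import hmac
import struct

MASK = 0xFFFFFFFF
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _compress(v, block):
    """SM3 compression function for one 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):  # message expansion W[16..67]
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        p1 = x ^ _rotl(x, 15) ^ _rotl(x, 23)
        w.append(p1 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        a12 = _rotl(a, 12)
        ss1 = _rotl((a12 + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ a12
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & g)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK
        tt2 = (gg + h + ss1 + w[j]) & MASK
        p0 = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17)
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = p0, e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip((a, b, c, d, e, f, g, h), v))


def sm3(data: bytes) -> bytes:
    """SM3 digest (32 bytes): pad like SHA-256, then iterate the compression."""
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data)) % 64)
    data += struct.pack(">Q", bit_len)
    v = IV
    for i in range(0, len(data), 64):
        v = _compress(v, data[i:i + 64])
    return struct.pack(">8I", *v)


def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """PCR[n] = SM3(PCR[n] || measured data), '||' taken as concatenation."""
    return sm3(pcr + measured)


def build_chain(stages):
    """Extend each stage's measured items, in boot order, into its own PCR."""
    pcrs = {}
    for index, items in stages:
        value = pcrs.get(index, bytes(32))  # assumed initial PCR state
        for item in items:
            value = pcr_extend(value, item)
        pcrs[index] = value
    return pcrs


def mismatched_pcrs(measured: dict, reference: dict) -> list:
    """Compare the lists entry by entry; any returned index fails verification."""
    bad = []
    for index in sorted(set(measured) | set(reference)):
        if not hmac.compare_digest(measured.get(index, b""),
                                   reference.get(index, b"")):
            bad.append(index)
    return bad


# Constructed sample: (PCR index, items of measured data) following the
# hardware / BIOS / BootLoader / operating system layout in the description.
BOOT_STAGES = [
    (0, [b"hw-config-v1"]),
    (1, [b"bios-image-v7", b"bios-settings"]),
    (2, [b"bootloader-v3"]),
    (3, [b"kernel-5.4", b"initrd", b"os-policy"]),
]


def with_stage(stages, index, items):
    """Copy of stages with one stage's measured items replaced."""
    return [(i, items if i == index else old) for i, old in stages]


def demo():
    reference = build_chain(BOOT_STAGES)  # value saved at first verification
    tampered = with_stage(BOOT_STAGES, 2, [b"bootloader-v3-patched"])
    reordered = with_stage(BOOT_STAGES, 3, [b"initrd", b"kernel-5.4", b"os-policy"])
    return {
        "clean": mismatched_pcrs(build_chain(BOOT_STAGES), reference),
        "tampered": mismatched_pcrs(build_chain(tampered), reference),
        "reordered": mismatched_pcrs(build_chain(reordered), reference),
    }


if __name__ == "__main__":
    print(demo())
```

The SM4 encryption and SM2 signature that carry the measurement value list to the authentication server in the description are not reproduced here; the comparison runs on the list as it stands after decryption in step S35.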
Fig. 4 is a structural diagram of the trusted authentication device of the trusted device in an embodiment of the present invention. As shown, the trusted authentication device provided by the embodiment comprises:
A measurement module, configured to calculate, when the trusted device powers on and builds the chain of trust by measuring stage by stage, the measurement value of the measured data at each stage using the national cryptographic SM3 algorithm, and to store the measurement value in the PCR register of the trusted computing module; optionally, the measurement value is stored in the PCR register using the PCR extend method.
The trusted authentication device further includes:
A first data transceiver module, configured to send the integrity verification request to the authentication server, to receive the random number that the authentication server generates using the national cryptographic SM3 algorithm, to send the verification information comprising the public key, the ciphertext measurement value and the digital signature to the authentication server, and to receive the integrity-verification-passed message or integrity-verification-failed message sent by the authentication server;
An encryption module, configured to encrypt, with the received random number as the symmetric key, the measurement value read from the PCR register using the national cryptographic SM4 algorithm, generating the ciphertext measurement value;
A signature module, configured to encrypt the ciphertext measurement value with the private key of a public/private key pair of the national cryptographic SM2 algorithm generated by the trusted computing module, generating the digital signature of the ciphertext measurement value.
Fig. 5 is a structural diagram of the trusted authentication device of the authentication server in an embodiment of the present invention. As shown, the authentication server is used to verify the integrity of the trusted device and includes a trusted authentication device, which comprises:
A second data transceiver module, configured to receive the integrity verification request sent by the trusted device, to send the random number to the trusted device, to receive the verification information sent by the trusted device comprising the public key, the ciphertext measurement value and the digital signature, to send an integrity-verification-failed message to the trusted device if the signature verification module finds that signature verification fails or the integrity verification module finds that integrity verification fails, and to send an integrity-verification-passed message to the trusted device if the integrity verification module finds that integrity verification passes;
A random number generation module, configured to generate the random number using the national cryptographic SM3 algorithm in response to the received integrity verification request;
A signature verification module, configured to parse the public key, the ciphertext measurement value and the digital signature from the received verification information, to decrypt the digital signature with the public key to generate the second digest value of the ciphertext measurement value, to calculate the first digest value of the parsed ciphertext measurement value using the national cryptographic SM3 algorithm, and to compare the first digest value with the second digest value; signature verification passes if the first digest value and the second digest value are consistent and fails if they are inconsistent;
An integrity verification module, configured to act on the signature verification result of the signature verification module: if signature verification passes, it decrypts the ciphertext measurement value using the national cryptographic SM4 algorithm with the random number as the symmetric key to generate the plaintext measurement value, and compares the plaintext measurement value with the reference measurement value of the trusted device saved by the authentication server; integrity verification of the trusted device passes if they are consistent and fails if they are inconsistent.
The trusted authentication method and device of the invention are implemented on a trusted device. During chain-of-trust construction on the trusted device, the measurement values of the measured data at each stage are first calculated with a national cryptographic algorithm, and the measurement values are stored in the PCR register of the trusted computing module. Afterwards, the trusted device undergoes integrity verification by the authentication server, during which signature verification and integrity verification of the measurement value are carried out with national cryptographic algorithms. By implementing chain-of-trust construction and integrity verification of the trusted device on national cryptographic algorithms, the invention can guarantee the security and controllability of the trusted device.
The above are the preferred embodiments of the present invention and the technical principles they use. For those skilled in the art, any obvious change based on the technical solution of the invention, such as an equivalent variation or a simple substitution, made without departing from the spirit and scope of the invention, falls within the protection scope of the invention.

Claims (8)

1. A trust authentication method, applied to a trusted device configured with a trusted computing module, characterized in that the method comprises:
Building a chain of trust: while the trusted device powers on and measures level by level to build the chain of trust, computing the metric value of the measured data at each level with the national cryptographic SM3 algorithm, and storing the metric value in a PCR register of the trusted computing module.
2. The method according to claim 1, characterized in that the metric value is stored in the PCR register using the PCR extend method.
3. The method according to claim 1, characterized in that it further comprises:
After the trusted device starts, sending an integrity verification request to an authentication server;
Receiving the random number that the authentication server generates using the national cryptographic SM3 algorithm;
Reading the metric value from the PCR register and, with the random number as the symmetric key, encrypting the metric value using the national cryptographic SM4 algorithm to generate a ciphertext metric value;
Based on the public/private key pair created by the trusted computing module with the national cryptographic SM2 algorithm, computing the first digest value of the ciphertext metric value using the national cryptographic SM3 algorithm, and encrypting the first digest value with the private key to generate the digital signature of the ciphertext metric value;
Sending verification information comprising the public key, the ciphertext metric value and the digital signature to the authentication server, so that the authentication server performs integrity verification on the trusted device according to the verification information.
4. A trust authentication method, applied to an authentication server, characterized in that it comprises:
Receiving an integrity verification request sent by a trusted device;
Generating a random number using the national cryptographic SM3 algorithm and sending the random number to the trusted device;
Receiving verification information sent by the trusted device, comprising a public key, a ciphertext metric value and a digital signature, and parsing the public key, the ciphertext metric value and the digital signature from it;
Decrypting the digital signature with the public key to generate the second digest value of the ciphertext metric value, and computing the first digest value of the ciphertext metric value using the national cryptographic SM3 algorithm;
Comparing the first digest value with the second digest value; if they are inconsistent, sending an integrity verification failed message to the trusted device; if they are consistent:
With the random number as the symmetric key, decrypting the ciphertext metric value using the national cryptographic SM4 algorithm to generate a plaintext metric value;
Comparing the plaintext metric value with the benchmark metric value of the trusted device saved by the authentication server; if they are consistent, sending an integrity verification passed message to the trusted device; if they are inconsistent, sending an integrity verification failed message to the trusted device.
5. A trust authentication device, applied to a trusted device configured with a trusted computing module, characterized in that it comprises:
A measurement module, configured to compute, while the trusted device powers on and measures level by level to build the chain of trust, the metric value of the measured data at each level using the national cryptographic SM3 algorithm, and to store the metric value in a PCR register of the trusted computing module.
6. The device according to claim 5, characterized in that the metric value is stored in the PCR register using the PCR extend method.
7. The device according to claim 5, characterized in that it further comprises:
A first data transceiver module, configured to send an integrity verification request to an authentication server, to receive the random number that the authentication server generates using the national cryptographic SM3 algorithm, to send verification information comprising a public key, a ciphertext metric value and a digital signature to the authentication server, and to receive the integrity verification passed message or integrity verification failed message sent by the authentication server;
An encryption module, configured to encrypt the metric value read from the PCR register using the national cryptographic SM4 algorithm, with the random number as the symmetric key, to generate the ciphertext metric value;
A signature module, configured to encrypt the ciphertext metric value with the private key, based on the public/private key pair created by the trusted computing module with the national cryptographic SM2 algorithm, to generate the digital signature of the ciphertext metric value.
8. A trust authentication device, applied to an authentication server and used to perform integrity verification on a trusted device, characterized in that the device comprises:
A second data transceiver module, configured to receive the integrity verification request sent by the trusted device, to send a random number to the trusted device, and to receive the verification information sent by the trusted device, comprising a public key, a ciphertext metric value and a digital signature; and, if the signature verification module determines that signature verification does not pass or the integrity verification module determines that integrity verification does not pass, to send an integrity verification failed message to the trusted device, and, if the integrity verification module determines that integrity verification passes, to send an integrity verification passed message to the trusted device;
A random number generation module, configured to generate the random number using the national cryptographic SM3 algorithm in response to the integrity verification request;
A signature verification module, configured to parse the public key, the ciphertext metric value and the digital signature from the verification information, to decrypt the digital signature with the public key to generate the second digest value of the ciphertext metric value, to compute the first digest value of the ciphertext metric value using the national cryptographic SM3 algorithm, and to compare the first digest value with the second digest value; if the first digest value is consistent with the second digest value, signature verification passes, and if they are inconsistent, signature verification does not pass;
An integrity verification module, configured to act on the signature verification result of the signature verification module: if the signature verification passes, to decrypt the ciphertext metric value using the national cryptographic SM4 algorithm with the random number as the symmetric key, generating a plaintext metric value, and to compare the plaintext metric value with the benchmark metric value of the trusted device saved by the authentication server; if they are consistent, the integrity verification of the trusted device passes, and if they are inconsistent, the integrity verification of the trusted device does not pass.
CN201811477343.1A 2018-12-05 2018-12-05 A kind of trust authentication method and device Pending CN109586920A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811477343.1A CN109586920A (en) 2018-12-05 2018-12-05 A kind of trust authentication method and device

Publications (1)

Publication Number Publication Date
CN109586920A true CN109586920A (en) 2019-04-05

Family

ID=65926221

Country Status (1)

Country Link
CN (1) CN109586920A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090172378A1 (en) * 2007-12-28 2009-07-02 Kazmierczak Gregory J Method and system for using a trusted disk drive and alternate master boot record for integrity services during the boot of a computing platform
CN101477602A (en) * 2009-02-10 2009-07-08 浪潮电子信息产业股份有限公司 Remote proving method in trusted computation environment
CN102136044A (en) * 2010-07-14 2011-07-27 华为技术有限公司 Safe starting method, device and computer system
CN104410580A (en) * 2014-11-28 2015-03-11 深圳市华威世纪科技股份有限公司 Trusted security WiFi (Wireless Fidelity) router and data processing method thereof
CN107145802A (en) * 2017-05-09 2017-09-08 郑州云海信息技术有限公司 A kind of BIOS integrity measurement methods, baseboard management controller and system
CN107493271A (en) * 2017-07-28 2017-12-19 大唐高鸿信安(浙江)信息科技有限公司 Credible and secure network system

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112000935A (en) * 2019-05-27 2020-11-27 阿里巴巴集团控股有限公司 Remote authentication method, device, system, storage medium and computer equipment
CN110347479A (en) * 2019-07-10 2019-10-18 大唐高鸿信安(浙江)信息科技有限公司 A kind of construction method and system of chain-of-trust
CN112287399A (en) * 2019-07-22 2021-01-29 科大国盾量子技术股份有限公司 Digital signature method, system and device
CN112287399B (en) * 2019-07-22 2022-09-27 科大国盾量子技术股份有限公司 Digital signature method, system and device
WO2021135978A1 (en) * 2019-12-31 2021-07-08 华为技术有限公司 Method for proving trusted state and related device
CN111783097A (en) * 2020-05-28 2020-10-16 东方红卫星移动通信有限公司 Information integrity measurement verification method and system for satellite-borne computing system
CN112769800A (en) * 2020-12-31 2021-05-07 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Switch integrity verification method and device and computer storage medium
CN112769800B (en) * 2020-12-31 2022-10-04 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Switch integrity verification method and device and computer storage medium
CN113518071A (en) * 2021-04-13 2021-10-19 北京航空航天大学 Robot sensor information security enhancing device and method

Similar Documents

Publication Publication Date Title
CN109586920A (en) A kind of trust authentication method and device
CN102271042B (en) Certificate authorization method, system, universal serial bus (USB) Key equipment and server
CN103067402B (en) The generation method and system of digital certificate
CN111224788B (en) Electronic contract management method, device and system based on block chain
CN109257328B (en) Safe interaction method and device for field operation and maintenance data
CN103078742B (en) Generation method and system of digital certificate
CN105227319A (en) A kind of method of authentication server and device
CN111435913A (en) Identity authentication method and device for terminal of Internet of things and storage medium
CN105099705B (en) A kind of safety communicating method and its system based on usb protocol
JP2008507203A (en) Method for transmitting a direct proof private key in a signed group to a device using a distribution CD
CN104216830B (en) Method and system for detecting consistency of equipment software
CN109474419A (en) A kind of living body portrait photo encryption and decryption method and encrypting and deciphering system
CN103269271A (en) Method and system for back-upping private key in electronic signature token
CN104050431A (en) Self-signing method and self-signing device for RFID chips
CN111130798A (en) Request authentication method and related equipment
CN115795513A (en) File encryption method, file decryption method, file encryption device, file decryption device and equipment
CN114448605A (en) Encrypted ciphertext verification method, system, equipment and computer readable storage medium
CN106953731B (en) Authentication method and system for terminal administrator
CN106453430A (en) Method and device for verifying encrypted data transmission paths
CN109889344A (en) The transmission method and computer readable storage medium of terminal, data
CN112910641A (en) Verification method and device for cross-link transaction supervision, relay link node and medium
CN112383577A (en) Authorization method, device, system, equipment and storage medium
CN112583594A (en) Data processing method, acquisition device, gateway, trusted platform and storage medium
CN104883260B (en) Certificate information processing and verification method, processing terminal and authentication server
CN114884714B (en) Task processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190405
