CN113873513A - Method and apparatus for processing control key - Google Patents

Publication number
CN113873513A
Authority
CN
China
Prior art keywords
key
public
data
terminal equipment
control
Legal status
Pending
Application number
CN202010617589.5A
Other languages
Chinese (zh)
Inventor
彭炳辉
Current Assignee
Yunding Network Technology Beijing Co Ltd
Original Assignee
Yunding Network Technology Beijing Co Ltd
Application filed by Yunding Network Technology Beijing Co Ltd
Priority to CN202010617589.5A (CN113873513A)
Priority to PCT/CN2021/103621 (WO2022002146A1)
Priority to EP21831982.0A (EP4161033A4)
Publication of CN113873513A
Priority to US18/146,986 (US20230140203A1)

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the application discloses a method and a device for processing a control key. One embodiment of the method comprises: acquiring a public key in a public and private key pair generated by security equipment, and generating a session key according to a private key in the public and private key pair generated by terminal equipment and the acquired public key; encrypting the signature of the terminal equipment, the random number of the terminal equipment and the certificate of the terminal equipment by using the session key to obtain verification data; sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment; acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and a random number corresponding to the control data; and determining, according to the random number corresponding to the control data, whether the control key is used for unlocking the security equipment. In this embodiment the control key is encrypted and decrypted through the session key, which improves security.

Description

Method and apparatus for processing control key
Technical Field
The embodiment of the application relates to the technical field of smart home, in particular to a method and a device for processing a control key.
Background
At present, security equipment can be controlled through a control key. The control key can be generated by the security equipment and sent to the terminal equipment that uses the security equipment; for example, the terminal equipment can be an electronic key or an access card. When controlling the security equipment through the terminal equipment, a user sends the control key to the security equipment, and the security equipment is thereby controlled through the control key.
The control key can be encrypted between the security device and the terminal device through an asymmetric encryption algorithm, but with an asymmetric encryption algorithm the public key used to encrypt the control key is public, which reduces security.
Disclosure of Invention
The embodiment of the application provides a method and a device for processing a control key.
In one aspect, the present application provides a method for processing a control key, which is applied to a terminal device, and the method includes:
acquiring a public key in a public and private key pair generated by security equipment, and generating a session key according to a private key in the public and private key pair generated by the terminal equipment and the acquired public key;
encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data;
sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment;
acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data;
and determining whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data.
Optionally, the generating a session key according to a private key in a public-private key pair generated by the terminal device and the obtained public key includes:
generating a shared key according to a private key in a public and private key pair generated by the terminal equipment and the obtained public key;
and generating the session key according to the shared key and the identity of the terminal equipment.
Optionally, the signature of the terminal device is generated according to a public and private key pair generated by the terminal device and the identity of the terminal device.
Optionally, generating the signature of the terminal device according to the public and private key pair generated by the terminal device and the identity of the terminal device includes:
generating a hash value according to a public key in a public and private key pair generated by the terminal equipment and an identity of the terminal equipment;
and generating a signature of the terminal equipment according to the hash value and a private key in a public and private key pair generated by the terminal equipment.
Optionally, the method further includes: if the second data corresponding to the control data is the same as the first data of the terminal equipment, storing the control key.
In another aspect, the present application provides a method for processing a control key, which is applied to a processor of a security device, and the method includes:
acquiring verification data generated by the terminal equipment and a public key in a public and private key pair generated by the terminal equipment, and generating a session key according to a private key in the public and private key pair generated by the security equipment and the acquired public key;
decrypting the verification data through the session key to obtain a signature of the terminal equipment, first data of the terminal equipment and a certificate of the terminal equipment, and verifying the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result;
if the verification result shows that the signature of the terminal equipment and the certificate of the terminal equipment are legal, generating a control key, and encrypting the control key and the first data of the terminal equipment through the session key to obtain control data;
and sending the control data to the terminal equipment.
Optionally, the verifying the signature of the terminal device and the certificate of the terminal device to obtain a verification result includes:
acquiring a certificate digest and a certificate signature corresponding to the certificate of the terminal equipment;
and verifying the certificate digest and the certificate signature through a public key of the certificate of the terminal equipment, and verifying the signature of the terminal equipment through the obtained public key to obtain the verification result.
Optionally, the generating a session key according to a private key in a public-private key pair generated by the security device and the obtained public key includes:
generating a shared key according to a private key in a public and private key pair generated by the security equipment and the obtained public key;
and generating the session key according to the shared key and the identity of the terminal equipment, wherein the identity of the terminal equipment is obtained through an equipment selection request.
In another aspect, the present application provides an apparatus for processing a control key, which is applied in a terminal device, and the apparatus includes:
a first obtaining unit configured to obtain a public key in a public and private key pair generated by security equipment, and generate a session key according to a private key in the public and private key pair generated by the terminal equipment and the obtained public key;
the encryption unit is configured to encrypt the signature of the terminal device, the first data of the terminal device and the certificate of the terminal device through the session key to obtain verification data;
the sending unit is configured to send the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment;
the second acquisition unit is configured to acquire the control data generated by the security equipment, decrypt the control data through the session key and obtain a control key and second data corresponding to the control data;
the determining unit is configured to determine whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data.
Optionally, the first obtaining unit is specifically configured to generate a shared key according to a private key in a public and private key pair generated by the terminal device and the obtained public key; and generating the session key according to the shared key and the identity of the terminal equipment.
Optionally, the signature of the terminal device is generated according to a public and private key pair generated by the terminal device and the identity of the terminal device.
Optionally, generating the signature of the terminal device according to the public and private key pair generated by the terminal device and the identity of the terminal device includes: generating a hash value according to a public key in a public and private key pair generated by the terminal equipment and an identity of the terminal equipment; and generating a signature of the terminal equipment according to the hash value and a private key in a public and private key pair generated by the terminal equipment.
Optionally, the apparatus further comprises: a storage unit configured to store the control key if the second data corresponding to the control data is the same as the first data of the terminal equipment.
In another aspect, the present application provides an apparatus for processing a control key, which is applied to a processor of a security device, the apparatus including:
a key obtaining unit configured to obtain verification data generated by the terminal device and a public key in a public and private key pair generated by the terminal device, and generate a session key according to the private key in the public and private key pair generated by the security device and the obtained public key;
a decryption unit configured to decrypt the verification data through the session key to obtain a signature of the terminal device, first data of the terminal device, and a certificate of the terminal device;
the verification unit is configured to verify the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result;
a key generation unit configured to generate a control key if the verification result indicates that the signature of the terminal device and the certificate of the terminal device are legal;
an encryption unit configured to encrypt the control key and first data of the terminal device by the session key to obtain control data;
a transmitting unit configured to transmit the control data to the terminal device.
Optionally, the verification unit is specifically configured to obtain a certificate digest and a certificate signature corresponding to the certificate of the terminal device; and verify the certificate digest and the certificate signature through a public key of the certificate of the terminal equipment, and verify the signature of the terminal equipment through the obtained public key to obtain the verification result.
Optionally, the key generation unit is specifically configured to generate a shared key according to a private key in a public and private key pair generated by the security device and the acquired public key; and generating the session key according to the shared key and the identity of the terminal equipment, wherein the identity of the terminal equipment is obtained through an equipment selection request.
In yet another aspect, the present application is directed to a system for processing a control key, the system comprising: terminal equipment and security equipment;
the terminal equipment is configured to acquire a public key in a public and private key pair generated by security equipment, and generate a session key according to a private key in the public and private key pair generated by the terminal equipment and the acquired public key; encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data; sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment; acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data; determining whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data;
the security device is configured to acquire verification data generated by the terminal device and a public key in a public and private key pair generated by the terminal device, and generate a session key according to the private key in the public and private key pair generated by the security device and the acquired public key; decrypting the verification data through the session key to obtain a signature of the terminal equipment, first data of the terminal equipment and a certificate of the terminal equipment, and verifying the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result; if the verification result shows that the signature of the terminal equipment and the certificate of the terminal equipment are legal, generating a control key, and encrypting the control key and the first data of the terminal equipment through the session key to obtain control data; and sending the control data to the terminal equipment.
In the method and the device for processing the control key provided by the embodiments of the application, the terminal device generates a public and private key pair and the security device generates a public and private key pair. On both the terminal device side and the security device side, a session key is generated according to the obtained public key and the private key in the locally generated public and private key pair. On the terminal device side, the verification data is obtained through the session key, and the control data is decrypted through the session key to obtain the control key. On the security device side, the verification data is decrypted through the session key, and the control key is encrypted through the session key to generate the control data. The control key is thus encrypted and decrypted through the session key. Besides the control data, the data exchanged between the terminal device side and the security device side includes the public keys of both sides and the verification data: the public keys serve to obtain the session key, and the verification data is used for verification at the security device. Therefore, although the control data, the public keys of both sides and the verification data are disclosed, the session key used for encryption and decryption cannot be learned from these data, and security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some examples or embodiments of the present application, and that for a person skilled in the art, other drawings can be obtained from the provided drawings without inventive effort, and that the present application can also be applied to other similar scenarios from the provided drawings. Unless otherwise apparent from the context, or otherwise indicated, like reference numbers in the figures refer to the same structure or operation.
FIG. 1 is an exemplary system architecture diagram to which some embodiments of the present application may be applied;
FIG. 2 is a flow diagram for one embodiment of a method for processing a control key according to the present application;
FIG. 3 is a flow diagram of yet another embodiment of a method for processing a control key according to the present application;
FIG. 4 is a timing diagram for one embodiment of a method for processing a control key according to the present application;
FIG. 5 is a schematic block diagram illustrating one embodiment of an apparatus for processing control keys according to the present application;
FIG. 6 is a schematic block diagram of yet another embodiment of an apparatus for processing control keys according to the present application;
FIG. 7 is a schematic structural diagram of a terminal device for processing a control key according to the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. The described embodiments are only some embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be understood that "system", "apparatus", "unit" and/or "module" as used herein are terms for distinguishing different components, elements, parts or assemblies at different levels. However, these words may be replaced by other expressions if they accomplish the same purpose.
As used in this application and the appended claims, the terms "a," "an," and/or "the" do not refer specifically to the singular and may also include the plural, unless the context clearly dictates otherwise. In general, the terms "comprises" and "comprising" merely indicate that the explicitly identified steps and elements are included; these steps and elements do not form an exclusive list, and a method or apparatus may include other steps or elements. An element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
In the description of the embodiments herein, "/" means "or" unless otherwise specified; for example, A/B may mean A or B. "And/or" herein merely describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, in the description of the embodiments of the present application, "a plurality" means two or more.
In the following, the terms "first", "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.
Flow charts are used herein to illustrate operations performed by systems according to embodiments of the present application. It should be understood that the preceding or following operations are not necessarily performed in the exact order shown. Rather, the various steps may be processed in reverse order or simultaneously. Other operations may also be added to the processes, or one or more steps may be removed from them.
The inventor of the application found through research that when the control key is encrypted by an asymmetric encryption algorithm, the public key is public, so other users can forge the public key to encrypt the control key, which reduces security. The inventor further found that the prior art solves this problem by introducing certificates. The technical scheme adopted by the application to solve the problem is as follows:
The terminal device generates a public and private key pair and the security device generates a public and private key pair. On both the terminal device side and the security device side, a session key is generated according to the obtained public key and the private key in the locally generated public and private key pair. On the terminal device side, the verification data is obtained through the session key, and the control data is decrypted through the session key to obtain the control key. On the security device side, the verification data is decrypted through the session key, and the control key is encrypted through the session key to generate the control data. The control key is thus encrypted and decrypted through the session key. Although the public keys of the terminal device side and the security device side are disclosed, the session key for encrypting and decrypting the control key is generated from each side's own private key and the other side's public key, so the probability of obtaining the session key is low even though the public keys are disclosed, and security is improved while the control key is encrypted and decrypted through the session key.
The security equipment can be an intelligent lock, an access control device, equipment needing identity authentication and the like, the terminal equipment can be an access control card, an electronic key, identity authentication input equipment and the like, and the access control card and the electronic key can communicate with the security equipment based on an NFC (Near Field Communication) technology. For example, the terminal device may be an access card based on the NFC technology, the security device may be an intelligent lock, and the access card based on the NFC technology applies the method for processing the control key provided in the embodiment of the present application to control unlocking of the intelligent lock.
Fig. 1 shows an exemplary system architecture 100 to which some embodiments of the method for processing control keys or the apparatus for processing control keys of the present application may be applied.
As shown in FIG. 1, the system architecture 100 may include a terminal device 101, a network 102, and a processor 103 of a security device. The network 102 is used to provide a medium for a communication link between the terminal device 101 and the processor 103 of the security device. Network 102 may include various wireless connection types such as Bluetooth, near field communication, or radio frequency communication, among others.
A user may use the terminal device 101 to interact with the processor 103 of the security device over the network 102 to receive or send messages or the like. Various client applications, such as a door lock control application, etc., may be installed on the terminal device 101.
The terminal apparatus 101 may be hardware or software. When the terminal device 101 is hardware, it may be various electronic devices, including but not limited to a smartphone, a tablet computer, a wearable device, an Augmented Reality (AR)/Virtual Reality (VR) device, an electronic key, an access card, a gateway, and other terminal devices, such as an access card and an electronic key based on the NFC technology. When the terminal apparatus 101 is software, it can be installed in the electronic apparatuses listed above. It may be implemented as multiple pieces of software or software modules, or as a single piece of software or software module. The embodiment of the present application does not set any limit to the specific type of the terminal device.
The processor 103 of the security device may respond to the public key and the verification data sent by the terminal device 101: it verifies the verification data using the session key generated from the public key to obtain a verification result, generates a control key if the verification result indicates legitimacy, encrypts the control key through the session key, and sends it to the terminal device.
It should be noted that the method for processing the control key provided in the embodiments of the present application can be executed by the terminal device 101 and by the processor 103 of the security device, respectively. The methods executed by the terminal device 101 and by the processor 103 of the security device differ slightly and are described in detail below. Accordingly, the apparatus for processing the control key is provided in the terminal device 101 and in the processor 103 of the security device, respectively, and the two apparatuses also differ slightly.
It should be understood that the numbers of terminal devices, networks, and processors of security devices in FIG. 1 are merely illustrative. There may be any number of terminal devices, networks, and processors of security devices, as required by the implementation.
With continued reference to FIG. 2, a flow 200 of one embodiment of a method for processing a control key in accordance with the present application is shown. The method for processing the control key is applied to the terminal equipment and comprises the following steps:
Step 201, the terminal device obtains a public key in a public and private key pair generated by the security device, and generates a session key according to a private key in the public and private key pair generated by the terminal device and the obtained public key.
Step 202, the terminal device encrypts, by using the session key, the signature of the terminal device, the first data of the terminal device, and the certificate of the terminal device to obtain verification data. The first data is data used for verification in the terminal device; one form of the first data may be a random number generated by the terminal device and used for verifying the control data returned by the security device, as described in the verification process below.
Step 203, the terminal device sends the verification data and the public key in the public and private key pair generated by the terminal device to the security device.
Step 204, the terminal equipment acquires the control data generated by the security equipment, and decrypts the control data through the session key to obtain the control key and second data corresponding to the control data.
Step 205, the terminal device determines whether the control key is used for controlling the security device corresponding to the control key according to the second data corresponding to the control data. For example, if the security device is an intelligent lock, the control key indicates unlocking the intelligent lock, and the terminal device determines whether the control key is used for unlocking the intelligent lock according to the second data corresponding to the control data. If the security device is a mobile phone that requires identity authentication, the control key can indicate that the screen of the mobile phone is switched from a first state to a second state (for example, the screen is turned on), and the terminal device determines whether the control key is used for switching the state of the screen of the mobile phone according to the second data corresponding to the control data.
In this embodiment, the second data is likewise data used for verification in the terminal device and may also be represented as a random number, but it differs from the random number serving as the first data: the random number serving as the second data is obtained by decrypting the control data and is associated with the control data, while the random number serving as the first data is independent of other data.
With continued reference to FIG. 3, a flow 300 of yet another embodiment of a method for processing a control key in accordance with the present application is shown. The method for processing the control key is applied to a processor of security equipment and comprises the following steps:
Step 301, the processor of the security device obtains the verification data generated by the terminal device and the public key in the public and private key pair generated by the terminal device, and generates a session key according to the private key in the public and private key pair generated by the security device and the obtained public key.
Step 302, the processor of the security device decrypts the verification data through the session key to obtain the signature of the terminal device, the first data of the terminal device, and the certificate of the terminal device, and verifies the signature of the terminal device and the certificate of the terminal device to obtain a verification result.
Step 303, if the verification result indicates that the signature of the terminal device and the certificate of the terminal device are legal, the processor of the security device generates a control key, and encrypts the control key and the first data of the terminal device through the session key to obtain control data.
Step 304, the processor of the security equipment sends the control data to the terminal equipment.
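The two flows above (200 on the terminal device, 300 on the processor of the security device) as one runnable exchange; this is an added Go example (Go 1.20 or later), not code from the patent. Assumptions, since the page names none of them: P-256 key pairs, HMAC-SHA256 over the terminal identity keyed with the shared key as the session-key derivation, AES-256-GCM, 16-byte first data and control key, and every function name. The certificate check of step 302 is left out, and the control key is passed in rather than generated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func newPair() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// session: key = HMAC-SHA256(ECDH shared key, terminal ID), used with AES-256-GCM (both assumed).
func session(own *ecdsa.PrivateKey, peer *ecdsa.PublicKey, id []byte) (cipher.AEAD, error) {
	priv, e1 := own.ECDH()
	pub, e2 := peer.ECDH() // rejects points that are not on the curve
	if err := errors.Join(e1, e2); err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write(id)
	block, _ := aes.NewCipher(kdf.Sum(nil)) // 32-byte HMAC output is always a valid AES-256 key
	return cipher.NewGCM(block)
}

func idHash(pub *ecdsa.PublicKey, id []byte) []byte {
	xy := append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...)
	h := sha256.Sum256(append(xy, id...)) // hash over terminal public key and identity, the signed value
	return h[:]
}

// seal and open frame a message as random nonce || AES-GCM ciphertext.
func seal(a cipher.AEAD, pt []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, pt, nil), nil
}
func open(a cipher.AEAD, box []byte) ([]byte, error) {
	if len(box) < a.NonceSize() {
		return nil, errors.New("short ciphertext")
	}
	return a.Open(nil, box[:a.NonceSize()], box[a.NonceSize():], nil)
}

// terminalRequest builds the verification data: Enc(first data || signature).
func terminalRequest(a cipher.AEAD, term *ecdsa.PrivateKey, id, first []byte) ([]byte, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, term, idHash(&term.PublicKey, id))
	if err != nil || len(first) != 16 {
		return nil, errors.New("signing failed or first data is not 16 bytes")
	}
	return seal(a, append(append([]byte{}, first...), sig...))
}

// deviceRespond verifies the signature, then returns Enc(control key || first data).
func deviceRespond(a cipher.AEAD, termPub *ecdsa.PublicKey, id, data, controlKey []byte) ([]byte, error) {
	pt, err := open(a, data)
	if err != nil || len(pt) <= 16 || !ecdsa.VerifyASN1(termPub, idHash(termPub, id), pt[16:]) {
		return nil, errors.New("verification data rejected")
	}
	return seal(a, append(append([]byte{}, controlKey...), pt[:16]...))
}

// terminalAccept returns the control key only if second data equals first data.
func terminalAccept(a cipher.AEAD, ctrl, first []byte) ([]byte, error) {
	pt, err := open(a, ctrl)
	if err != nil || len(pt) != 32 || !hmac.Equal(pt[16:], first) {
		return nil, errors.New("control data rejected")
	}
	return pt[:16], nil
}

func main() {
	id, first, key := []byte("card-0001"), []byte("constructed-rnd!"), []byte("constructed-key!")
	card, e1 := newPair() // Card_Prk_T / Card_Puk_T
	lock, e2 := newPair() // Device_Prk_T / Device_Puk_T
	if err := errors.Join(e1, e2); err != nil {
		panic(err)
	}
	onCard, e1 := session(card, &lock.PublicKey, id)
	onLock, e2 := session(lock, &card.PublicKey, id)
	if err := errors.Join(e1, e2); err != nil {
		panic(err)
	}
	req, e1 := terminalRequest(onCard, card, id, first)
	ctrl, e2 := deviceRespond(onLock, &card.PublicKey, id, req, key)
	stored, e3 := terminalAccept(onCard, ctrl, first)
	fmt.Println("control key stored:", hmac.Equal(stored, key), errors.Join(e1, e2, e3))
}
```

Because the identity enters both the session key and the signed hash, a device that obtained a different identity from the device selection request rejects the verification data, and a terminal that receives control data echoing a different first data discards the control key.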
For better understanding of the method for processing the control key provided by the embodiment of the present application, with continued reference to fig. 4, the method for processing the control key is described from interaction between the terminal device and the processor of the security device, and may include the following steps:
step 401, the terminal equipment generates a public and private key pair: the public key Card _ Puk _ T and the private key Card _ Prk _ T. In which the public key Card _ Puk _ T can be published, the private key Card _ Prk _ T is reserved for use by the terminal device, the terminal device can generate a public and private key pair through an existing algorithm, for example, the terminal device can generate a public and private key pair through ECC (elliptic cryptogrammer algorithm), and the public and private key pair can be a temporary public and private key pair generated by the terminal device through ECC.
The so-called temporary public-private key pair indicates that a terminal-generated public-private key pair is time-critical and valid for a certain time. For example, the key pair is valid within a certain time (for example, a valid time is preset) from the time when the terminal device generates the public and private key pair, and if the time when the terminal device generates the public and private key pair exceeds the certain time, the terminal device generates a temporary public and private key pair again, and the previously generated public and private key pair is invalid (i.e., becomes invalid).
Step 402, a processor of the security device generates a public and private key pair: the public key Device _ Puk _ T and the private key Device _ Prk _ T. Similarly, for the processor of the security Device, the public key Device _ Puk _ T may be published, the private key Device _ Prk _ T is reserved for use by the processor of the security Device, and the processor of the security Device is generated by an existing algorithm, which is not described in this embodiment. The public and private key pair generated by the processor of the security device may also be a temporary public and private key pair, and the description refers to step 401, which is not described in this embodiment.
In step 403, the processor of the security device sends the public key Device_Puk_T in the public and private key pair to the terminal device.
In this embodiment, when data interaction is performed between the processor of the security device and the terminal device, data is transmitted according to a protocol agreed by the two parties, so the processor of the security device follows that protocol when sending the public key Device_Puk_T to the terminal device. For example, if the processor of the security device and the terminal device follow a near field communication protocol, the processor of the security device encapsulates the public key Device_Puk_T according to the requirements of the near field communication protocol before sending it to the terminal device.
Note that step 401 and step 402 may be executed simultaneously, or step 402 may be executed before step 401; in the latter order, step 403 and step 401 may be executed simultaneously.
In step 404, the terminal device generates a session key SessionKey according to the private key Card_Prk_T and the public key Device_Puk_T.
Step 405, the terminal device encrypts the signature Sign of the terminal device, the random number Random_Card of the terminal device, and the certificate CERT of the terminal device through the session key SessionKey to obtain the verification data Encrypted_data, where the random number Random_Card is one form of the first data.
As can be seen from steps 404 and 405, although the terminal device generates the public key Card_Puk_T and the private key Card_Prk_T, when encrypting it uses the session key SessionKey generated from the private key Card_Prk_T and the public key Device_Puk_T generated by the processor of the security device, so that even if the public keys generated by the terminal device and by the processor of the security device are disclosed, the probability of obtaining the session key is low. Even if other devices acquire the private keys generated by the terminal device and the processor of the security device, there are many ways of generating the session key, and the other devices would need to try them in turn, so the probability of obtaining the session key used for encryption by the terminal device is very low.
For example, the terminal device may generate the session key SessionKey through, but not limited to, any one of an ECDH (Elliptic Curve Diffie-Hellman) algorithm and a message digest algorithm, such as an HMAC (Hash Message Authentication Code) algorithm.
In this embodiment, the certificate CERT of the terminal device is written into the terminal device when the terminal device is shipped from the factory; it is issued by the certificate authority and is unique (that is, the certificates CERT of different terminal devices are different). The signature Sign of the terminal device and the random number Random_Card of the terminal device are data generated by the terminal device and used to assist in authentication.
After the terminal device obtains the certificate, the signature and the random number, the terminal device may encrypt them using a symmetric encryption algorithm. A symmetric algorithm is used because the private key of the public and private key pair generated by the terminal device is used to generate a session key, and encryption is performed with the session key instead of directly with the private key. The terminal device and the processor of the security device therefore do not use the public and private key pair generated by the terminal device for encryption and decryption, which means that an asymmetric encryption algorithm is not suitable for the session key. For example, the terminal device may use, but is not limited to, the AES (Advanced Encryption Standard) algorithm or the DES (Data Encryption Standard) algorithm for encryption, such as verification data Encrypted_data = AES(SessionKey, Sign + CERT + Random_Card).
Compared with the existing asymmetric encryption algorithm, when the terminal device adopts the symmetric encryption algorithm, the session key SessionKey has fewer bits than the key the terminal device would use with an asymmetric encryption algorithm, so the terminal device uses fewer resources when calculating and storing the session key SessionKey, which makes the method suitable for terminal devices with limited resources.
In step 406, the terminal device sends the verification data Encrypted_data and the public key Card_Puk_T to the processor of the security device. Similarly, the terminal device needs to follow the protocol agreed by both parties when transmitting the verification data Encrypted_data and the public key Card_Puk_T to the processor of the security device.
In step 407, after receiving the verification data Encrypted_data and the public key Card_Puk_T, the processor of the security device generates a session key SessionKey according to the private key Device_Prk_T and the public key Card_Puk_T.
In this embodiment, the processor of the security device may generate the session key SessionKey through an existing key generation algorithm, for example through, but not limited to, any one of an ECDH algorithm and a message digest algorithm, such as an HMAC algorithm.
Step 408, the processor of the security device decrypts the verification data Encrypted_data through its own session key SessionKey to obtain the signature Sign of the terminal device, the random number Random_Card of the terminal device and the certificate CERT of the terminal device.
In this embodiment, whichever algorithm the terminal device uses to encrypt the signature Sign of the terminal device, the random number Random_Card of the terminal device, and the certificate CERT of the terminal device, the processor of the security device uses the same algorithm to decrypt the verification data Encrypted_data. From the above analysis, in this embodiment the terminal device encrypts with a symmetric encryption algorithm, and the processor of the security device correspondingly decrypts with a symmetric encryption algorithm. If the terminal device uses AES for encryption, the processor of the security device uses the AES algorithm for decryption, such as Sign + CERT + Random_Card = AES(SessionKey, Encrypted_data).
Similarly, for the security device, although the processor of the security device generates the public key Device_Puk_T and the private key Device_Prk_T, it encrypts with the session key SessionKey generated according to the private key Device_Prk_T and the public key Card_Puk_T generated by the terminal device, so that the session key is unlikely to be obtained even if the public keys generated by the processor of the security device and by the terminal device are disclosed. Even if other devices acquire the private keys generated by the processor of the security device and the terminal device, there are many ways of generating the session key, and the other devices would need to try them in turn, so the probability of obtaining the session key used for encryption by the processor of the security device is very low.
Step 409, the processor of the security device verifies the signature Sign of the terminal device and the certificate CERT of the terminal device to obtain a verification result; this double verification of the signature Sign and the certificate CERT of the terminal device improves security.
Step 410, if the verification result shows that the signature Sign of the terminal device and the certificate CERT of the terminal device are legal, the processor of the security device generates a control key AuthKey.
If the verification result shows that the signature Sign of the terminal device and the certificate CERT of the terminal device are legal, this indicates that the signature Sign and the certificate CERT obtained by the processor of the security device through decryption belong to the terminal device, and at this time the processor of the security device can generate a control key AuthKey.
In this embodiment, one way for the processor of the security device to generate the control key AuthKey is as follows: obtain the identity CID of the terminal device and the true random number MK of the processor of the security device, and generate the control key AuthKey according to the identity CID and the true random number MK, for example through an existing key generation algorithm, such as control key AuthKey = HMAC(MK, CID).
Note that the processor of a security device has only one true random number MK, and the true random numbers MK of the processors of different security devices are different; a terminal device, by contrast, may have multiple random numbers Random_Card, and the random numbers Random_Card of different terminal devices may be the same.
In step 411, the processor of the security device encrypts the control key AuthKey and the random number Random_Card of the terminal device through its session key SessionKey to obtain control data.
In this embodiment, the processor of the security device also encrypts the control key AuthKey and the random number Random_Card of the terminal device by using a symmetric encryption algorithm; see the above description for why a symmetric encryption algorithm is used. For example, control data = AES(SessionKey, AuthKey + Random_Card).
In step 412, the processor of the security device sends the control data to the terminal device.
In step 413, the terminal device decrypts the control data through the session key SessionKey of the terminal device to obtain the control key AuthKey and the random number corresponding to the control data, where the random number corresponding to the control data is one form of the second data.
Similarly, whichever algorithm the processor of the security device uses to encrypt the control data, the terminal device uses the same algorithm to decrypt it. For example, if the processor of the security device uses the AES algorithm, so that control data = AES(SessionKey, AuthKey + Random_Card), then the terminal device also decrypts with the AES algorithm: AuthKey + Random_Card = AES(SessionKey, control data). Note that the SessionKey used when the terminal device decrypts is the session key of the terminal device.
Step 414, the terminal device determines, according to the random number corresponding to the control data, whether the control key is used for controlling the security device corresponding to the control key. One way of making this determination is as follows: the terminal device compares the second data corresponding to the control data with the first data of the terminal device; if the two are consistent, the second data corresponding to the control data is the first data generated by the terminal device, which means that the terminal device can perform the control corresponding to the control key on the security device through the control key. In addition, the method for processing the control key provided by the present application may further include: if the second data corresponding to the control data is the same as the first data of the terminal device, storing the control key.
When the terminal device determines that the control key is used for controlling the security device corresponding to the control key, the terminal device may further send a success instruction to the security device. The success instruction indicates that the control key is valid, that is, the terminal device can control the security device corresponding to the control key by using the control key. The security device then stores the identity of the terminal device, for example by adding the identity of the terminal device to a white list, and executes the control action corresponding to the control key after the terminal device subsequently triggers the corresponding control operation on the security device.
If the terminal device determines that the control key cannot be used for controlling the security device corresponding to the control key, the terminal device discards the control key and sends a failure instruction to the security device, and the security device adds the identity of the terminal device to a blacklist.
In this embodiment, an optional implementation manner of the terminal device generating the session key is as follows: the terminal device generates a shared key according to the private key in the public and private key pair generated by the terminal device and the obtained public key; and the terminal device generates a session key according to the shared key and the identity of the terminal device. This embodiment does not limit the key generation algorithms used by the terminal device to generate the shared key and the session key. For example, one optional implementation is: the shared key of the terminal device ShareKey = ECDH(Device_Puk_T, Card_Prk_T); the session key of the terminal device SessionKey = HMAC(ShareKey + CID).
For the security device, the way of generating the session key by the processor of the security device is similar to that of the terminal device, but the difference is that the data based on which the processor of the security device generates the session key is different from the data based on which the terminal device generates the session key, for example, an optional implementation way of generating the session key by the processor of the security device is as follows:
The processor of the security device generates a shared key according to the private key in the public and private key pair generated by the processor of the security device and the acquired public key; the processor of the security device then generates a session key according to the shared key and the identity of the terminal device. The identity of the terminal device is obtained through a device selection request: the processor of the security device sends the device selection request to the terminal device, and the terminal device returns its identity to the processor of the security device.
It can be seen from the processes by which the terminal device and the processor of the security device generate the session key that each of them generates the session key according to the private key it generated itself, the public key generated by the other party, and the identity of the terminal device. The key generation algorithm adopted by the terminal device and the processor of the security device when generating the session key is not limited in this application.
In this embodiment, an optional implementation manner of generating the signature by the terminal device is as follows: the terminal device generates a signature according to the public and private key pair generated by the terminal device and the identity of the terminal device. One alternative is: the terminal device generates a hash value according to the public key in the public and private key pair generated by the terminal device and the identity of the terminal device, for example HASH = SHA256(Card_Puk_T + CID), where SHA256 is the existing secure hash algorithm that produces a 256-bit hash value; the terminal device then generates its signature according to the hash value and a private key in a public and private key pair generated by the terminal device, using an existing signature algorithm, for example signature Sign = ECDSA(Card_Prk_LT, HASH), where ECDSA is the elliptic curve digital signature algorithm.
In this embodiment, an optional implementation manner of the processor of the security device verifying the signature of the terminal device and the certificate of the terminal device to obtain the verification result is as follows:
The processor of the security device acquires the certificate digest and the certificate signature corresponding to the certificate of the terminal device; the processor of the security device then verifies the certificate digest and the certificate signature through the public key of the certificate of the terminal device, and verifies the signature of the terminal device through the obtained public key, to obtain a verification result.
The certificate of the terminal device comprises: the public key of the certificate, the private key of the certificate, the certificate digest, the certificate signature, the identity of the terminal device, and remaining data, where the remaining data is a combination of special fields introduced by the certificate authority according to the certificate specification defined by the EMV (Europay, Mastercard, Visa) standard. The certificate digest can be obtained from the remaining data and a public key in a public and private key pair generated by the terminal device, and the certificate signature can be obtained from the certificate digest and the private key of the certificate, as follows:
certificate digest CERT_HASH = SHA256(Card_Puk_LT + remaining data);
certificate signature CERT_Sign = Sign(CA_PRK, CERT_HASH), where CA_PRK is the private key of the certificate.
After the terminal device obtains the certificate digest and the certificate signature, the terminal device may perform verification through an existing signature algorithm, for example Verify = ECDSA(CA_PUK, CERT_Sign, CERT_HASH). Similarly, the terminal device may also verify the signature of the terminal device by using an existing signature algorithm, where the verification process is Verify = ECDSA(Card_Puk_LT, Sign, HASH), with HASH = SHA256(Card_Puk_T + CID); HASH may also be obtained by other methods, which are not described in this embodiment.
It can be seen from the foregoing technical solutions that, in the method for processing a control key provided in this embodiment of the application, the terminal device and the security device each generate a public-private key pair, and each side generates a session key according to the public key it acquired and the private key in the pair it generated. On the terminal device side, the verification data is obtained by encrypting with the session key, and the control data is decrypted with the session key to obtain the control key. On the security device side, the verification data is decrypted with the session key, and the control key is encrypted with the session key to generate the control data. Encryption and decryption of the control key through the session key are thus implemented. The data exchanged between the terminal device side and the security device side includes both the public keys and the verification data: the public keys serve to obtain the session key, and the verification data is used for verification by the security device. Therefore, although the control data, the public keys of both parties and the verification data are disclosed, the session key used for encryption and decryption cannot be learned from this data, and security is improved.
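The exchange of steps 401 to 414, with the ShareKey/SessionKey, Sign and AuthKey constructions described above, as an added example for Node.js; it is not code from the application. The page leaves the curve, the HMAC hash and keying, the AES mode and the Random_Card length open, so P-256, HMAC-SHA256 keyed with the first argument, AES-256-GCM and 16 bytes are assumptions, all function names are hypothetical, and the CERT check of step 409 is replaced by a long-term public key the security device is assumed to trust already.

```javascript
const crypto = require('crypto');

// Choices the page leaves open, fixed here as assumptions:
// curve P-256, HMAC-SHA256, AES-256-GCM, 16-byte Random_Card.
const CURVE = 'prime256v1';
const NONCE_LEN = 16;

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// ShareKey = ECDH(peer public, own private); SessionKey = HMAC(ShareKey + CID).
function sessionKey(ownEcdh, peerPublic, cid) {
  return hmac(ownEcdh.computeSecret(peerPublic), cid); // throws on an invalid point
}

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plain) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plain), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function open(key, msg) {
  if (msg.length < 28) throw new Error('message too short');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.subarray(0, 12));
  decipher.setAuthTag(msg.subarray(12, 28));
  // final() throws if the data was modified or sealed under another SessionKey
  return Buffer.concat([decipher.update(msg.subarray(28)), decipher.final()]);
}

// Terminal device, steps 401 and 404-406. `terminal` is { cid, longTermPrivate }.
function terminalHello(terminal, devicePublic) {
  const eph = crypto.createECDH(CURVE);
  const cardPublic = eph.generateKeys(); // Card_Puk_T; Card_Prk_T stays inside eph
  const key = sessionKey(eph, devicePublic, terminal.cid);
  const randomCard = crypto.randomBytes(NONCE_LEN);
  // Sign = ECDSA(Card_Prk_LT, SHA256(Card_Puk_T + CID))
  const signed = Buffer.concat([cardPublic, terminal.cid]);
  const sign = crypto.sign('sha256', signed, terminal.longTermPrivate);
  // Random_Card goes first so the variable-length DER signature can follow it.
  const encrypted = seal(key, Buffer.concat([randomCard, sign]));
  return { key, randomCard, cardPublic, encrypted };
}

// Security device, steps 407-411. `device` is { eph, mk }; trustedKey stands in
// for the public key that step 409 would take from the verified CERT.
function deviceIssue(device, cid, trustedKey, cardPublic, encrypted) {
  const key = sessionKey(device.eph, cardPublic, cid);
  const plain = open(key, encrypted);
  const randomCard = plain.subarray(0, NONCE_LEN);
  const signed = Buffer.concat([cardPublic, cid]);
  if (!crypto.verify('sha256', signed, trustedKey, plain.subarray(NONCE_LEN))) {
    throw new Error('signature of terminal device rejected');
  }
  const authKey = hmac(device.mk, cid); // AuthKey = HMAC(MK, CID)
  return seal(key, Buffer.concat([authKey, randomCard])); // control data
}

// Terminal device, steps 413-414: keep AuthKey only if the echoed random
// number equals the Random_Card generated for this session.
function terminalAccept(state, controlData) {
  const plain = open(state.key, controlData);
  const echoed = plain.subarray(32);
  if (echoed.length !== NONCE_LEN || !crypto.timingSafeEqual(echoed, state.randomCard)) {
    throw new Error('random number mismatch');
  }
  return plain.subarray(0, 32);
}

// Constructed parties: fresh keys, a made-up CID and a random MK.
function newTerminal(cid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: CURVE });
  return { cid: Buffer.from(cid), longTermPrivate: privateKey, longTermPublic: publicKey };
}

function newDevice() {
  const eph = crypto.createECDH(CURVE);
  return { eph, devicePublic: eph.generateKeys(), mk: crypto.randomBytes(32) };
}

function enrol(terminal, device, trustedKey) {
  const state = terminalHello(terminal, device.devicePublic);
  const controlData = deviceIssue(device, terminal.cid, trustedKey, state.cardPublic, state.encrypted);
  return { state, controlData, authKey: terminalAccept(state, controlData) };
}

const demoTerminal = newTerminal('CID-0001');
const demoRun = enrol(demoTerminal, newDevice(), demoTerminal.longTermPublic);
console.log('AuthKey stored by terminal:', demoRun.authKey.toString('hex'));
```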
When studying the method for processing the control key provided by the application, the inventor of the application found that the most commonly adopted communication mode between the security device and the terminal device is short-distance radio frequency communication, and that in this communication mode the security device and the terminal device are vulnerable to man-in-the-middle attacks, replay/flood attacks and dictionary attacks.
Therefore, in the application, the processor of the security device and the terminal device generate a pair of secure session keys for the control key. To other devices, the processor of the security device and the terminal device disclose only limited air interface packet data, such as their public keys, the verification data, and the control data; the session keys are not disclosed and remain secure, so that security is improved. Man-in-the-middle attacks, replay/flood attacks and dictionary attacks are addressed in the following ways:
man-in-the-middle attack: the public and private key pair of the terminal device participates in generating the signature of the terminal device, and the man-in-the-middle attack is resisted on the security device side through double verification of the certificate of the terminal device and the signature of the terminal device;
replay/flood attacks: the public and private key pairs generated by the processor of the security device and by the terminal device can be temporary public and private key pairs, and replay/flood attacks are resisted through the random number generated by the terminal device;
dictionary attack: the dictionary attack is resisted through the random number generated by the terminal device and through double verification, on the security device side, of the certificate of the terminal device and the signature of the terminal device.
The method for processing the control key provided by the application is described below with reference to an application scenario. For example, the security device may be an intelligent lock and the terminal device may be an access control card based on NFC technology. The access control card and the intelligent lock communicate with each other through an NFC protocol, the access control card stores a control key for controlling unlocking of the intelligent lock, and the access control card may control unlocking of the intelligent lock through the control key when the two come into contact. The intelligent lock and the access control card generate the control key and control the intelligent lock to unlock by using the method for processing the control key provided by the application, as follows:
The intelligent lock and the access control card each generate a public and private key pair and send the public key of the generated pair to the other party. The access control card generates a session key according to the private key it generated and the public key of the intelligent lock, and then encrypts the signature of the access control card, the random number generated by the access control card and the certificate of the access control card through the session key to obtain verification data, which can be sent to the intelligent lock together with the public key of the access control card.
When the intelligent lock receives the verification data and the public key of the access control card, it generates a session key according to the private key it generated and the public key of the access control card, and decrypts the verification data by using that session key to obtain the signature of the access control card, the random number generated by the access control card and the certificate of the access control card. If the intelligent lock verifies that the signature of the access control card and the certificate of the access control card are legal, it generates a control key, encrypts the control key and the random number generated by the access control card to generate control data, and sends the control data to the access control card.
After the access control card obtains the control data, it decrypts the control data with its session key to obtain the control key and the random number corresponding to the control data. If the random number corresponding to the control data is the same as the random number generated by the access control card, the access control card has the authority to unlock the intelligent lock, and at this time the intelligent lock is unlocked.
The access control card can directly use the control key when it controls the intelligent lock to unlock again. For example, when the access control card communicates with the intelligent lock based on NFC technology, the control data previously verified between the access control card and the intelligent lock is sent to the access control card, the access control card verifies the random number corresponding to the control data, and the intelligent lock can be controlled to unlock when that random number is verified to be the same as the random number generated by the access control card. Alternatively, after the access control card unlocks the intelligent lock through the control key, the intelligent lock stores the identity of the access control card; when the access control card again controls the intelligent lock to unlock, the intelligent lock verifies whether the identity of the access control card is stored in the intelligent lock, and if it is, the intelligent lock can be controlled to unlock.
The method for processing the control key provided by the application can be applied to devices other than the intelligent lock and the NFC-based access control card. For example, the security device can be a device that needs identity authentication, such as a household device (device 1 for short, for example a television), and the terminal device can be an identity authentication input device (device 2 for short, for example a microphone), where the voice data of a user is collected through the microphone for identity authentication. Device 1 can generate the control data according to the flow of the intelligent lock, and device 2 can decrypt the control data according to the flow of the access control card. If the decrypted random number is the same as the random number generated by device 2, device 1 is controlled to switch states through the decrypted control key. The state switching can be a preset switching, for example controlling device 1 to switch channels or power off, and may be changed according to the user's needs. During the state switching of device 1, the identity of device 2 (for example, the voice data of the user corresponding to device 2) may also be saved; when device 2 controls device 1 to switch states again, device 1 may verify whether the identity of device 2 is saved in device 1, and if it is, device 1 may be controlled to switch states.
With further reference to fig. 5, as an implementation of the methods shown in some of the above figures, the present application provides an embodiment of an apparatus for processing a control key, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various terminal devices.
As shown in fig. 5, the apparatus 500 for processing a control key of the present embodiment includes: a first acquisition unit 501, an encryption unit 502, a transmission unit 503, a second acquisition unit 504, and a determination unit 505.
The first obtaining unit 501 is configured to obtain a public key in a public-private key pair generated by the security device, and generate a session key according to a private key in the public-private key pair generated by the terminal device and the obtained public key.
An encryption unit 502, configured to encrypt the signature of the terminal device, the first data of the terminal device, and the certificate of the terminal device through the session key to obtain the verification data.
A sending unit 503, configured to send the verification data and the public key in the public and private key pair generated by the terminal device to the security device.
A second obtaining unit 504, configured to obtain the control data generated by the security device, and decrypt the control data through the session key to obtain the control key and the second data corresponding to the control data.
A determining unit 505, configured to determine, according to the second data corresponding to the control data, whether the control key is used for performing the control corresponding to the control key on the security device.
In this embodiment, specific processing of the first obtaining unit 501, the encrypting unit 502, the sending unit 503, the second obtaining unit 504 and the determining unit 505 and technical effects thereof may refer to a related description of the embodiment from step 201 to step 205 in the embodiment corresponding to fig. 2 and a related description of steps in the embodiment corresponding to fig. 4, which are not repeated herein.
In some optional implementations of this embodiment, the first obtaining unit 501 is specifically configured to generate a shared key according to a private key in a public-private key pair generated by the terminal device and the obtained public key; and generating a session key according to the shared key and the identity of the terminal equipment.
The signature of the terminal device to be encrypted in the encryption unit 502 is generated according to the public-private key pair generated by the terminal device and the identity of the terminal device. Generating the signature in this way comprises: generating a hash value according to the public key in the public-private key pair generated by the terminal device and the identity of the terminal device; and generating the signature of the terminal device according to the hash value and the private key in the public-private key pair generated by the terminal device.
In some optional implementations of this embodiment, the apparatus 500 for processing a control key further includes a storing unit configured to store the control key if the second data corresponding to the control data is the same as the first data of the terminal device. For details, refer to the above method embodiment, which is not repeated here.
With further reference to fig. 6, as an implementation of the methods shown in some of the above figures, the present application provides an embodiment of an apparatus for processing a control key, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 3, and the apparatus may be specifically applied to processors of various security devices.
As shown in fig. 6, the apparatus 600 for processing a control key of the present embodiment includes: a key obtaining unit 601, a decryption unit 602, a verifying unit 603, a key generating unit 604, an encryption unit 605, and a sending unit 606.
A key obtaining unit 601 configured to obtain the verification data generated by the terminal device and the public key in the public and private key pair generated by the terminal device, and generate a session key according to the private key in the public and private key pair generated by the security device and the obtained public key.
A decryption unit 602 configured to decrypt the verification data with the session key to obtain the signature of the terminal device, the first data of the terminal device, and the certificate of the terminal device.
The verifying unit 603 is configured to verify the signature of the terminal device and the certificate of the terminal device, and obtain a verification result.
The key generation unit 604 is configured to generate the control key if the verification result indicates that the signature of the terminal device and the certificate of the terminal device are legal.
An encryption unit 605 configured to encrypt the control key and the first data of the terminal device by the session key to obtain the control data.
A sending unit 606 configured to send the control data to the terminal device.
In this embodiment, specific processes of the key obtaining unit 601, the decryption unit 602, the verification unit 603, the key generating unit 604, the encryption unit 605 and the sending unit 606 and technical effects brought by the specific processes may refer to the relevant descriptions of the embodiments from step 301 to step 304 in the embodiment corresponding to fig. 3 and the relevant descriptions of the steps in the embodiment corresponding to fig. 4, which are not repeated herein.
In some optional implementations of this embodiment, the verifying unit 603 is specifically configured to obtain a certificate digest and a certificate signature corresponding to the certificate of the terminal device; and to verify the certificate digest and the certificate signature through the public key of the certificate of the terminal device, and verify the signature of the terminal device through the obtained public key, to obtain a verification result.
In some optional implementations of this embodiment, the key generating unit 604 is specifically configured to generate a shared key according to a private key in a public-private key pair generated by the security device and the obtained public key; and generating a session key according to the shared key and the identity of the terminal equipment, wherein the identity of the terminal equipment is obtained through an equipment selection request.
It should be noted that at least one of the apparatus 500 for processing a control key and the apparatus 600 for processing a control key may be a chip, a component or a module. The apparatus 500 for processing a control key may include a processor and a memory; the first obtaining unit 501, the encryption unit 502, the sending unit 503, the second obtaining unit 504, the determining unit 505, and the like are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor may include a kernel, which calls the corresponding program unit from the memory. One or more kernels may be provided, and security is improved by adjusting kernel parameters. The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
Likewise, the apparatus 600 for processing a control key may include a processor and a memory; the key obtaining unit 601, the decryption unit 602, the verifying unit 603, the key generating unit 604, the encryption unit 605, the sending unit 606, and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.
The processor may include a kernel, which calls the corresponding program unit from the memory. One or more kernels may be provided, and security is improved by adjusting kernel parameters. The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
In the apparatus for processing a control key according to the above embodiments of the present application, the terminal device and the security device each generate a public-private key pair, and each side generates the session key from the public key it acquires and the private key of its own key pair. The terminal device side obtains the verification data by encrypting with the session key and decrypts the control data with the session key to obtain the control key; the security device side decrypts the verification data with the session key and encrypts the control key with the session key to generate the control data. The control key is thus encrypted and decrypted with the session key. Besides the control data, the data exchanged between the terminal device side and the security device side includes both sides' public keys and the verification data: the public keys are used to obtain the session key, and the verification data is used for verifying the security device. Therefore, although the control data, both sides' public keys and the verification data are disclosed, the session key used for encryption and decryption cannot be learned from these data, which improves security.
Further, the present application provides a system for processing a control key. As shown in fig. 1, the system is described taking a processor of the terminal device and the security device as an example.
The terminal equipment is configured to acquire a public key in a public and private key pair generated by the security equipment and generate a session key according to a private key in the public and private key pair generated by the terminal equipment and the acquired public key; encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data; sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment; acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data; and determining whether the control key is used for controlling the security equipment corresponding to the control key according to the second data corresponding to the control data.
The security device is configured to acquire verification data generated by the terminal device and a public key in a public and private key pair generated by the terminal device, and generate a session key according to a private key in the public and private key pair generated by the security device and the acquired public key; decrypting the verification data through the session key to obtain a signature of the terminal equipment, first data of the terminal equipment and a certificate of the terminal equipment, and verifying the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result; if the verification result shows that the signature of the terminal equipment and the certificate of the terminal equipment are legal, generating a control key, and encrypting the control key and first data of the terminal equipment through a session key to obtain control data; and sending the control data to the terminal equipment.
For the timing chart of the terminal device and the security device, reference may be made to fig. 4, which is not described herein again.
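The exchange between the terminal device and the security device described above, written out for both sides as an added example that is not part of the patent text. The curve (P-256 for both key agreement and signing), HKDF-SHA256, AES-256-GCM, the toy issuer-signed certificate and all function names are assumptions; the text does not name any of them.

```javascript
// Added illustration, not code from the patent. Curve, KDF, cipher, the toy
// certificate and every function name are assumptions; the text names none.
const crypto = require('node:crypto');

const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const exportPub = (key) => key.export({ type: 'spki', format: 'der' });
const importPub = (der) => crypto.createPublicKey({ key: der, type: 'spki', format: 'der' });

// Shared key from own private key and peer public key, then
// session key = KDF(shared key, terminal identity).
function deriveSessionKey(ownPrivate, peerPublic, terminalId) {
  const shared = crypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), Buffer.from(terminalId), 32));
}

// AES-256-GCM over a JSON payload; output layout is iv(12) || tag(16) || ciphertext.
function seal(sessionKey, fields) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(fields)), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Returns the decrypted fields, or null when the key is wrong or the data was altered.
function unseal(sessionKey, blob) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    const body = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    return JSON.parse(body.toString());
  } catch {
    return null;
  }
}

// Constructed stand-in for the terminal certificate: issuer signature over the identity.
function issueCertificate(issuerPrivate, terminalId) {
  const sig = crypto.sign('sha256', Buffer.from(terminalId), issuerPrivate);
  return { id: terminalId, sig: sig.toString('base64') };
}

// Terminal: derive the session key, sign, and encrypt the verification data.
function terminalHello(terminal, devicePubDer) {
  const keys = newKeyPair();
  const pubDer = exportPub(keys.publicKey);
  const sessionKey = deriveSessionKey(keys.privateKey, importPub(devicePubDer), terminal.id);
  // Signature over hash(public key || identity) with the matching private key.
  const signed = Buffer.concat([pubDer, Buffer.from(terminal.id)]);
  const signature = crypto.sign('sha256', signed, keys.privateKey);
  const firstData = crypto.randomBytes(16); // the terminal's random number
  const verificationData = seal(sessionKey, {
    signature: signature.toString('base64'),
    firstData: firstData.toString('base64'),
    certificate: terminal.certificate,
  });
  return { state: { sessionKey, firstData }, message: { verificationData, terminalPubDer: pubDer } };
}

// Security device: decrypt, verify signature and certificate, then issue the control key.
// terminalId is the identity received earlier in the device selection request.
function deviceRespond(device, terminalId, message) {
  const terminalPub = importPub(message.terminalPubDer);
  const sessionKey = deriveSessionKey(device.keys.privateKey, terminalPub, terminalId);
  const fields = unseal(sessionKey, message.verificationData);
  if (!fields) return null;
  const signed = Buffer.concat([message.terminalPubDer, Buffer.from(terminalId)]);
  const sigOk = crypto.verify('sha256', signed, terminalPub, Buffer.from(fields.signature || '', 'base64'));
  const cert = fields.certificate || {};
  const certOk = cert.id === terminalId &&
    crypto.verify('sha256', Buffer.from(cert.id), device.issuerPublic, Buffer.from(cert.sig || '', 'base64'));
  if (!sigOk || !certOk) return null;
  const controlKey = crypto.randomBytes(16);
  device.controlKeys.set(terminalId, controlKey);
  return seal(sessionKey, { controlKey: controlKey.toString('base64'), secondData: fields.firstData });
}

// Terminal: keep the control key only when the echoed second data equals the
// first data sent in this session.
function terminalFinish(state, controlData) {
  const fields = unseal(state.sessionKey, controlData);
  if (!fields) return null;
  const second = Buffer.from(fields.secondData || '', 'base64');
  const fresh = second.length === state.firstData.length &&
    crypto.timingSafeEqual(second, state.firstData);
  return fresh ? Buffer.from(fields.controlKey || '', 'base64') : null;
}

// One complete run with constructed identities and keys.
function runExchange() {
  const issuer = newKeyPair(); // constructed certificate issuer
  const id = 'terminal-001';   // constructed identity
  const terminal = { id, certificate: issueCertificate(issuer.privateKey, id) };
  const device = { keys: newKeyPair(), issuerPublic: issuer.publicKey, controlKeys: new Map() };
  const hello = terminalHello(terminal, exportPub(device.keys.publicKey));
  const controlData = deviceRespond(device, id, hello.message);
  const controlKey = terminalFinish(hello.state, controlData);
  return { terminal, device, hello, controlData, controlKey };
}
```

Because each terminal session uses a fresh key pair and fresh first data, control data captured from one session neither decrypts nor passes the comparison in another.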
Referring now to fig. 7, shown is a block diagram of a terminal device 700 suitable for use in implementing some embodiments of the present application. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 7, the terminal device 700 may include a processor 701, a memory 702, a communication interface 703, an input unit 704, an output unit 705, and a communication bus 706. Wherein the processor 701 and the memory 702 are connected to each other via a communication bus 706. A communication interface 703, an input unit 704 and an output unit 705 are also connected to the communication bus 706.
The communication interface 703 may be an interface of a communication module, such as an interface of a GSM module. The communication interface 703 may be configured to send the verification data and a public key in a public-private key pair generated by the terminal device to the security device, and the communication interface 703 is further configured to receive control data generated by the security device.
In the embodiment of the present application, the processor 701 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field-programmable gate array (FPGA), or another programmable logic device.
In one possible implementation, the memory 702 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as an encryption/decryption function, an authentication function, and the like), and the like; the storage data area may store data created according to the use of the computer, such as a public key, a private key, first data, second data, and control data, etc.
Further, the memory 702 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid state storage device.
The processor 701 may call a program stored in the memory 702, and in particular, the processor 701 may execute the method for processing the control key as shown in any of the embodiments of fig. 2 and 4 above.
The memory 702 is used for storing one or more programs. A program may include program code, and the program code includes computer operation instructions. In this embodiment, the memory 702 stores at least a program for realizing the following functions:
acquiring a public key in a public and private key pair generated by security equipment, and generating a session key according to a private key in the public and private key pair generated by terminal equipment and the acquired public key;
encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data;
sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment;
acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data;
and determining whether the control key is used for controlling the security equipment corresponding to the control key according to the second data corresponding to the control data.
The present application may further include an input unit 705, and the input unit 705 may include at least one of a touch sensing unit that senses a touch event on the touch display panel, a keyboard, a mouse, a camera, a microphone, and the like.
The output unit 704 may include: at least one of a display, a speaker, a vibration mechanism, a light, and the like. The display may comprise a display panel, such as a touch display panel or the like. In one possible case, the display panel may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. The vibration mechanism may displace the electronic device 700 during operation; in one possible implementation, the vibration mechanism includes a motor and an eccentric vibrator, and the motor drives the eccentric vibrator to rotate so as to generate vibration. The brightness and/or color of the light can be adjusted. In a possible implementation, different information can be conveyed through at least one of the on/off state, brightness and color of the light; for example, alarm information can be conveyed by the light emitting red.
Of course, the structure of the terminal device 700 shown in fig. 7 does not constitute a limitation of the terminal device in the embodiment of the present application, and in practical applications, the terminal device may include more or less components than those shown in fig. 7, or some components may be combined.
The present application provides a computer readable medium, on which a computer program is stored, where the program is executed by a processor to implement the method for pushing information described in the above method embodiments.
The present application provides a processor, which is configured to execute a program, where the program executes to implement the method for processing a control key described in the above method embodiments.
The present application further provides a computer program product which, when executed on a data processing device, causes the data processing device to implement the method for processing a control key as described in the above method embodiments.
In addition, the terminal device, the processor, the computer readable medium, or the computer program product provided in the foregoing embodiments of the present application may all be configured to execute the corresponding method provided above, and therefore, the beneficial effects achieved by the terminal device, the processor, the computer readable medium, or the computer program product may refer to the beneficial effects in the corresponding method provided above, and are not described herein again.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only for the purpose of illustrating the preferred embodiments of the present application and the technical principles applied, and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. The scope of the invention according to the present application is not limited to the specific combinations of the above-described features, and may also cover other embodiments in which the above-described features or their equivalents are arbitrarily combined without departing from the spirit of the invention. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (11)

1. A method for processing a control key, applied to a terminal device, the method comprising:
acquiring a public key in a public and private key pair generated by security equipment, and generating a session key according to a private key in the public and private key pair generated by the terminal equipment and the acquired public key;
encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data;
sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment;
acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data;
and determining whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data.
2. The method of claim 1, wherein generating a session key according to a private key of a public-private key pair generated by the terminal device and the obtained public key comprises:
generating a shared key according to a private key in a public and private key pair generated by the terminal equipment and the obtained public key;
and generating the session key according to the shared key and the identity of the terminal equipment.
3. The method of claim 1, wherein the signature of the terminal device is generated according to a public and private key pair generated by the terminal device and an identity of the terminal device.
4. The method of claim 3, wherein the generating of the signature of the terminal device according to the public and private key pair generated by the terminal device and the identity of the terminal device comprises:
generating a hash value according to a public key in a public and private key pair generated by the terminal equipment and an identity of the terminal equipment;
and generating a signature of the terminal equipment according to the hash value and a private key in a public and private key pair generated by the terminal equipment.
5. The method of claim 1, further comprising: if the second data corresponding to the control data is the same as the first data of the terminal equipment, storing the control key.
6. A method for processing a control key, applied to a processor of a security device, the method comprising:
acquiring verification data generated by the terminal equipment and a public key in a public and private key pair generated by the terminal equipment, and generating a session key according to a private key in the public and private key pair generated by the security equipment and the acquired public key;
decrypting the verification data through the session key to obtain a signature of the terminal equipment, first data of the terminal equipment and a certificate of the terminal equipment, and verifying the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result;
if the verification result shows that the signature of the terminal equipment and the certificate of the terminal equipment are legal, generating a control key, and encrypting the control key and the first data of the terminal equipment through the session key to obtain control data;
and sending the control data to the terminal equipment.
7. The method of claim 6, wherein the verifying the signature of the terminal device and the certificate of the terminal device comprises:
acquiring a certificate digest and a certificate signature corresponding to the certificate of the terminal equipment;
and verifying the certificate digest and the certificate signature through a public key of the certificate of the terminal equipment, and verifying the signature of the terminal equipment through the obtained public key to obtain the verification result.
8. The method of claim 6, wherein generating a session key according to a private key of a public-private key pair generated by the security device and the obtained public key comprises:
generating a shared key according to a private key in a public and private key pair generated by the security equipment and the obtained public key;
and generating the session key according to the shared key and the identity of the terminal equipment, wherein the identity of the terminal equipment is obtained through an equipment selection request.
9. An apparatus for processing a control key, wherein the apparatus is applied to a terminal device, and the apparatus comprises:
a first obtaining unit configured to obtain a public key in a public and private key pair generated by security equipment, and generate a session key according to a private key in the public and private key pair generated by the terminal equipment and the obtained public key;
the encryption unit is configured to encrypt the signature of the terminal device, the first data of the terminal device and the certificate of the terminal device through the session key to obtain verification data;
the sending unit is configured to send the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment;
the second acquisition unit is configured to acquire the control data generated by the security equipment, decrypt the control data through the session key and obtain a control key and second data corresponding to the control data;
the determining unit is configured to determine whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data.
10. An apparatus for processing a control key, applied to a processor of a security device, the apparatus comprising:
a key obtaining unit configured to obtain verification data generated by the terminal device and a public key in a public and private key pair generated by the terminal device, and generate a session key according to the private key in the public and private key pair generated by the security device and the obtained public key;
a decryption unit configured to decrypt the verification data through the session key to obtain a signature of the terminal device, first data of the terminal device, and a certificate of the terminal device;
the verification unit is configured to verify the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result;
a key generation unit configured to generate a control key if the verification result indicates that the signature of the terminal device and the certificate of the terminal device are legal;
an encryption unit configured to encrypt the control key and first data of the terminal device by the session key to obtain control data;
a transmitting unit configured to transmit the control data to the terminal device.
11. A system for processing a control key, the system comprising: terminal equipment and security equipment;
the terminal equipment is configured to acquire a public key in a public and private key pair generated by security equipment, and generate a session key according to a private key in the public and private key pair generated by the terminal equipment and the acquired public key; encrypting the signature of the terminal equipment, the first data of the terminal equipment and the certificate of the terminal equipment through the session key to obtain verification data; sending the verification data and a public key in a public and private key pair generated by the terminal equipment to the security equipment; acquiring control data generated by the security equipment, and decrypting the control data through the session key to obtain a control key and second data corresponding to the control data; determining whether the control key is used for controlling the security equipment corresponding to the control key according to second data corresponding to the control data;
the security device is configured to acquire verification data generated by the terminal device and a public key in a public and private key pair generated by the terminal device, and generate a session key according to the private key in the public and private key pair generated by the security device and the acquired public key; decrypting the verification data through the session key to obtain a signature of the terminal equipment, first data of the terminal equipment and a certificate of the terminal equipment, and verifying the signature of the terminal equipment and the certificate of the terminal equipment to obtain a verification result; if the verification result shows that the signature of the terminal equipment and the certificate of the terminal equipment are legal, generating a control key, and encrypting the control key and the first data of the terminal equipment through the session key to obtain control data; and sending the control data to the terminal equipment.
CN202010617589.5A 2020-06-30 2020-06-30 Method and apparatus for processing control key Pending CN113873513A (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN202010617589.5A CN113873513A (en) 2020-06-30 2020-06-30 Method and apparatus for processing control key
PCT/CN2021/103621 WO2022002146A1 (en) 2020-06-30 2021-06-30 Smart device control method and system
EP21831982.0A EP4161033A4 (en) 2020-06-30 2021-06-30 Smart device control method and system
US18/146,986 US20230140203A1 (en) 2020-06-30 2022-12-27 Smart device control methods and systems

Publications (1)

Publication Number Publication Date
CN113873513A true CN113873513A (en) 2021-12-31

Family

ID=78981818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010617589.5A Pending CN113873513A (en) 2020-06-30 2020-06-30 Method and apparatus for processing control key

Country Status (1)

Country Link
CN (1) CN113873513A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103580853A (en) * 2012-08-03 2014-02-12 英飞凌科技股份有限公司 Mobile electronic device
US20160149908A1 (en) * 2014-02-18 2016-05-26 Panasonic Intellectual Property Corporation Of America Authentication method and authentication system
CN105900375A (en) * 2014-01-13 2016-08-24 维萨国际服务协会 Efficient methods for protecting identity in authenticated transmissions
US20170055148A1 (en) * 2015-08-21 2017-02-23 Kiban Labs, Inc. Apparatus and method for sharing wifi security data in an internet of things (iot) system
CN109493488A (en) * 2018-11-23 2019-03-19 北京小米移动软件有限公司 Smart card authentication method, smart lock, smart card, system and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张楠等: "开放式RFID双向认证协议及安全性分析", 《计算机应用》 *
杨义先编著: "《应用密码学》", 1 June 2013, 北京邮电大学出版社 *

Similar Documents

Publication Publication Date Title
JP7119040B2 (en) Data transmission method, device and system
CN105162772B (en) A kind of internet of things equipment certifiede-mail protocol method and apparatus
CN110380852B (en) Bidirectional authentication method and communication system
US10601801B2 (en) Identity authentication method and apparatus
CN107743133B (en) Mobile terminal and access control method and system based on trusted security environment
EP3633913A1 (en) Provisioning a secure connection using a pre-shared key
US10015159B2 (en) Terminal authentication system, server device, and terminal authentication method
US20170195121A1 (en) Token binding using trust module protected keys
JP2020526146A (en) Symmetric mutual authentication method between first application and second application
EP3695561B1 (en) Secure provisioning of data to client device
CN103532713A (en) Sensor authentication and sharing key generating method, sensor authentication and sharing key generating system and sensor
KR20150079489A (en) Instant messaging method and system
CN112351037B (en) Information processing method and device for secure communication
JP2019514314A (en) Method, system and medium for using dynamic public key infrastructure to send and receive encrypted messages
CN113132087A (en) Internet of things, identity authentication and secret communication method, chip, equipment and medium
CN112311543B (en) GBA key generation method, terminal and NAF network element
CN113556230A (en) Data security transmission method, certificate correlation method, server, system and medium
CN114553590A (en) Data transmission method and related equipment
CN110268675B (en) Programmable hardware security module and method on programmable hardware security module
CN117081736A (en) Key distribution method, key distribution device, communication method, and communication device
CN111654481B (en) Identity authentication method, identity authentication device and storage medium
CN116346341A (en) Private key protection and server access method, system, equipment and storage medium
US11240661B2 (en) Secure simultaneous authentication of equals anti-clogging mechanism
US9876774B2 (en) Communication security system and method
CN111064577A (en) Security authentication method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211231
