KEY DOWNLOADING METHOD, MANAGEMENT METHOD, DOWNLOADING MANAGEMENT METHOD, DEVICE AND SYSTEM
Abstract
Disclosed is a key downloading management method, comprising: a device end authorizing the validity of an RKS server by checking a digital signature of a work certificate public key of the RKS server; the RKS server generating an authentication token (AT), encrypting it by using an identity authentication secondary key DK2 of the device end, and sending the ciphertext to the device end; the device end decrypting the ciphertext by using the identity authentication secondary key DK2 saved thereby, encrypting the decrypted result by using the work certificate public key and then returning same to the RKS server; and the RKS server decrypting same by using its work certificate private key and then comparing whether the received authentication token (AT) is the same as the generated authentication token (AT), and if so, it is indicated that the device end is valid, thereby achieving bidirectional identity authentication.
6 Claims
1. A key downloading method, comprising:
sending a device sequence number DSN and a device identity authentication request to an RKS server via a device terminal;
receiving the working certificate public key RKS_WCRT_PK sent by the RKS server, via the device terminal;
verifying if the digital signature of RKS_WCRT_PK is valid by using a root public key certificate RKS_RCRT, and if so, encrypting a divergence factor by using RKS_WCRT_PK to obtain a divergence factor cipher text, and sending the divergence factor cipher text to the RKS server, via the device terminal;
receiving the cipher text AT_TK1 sent by the RKS server via the device terminal, wherein the cipher text AT_TK1 is obtained through encrypting the authentication token AT and the first transmission key component TK1 by the secondary device identity authentication key DIK2;
the DIK2 is generated by calling the secondary device identity authentication key generating function according to the device sequence number DSN and a primary device identity authentication key DIK1;
decrypting the cipher text AT_TK1 by using DIK2 to obtain clear texts AT and TK1, via the device terminal;
generating the third random number as the second transmission key component TK2, performing XOR on TK1 and TK2 to obtain a transmission key TK, calculating SHA256 verification value of TK to obtain TK_SHA2, via the device terminal;
encrypting AT, TK2, and TK_SHA2 by using RKS_WCRT_PK to obtain the cipher text AT_TK2_TK_SHA2, and sending the cipher text AT_TK2_TK_SHA2 to the RKS server, via the device terminal;
receiving a key cipher text sent by the RKS server via the device terminal, wherein the key cipher text is obtained through encrypting the key to be downloaded by TK;
decrypting the key cipher text by using TK to obtain a key clear text, storing the key in a security module, via the device terminal; and
judging if the key downloading is complete, and if complete, clearing AT, TK and RKS_WCRT_PK, via the device terminal.
2. A key management method, comprising:
receiving a device sequence number DSN and a device identity authentication request sent from at least one device terminal via an RKS server;
sending a working certificate public key RKS_WCRT_PK to the device terminal via the RKS server;
receiving the divergence factor cipher text sent by the device terminal, via the RKS server;
decrypting the divergence factor cipher text by using the working certificate private key RKS_WCRT_SK to obtain the divergence factor clear text, via the RKS server;
taking the DSN as the index to read the corresponding primary device identity authentication key DIK1 from the primary device identity authentication key database via the RKS server;
calling the secondary device identity authentication key generating function to generate a secondary device identity authentication key DIK2 according to the device sequence number DSN and DIK1;
generating a 24-byte first random number as an authentication token AT and generating a second random number as a first transmission key component TK1 via the RKS server;
encrypting AT and TK1 by using DIK2 to obtain the cipher text AT_TK1 and sending the cipher text AT_TK1 to the device terminal via the RKS server;
receiving a cipher text AT_TK2_TK_SHA2 sent from the device terminal via the RKS server, wherein the cipher text AT_TK2_TK_SHA2 is obtained through encrypting AT, the second transmission key component TK2 and TK_SHA2 via the RKS_WCRT_PK, TK_SHA2 is the SHA256 verification value of the transmission key TK, TK is obtained through performing XOR on TK1 and TK2;
decrypting the cipher text AT_TK2_TK_SHA2 by using the working certificate private key to obtain clear texts AT, TK2, and TK_SHA2 via the RKS server, wherein RKS_WCRT_PK and RKS_WCRT_SK are a non-symmetric key pair;
judging if the received AT is equal to the sent AT, and if so, performing XOR on TK1 and TK2 to obtain TK, calculating the SHA256 verification value of TK to obtain TK_256, via the RKS server;
judging if TK_256 is equal to the received TK_SHA2, and if so, encrypting the key required to be downloaded by using TK to obtain the key cipher text, via the RKS server;
sending the key cipher text to the device terminal by the RKS server; and
clearing AT and TK by the RKS server to complete the key downloading process.
3. A key downloading management method, characterized by comprising:
sending a device sequence number DSN and a device identity authentication request to an RKS server via a device terminal;
sending a working certificate public key RKS_WCRT_PK to the device terminal via the RKS server;
verifying if the digital signature of RKS_WCRT_PK is valid by using a root public key certificate RKS_RCRT, and if so, encrypting a divergence factor by using RKS_WCRT_PK to obtain a divergence factor cipher text, via the device terminal;
sending the divergence factor cipher text to the RKS server by the device terminal;
decrypting the divergence factor cipher text by using the working certificate private key RKS_WCRT_SK to obtain the divergence factor clear text, via the RKS server;
taking the DSN as the index to read the corresponding primary device identity authentication key DIK1 from the primary device identity authentication key database via the RKS server;
calling the secondary device identity authentication key generating function to generate a secondary device identity authentication key DIK2 according to the device sequence number DSN and DIK1, via the RKS server;
generating a 24-byte first random number as an authentication token AT and generating a second random number as a first transmission key component TK1 via the RKS server;
encrypting AT and TK1 by using DIK2 to obtain the cipher text AT_TK1 and sending the cipher text AT_TK1 to the device terminal via the RKS server;
decrypting the cipher text AT_TK1 by using DIK2 to obtain clear texts AT and TK1, by the device terminal;
generating the third random number as the second transmission key component TK2, performing XOR on TK1 and TK2 to obtain a transmission key TK, calculating SHA256 verification value of TK to obtain TK_SHA2, via the device terminal;
encrypting AT, TK2, and TK_SHA2 by using RKS_WCRT_PK to obtain the cipher text AT_TK2_TK_SHA2, and sending the cipher text AT_TK2_TK_SHA2 to the RKS server, via the device terminal;
decrypting the cipher text AT_TK2_TK_SHA2 by using the working certificate private key to obtain clear texts AT, TK2, and TK_SHA2 via the RKS server, wherein RKS_WCRT_PK and RKS_WCRT_SK are a non-symmetric key pair;
judging if the received AT is equal to the sent AT, and if so, performing XOR on TK1 and TK2 to obtain TK, calculating the SHA256 verification value of TK to obtain TK_256, by the RKS server;
judging if TK_256 is equal to the received TK_SHA2, and if so, encrypting the key required to be downloaded by using TK to obtain the key cipher text and sending the key cipher text to the device terminal, by the RKS server;
decrypting the key cipher text by using TK to obtain a key clear text, storing the key in a security module, by the device terminal;
judging if the key downloading is complete, and if complete, clearing AT, TK and RKS_WCRT_PK, by the device terminal; and
clearing AT and TK by the RKS server to complete the key downloading process.
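The TK agreement and the two server-side checks recited in claims 2 and 3, as an added Python example that is not code from the patent. The DIK2 and RKS_WCRT_PK encryption layers are left out, so each message is shown as the clear texts a side holds after decryption; the 16-byte component length and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

AT_LEN = 24  # the claims fix the authentication token AT at 24 bytes
TK_LEN = 16  # assumption: the page does not state the length of TK1/TK2


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length key components."""
    if len(a) != len(b):
        raise ValueError("key components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def server_start():
    """RKS server: fresh AT and TK1 (sent to the device as AT_TK1 under DIK2)."""
    return secrets.token_bytes(AT_LEN), secrets.token_bytes(TK_LEN)


def device_respond(at: bytes, tk1: bytes):
    """Device: generate TK2, derive TK = TK1 XOR TK2 and TK_SHA2.

    Returns the device's TK and the clear text of AT_TK2_TK_SHA2.
    """
    tk2 = secrets.token_bytes(len(tk1))
    tk = xor_bytes(tk1, tk2)
    tk_sha2 = hashlib.sha256(tk).digest()
    return tk, (at, tk2, tk_sha2)


def server_verify(sent_at: bytes, tk1: bytes, reply):
    """RKS server: return TK only if the AT echo and the TK check both pass."""
    at, tk2, tk_sha2 = reply
    # Check 1: the returned AT must equal the AT the server sent.
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(at, sent_at):
        return None
    # A wrong-length TK2 is rejected instead of raising inside xor_bytes.
    if len(tk2) != len(tk1):
        return None
    tk = xor_bytes(tk1, tk2)
    tk_256 = hashlib.sha256(tk).digest()
    # Check 2: TK_256 computed by the server must equal the received TK_SHA2.
    if not hmac.compare_digest(tk_256, tk_sha2):
        return None
    return tk


if __name__ == "__main__":
    at, tk1 = server_start()
    tk_device, reply = device_respond(at, tk1)
    tk_server = server_verify(at, tk1, reply)
    print("both sides hold the same TK:", tk_server == tk_device)
    # Constructed failure case: TK2 altered after TK_SHA2 was computed.
    bad_tk2 = bytes([reply[1][0] ^ 0x01]) + reply[1][1:]
    print("altered TK2 accepted:", server_verify(at, tk1, (at, bad_tk2, reply[2])) is not None)
```

Only a reply that passes both checks yields a TK on the server, so the key to be downloaded is never encrypted under a TK the two sides do not share.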
4. A key downloading device, comprising:
an authentication request sending unit for sending a device sequence number DSN and a device identity authentication request to an RKS server;
a first receiving unit for receiving a working certificate public key RKS_WCRT_PK sent by the RKS server;
a server identity verifying unit for verifying if the digital signature of RKS_WCRT_PK is valid by using a root public key certificate RKS_RCRT;
a first encrypting unit for encrypting the divergence factor by using RKS_WCRT_PK to obtain a divergence factor cipher text when the server verifying unit judges that the digital signature is valid;
a first sending unit for sending the divergence factor cipher text to the RKS server;
a second receiving unit for receiving the cipher text AT_TK1 sent by the RKS server, wherein the cipher text AT_TK1 is obtained through encrypting the authentication token AT and the first transmission key component TK1 by the secondary device identity authentication key DIK2;
the DIK2 is generated by calling the secondary device identity authentication key generating function according to the device sequence number DSN and a primary device identity authentication key DIK1;
a first decrypting unit for decrypting the cipher text AT_TK1 by using DIK2 to obtain clear texts AT and TK1;
a second transmission key component generating unit for generating a third random number as the second transmission key component TK2;
a first transmission key computation unit for performing XOR on TK1 and TK2 to obtain a transmission key TK and calculating SHA256 verification value of TK to obtain TK_SHA2;
a third receiving unit for receiving a key cipher text sent by the RKS server, wherein the key cipher text is obtained through encrypting the key to be downloaded by TK;
a second decrypting unit for decrypting the key cipher text by using TK to obtain a key clear text;
a key downloading unit for storing the key in a security module; and
a first clearing unit for judging if the key downloading is complete, and when the downloading is complete, clearing AT, TK, and RKS_WCRT_PK.
5. A key management device, characterized by comprising:
an authentication request receiving unit for receiving a device sequence number DSN and a device identity authentication request sent from at least one device terminal;
a second sending unit for sending a working certificate public key RKS_WCRT_PK to the device terminal;
a fourth receiving unit for receiving a divergence factor cipher text sent by the device terminal, wherein the divergence factor cipher text is obtained through encrypting a divergence factor by using RKS_WCRT_PK;
a third decrypting unit for decrypting the divergence factor cipher text by using the working certificate private key RKS_WCRT_SK to obtain the divergence factor clear text;
a device identity authentication unit for taking the DSN as an index to read the corresponding primary device identity authentication key DIK1 from the primary device identity authentication key database;
a secondary device identity authentication key generating unit for calling the secondary device identity authentication key generating function to generate a secondary device identity authentication key DIK2 according to the device sequence number DSN and DIK1;
an authentication token generating unit for generating a 24-byte first random number as the authentication token AT;
a first transmission key generating unit for generating a second random number as a first transmission key component TK1;
a second encrypting unit for encrypting AT and TK1 by using DIK2 to obtain the cipher text AT_TK1;
a third sending unit for sending the cipher text AT_TK1 to the device terminal;
a fourth receiving unit for receiving a cipher text AT_TK2_TK_SHA2 sent from the device terminal, wherein the cipher text AT_TK2_TK_SHA2 is obtained through encrypting AT, the second transmission key component TK2 and TK_SHA2 by the RKS_WCRT_PK, TK_SHA2 is the SHA256 verification value of the transmission key TK, TK is obtained through performing XOR on TK1 and TK2;
a fourth decrypting unit for decrypting the cipher text AT_TK2_TK_SHA2 by using the working certificate private key to obtain clear texts AT, TK2, and TK_SHA2, wherein RKS_WCRT_PK and RKS_WCRT_SK are a non-symmetric key pair;
an authentication token verifying unit for judging if the received AT is equal to the sent AT;
a second transmission key computation unit for performing XOR on TK1 and TK2 to obtain TK when judging that the received AT is equal to the sent AT, and calculating the SHA256 verification value of TK to obtain TK_256;
a transmission key verifying unit for judging if TK_256 generated by the second transmission key computation unit is equal to the received TK_SHA2;
a third encrypting unit for encrypting the key required to be downloaded by using TK to obtain the key cipher text when the transmission key verifying unit judges that the TK_256 generated by the second transmission key computation unit is equal to the received TK_SHA2;
a third sending unit for sending the key cipher text to the device terminal; and
a second clearing unit for clearing AT and TK to complete the key downloading process.
6. A key downloading management system, comprising an RKS server and at least one device terminal in communication connection with the RKS server;
wherein the RKS server comprises a key management device, the key management device comprising:
an authentication request receiving unit for receiving a device sequence number DSN and a device identity authentication request sent from at least one device terminal;
a device identity authentication unit for taking the DSN as an index to read the corresponding device identity authentication public key DIK_PK from the device identity authentication public key database;
an authentication token generating unit for generating a 24-byte first random number as the authentication token AT;
a first transmission key generating unit for generating a second random number as a first transmission key component TK1;
a second encrypting unit for encrypting AT and TK1 by using DIK_PK to obtain a cipher text AT_TK1;
a second sending unit for sending a working certificate public key RKS_WCRT_PK and the cipher text AT_TK1 to the device terminal;
a third receiving unit for receiving a cipher text AT_TK2_TK_SHA2 sent from the device terminal, wherein the cipher text AT_TK2_TK_SHA2 is obtained through encrypting AT, the second transmission key component TK2 and TK_SHA2 by the RKS_WCRT_PK, TK_SHA2 is the SHA256 verification value of the transmission key TK, TK is obtained through performing XOR on TK1 and TK2;
a third decrypting unit for decrypting the cipher text AT_TK2_TK_SHA2 by using the working certificate private key to obtain clear texts AT, TK2 and TK_SHA2, wherein RKS_WCRT_PK and RKS_WCRT_SK form a non-symmetric key pair;
an authentication token verifying unit for judging if the received AT is equal to the sent AT;
a second transmission key computation unit for performing XOR on TK1 and TK2 to obtain TK when judging that the received AT is equal to the sent AT, and calculating the SHA256 verification value of TK to obtain TK_256;
a transmission key verifying unit for judging if TK_256 generated by the second transmission key computation unit is equal to the received TK_SHA2;
a third encrypting unit for encrypting the key required to be downloaded by using TK to obtain the key cipher text when the transmission key verifying unit judges that the TK generated by the second transmission key computation unit is equal to the received TK_SHA2;
a third sending unit for sending the key cipher text to the device terminal; and
a second clearing unit for clearing AT and TK to complete the key downloading process;
and the at least one device terminal comprising a key downloading device, the key downloading device comprising:
an authentication request sending unit for sending a device sequence number DSN and a device identity authentication request to an RKS server;
a first receiving unit for receiving a working certificate public key RKS_WCRT_PK and a cipher text AT_TK1 sent by the RKS server, wherein the cipher text AT_TK1 is obtained by encrypting an authentication token AT and the first transmission key component TK1 by using a device identity authentication public key DIK_PK;
a server identity verifying unit for verifying if the digital signature of RKS_WCRT_PK is valid by using a root public key certificate RKS_RCRT;
a first decrypting unit for decrypting the cipher text AT_TK1 by using a device identity authentication private key DIK_SK to obtain clear texts AT and TK1 when the server identity verifying unit verifies that the digital signature is valid, wherein DIK_PK and DIK_SK form a non-symmetric key pair;
a second transmission key component generating unit for generating a third random number as the second transmission key component TK2;
a first transmission key computation unit for performing XOR on TK1 and TK2 to obtain a transmission key TK and calculating SHA256 verification value of TK to obtain TK_SHA2;
a first encrypting unit for encrypting AT, TK2, and TK_SHA2 by using RKS_WCRT_PK to obtain a cipher text AT_TK2_TK_SHA2;
a first sending unit for sending the cipher text AT_TK2_TK_SHA2 to the RKS server;
a second receiving unit for receiving a key cipher text sent by the RKS server, wherein the key cipher text is obtained through encrypting the key to be downloaded by TK;
a second decrypting unit for decrypting the key cipher text by using TK to obtain a key clear text;
a key downloading unit for storing the key in a security module; and
a first clearing unit for judging if the key downloading is complete, and when the downloading is complete, clearing AT, TK, and RKS_WCRT_PK.
Specification