Search

CN-121547175-B - Method and system for realizing secret key issuing

CN121547175BCN 121547175 BCN121547175 BCN 121547175BCN-121547175-B

Abstract

The invention discloses a method and a system for realizing key issuing, and relates to the field of information security. The background service generates a first ciphertext of the TPK, a second ciphertext of the TPK, a first signature result, a first ciphertext of the DEK, a second ciphertext of the DEK and a second signature result through a cipher machine, stores the first ciphertext of the TPK, the second ciphertext of the DEK and the second signature result in a database corresponding to the usable times and the index value, backs up other data except the usable times in the database to a cache pool, returns part of the second ciphertext of the TPK, the first signature result, the second ciphertext of the DEK, the second signature result and the index value in the cache pool to the SDK, and decrypts the SDK to obtain the TPK, the DEK and the index value corresponding to be stored. The method has the advantages that the data group in the database can be reused according to the usable times, the key ciphertext to be issued can be quickly queried and read in the buffer pool, the method is suitable for a high-concurrency key issuing scene, and a certain number of keys are stored in the SDK and the background service, so that different keys are used for each data transmission, and the data security is improved.

Inventors

  • LU ZHOU

Assignees

  • 飞天诚信科技股份有限公司

Dates

Publication Date
20260512
Application Date
20260114

Claims (12)

  1. 1. The implementation method for key issuing is characterized in that the method is suitable for a system comprising android equipment and background services, an application program is installed in the android equipment, an SDK is built in the application program, the method comprises a workflow of the background services and a workflow of the SDK, and the workflow of the SDK comprises the following steps: Step S1, when a key generation interface of the SDK is called by the application program, a first key pair is generated and stored, and a first public key in the first key pair is uploaded to the background service; Step S2, when the SDK receives a first certificate returned by the background service, the first certificate is stored, a key obtaining request is generated according to a first preset number and is sent to the background service, and if the key is issued for the first time, the number of keys required in the key obtaining request is the first preset number; Step 3, when the SDK receives a terminal PIN key TPK second ciphertext, a first signature result, a data encryption key DEK second ciphertext, a second signature result, an index value and a second certificate, the first signature result and the second signature result are verified by using the TPK second ciphertext and the second certificate, the DEK second ciphertext and the second certificate, if verification is successful, the TPK second ciphertext and the DEK second ciphertext are decrypted by using a first private key in the first key pair respectively to obtain TPK and DEK, and the TPK and the DEK are saved and the corresponding index value are reported if verification is failed; The workflow of the background service comprises: When the background service receives a first public key sent by the SDK, generating a first certificate according to the first public key and returning the first certificate to the SDK, generating and storing a second certificate according to a second public key in a generated second key pair, generating a second preset number of TPK first ciphertext, TPK second ciphertext, a first signature result, DEK first ciphertext, DEK second ciphertext and a second signature result by using a built-in cryptographic machine according to the first public key, the first certificate, a second private key in the second key pair and the second certificate, storing the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result, corresponding index values and usable times in a database, and backing up all the TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result and the corresponding index values in the database into a cache pool; And step T2, when the background service receives the key obtaining request sent by the SDK, obtaining a corresponding number of TPK second ciphertexts, a first signature result, DEK second ciphertexts, a second signature result and a corresponding index value from the cache pool according to the number of keys required in the key obtaining request, and returning the corresponding number of TPK second ciphertexts, the first signature result, the DEK second ciphertexts, the second signature result and the corresponding index value to the SDK together with a second certificate.
  2. 2. The method of claim 1, wherein the workflow of the SDK further comprises generating an acquire key request according to a difference between the first preset number and the number of available TPKs and DEKs and sending the acquire key request to the background service when the SDK detects that the number of stored and available TPKs and DEKs is smaller than a first value at regular time, and executing step S3, if the acquire key request is a non-first time issued key, the number of keys required in the acquire key request is the difference between the first preset number and the number of available TPKs and DEKs stored in the SDK.
  3. 3. The method of claim 1, wherein step T1 further comprises updating the corresponding number of available uses based on the backup data; the workflow of the background service further comprises: step T3, when the background service detects that the number of the available TPK second ciphertext and DEK second ciphertext stored in the cache pool is smaller than a second numerical value at regular time, acquiring all available times in the database, judging whether the acquired number of the available times is smaller than a difference value between the second numerical value and the number of the available index values stored in the cache pool, if yes, executing step T4, otherwise, backing up the corresponding number of available TPK first ciphertext, TPK second ciphertext, a first signature result, DEK first ciphertext, DEK second ciphertext, a second signature result and index values in the database into the cache pool according to the difference value, and updating the corresponding available times according to the backed-up data; and step T4, the background service generates a TPK first ciphertext, a TPK second ciphertext, a first signature result, a DEK first ciphertext, a DEK second ciphertext and a second signature result by using a built-in cipher machine according to the first public key, the first certificate and the second private key in the second key pair, and stores the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result, the corresponding index value and the usable times in the database until the number of the usable times in the database reaches a second preset number, and backs up the corresponding number of the usable TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext, the second signature result and the index value in the database to the cache pool according to the difference value and updates the corresponding usable times according to backup data.
  4. 4. The method of claim 1, wherein said step T1 comprises: Step T11, when the background service receives the first public key sent by the SDK, generating a first certificate according to the first public key and returning the first certificate to the SDK, generating a second key pair, generating a second certificate according to the second public key in the second key pair and storing the second certificate; Step T12, the background service transmits the first public key, the first certificate, the second private key in the second key pair and the second certificate to a built-in cipher machine; Step T13, the crypto-machine uses the first certificate to verify the validity of the first public key, if the verification is successful, a first random number and a second random number are generated, the first random number and the second random number are respectively encrypted by using a built-in local master key LMK to obtain a TPK first ciphertext and a DEK first ciphertext, the first random number and the second random number are respectively encrypted by using the first public key to obtain a TPK second ciphertext and a DEK second ciphertext, trust information in the second certificate is obtained, the second ciphertext and the trust information are signed by using the second private key to obtain a first signature result, the second ciphertext and the trust information are signed by using the second private key to obtain a second signature result, and the TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext and the preset second ciphertext are returned to the service platform to generate the signature result; And step T14, analyzing the data returned by the cipher machine by the background service to obtain the TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result, storing the first ciphertext, the DEK second ciphertext and the second signature result in the database together with the corresponding index value and the usable times, judging whether the number of the index values is equal to a second preset number, if yes, backing up all the TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext, the second signature result and the index value in the database into the cache pool, otherwise, returning to step T12.
  5. 5. The method according to claim 3, wherein the step T4 comprises the step of generating and storing a new second certificate according to a second public key in a newly generated second key pair by the background service, generating a TPK first ciphertext, a TPK second ciphertext, a first signature result, a DEK first ciphertext, a DEK second ciphertext and a second signature result by using a built-in cryptographic machine according to the first public key, the first certificate, a second private key in the second key pair and the newly generated second certificate, storing the TPK first ciphertext, the TPK second ciphertext, the DEK first signature result, the DEK second ciphertext and the second signature result in a database together with a corresponding index value and a usable number in the database until the number of usable numbers in the database reaches a second preset number, and backing up the corresponding usable number in the database according to the difference value.
  6. 6. The method of claim 1, wherein the workflow of the SDK further comprises: S4, when the encryption interface of the SDK is called by the application program, receiving a payment password input by a user and reading card data in a card, encrypting the card data and the payment password by using the stored DEK and TPK to obtain a card data ciphertext and a payment password ciphertext, sending the payment password ciphertext, the card data ciphertext and index values corresponding to the used DEK and TPK to the background service through the application program, and destroying the used DEK, the used TPK and the corresponding index values; the workflow of the background service further comprises: And step T5, when the background service receives the payment cipher ciphertext, the card data ciphertext and the index value which are sent by the SDK, acquiring corresponding TPK first ciphertext and DEK first ciphertext from the cache pool according to the index value, decrypting the payment cipher ciphertext and the card data ciphertext by using the cipher machine according to the TPK first ciphertext and the DEK first ciphertext to obtain payment ciphers and card data, encrypting the card data and the payment ciphers by using a stored acquirer key to obtain a first encryption result, sending the first encryption result to an acquirer for verification, returning transaction results returned by the acquirer to the application program, and destroying all corresponding data in the cache pool according to the index value.
  7. 7. The method of claim 6, wherein the destroying the used DEK, the TPK and the corresponding index value is performed by the SDK, specifically by the SDK clearing or marking the used TPK, DEK and the corresponding index value as used; And destroying all corresponding data in the cache pool according to the index value, specifically, the background service clears or marks the same index value and the corresponding TPK first ciphertext, TPK second ciphertext, a first signature result, DEK first ciphertext, DEK second ciphertext and a second signature result in the cache pool as used according to the received index value.
  8. 8. The method according to claim 6, wherein said decrypting the payment cryptogram and the card data cryptogram using the crypto machine based on the TPK first cryptogram and the DEK first cryptogram in step T5 includes the background service passing the TPK first cryptogram, the DEK first cryptogram, the payment cryptogram, the card data cryptogram into the crypto machine; The cipher machine uses a built-in LMK to decrypt the first ciphertext of the TPK and the first ciphertext of the DEK which are respectively input to obtain the TPK and the DEK, uses the TPK to decrypt the ciphertext of the payment cipher to obtain the payment cipher, uses the DEK to decrypt the ciphertext of the card data to obtain the card data, and returns the payment cipher and the card data to the background service.
  9. 9. The system for realizing key issuing is characterized by comprising an SDK and a background service, wherein the SDK is arranged in an application program of android equipment, a cipher machine is arranged in the background service, and the SDK and the background service are matched to work and are used for realizing the method of any one of claims 1-8.
  10. 10. An electronic device comprising at least one processor, a memory, and instructions stored on the memory and executable by the at least one processor, the at least one processor executing the instructions to implement the method of any one of claims 1 to 8.
  11. 11. A computer readable storage medium, characterized in that the computer readable storage medium comprises a computer program which, when run on an electronic device, causes the electronic device to perform the method of any one of claims 1 to 8.
  12. 12. A chip system comprising a chip coupled to a memory for executing a computer program stored in the memory for performing the method of any of claims 1-8.

Description

Method and system for realizing secret key issuing Technical Field The present invention relates to the field of information security, and in particular, to a method and a system for implementing key issuing. Background With technological advancement and development of computer industry, users pay more and more attention to personal information security, so that the personal information is encrypted by using a key and then transmitted. The key used in the encryption process is generally a fixed key and is relatively single, the security is not enough, the key needs to be updated, the traditional key issuing and updating mechanism often depends on modes such as timing tasks, manual updating or static key files, and the like, and the problems that the device cannot normally communicate due to untimely issuing, the key pool management is lacking, a large number of key requests of the device cannot be met in a high concurrency mode, random or strategic key distribution cannot be realized, predictability risks exist, dynamic updating and notification are not supported, and the device cannot be notified at the first time especially when the key is about to expire or cancel. For this reason, it is highly desirable to provide a flexible and secure key distribution implementation. Disclosure of Invention The invention aims to overcome the defects of the prior art and provides a method and a system for realizing secret key issuing. In a first aspect, an embodiment of the present invention provides a method for implementing key distribution, where the method is applicable to a system including an android device and a background service, where an application program is installed in the android device, and an SDK is built in the application program, and the method includes a workflow of the background service and a workflow of the SDK, where the workflow of the SDK includes: Step S1, when a key generation interface of the SDK is called by the application program, a first key pair is generated and stored, and a first public key in the first key pair is uploaded to the background service; Step S2, when the SDK receives a first certificate returned by the background service, the first certificate is stored, a key obtaining request is generated according to a first preset number, and the key obtaining request is sent to the background service; Step 3, when the SDK receives a TPK second ciphertext, a first signature result, a DEK second ciphertext, a second signature result, an index value and a second certificate, the TPK second ciphertext, the second certificate, the DEK second ciphertext and the second certificate are used for verifying the first signature result and the second signature result, if verification is successful, a first private key in the first key pair is used for decrypting the TPK second ciphertext and the DEK second ciphertext to obtain the TPK and the DEK, and the TPK and the DEK are stored with the corresponding index value, if verification fails, errors are reported; The workflow of the background service comprises: When the background service receives a first public key sent by the SDK, generating a first certificate according to the first public key and returning the first certificate to the SDK, generating and storing a second certificate according to a second public key in a generated second key pair, generating a second preset number of TPK first ciphertext, TPK second ciphertext, a first signature result, DEK first ciphertext, DEK second ciphertext and a second signature result by using a built-in cryptographic machine according to the first public key, the first certificate, a second private key in the second key pair and the second certificate, storing the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result, corresponding index values and usable times in a database, and backing up all the TPK first ciphertext, the TPK second ciphertext, the first signature result, the DEK first ciphertext, the DEK second ciphertext and the second signature result and the corresponding index values in the database into a cache pool; And step T2, when the background service receives the key obtaining request sent by the SDK, obtaining a corresponding number of TPK second ciphertexts, a first signature result, DEK second ciphertexts, a second signature result and a corresponding index value from the cache pool according to the number of keys required in the key obtaining request, and returning the corresponding number of TPK second ciphertexts, the first signature result, the DEK second ciphertexts, the second signature result and the corresponding index value to the SDK together with a second certificate. In a second aspect, an embodiment of the present invention further provides a system for implementing key issuing, where the system includes an SDK and a background service, where the SDK is set in an application program of an android device, and a cryptog