CN-121984713-A - Secure writing method, system, terminal and storage medium for device key and certificate
Abstract
The invention relates to the technical field of information security and discloses a method, a system, a terminal and a storage medium for securely writing a device key and a certificate. In the method, a server generates a device private key, a device certificate and a random number, and encrypts the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet. The server encrypts and encapsulates the random number according to the base key and the device identifier of the target device to obtain a second encrypted data packet, and sends the first encrypted data packet and the second encrypted data packet to the target device. The target device processes the second encrypted data packet based on the locally stored base key and device identifier to obtain the random number, processes the first encrypted data packet according to the base key and the random number to obtain the device private key and the device certificate, and securely writes the device private key and the device certificate. The invention can save decryption computing resources and reduce sensitivity to network stability and to the response time of the back-end service.
Inventors
- PAN LANLAN
Assignees
- 深圳开鸿数字产业发展有限公司
Dates
- Publication Date: 20260505
- Application Date: 20251229
Claims (20)
- 1. A secure writing method for a device key and a certificate, characterized in that the method comprises: a server generates a device private key, a device certificate and a random number, and encrypts the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet; the server encrypts and encapsulates the random number according to the base key and the device identifier of a target device to obtain a second encrypted data packet, and sends the first encrypted data packet and the second encrypted data packet to the target device; the target device processes the second encrypted data packet based on the locally stored base key and its own device identifier and, if this succeeds, obtains the random number; and the target device processes the first encrypted data packet according to the base key and the random number and, if this succeeds, obtains the device private key and the device certificate and securely writes the device private key and the device certificate.
- 2. The method for securely writing a device key and a certificate according to claim 1, wherein the server generating a device private key, a device certificate and a random number, and encrypting the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet, comprises: the server generates a random number as a derivation factor and generates an asymmetric key pair, wherein the asymmetric key pair comprises a device public key and a device private key; the server generates a device certificate based on the device model and the production batch, and embeds the device public key into the device certificate; the server combines the base key with the random number through a key derivation function to derive a session key; and the server encrypts the device private key and the device certificate with the session key through an authenticated encryption algorithm to obtain the first encrypted data packet.
- 3. The method for securely writing a device key and a certificate according to claim 2, wherein the random number is generated by a hardware random number generator.
- 4. The method for securely writing a device key and a certificate according to claim 2, wherein the server encrypting and encapsulating the random number according to the base key and the device identifier of the target device to obtain a second encrypted data packet, and sending the first encrypted data packet and the second encrypted data packet to the target device, comprises: the server combines the base key with the device identifier through a key derivation function to derive a device root key; the server uses the device root key to encrypt and encapsulate the random number to obtain the second encrypted data packet; and the server constructs a layered data packet from the first encrypted data packet and the second encrypted data packet, and sends the layered data packet to the target device.
- 5. The method of claim 4, wherein the device identifier is a chip serial number or a hardware unique identifier.
- 6. The method for securely writing a device key and a certificate according to claim 1, wherein the target device processing the second encrypted data packet based on the locally stored base key and its own device identifier and, if this succeeds, obtaining the random number, comprises: the target device obtains the base key and its own device identifier from local storage, and derives a device root key according to the base key and its own device identifier; the target device decrypts the second encrypted data packet with the device root key; and the target device obtains the random number from the decrypted second encrypted data packet.
- 7. The method for securely writing a device key and a certificate according to claim 1, wherein the target device processing the first encrypted data packet according to the base key and the random number and, if this succeeds, obtaining the device private key and the device certificate and securely writing the device private key and the device certificate, comprises: the target device combines the base key and the random number through a key derivation function to derive a session key; the target device decrypts the first data packet according to the session key to obtain the device private key and the device certificate; and the target device securely writes the device private key and the device certificate.
- 8. The method of claim 7, wherein the key derivation function is the HMAC-SHA256 algorithm.
- 9. The method for securely writing a device key and a certificate according to claim 7, wherein the target device securely writing the device private key and the device certificate comprises: writing the device private key into a secure storage area of a hardware security module or a trusted execution environment of the target device; and writing the device certificate into a common file system or a preset protected storage area of the target device.
- 10. The method for securely writing a device key and a certificate according to claim 1, wherein, before the server generates the device private key, the device certificate and the random number, the method further comprises: presetting the same base key on the target device and the server; and establishing a secure communication channel between the server and the target device.
- 11. A secure writing system for a device key and a certificate, for implementing the method for securely writing a device key and a certificate according to any one of claims 1 to 10, the system comprising: a first encryption module, used for generating a device private key, a device certificate and a random number through a server, and encrypting the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet; a second encryption module, used for generating a second encrypted data packet through the server according to the base key and the device identifier of the target device, and sending the first encrypted data packet and the second encrypted data packet to the target device; a processing module, used for processing the second encrypted data packet through the target device based on the locally stored base key and its own device identifier and, if this succeeds, obtaining the random number; and a writing module, used for processing the first encrypted data packet according to the base key and the random number and, if this succeeds, obtaining the device private key and the device certificate and securely writing the device private key and the device certificate.
- 12. The secure writing system for a device key and a certificate according to claim 11, wherein the first encryption module comprises: a key pair generating unit, configured to generate a random number as a derivation factor through the server, and to generate an asymmetric key pair, where the asymmetric key pair includes a device public key and a device private key; a public key embedding unit, used for generating a device certificate based on the device model and the production batch through the server and embedding the device public key into the device certificate; a first key derivation unit, configured to combine, by the server, the base key and the random number through a key derivation function, and derive a session key; and a first encryption unit, used for encrypting, by the server, the device private key and the device certificate with the session key through an authenticated encryption algorithm to obtain the first encrypted data packet.
- 13. The secure writing system for a device key and a certificate according to claim 12, wherein the second encryption module comprises: a first root key deriving unit, configured to combine, by the server, the base key with the device identifier through a key derivation function, and derive a device root key; a second encryption unit, used for encrypting and encapsulating the random number with the device root key through the server to obtain the second encrypted data packet; and a layered data packet construction unit, used for constructing a layered data packet through the server from the first encrypted data packet and the second encrypted data packet and sending the layered data packet to the target device.
- 14. The secure writing system for a device key and a certificate according to claim 13, wherein the processing module comprises: a second root key deriving unit, used for obtaining, through the target device, the base key and its own device identifier from local storage, and deriving a device root key according to the base key and its own device identifier; a first decryption unit, configured to decrypt the second encrypted data packet by the target device with the device root key; and a random number acquisition unit, used for acquiring the random number from the decrypted second encrypted data packet through the target device.
- 15. The secure writing system for a device key and a certificate according to claim 14, wherein the writing module comprises: a second key derivation unit, configured to combine, by the target device, the base key and the random number through a key derivation function, and derive a session key; a second decryption unit, used for decrypting the first data packet through the target device according to the session key to obtain the device private key and the device certificate; and a secure writing unit, used for securely writing the device private key and the device certificate through the target device.
- 16. The secure writing system for a device key and a certificate according to claim 15, wherein the secure writing unit comprises: a first secure writing subunit, used for writing the device private key into a secure storage area of a hardware security module or a trusted execution environment of the target device; and a second secure writing subunit, used for writing the device certificate into a common file system or a preset protected storage area of the target device.
- 17. The secure writing system for a device key and a certificate according to claim 11, further comprising a configuration module comprising: a base key presetting unit, configured to preset the same base key on the target device and the server; and a communication channel establishing unit, used for establishing a secure communication channel between the server and the target device.
- 18. A terminal comprising a memory, a processor and a device key and certificate security writing program stored on the memory and executable on the processor, the device key and certificate security writing program when executed by the processor implementing the steps of the device key and certificate security writing method according to any of claims 1-10.
- 19. The terminal of claim 18, wherein the preset base key of the terminal is written by secure hardware at the time of shipment, the terminal is an internet of things device, and the internet of things device comprises an intelligent home device, a vehicle-mounted terminal or a sensor.
- 20. A computer readable storage medium, characterized in that the computer readable storage medium stores a secure write program of a device key and a certificate, which when executed by a processor, implements the steps of the secure write method of a device key and a certificate according to any one of claims 1-10.
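The two-packet flow of claims 1 to 8, as an added Go example that is not code from the patent: a device with a different identifier fails on the small second packet, before the first packet is ever decrypted. HMAC-SHA256 is the KDF claim 8 names; AES-256-GCM as the authenticated encryption algorithm, the KDF labels, the `nonce || ciphertext || tag` layout and the device IDs are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrNotForThisDevice = errors.New("second packet rejected (wrong device ID or tampered)")

// aead derives a key with HMAC-SHA256 and wraps it in AES-256-GCM (labels and GCM are assumptions).
func aead(baseKey []byte, label string, ctx []byte) cipher.AEAD {
	m := hmac.New(sha256.New, baseKey)
	m.Write(append([]byte(label), ctx...))
	b, _ := aes.NewCipher(m.Sum(nil)) // 32-byte key, cannot fail
	a, _ := cipher.NewGCM(b)          // AES block, cannot fail
	return a
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ServerWrap seals the payload under the session key and R under the device root key (12-byte nonces).
func ServerWrap(baseKey []byte, deviceID string, payload []byte) (first, second []byte) {
	r, n1, n2 := random(32), random(12), random(12)
	return aead(baseKey, "session", r).Seal(n1, n1, payload, nil),
		aead(baseKey, "device-root", []byte(deviceID)).Seal(n2, n2, r, nil)
}

// DeviceUnwrap opens the small second packet first; a wrong device ID fails here.
func DeviceUnwrap(baseKey []byte, ownID string, first, second []byte) ([]byte, error) {
	if len(first) < 12 || len(second) < 12 {
		return nil, errors.New("short packet")
	}
	r, err := aead(baseKey, "device-root", []byte(ownID)).Open(nil, second[:12], second[12:], nil)
	if err != nil {
		return nil, ErrNotForThisDevice // the large first packet is never decrypted
	}
	return aead(baseKey, "session", r).Open(nil, first[:12], first[12:], nil)
}

func main() {
	first, second := ServerWrap([]byte("constructed base key"), "SN-0001", []byte("constructed key and certificate"))
	_, err := DeviceUnwrap([]byte("constructed base key"), "SN-0002", first, second)
	fmt.Println("device SN-0002:", err)
}
```

The second packet is a fixed 60 bytes (12-byte nonce, 32-byte random number, 16-byte tag), so the mismatch check costs the same regardless of how large the key and certificate payload is.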
Description
Secure writing method, system, terminal and storage medium for device key and certificate
Technical Field
The present invention relates to the field of information security technologies, and in particular to a method, a system, a terminal, and a storage medium for securely writing a device key and a certificate.
Background
With the rapid development of the Internet of Things and distributed device interconnection technology, device identity authentication and secure communication have become vital. For this purpose, it is generally necessary to inject a globally unique device private key and its digital certificate into each terminal device (e.g. smart home device, vehicle terminal, sensor, etc.) at the factory production stage, so that the device can prove its own identity and establish a secure channel in subsequent operation.
There are two main injection schemes currently in use.
In the first scheme, a terminal device generates a key pair on the production line in real time and applies online to a certificate issuing server for a certificate. This scheme depends heavily on network connectivity and on the real-time availability of the issuing service, has long production delays, and carries a single-point-of-failure risk, so overall production efficiency is affected.
In the second scheme, a key pair and a certificate are generated in advance by a factory server, encrypted with a preset shared symmetric key, and then issued to the device. The device must completely decrypt the data packet to verify that the device identifier in the certificate matches itself. This process incurs wasted decryption overhead: if the server issues the wrong data, the device can only find out after the decryption operation has finished, so computing resources are wasted and a potential security risk exists.
Accordingly, the prior art is still in need of improvement and development.
Disclosure of Invention
The main object of the invention is to provide a method, a system, a terminal and a computer readable storage medium for securely writing a device key and a certificate, which aim to solve the problems in the prior art, when a device key and a certificate are written, of low efficiency caused by the delay of online requests and of potential security hazards caused by verification only after decryption.
In order to achieve the above object, the present invention provides a method for securely writing a device key and a certificate, the method comprising the following steps:
a server generates a device private key, a device certificate and a random number, and encrypts the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet;
the server encrypts and encapsulates the random number according to the base key and the device identifier of the target device to obtain a second encrypted data packet, and sends the first encrypted data packet and the second encrypted data packet to the target device;
the target device processes the second encrypted data packet based on the locally stored base key and its own device identifier and, if this succeeds, obtains the random number;
and the target device processes the first encrypted data packet according to the base key and the random number and, if this succeeds, obtains the device private key and the device certificate and securely writes the device private key and the device certificate.
Further, the server generating a device private key, a device certificate and a random number, and encrypting the device private key and the device certificate based on a preset base key and the random number to obtain a first encrypted data packet, includes: the server generates a random number as a derivation factor and generates an asymmetric key pair, wherein the asymmetric key pair comprises a device public key and a device private key; the server generates a device certificate based on the device model and the production batch, and embeds the device public key into the device certificate; the server combines the base key with the random number through a key derivation function to derive a session key; and the server encrypts the device private key and the device certificate with the session key through an authenticated encryption algorithm to obtain the first encrypted data packet.
Further, the random number is generated by a hardware random number generator.
Further, the server encrypting and encapsulating the random number according to the base key and the device identifier of the target device to obtain a second encrypted data packet, and sending the first encrypted data packet and the second encrypted data packet to the target device, includes: the server combines the base key with the device identifier through a key derivation function to derive a device root key; the server uses the equip