Search

CN-122001569-A - Key distribution method and key distribution system based on hierarchical hash chain

CN122001569ACN 122001569 ACN122001569 ACN 122001569ACN-122001569-A

Abstract

The application discloses a key distribution method based on a hierarchical hash chain. The method is used for a password management service platform and comprises the steps of generating a session key and a key identification according to a received session key generation request sent by a first terminal, sending the session key and the key identification to the first terminal, receiving a session key acquisition request sent by a second terminal, checking the validity of the identity of the second terminal according to check information submitted by the second terminal, and sending the session key to the second terminal under the condition that the check is passed. Therefore, the service platform generates the first hash chain segment bound with the terminal authority, so that the password management service platform can not only verify the authenticity of the terminal identity in verification, but also accurately verify whether the terminal has legal key application authority, effectively block the path of an illegal user applying for a session key by stealing the key identification, reduce the risk of illegal stealing of the session key, and further ensure the safety and reliability of encrypted communication between the terminals.

Inventors

  • WANG DAWEI

Assignees

  • 中电信量子信息科技集团有限公司

Dates

Publication Date
20260508
Application Date
20251229

Claims (15)

  1. 1. A key distribution method based on a hierarchical hash chain, wherein the method is used for a password management service platform, and the method comprises: Generating a session key and a key identifier according to a received session key generation request sent by a first terminal, and sending the session key and the key identifier to the first terminal; Receiving a session key acquisition request sent by a second terminal, and checking the validity of the identity of the second terminal according to check information submitted by the second terminal, wherein the check information comprises a key identifier, application purpose information and a first hash chain segment, a service platform receives service information sent by the first terminal, the service information comprises the key identifier and a participation service terminal list, a permission identifier group is generated according to the participation service terminal list, the permission identifier group comprises a plurality of permission identifiers, the first hash chain segment corresponding to the second terminal is generated according to a first permission identifier, the first hash chain segment and the key identifier are sent to the second terminal, and the first permission identifier is one permission identifier in the permission identifier group; and under the condition that the verification is passed, the session key is issued to the second terminal.
  2. 2. The key distribution method according to claim 1, characterized in that the method further comprises: and receiving first identity information sent by the first terminal, wherein the first identity information comprises the first terminal equipment public key and a first equipment identifier.
  3. 3. The key distribution method according to claim 2, wherein the generating a session key and a key identification from the received session key generation request sent by the first terminal, and sending the session key and the key identification to the first terminal, comprises: Encrypting the session key according to the public key of the first terminal equipment to generate a first encrypted session key; And sending the first encrypted session key and the key identification to the first terminal, wherein the first terminal decrypts the first encrypted session key according to a first terminal device private key to obtain the session key.
  4. 4. The key distribution method according to claim 1, wherein the verification information further includes a first identity identifier and a second device identifier of the second terminal, the receiving a session key acquisition request sent by the second terminal, and verifying the validity of the identity of the second terminal according to the verification information submitted by the second terminal, includes: checking the validity of the second device identification based on the first identity identification, and/or The first authority identification in the first hash chain segment is extracted, whether the application information accords with the authority is confirmed according to the first authority identification and a group authority mapping table, wherein the service platform generates an identification group, a participant array, the group authority mapping table and a total root Ha Xihe sub-root hash group according to the service information, and synchronizes the group authority mapping table, the total root hash and the sub-root hash group to the password management service platform, the sub-root hash group comprises a plurality of sub-root hashes, the participant group comprises a plurality of participants, the identification group comprises a plurality of group identifications, the group authority mapping table comprises the mapping relation of the identification group, the authority identification group and the application information, and/or Checking the validity of the first hash chain segment according to a first sub-root hash, the first identity identifier and the first authority identifier, wherein the first sub-root hash is one sub-root hash in the sub-root hash group, and/or And verifying the validity of the first sub-root hash according to a first group identifier, the total root hash and a first participant, wherein the first participant is one participant in the participant array, and the first group identifier is one group identifier in the identifier group.
  5. 5. The key distribution method according to claim 1, wherein the issuing the session key to the second terminal in the case that the verification passes includes: under the condition that the verification is passed, encrypting the session key according to a second terminal equipment public key to generate a second encrypted session key, wherein the second terminal equipment public key is registered in advance to the password management service platform by the second terminal; And the second encrypted session key is issued to the second terminal, wherein the second terminal decrypts the second encrypted session key according to a second equipment private key to obtain the session key.
  6. 6. The key distribution method according to claim 1, characterized in that the method further comprises: transmitting error information to the second terminal under the condition that the verification fails; and under the condition that the number of times of failure of the session key acquisition request of the second terminal is larger than or equal to a preset number threshold, freezing the application of the key identification, and sending an investigation instruction to the service platform.
  7. 7. The key distribution method according to claim 1, characterized in that the method further comprises: According to a second hash chain segment and an identity mark group, verifying the validity of an update proof, wherein the service platform responds to an authority change instruction sent by the first terminal, generates the update proof according to the second hash chain segment and the identity mark group, wherein the authority change instruction comprises information for indicating that the authority mark of a newly added participating service terminal is replaced by a target authority mark, the identity mark group comprises a plurality of identity marks of the newly added participating service terminal, the second hash chain segment is a hash chain segment which is recently generated according to the target authority mark, an increment segment is generated according to the second hash chain segment and the second identity mark, and synchronizes the update proof, the increment segment and the identity mark group to the password management service platform, and the second identity mark is one identity mark in the identity mark group; Checking the validity of the delta segment if the update proves valid; And under the condition that the increment segment is confirmed to be effective, sending verification passing information to the newly added participation service terminal.
  8. 8. A key distribution method based on a hierarchical hash chain, wherein the method is used for a service platform, and the method comprises the following steps: Receiving service information sent by a first terminal, wherein the service information comprises a key identifier and a list of participating service terminals, generating the key identifier and a session key by a password management service platform according to a received session key generation request sent by the first terminal, and sending the session key and the key identifier to the first terminal; Generating a permission identification group according to the participation service terminal list, wherein the permission identification group comprises a plurality of permission identifications; Generating a first hash chain segment corresponding to a second terminal according to a first authority identifier, wherein the first authority identifier is one authority identifier in the authority identifier group; And sending the first hash chain segment and the key identification to the second terminal, wherein the password management service platform receives a session key acquisition request sent by the second terminal, verifies the validity of the second terminal identity according to verification information submitted by the second terminal, and issues the session key to the second terminal under the condition that the verification is passed, wherein the verification information comprises the key identification, application use information and the first hash chain segment.
  9. 9. The key distribution method according to claim 8, wherein the verification information further includes a first identity and a second device identity of the second terminal, the method further comprising: Generating an identification group, a participant array, a group authority mapping table and a total root Ha Xihe sub-root hash group according to the service information, wherein the sub-root hash group comprises a plurality of sub-root hashes, the participant array comprises a plurality of participant numbers, the identification group comprises a plurality of group identifications, and the group authority mapping table comprises mapping relations among the identification group, the authority identification group and the application information; The password management service platform checks the validity of the first sub-root hash according to the first identity identifier, and/or extracts the first authority identifier in the first hash chain segment, confirms whether the application use information accords with the authority according to the first authority identifier and the group authority mapping table, checks the validity of the first hash chain segment according to the first sub-root hash, the first identity identifier and the first authority identifier, and/or checks the validity of the first sub-root hash according to the first group identifier, the total root hash and the first participant number, wherein the first participant number is one of the sub-root hash groups, and the first group identifier is one of the identifier groups.
  10. 10. The key distribution method according to claim 9, wherein the service information further includes a service time, and the generating an identification group, a participant array, a group authority mapping table, a total root Ha Xihe sub-root hash group according to the service information includes: Generating the identification group, the participant array and the group authority mapping table according to the participant service terminal list; encrypting the key identification and the service time according to a private key of a service platform to generate the total root hash; and generating the sub-root hash group according to the total root hash, the identification group and the participant array.
  11. 11. The key distribution method according to claim 9, wherein the generating a first hash chain segment corresponding to the second terminal according to the first authority identifier includes: and generating the first hash chain segment according to the first sub-root hash, the first identity identifier and the first authority identifier.
  12. 12. The key distribution method according to claim 8, wherein the method further comprises: Generating an update proof according to a second hash chain segment and an identity mark group in response to an authority change instruction sent by the first terminal, wherein the authority change instruction comprises information for indicating that an authority mark of a newly added participation service terminal is replaced by a target authority mark, the identity mark group comprises a plurality of identity marks of the newly added participation service terminal, and the second hash chain segment is a hash chain segment generated recently according to the target authority mark; Generating an incremental fragment according to the second hash chain fragment and a second identity, wherein the second identity is one identity in the identity group; Synchronizing the update certificate, the increment segment and the identity mark group to the password management service platform, wherein the password management service platform verifies the validity of the update certificate according to the second hash chain segment and the identity mark group, verifies the validity of the increment segment under the condition that the update certificate is confirmed to be valid, and sends verification passing information to the newly added participation service terminal under the condition that the increment segment is confirmed to be valid.
  13. 13. A key distribution method based on a hierarchical hash chain, the method being for a second terminal, the method comprising: The method comprises the steps that a session key acquisition request is sent to a password management service platform, verification information is submitted, wherein the verification information comprises a key identifier, application purpose information and a first hash chain segment, the password management service platform generates a session key and the key identifier according to a received session key generation request sent by a first terminal, the session key and the key identifier are sent to the first terminal, the service platform receives service information sent by the first terminal, a permission identifier group is generated according to a participation service terminal list, the permission identifier group comprises a plurality of permission identifiers, the first hash chain segment corresponding to a second terminal is generated according to the first permission identifier, the first hash chain segment and the key identifier are sent to the second terminal, the first permission identifier is one permission identifier in the permission identifier group, the service information comprises the key identifier and the participation service terminal list, the password management service platform receives the session key acquisition request sent by the second terminal, the second terminal submits the second terminal identity according to the first permission identifier, and the second terminal passes verification of the second terminal verification information.
  14. 14. The key distribution method according to claim 13, wherein the method further comprises: receiving encrypted service data sent by the service platform, wherein the service data comprises the authority identification; extracting the first authority identification in the first hash chain segment, and comparing the first authority identification with the authority identification; under the condition that the first authority identification is the same as the authority identification, decrypting the encrypted service data according to the session key to obtain target service data; And stopping the decryption operation of the encrypted service data under the condition that the first authority identification and the authority identification are different.
  15. 15. A key distribution system based on a hierarchical hash chain is characterized in that the system comprises a password management service platform, a first terminal, a second terminal and a service platform, wherein, The password management service platform is configured to generate a session key and a key identifier according to a received session key generation request sent by the first terminal, and send the session key and the key identifier to the first terminal; Receiving a session key acquisition request sent by the second terminal, and checking the validity of the identity of the second terminal according to check information submitted by the second terminal, wherein the check information comprises the key identification, application use information and a first hash chain segment; The service platform is configured to receive service information sent by the first terminal, generate a permission identification group according to a participation service terminal list, generate the first hash chain segment corresponding to the second terminal according to a first permission identification, and send the first hash chain segment and the key identification to the second terminal, wherein the service information comprises the key identification and the participation service terminal list, the permission identification group comprises a plurality of permission identifications, and the first permission identification is one permission identification in the permission identification group; The password management service platform is configured to issue the session key to the second terminal if the verification passes.

Description

Key distribution method and key distribution system based on hierarchical hash chain Technical Field The application relates to the technical field of communication, in particular to a key distribution method based on a layered hash chain and a key distribution system based on the layered hash chain. Background In the related art, in the process of encrypted communication between terminals, when the terminals acquire a session key, the verification mode of the password management service platform on the terminal authority is simpler, so that the session key is easy to be stolen by an illegal terminal, and a certain hidden danger exists in the encrypted communication safety between the terminals. Disclosure of Invention The application provides a key distribution method based on a hierarchical hash chain and a key distribution system based on the hierarchical hash chain. The embodiment of the application provides a key distribution method based on a hierarchical hash chain, which is used for a password management service platform and comprises the following steps: Generating a session key and a key identifier according to a received session key generation request sent by a first terminal, and sending the session key and the key identifier to the first terminal; Receiving a session key acquisition request sent by a second terminal, and checking the validity of the identity of the second terminal according to check information submitted by the second terminal, wherein the check information comprises a key identifier, application purpose information and a first hash chain segment, a service platform receives service information sent by the first terminal, the service information comprises the key identifier and a participation service terminal list, a permission identifier group is generated according to the participation service terminal list, the permission identifier group comprises a plurality of permission identifiers, the first hash chain segment corresponding to the second terminal is generated according to a first permission identifier, the first hash chain segment and the key identifier are sent to the second terminal, and the first permission identifier is one permission identifier in the permission identifier group; and under the condition that the verification is passed, the session key is issued to the second terminal. Therefore, the service platform generates the first hash chain segment bound with the terminal authority, so that the password management service platform can not only verify the authenticity of the terminal identity in verification, but also accurately verify whether the terminal has legal key application authority, effectively block the path of an illegal user applying for a session key by stealing the key identification, reduce the risk of illegal stealing of the session key, and guarantee the safety and reliability of encrypted communication between terminals to a certain extent. In certain embodiments, the method further comprises: and receiving first identity information sent by the first terminal, wherein the first identity information comprises the first terminal equipment public key and a first equipment identifier. Therefore, by receiving the first identity information sent by the first terminal, the password management service platform can acquire the identity data of the first terminal in advance, establish an identity information file, provide reliable identity guarantee for the whole encryption communication flow, and improve the safety and the accuracy of key distribution to a certain extent. In some embodiments, the generating a session key and a key identifier according to a received session key generation request sent by a first terminal, and sending the session key and the key identifier to the first terminal includes: Encrypting the session key according to the public key of the first terminal equipment to generate a first encrypted session key; And sending the first encrypted session key and the key identification to the first terminal, wherein the first terminal decrypts the first encrypted session key according to a first terminal device private key to obtain the session key. Therefore, the public key of the first terminal equipment is utilized to encrypt and transmit the session key, so that only the legal first terminal can acquire the original session key through decryption of the private key of the first terminal, the problem that the session key is illegally intercepted, stolen or tampered in the transmission process is effectively avoided, the leakage risk of the session key in the transmission link is reduced to a certain extent, and a safe key foundation is provided for encrypted communication between the terminals. In some embodiments, the verification information further includes a first identity identifier and a second device identifier of the second terminal, the receiving a session key obtaining request sent by the second terminal, and verifying, a