Search

CN-122027127-A - Offline key updating method, system, device and storage medium

CN122027127ACN 122027127 ACN122027127 ACN 122027127ACN-122027127-A

Abstract

The invention relates to the field of key updating and discloses an offline key updating method, system, equipment and storage medium, wherein the method comprises the steps of acquiring a key updating command through a KMC, generating a key updating request file according to the key updating command, and transmitting the key updating request file to a key injector; and transmitting the key updating request file to KMAC equipment through a key injector, wherein the KMAC equipment carries out key updating according to the key updating request file. The key injector device is introduced, management and injection of the key are automatically completed through the combination of a USB Mass Storage transmission protocol and application layer logic, operation efficiency is improved, transmission safety is improved by adopting a bidirectional identity authentication mechanism, a key reissue and resynchronization mechanism is automatically triggered when the key is not synchronized, safety communication is ensured, foreign DES (data encryption standard) systems are replaced by adopting a national secret SM4 algorithm, and autonomous controllability and safety of key management are enhanced.

Inventors

  • LIU YUE
  • ZHENG ZHIXIONG
  • ZHAO YAHENG
  • CHEN ZHIQIANG
  • WANG DONG
  • MENG FANYI
  • Tian hongda
  • SHI HAODONG
  • JING ZEKUN
  • Qiao Youyang
  • YANG XINHAO

Assignees

  • 北京全路通信信号研究设计院集团有限公司

Dates

Publication Date
20260512
Application Date
20260106

Claims (18)

  1. 1. An offline key updating method, comprising: acquiring a key update command through a KMC, generating a key update request file according to the key update command, and transmitting the key update request file to a key injector; transmitting the key update request file to the KMAC device through a key injector; And the KMAC equipment performs key updating according to the key updating request file.
  2. 2. The offline key updating method according to claim 1, wherein acquiring a key update command through a KMC, generating a key update request file according to the key update command, and transmitting the key update request file to a keylocker, comprises: inputting a key updating command to the KMC through the KMC terminal; The key update command includes replacing all authentication keys, deleting all keys, adding authentication keys, deleting authentication keys, replacing KMAC devices, and updating key expiration dates.
  3. 3. The offline key update method according to claim 1, wherein generating a key update request file according to the key update command comprises: The KMC constructs a key update request message according to the key type and the content which need to be updated in the key update command, wherein the key update request message comprises a message header and a message body, and the key update request message is in a binary format and is serialized in a large-end mode in a network; the KMC writes the built key update request message content into a binary file to form a key update request file.
  4. 4. The offline key update method according to claim 1, characterized in that before transmitting the key update request file to a key injector comprises: The key injector verifies the identity of the holder of the key injector through the PIN code; After the authentication is successful, the KMC sends a control command to the key injector through the USB interface, and initiates an authentication request; the KMC verifies the identity authenticity of the key injector through a random number challenge-response mechanism; after the key injector receives the random number challenge, a private key is built in the key injector, and an SM2 public key cryptographic algorithm is used for digitally signing the challenge data, so that a signature data packet is generated; The key injector sends the signature data packet and the digital certificate thereof back to the KMC through a USB Mass Storage protocol; the KMC verifies the signature data in the signature data packet by using the digital certificate and the public key of the key injector to confirm the identity of the key injector; after the authentication is successful, the KMC sends a confirmation message to the key injector, and the authentication phase is ended.
  5. 5. The offline key update method according to claim 1, characterized in that after transmitting the key update request file to a key injector comprises: The key injector deletes the key update request file which has been executed in the last period; the key injector confirms that the key update request file is correctly received by the key injector through a status packet, wherein the status packet comprises ACK, NAK and STALL; after receiving the key update request file, the key injector uses an SM3 hash algorithm to carry out integrity verification on the key update request file; and when the file verification result of the key update request is complete, the key injector sends a file receiving completion message to the KMC, which indicates that the file transmission and the integrity verification are successful, and the key update interaction is finished.
  6. 6. The offline key update method according to claim 1, characterized in that before transmitting the key update request file to the KMAC device by means of a keylocker comprises: The key injector verifies the identity of the holder of the key injector through the PIN code; performing bidirectional identity authentication between the KMAC device and the key injector by using a private key signature public key signature verification mode; After the identity authentication is successful, the key injector determines the position of the key update request file according to the device ID of the KMAC device.
  7. 7. The offline key update method according to claim 1, wherein after transmitting the key update request file to the KMAC device through the key injector, comprising: the KMAC device confirms that the key update request file is received correctly through a status packet, wherein the status packet comprises ACK, NAK and STALL; After receiving the key update request file, the KMAC device uses an SM3 hash algorithm to carry out integrity verification on the key update request file, uses a private key to decrypt the encrypted authentication key, and recovers the original authentication key; The KMAC device generates a key update confirmation message and transmits the key update confirmation message back to the annotator through a USB Mass Storage protocol, wherein the key update confirmation message is used for confirming that command information is received or a result of message processing is included; the key injector receives the key update confirmation message returned by the KMAC device, stores the key update confirmation message and returns the key update confirmation message to the KMC.
  8. 8. The offline key updating method according to claim 1, further comprising: summarizing the execution results of all key using devices through the key centralized management device, and carrying out consistency check on the execution results; When the execution results of the key using equipment are inconsistent, the key content reissue is automatically carried out, and the whole key updating process is completed.
  9. 9. An offline key update system, comprising: the KMC is used for acquiring a key update command, generating a key update request file according to the key update command, and transmitting the key update request file to the key injector; The key injector is used for transmitting the key update request file to the KMAC device; And the KMAC device is used for carrying out key updating according to the key updating request file.
  10. 10. The offline key updating system according to claim 9, characterized by comprising: the KMC terminal is used for inputting the key updating command into the KMC; The key update command includes replacing all authentication keys, deleting all keys, adding authentication keys, deleting authentication keys, replacing KMAC devices, and updating key expiration dates.
  11. 11. The offline key updating system according to claim 9, wherein KMC is specifically configured to: Constructing a key update request message according to the key type and the content which need to be updated in the key update command, wherein the key update request message comprises a message header and a message body, and the key update request message is in a binary format and is serialized in a large-end mode in a network; And writing the content of the constructed key update request message into a binary file to form a key update request file.
  12. 12. The offline key updating system according to claim 9, characterized by comprising: The key injector is used for verifying the identity of the holder of the key injector through the PIN code; The KMC is used for sending a control command to the key injector through the USB interface after the identity authentication is successful, and initiating an identity authentication request; a KMC for verifying the identity authenticity of the key injector through a random number challenge-response mechanism; the key injector is used for carrying out digital signature on challenge data by using an SM2 public key cryptographic algorithm and generating a signature data packet by utilizing a private key built in the key injector after receiving the random number challenge; The key injector is used for sending the signature data packet and the digital certificate thereof back to the KMC through a USB Mass Storage protocol; A KMC for verifying the signature data in the signature data packet using the digital certificate and the public key of the key locker to confirm the identity of the key locker; and the KMC is used for sending a confirmation message to the key injector after the authentication is successful, and ending the authentication stage.
  13. 13. The offline key updating system according to claim 9, wherein the key injector is specifically configured to: deleting the key update request file which has been executed in the previous period; confirming that the key update request file is properly received by the keylocker through a status packet, the status packet including ACK, NAK, and start; After receiving the key update request file, performing integrity verification on the key update request file by using an SM3 hash algorithm; And when the file verification result of the key update request is complete, sending a file receiving completion message to the KMC, wherein the file receiving completion message indicates that both file transmission and integrity verification are successful, and the key update interaction is ended.
  14. 14. The offline key updating system according to claim 9, characterized by comprising: The key injector is used for verifying the identity of the holder of the key injector through the PIN code; The authentication unit is used for performing bidirectional identity authentication between the KMAC device and the key injector in a private key signature public key signature verification mode; and the key injector is used for determining the position of the key update request file according to the device ID of the KMAC device after the identity authentication is successful.
  15. 15. The offline key updating system according to claim 9, characterized by comprising: a KMAC device configured to confirm correct receipt of the key update request file by a status packet, the status packet including ACK, NAK, and start; The KMAC device is used for carrying out integrity verification on the key update request file by using an SM3 hash algorithm after receiving the key update request file, decrypting the encrypted authentication key by using a private key and recovering the original authentication key; The KMAC device is used for generating a key update confirmation message and transmitting the key update confirmation message back to the key injector through a USB Mass Storage protocol, wherein the key update confirmation message is used for confirming that command information is received or a result of message processing is included; And the key injector is used for receiving the key update confirmation message returned by the KMAC device, storing the key update confirmation message and transmitting the key update confirmation message back to the KMC.
  16. 16. The offline key updating system according to claim 9, further comprising: The key centralized management equipment is used for summarizing the execution results of all key using equipment and carrying out consistency check on the execution results; and the key centralized management equipment is used for automatically carrying out the complement of the key content when the execution results of the key using equipment are inconsistent, so as to complete the whole key updating process.
  17. 17. An apparatus, comprising: A processor and a memory; The memory is used for storing a computer program, and the processor calls the computer program stored in the memory to execute the offline key updating method according to any one of claims 1 to 8.
  18. 18. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, enables the processor to perform the offline key updating method of any of claims 1 to 8.

Description

Offline key updating method, system, device and storage medium Technical Field The disclosure relates to the technical field of key updating, and in particular relates to an offline key updating method, system, device and storage medium. Background In the train control system of the grade of China CTCS-3 and the like, the train-ground signal equipment realizes bidirectional information interaction through a GSM-R communication network. In order to ensure the safety of the vehicle-ground interaction key information, when the safety communication is established each time, the two communication parties perform identity authentication through the authentication key and generate a session key to protect the authenticity and the integrity of the interaction information. The CTCS train control system employs a three-level key mechanism as shown in table 1. Table 1 three-level key mechanism table: The key management process includes three parts, key generation, key distribution and key injection. 1. The key generation is that the KMC is responsible for generating a transmission key and an authentication key for the KMAC device, and the two keys are 3DES keys. 2. The key distribution is that the KMC adopts an off-line mobile medium to distribute a plaintext transmission key and an encrypted authentication key to a signal manufacturer, uses a special tool to decrypt the authentication key, converts the authentication key into a key format file special for corresponding signal equipment, and most of the key format file after conversion is distributed in a plaintext or plaintext simple transformation mode, and a small number of the key format file is protected by a 3DES algorithm. 3. Key injection-signal manufacturers use special tools to inject authentication keys into secure signaling devices. In the process, an operator needs to manually intervene in a plurality of steps, and the authentication key has a link appearing in a plaintext, so that potential safety risks and operation difficulty in the key management process are obviously increased. The existing offline key management method in the rail transit field has the defects that 1, the key decryption, conversion, distribution and injection are required to be manually operated, the steps are complex, human errors are easy to introduce, and an automatic mechanism is lacked. 2. The existing key management method lacks identity authentication and integrity check between a mobile medium and equipment, and an attacker can forge the equipment to steal or tamper with the key, so that higher security risk exists. 3. The key updating process lacks a consistency judging mechanism for updating results of two opposite-end devices using keys, so that updating operations are asynchronous, keys among key devices are not matched, and normal communication among the devices is affected. 4. The existing key management method uses a DES key system, depends on foreign technology and cannot be compatible with the national secret key system. Disclosure of Invention The embodiment of the disclosure provides an offline key updating method, an offline key updating system, offline key updating equipment and an offline key updating storage medium, which are used for solving or relieving one or more of the above technical problems in the prior art. According to one aspect of the present disclosure, there is provided an offline key updating method, including: acquiring a key update command through a KMC, generating a key update request file according to the key update command, and transmitting the key update request file to a key injector; transmitting the key update request file to the KMAC device through a key injector; And the KMAC equipment performs key updating according to the key updating request file. In one possible implementation, obtaining, by the KMC, a key update command, generating a key update request file according to the key update command, and transmitting the key update request file to the keylocker includes: inputting a key updating command to the KMC through the KMC terminal; The key update command includes replacing all authentication keys, deleting all keys, adding authentication keys, deleting authentication keys, replacing KMAC devices, and updating key expiration dates. In one possible implementation, generating the key update request file according to the key update command includes: The KMC constructs a key update request message according to the key type and the content which need to be updated in the key update command, wherein the key update request message comprises a message header and a message body, and the key update request message is in a binary format and is serialized in a large-end mode in a network; the KMC writes the built key update request message content into a binary file to form a key update request file. In one possible implementation, before transmitting the key update request file to the key injector, the method includes: The key injector veri