Communication establishment method and apparatus, electronic device, and storage medium
By generating and exchanging key pairs between the server and the terminal device, and using the server's private key to decrypt the encrypted data of the terminal device, the legitimacy of the terminal device is verified. This solves the problem of security in communication between the digital key and the server, and enables secure and reliable data transmission.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents(China)
- Current Assignee / Owner: BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date: 2022-02-07
- Publication Date: 2026-06-19
Figure CN116600285B_ABST
Description
Technical Field
[0001] This disclosure relates to the field of mobile communication technology, in particular to intelligent vehicle connectivity technology, and more particularly to a communication establishment method, apparatus, electronic device and storage medium.
Background Technology
[0002] With the continuous development of mobile communication and internet technologies, digital keys have come into view, allowing people to control their vehicles through digital keys on terminal devices. Digital keys combine the vehicle, terminal device, and cloud service to construct a three-in-one vehicle key protection system: a smart key lock cylinder (vehicle-side), a smart key safe (terminal device), and a smart key factory (cloud service). It also leverages the advantages of key digitization to provide users with personalized vehicle control services.
[0003] In related technologies, digital keys are generally stored as trusted applications (TAs) within the trusted execution environment (TEE) of the terminal device. Ensuring secure communication between the digital key and the server is a crucial issue in digital key technology.
Summary of the Invention
[0004] This disclosure aims to at least partially address one of the technical problems in the related art.
[0005] Therefore, the present disclosure proposes the following technical solution:
[0006] A first aspect of this disclosure provides a communication establishment method, which is executed by a server, and the method includes:
[0007] Send a communication request to the terminal device;
[0008] Receive second encrypted data with a signature sent by the terminal device in response to the communication request;
[0009] The private key in the first key pair stored on the server is used to decrypt the second encrypted data to obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and to obtain the device identifier of the terminal device.
[0010] Find the public key in the second key pair stored in an untrusted environment by the terminal device corresponding to the device identifier;
[0011] The signature of the second encrypted data is verified using the public key in the second key pair. If the verification is successful, secure communication with the digital key is established based on the public key in the third key pair.
[0012] Optionally, sending a communication request to the terminal device includes:
[0013] Send a communication request to the terminal device, wherein the communication request is signed using the private key in the first key pair;
[0014] The signature of the communication request is used by the terminal device to verify the request using the public key in the first key pair.
[0015] Optionally, the method further includes:
[0016] Through a trusted communication channel with the terminal device, read the public key in the second key pair stored by the terminal device in an untrusted environment, and read the device identifier of the terminal device;
[0017] Establish a correspondence between the device identifier and the public key in the second key pair.
[0018] Optionally, the method further includes:
[0019] Generate and store the first key pair;
[0020] The public key in the first key pair is written into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
[0021] A second aspect of this disclosure provides a communication establishment method, which is executed by a terminal device, the method comprising:
[0022] Receive communication requests sent by the server;
[0023] In response to the communication request, the public key in the first key pair stored in the terminal device is used to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data;
[0024] The second encrypted data is signed using the private key from the second key pair stored in the terminal device in an untrusted environment;
[0025] Send the second encrypted data with a signature to the server, so that the server can decrypt and verify the second encrypted data with a signature, and establish secure communication with the digital key based on the public key in the third key pair obtained from the decryption.
[0026] Optionally, receiving the communication request sent by the server includes:
[0027] Receive a communication request sent by the server, the communication request being signed using the private key in the first key pair;
[0028] The signature of the communication request is verified using the public key from the first key pair.
[0029] Optionally, the method further includes:
[0030] Generate and store a second key pair in an untrusted environment;
[0031] The public key of the second key pair and the device identifier of the terminal device are sent to the server through a trusted communication channel.
[0032] Optionally, the method further includes:
[0033] Through a trusted communication channel with the server, the public key in the first key pair stored on the server is read and written into the trusted execution environment of the terminal.
[0034] A third aspect of this disclosure provides a communication establishment apparatus applied to a server, the apparatus comprising:
[0035] The sending module is used to send communication requests to the terminal device;
[0036] The receiving module is configured to receive second encrypted data with a signature sent by the terminal device in response to the communication request;
[0037] The decryption module is used to decrypt the second encrypted data using the private key in the first key pair stored on the server, to obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and to obtain the device identifier of the terminal device.
[0038] The lookup module is used to find the public key in the second key pair stored in an untrusted environment by the terminal device corresponding to the device identifier;
[0039] The verification module is used to verify the signature of the second encrypted data using the public key in the second key pair. If the verification is successful, it establishes secure communication with the digital key based on the public key in the third key pair.
[0040] Optionally, the sending module is specifically used for:
[0041] Send a communication request to the terminal device, wherein the communication request is signed using the private key in the first key pair;
[0042] The signature of the communication request is used by the terminal device to verify the request using the public key in the first key pair.
[0043] Optionally, the device further includes:
[0044] The reading module is used to read the public key in the second key pair stored by the terminal device in an untrusted environment, and to read the device identifier of the terminal device, through a trusted communication channel with the terminal device.
[0045] The association module is used to establish a correspondence between the device identifier and the public key in the second key pair.
[0046] Optionally, the device further includes:
[0047] A key generation module is used to generate and store the first key pair;
[0048] A pre-configured module is used to write the public key in the first key pair into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
[0049] A fourth aspect of this disclosure provides a communication establishment apparatus, which is applied to a terminal device, and the apparatus includes:
[0050] The receiving module is used to receive communication requests sent by the server.
[0051] An encryption module is used to respond to the communication request by using the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and the device identifier of the terminal device, to obtain second encrypted data.
[0052] The signature module is used to sign the second encrypted data using the private key in the second key pair stored by the terminal device in an untrusted environment;
[0053] The sending module is used to send a second encrypted data with a signature to the server, so that the server can decrypt and verify the second encrypted data with a signature, and establish secure communication with the digital key based on the public key in the third key pair obtained by decryption.
[0054] Optionally, the receiving module is specifically used for:
[0055] Receive a communication request sent by the server, the communication request being signed using the private key in the first key pair;
[0056] The signature of the communication request is verified using the public key from the first key pair.
[0057] Optionally, the device further includes:
[0058] A key generation module is used to generate and store a second key pair in an untrusted environment;
[0059] The writing module is used to send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel with the server.
[0060] Optionally, the device further includes:
[0061] The reading module is used to read the public key in the first key pair stored by the server through a trusted communication channel with the server and write the public key in the first key pair into the trusted execution environment of the terminal.
[0062] A fifth aspect of this disclosure provides an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the communication establishment method as proposed in the first aspect of this disclosure.
[0063] A sixth aspect of this disclosure provides an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the communication establishment method as proposed in the second aspect of this disclosure.
[0064] A seventh aspect of this disclosure provides a non-transitory computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the communication establishment method as described in the first aspect of this disclosure.
[0065] An eighth aspect of this disclosure provides a non-transitory computer-readable storage medium having a computer program stored thereon that, when executed by a processor, implements the communication establishment method as described in the second aspect of this disclosure.
[0066] A ninth aspect of this disclosure provides a computer program product in which, when instructions in the computer program product are executed by a processor, the communication establishment method as described in the first aspect of this disclosure is performed.
[0067] A tenth aspect of this disclosure provides a computer program product in which, when instructions in the computer program product are executed by a processor, the communication establishment method as described in the second aspect of this disclosure is performed.
[0068] The technical solution disclosed herein involves sending a communication request to a terminal device, receiving second encrypted data with a signature sent by the terminal device in response to the communication request, decrypting the second encrypted data using the private key in the first key pair stored on the server, obtaining the public key in the third key pair stored in the trusted environment of the digital key in the terminal device, and obtaining the device identifier of the terminal device. The solution then searches for the public key in the second key pair stored in the untrusted environment of the terminal device corresponding to the device identifier, verifies the signature of the second encrypted data using the public key in the second key pair, and if the verification is successful, establishes secure communication with the digital key based on the public key in the third key pair. This allows the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public keys before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in a trusted environment.
[0069] Additional aspects and advantages of this disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of this disclosure.
Attached Figure Description
[0070] The above and / or additional aspects and advantages of this disclosure will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
[0071] Figure 1 is a flowchart illustrating a communication establishment method provided in an embodiment of the present disclosure;
[0072] Figure 2 is a flowchart illustrating a communication establishment method provided in another embodiment of this disclosure;
[0073] Figure 3 is a flowchart illustrating a communication establishment method provided in an embodiment of the present disclosure;
[0074] Figure 4 is a flowchart illustrating a communication establishment method provided in another embodiment of this disclosure;
[0075] Figure 5 is a schematic diagram of the structure of a communication establishment apparatus provided in an embodiment of the present disclosure;
[0076] Figure 6 is a schematic diagram of the structure of a communication establishment apparatus provided in another embodiment of the present disclosure;
[0077] Figure 7 is a schematic diagram of the structure of a communication establishment apparatus provided in an embodiment of the present disclosure;
[0078] Figure 8 is a schematic diagram of the structure of a communication establishment apparatus provided in another embodiment of the present disclosure;
[0079] Figure 9 is a block diagram of an exemplary electronic device suitable for implementing embodiments of the present disclosure.
Detailed Implementation
[0080] Embodiments of this disclosure are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and intended to explain this disclosure, and should not be construed as limiting this disclosure.
[0081] The following description, with reference to the accompanying drawings, outlines a communication establishment method, apparatus, audio device, electronic device, and storage medium according to embodiments of the present disclosure.
[0082] Figure 1 is a schematic flowchart illustrating a communication establishment method provided in an embodiment of this disclosure. It should be noted that the communication establishment method in this embodiment is executed by a server. As shown in Figure 1, the communication establishment method may include the following steps:
[0083] Step 101: Send a communication request to the terminal device.
[0084] In order to establish trusted communication with the digital key in the terminal device, the server can send a communication request to the terminal device.
[0085] In some implementations, the communication request is signed with the private key from the first key pair.
[0086] It should be noted that if the private key in the first key pair is used for signing, the corresponding public key in the first key pair must be used for verification.
[0087] The first key pair, consisting of a private key and a public key, is generated and stored by the server and represents the server. This first key pair can be used to verify the server's legitimacy; the private key is unique to the server. The server's identity can be verified by using the private key for signing and the public key for verification.
[0088] In some implementations, the server can write the public key of the first key pair to the terminal device through a trusted communication channel. That is, the terminal device can obtain the public key of the first key pair representing the server through the trusted communication channel. Optionally, the public key of the first key pair can be written to the trusted execution environment (TEE) of the terminal device, allowing a trusted application within the TEE to obtain the public key of the first key pair.
[0089] Step 102: Receive second encrypted data with a signature sent by the terminal device in response to the communication request.
[0090] After receiving a communication request from the server, the terminal device can respond by sending second encrypted data with a signature to the server. The server can receive this second encrypted data.
[0091] Specifically, the second encrypted data is obtained by encrypting the public key of the third key pair stored in the trusted environment where the digital key in the terminal device resides, along with the device identifier of the terminal device, using the public key from the first key pair. The signature of the second encrypted data is performed by the terminal device using the private key from the second key pair.
[0092] The third key pair includes a private key and a public key, which are generated and stored in a trusted environment by the digital key in the terminal device, and represent the digital key. The private key in the third key pair is unique to that digital key.
[0093] Alternatively, the digital key can be stored as a trusted application (TA) in a trusted execution environment (TEE).
[0094] Similarly, the second key pair also includes a public key and a private key, which are generated and stored by the terminal device in an untrusted environment. This second key pair can represent the terminal device. It can be used to verify the legitimacy of the terminal device, and each terminal device can have its own corresponding second key pair.
[0095] Step 103: Use the private key in the first key pair stored on the server to decrypt the second encrypted data to obtain the public key in the third key pair stored in the trusted environment where the digital key is located in the terminal device, and obtain the device identifier of the terminal device.
[0096] The second encrypted data was encrypted using the public key in the first key pair, so the server can use the stored private key in the first key pair to decrypt it and obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device.
[0097] Step 104: Locate the public key in the second key pair stored in an untrusted environment by the terminal device corresponding to the device identifier.
[0098] The server can find the public key in the second key pair corresponding to the device identifier based on the device identifier.
[0099] In some implementations, the server can read the public key in the second key pair and the device identifier of the terminal device through a trusted communication channel with the terminal device, and can establish a correspondence between the device identifier and the public key in the second key pair.
[0100] In other words, the server can obtain the device identifier of the terminal device and the public key in the second key pair through a trusted communication channel, and can establish a correspondence between the two.
[0101] Step 105: Verify the signature of the second encrypted data using the public key in the second key pair. If the verification is successful, establish secure communication with the digital key based on the public key in the third key pair.
[0102] The second encrypted data is signed by the terminal device using the private key from the second key pair. Therefore, the server can verify the signature of the second encrypted data using the obtained public key from the second key pair. The server can then verify the legitimacy of the terminal device based on the verification of the signature of the second encrypted data.
[0103] If the verification is successful, it means that the terminal device has been confirmed as legitimate, and the server can establish secure communication with the digital key based on the public key in the third key pair.
[0104] The server obtains the public key from the third key pair stored in a trusted environment by the digital key in the terminal device. The server's public key is written into the trusted execution environment of the terminal device through a trusted communication channel. Both the server and the digital key can obtain each other's public key and verify each other's legitimacy. Both parties can establish trusted and secure communication based on each other's public key.
[0105] In this embodiment of the application, the server can use any encryption algorithm based on the public key in the third key pair to communicate securely with the digital key.
[0106] In some implementations, the server can encrypt communication data using any encryption algorithm based on the public key in the third key pair. Upon receiving data encrypted with the public key in the third key pair, the digital key can decrypt the encrypted data using the private key in the third key pair, thus achieving secure communication between the server and the digital key. It is understood that the digital key can also encrypt communication data using any encryption algorithm based on the public key in the first key pair, and the server can decrypt the encrypted data using the private key in the first key pair after receiving it.
[0107] In some implementations, the server can generate a symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the public key in the third key pair and the private key in the first key pair. This symmetric key is then used for secure communication with the digital key. It should be noted that the digital key can generate the same symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the private key in the third key pair and the public key in the first key pair. Furthermore, it should be noted that using the Diffie-Hellman key exchange / negotiation algorithm to generate the symmetric key for secure communication is computationally fast and can effectively reduce communication latency.
[0108] In the embodiments of this application, the secure communication can also be based on any security standard, such as the SCP03 (Secure Channel Protocol) standard. This application does not limit the key encryption algorithm or secure channel standard used to establish secure communication.
[0109] The communication establishment method of this disclosure embodiment involves sending a communication request to a terminal device, receiving second encrypted data with a signature sent by the terminal device in response to the communication request, decrypting the second encrypted data using the private key in the first key pair stored on the server, obtaining the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and obtaining the device identifier of the terminal device. The method then searches for the public key in the second key pair stored in the untrusted environment corresponding to the device identifier, verifies the signature of the second encrypted data using the public key in the second key pair, and if the verification is successful, establishes secure communication with the digital key based on the public key in the third key pair. This allows the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public key before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in a trusted environment.
[0110] It should be noted that, in the embodiments of this application, any encryption and decryption algorithm can be used to encrypt and decrypt the data, and any signature and verification algorithm can be used to sign and verify the data. The embodiments of this application do not limit the specific methods used.
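The Diffie-Hellman option in [0107], as an added example in Go that is not part of the patent text: the server combines the first private key with the third public key, the digital key combines the third private key with the first public key, and both reach the same AES-256-GCM key. It assumes both key pairs are X25519 keys; the function names, the per-session salt and the sample message are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeyPair generates an X25519 key pair (stand-in for the first or third key pair).
func NewKeyPair() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SessionKey combines one side's private key with the peer's public key.
// The salt is an assumption of this example: two long-lived key pairs always
// produce the same DH secret, so a fresh per-session value (sent in the clear)
// is mixed in with HMAC-SHA256 to give each session its own key.
func SessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey, salt []byte) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, salt)
	mac.Write(shared)
	return mac.Sum(nil), nil // 32 bytes, used as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts msg with AES-256-GCM and prepends the random nonce.
func Seal(key, msg []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, nil), nil
}

// Open reverses Seal; it fails if the key differs or the data was modified.
func Open(key, box []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

func main() {
	first, third := NewKeyPair(), NewKeyPair() // constructed first and third key pairs
	salt := []byte("session-0001")             // constructed per-session value
	// Server side: first private key + third public key.
	kServer, err := SessionKey(first, third.PublicKey(), salt)
	if err != nil {
		panic(err)
	}
	// Digital key side: third private key + first public key.
	kDigital, err := SessionKey(third, first.PublicKey(), salt)
	if err != nil {
		panic(err)
	}
	box, err := Seal(kServer, []byte("hello digital key")) // constructed message
	if err != nil {
		panic(err)
	}
	msg, err := Open(kDigital, box)
	fmt.Println(string(msg), err)
}
```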
[0111] Figure 2 is a flowchart illustrating a communication establishment method provided in another embodiment of this disclosure. It should be noted that the communication establishment method in this embodiment is executed by a server. As shown in Figure 2, the communication establishment method may include the following steps:
[0112] Step 201: Generate and store the first key pair.
[0113] The server can generate and store a first key pair, which includes a private key and a public key, and is a key pair that can represent the server. For example, the first key pair includes a public key Server pk and a private key Server sk. This first key pair can be used to verify the legitimacy of the server, where the private key in the first key pair is unique to that server.
[0114] The server's identity can be verified by using the private key from the first key pair for signing and the public key from the first key pair for verification.
[0115] Step 202: Write the public key of the first key pair into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
[0116] The server can write the public key of the first key pair to the terminal device through a trusted communication channel with the terminal device.
[0117] Optionally, the public key of the first key pair can be written into the Trusted Execution Environment (TEE) of the terminal device. For example, the server can pre-install the Server pk in the TEE of the terminal device through a trusted communication channel with the terminal device.
[0118] It is understood that, in the embodiments of this application, the trusted communication channel between the server and the terminal device indicates that the data transmitted through this communication channel is legitimate and trustworthy, and the server and the terminal device can communicate and exchange their public keys through this trusted communication channel. Typically, this trusted communication channel is established within the official factory of the terminal device; that is, the writing process is usually completed within the official factory of the terminal device.
[0119] Step 203: Read the public key in the second key pair stored in the terminal device in an untrusted environment through a trusted communication channel with the terminal device, and read the device identifier of the terminal device.
[0120] The second key pair includes a public key and a private key, which are generated and stored by the terminal device in an untrusted environment. This second key pair represents the terminal device. For example, the second key pair might include the public key "Device root pk" and the private key "Device root sk". This second key pair can be used to verify the legitimacy of the terminal device, and each terminal device can have its own corresponding second key pair.
[0121] In this embodiment of the application, each terminal device also has a corresponding device identifier.
[0122] In this embodiment, the server can read the device identifier of the terminal device and the public key in the second key pair through a trusted communication channel with the terminal device. For example, the server can read the Device root pk and the device identifier of the terminal device through a trusted communication channel with the terminal device.
[0123] Understandably, the server can communicate with at least one terminal device, and the server can read the device identifier of each terminal device and the public key in the second key pair corresponding to each terminal device.
[0124] Step 204: Establish the correspondence between the device identifier and the public key in the second key pair.
[0125] After reading the device identifier of the terminal device and the public key in the second key pair, the server can establish the correspondence between the two.
[0126] Understandably, the server can communicate with at least one terminal device. The server can read the device identifier of each terminal device and the public key in the corresponding second key pair of each terminal device, and establish the correspondence between the device identifier of each terminal device and the public key in the corresponding second key pair of each terminal device.
[0127] Step 205: Send a communication request to the terminal device, which is signed using the private key in the first key pair.
[0128] In order to establish trusted communication with the digital key in the terminal device, the server can send a communication request to the terminal device, which is signed with the private key in the first key pair.
[0129] It should be noted that while signing is performed using the private key from the first key pair, verification requires the corresponding public key from the same key pair. In this embodiment, the terminal device can verify the signature using the pre-set public key from the first key pair to validate the server's legitimacy.
[0130] Step 206: Receive second encrypted data with a signature sent by the terminal device in response to the communication request.
[0131] After receiving a communication request from the server, the terminal device can respond by sending second encrypted data with a signature to the server. The server can receive this second encrypted data.
[0132] Specifically, the second encrypted data is obtained by encrypting the public key of the third key pair stored in the trusted environment where the digital key in the terminal device resides, along with the device identifier of the terminal device, using the public key from the first key pair. The signature of the second encrypted data is performed by the terminal device using the private key from the second key pair.
[0133] The third key pair includes a public key and a private key, which are generated and stored in a trusted environment by the digital key in the terminal device. This key pair represents the digital key. For example, the third key pair includes the public key "Device digitalkey pk" and the private key "Device digitalkey sk". The private key in the third key pair is unique to the digital key.
[0134] Alternatively, the digital key can be stored as a trusted application (TA) in a trusted execution environment (TEE).
[0135] Step 207: Use the private key in the first key pair stored on the server to decrypt the second encrypted data to obtain the public key in the third key pair stored in the trusted environment where the digital key is located in the terminal device, and obtain the device identifier of the terminal device.
[0136] The second encrypted data was encrypted with the public key in the first key pair, so the server can decrypt it using the private key in the first key pair that it stores. Decryption yields the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device.
[0137] Step 208: Locate the public key in the second key pair stored in an untrusted environment by the terminal device corresponding to the device identifier.
[0138] Because the server has established a mapping between the device identifier and the public key in the second key pair, it can use the device identifier to find the corresponding public key in the second key pair.
[0139] Step 209: Verify the signature of the second encrypted data using the public key in the second key pair. If the verification is successful, establish secure communication with the digital key based on the public key in the third key pair.
[0140] The second encrypted data is signed by the terminal device using the private key from the second key pair. Therefore, the server can verify the signature of the second encrypted data using the obtained public key from the second key pair. The server can then verify the legitimacy of the terminal device based on the verification of the signature of the second encrypted data.
[0141] If the verification is successful, it means that the terminal device has been confirmed as legitimate, and the server can establish secure communication with the digital key based on the public key in the third key pair.
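The exchange in steps 205 to 209, with the terminal side (steps 301 to 303 of the terminal-side embodiment) simulated in the same process, as an added Go example that is not code from the patent. The algorithms are assumptions, since the description leaves them open: RSA-2048 with PSS and OAEP for the first key pair, Ed25519 for the second and third key pairs, and a plaintext layout of Device digitalkey pk followed by the device identifier; all type and function names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server: first key pair plus the registry device identifier -> Device root pk.
type Server struct {
	first    *rsa.PrivateKey
	registry map[string]ed25519.PublicKey
}

// Terminal: Server pk (preset in the TEE), Device root sk, Device digitalkey pk.
type Terminal struct {
	deviceID     string
	serverPK     *rsa.PublicKey
	rootSK       ed25519.PrivateKey
	digitalKeyPK ed25519.PublicKey
}

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{first: k, registry: map[string]ed25519.PublicKey{}}, err
}

// Provision stands in for the trusted channel: registers Device root pk, presets Server pk.
func (s *Server) Provision(deviceID string) (*Terminal, error) {
	rootPK, rootSK, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	dkPK, _, err := ed25519.GenerateKey(rand.Reader) // private half would stay in the TEE
	if err != nil {
		return nil, err
	}
	s.registry[deviceID] = rootPK
	return &Terminal{deviceID, &s.first.PublicKey, rootSK, dkPK}, nil
}

// SignRequest is step 205: the communication request is signed with Server sk.
func (s *Server) SignRequest(req []byte) ([]byte, error) {
	d := sha256.Sum256(req)
	return rsa.SignPSS(rand.Reader, s.first, crypto.SHA256, d[:], nil)
}

// Respond is steps 301-303: verify the request under Server pk, encrypt
// Device digitalkey pk || device identifier to Server pk, sign the ciphertext.
func (t *Terminal) Respond(req, reqSig []byte) (ct, sig []byte, err error) {
	d := sha256.Sum256(req)
	if rsa.VerifyPSS(t.serverPK, crypto.SHA256, d[:], reqSig, nil) != nil {
		return nil, nil, errors.New("request is not signed by Server sk")
	}
	msg := append(append([]byte{}, t.digitalKeyPK...), t.deviceID...)
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, t.serverPK, msg, nil)
	if err != nil {
		return nil, nil, err
	}
	return ct, ed25519.Sign(t.rootSK, ct), nil
}

// Accept is steps 207-209: decrypt, look up Device root pk by the decrypted
// identifier, and release Device digitalkey pk only if the signature verifies.
func (s *Server) Accept(ct, sig []byte) (string, ed25519.PublicKey, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.first, ct, nil)
	if err != nil {
		return "", nil, fmt.Errorf("second encrypted data does not decrypt: %w", err)
	}
	if len(msg) <= ed25519.PublicKeySize {
		return "", nil, errors.New("malformed plaintext")
	}
	dkPK, id := msg[:ed25519.PublicKeySize], string(msg[ed25519.PublicKeySize:])
	rootPK, ok := s.registry[id]
	if !ok || !ed25519.Verify(rootPK, ct, sig) {
		return "", nil, errors.New("no registered Device root pk verifies this signature")
	}
	return id, ed25519.PublicKey(dkPK), nil
}

func main() { // constructed identifiers and request; errors ignored for brevity
	srv, _ := NewServer()
	a, _ := srv.Provision("device-A")
	b, _ := srv.Provision("device-B")
	req := []byte("communication request")
	reqSig, _ := srv.SignRequest(req)
	ct, sig, _ := a.Respond(req, reqSig)
	id, _, err := srv.Accept(ct, sig)
	fmt.Println("honest exchange:", id, err)
	// A response naming device-A but signed with device-B's root key is rejected.
	ct, sig, _ = (&Terminal{"device-A", a.serverPK, b.rootSK, b.digitalKeyPK}).Respond(req, reqSig)
	_, _, err = srv.Accept(ct, sig)
	fmt.Println("wrong root key:", err)
}
```

The server returns the same error for an unknown device identifier and for a failed signature check, so a caller cannot use the response to learn which identifiers are registered.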
[0142] The server obtains the public key from the third key pair stored in a trusted environment by the digital key in the terminal device. The server's public key is written into the trusted execution environment of the terminal device through a trusted communication channel. Both the server and the digital key can obtain each other's public key and verify each other's legitimacy. Both parties can establish trusted and secure communication based on each other's public key.
[0143] In this embodiment of the application, the server can use any encryption algorithm based on the public key in the third key pair to communicate securely with the digital key.
[0144] In some implementations, the server can encrypt communication data using any encryption algorithm based on the public key in the third key pair. Upon receiving data encrypted with the public key in the third key pair, the digital key can decrypt the encrypted data using the private key in the third key pair, thus achieving secure communication between the server and the digital key. It is understood that the digital key can also encrypt communication data using any encryption algorithm based on the public key in the first key pair, and the server can decrypt the encrypted data using the private key in the first key pair after receiving it.
[0145] In some implementations, the server can generate a symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the public key in the third key pair and the private key in the first key pair. This symmetric key is then used for secure communication with the digital key. It should be noted that the digital key can generate the same symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the private key in the third key pair and the public key in the first key pair. Furthermore, it should be noted that using the Diffie-Hellman key exchange / negotiation algorithm to generate the symmetric key for secure communication is computationally fast and can effectively reduce communication latency.
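The Diffie-Hellman variant of [0145], as an added Go example that is not code from the patent: each side combines its own private key with the peer's public key and arrives at the same symmetric key. It assumes both the first and the third key pair are X25519 key pairs and that the result feeds HKDF-SHA256 and AES-256-GCM. Because both key pairs are long-term, the raw Diffie-Hellman output is identical in every session, so the derivation mixes in a per-session value (`sessionID`, hypothetical, as are all function names).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair creates an X25519 key pair (the curve choice is an assumption).
func NewKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// SessionKey runs Diffie-Hellman with one side's private key and the peer's
// public key, then HKDF-SHA256 (RFC 5869, one output block) over the result.
// sessionID is a per-session value both sides already share (assumed here).
func SessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey, sessionID []byte) ([]byte, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, sessionID) // HKDF-Extract, salt = sessionID
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("digital-key channel\x01")) // HKDF-Expand: info || 0x01
	return expand.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and prepends the random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails if the key or the ciphertext is wrong.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed message too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	server, _ := NewKeyPair()     // stands in for the first key pair
	dk, _ := NewKeyPair()         // stands in for the third key pair
	sid := []byte("session-0001") // constructed session value
	kServer, _ := SessionKey(server, dk.PublicKey(), sid)
	kDigitalKey, _ := SessionKey(dk, server.PublicKey(), sid)
	sealed, _ := Seal(kServer, []byte("constructed message"))
	plain, err := Open(kDigitalKey, sealed)
	fmt.Printf("%q %v\n", plain, err)
}
```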
[0146] In the embodiments of this application, the secure communication can also be based on any security standard, such as the SCP03 (Secure Channel Protocol) standard. This application does not limit the key encryption algorithm or secure channel standard used to establish secure communication.
[0147] The communication establishment method of this disclosure includes generating and storing a first key pair, writing the public key of the first key pair to the trusted execution environment of the terminal device through a trusted communication channel, reading the public key of a second key pair stored by the terminal device in an untrusted environment through the trusted communication channel, reading the device identifier of the terminal device, establishing a correspondence between the device identifier and the public key in the second key pair, sending a communication request to the terminal device, the communication request being signed with the private key of the first key pair, receiving the signed second encrypted data sent by the terminal device in response to the communication request, and decrypting the second encrypted data with the private key of the first key pair stored on the server to obtain the public key of the third key pair stored in the trusted environment where the digital key is located in the terminal device, as well as the device identifier of the terminal device. The public key of the second key pair, stored by the terminal device in the untrusted environment and corresponding to the device identifier, is then looked up and used to verify the signature of the second encrypted data. If the verification is successful, secure communication is established with the digital key based on the public key in the third key pair. This allows the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public key before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in the trusted environment.
[0148] Figure 3 is a schematic flowchart illustrating a communication establishment method provided in an embodiment of this disclosure. It should be noted that the communication establishment method in this embodiment is executed by a terminal device. As shown in Figure 3, the communication establishment method may include the following steps:
[0149] Step 301: Receive the communication request sent by the server.
[0150] In order to establish trusted communication with the digital key in the terminal device, the server can send a communication request to the terminal device.
[0151] In some implementations, the communication request is signed using the private key from the first key pair. The terminal device can then verify the signature of the communication request using the public key from the first key pair.
[0152] The first key pair includes a private key and a public key, which are generated and stored by the server and represent the server. The private key in the first key pair is unique to that server. The server's identity can be verified by using the private key for signing and the public key for verification.
[0153] In some implementations, the terminal device can read the public key from the first key pair through a trusted communication channel with the server. That is, the terminal device can obtain the public key representing the server from the first key pair through the trusted communication channel. The server can write the public key from the first key pair to the terminal device's Trusted Execution Environment (TEE) through the trusted communication channel with the terminal device. The terminal device reads the public key from the first key pair and writes it into its TEE.
[0154] Step 302: In response to the communication request, the public key in the first key pair stored in the terminal device is used to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data.
[0155] After receiving a communication request from the server, the terminal device can respond to the communication request by using the public key in the first key pair to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data.
[0156] The third key pair includes a private key and a public key, which are generated and stored in a trusted environment by the digital key in the terminal device, and represent the digital key. The private key in the third key pair is unique to that digital key.
[0157] Optionally, the digital key can be stored as a trusted application (TA) in a trusted execution environment (TEE).
[0158] Similarly, the second key pair also includes a public key and a private key, which are generated and stored by the terminal device in an untrusted environment. This second key pair can represent the terminal device. It can be used to verify the legitimacy of the terminal device, and each terminal device can have its own corresponding second key pair.
[0159] Step 303: Use the private key from the second key pair stored in the terminal device in an untrusted environment to sign the second encrypted data.
[0160] The terminal device can sign the second encrypted data using the private key from the second key pair. After receiving the signed second encrypted data, the server can verify it using the public key from the second key pair to verify the legitimacy of the terminal device.
[0161] Step 304: Send signed second encrypted data to the server so that the server can decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key in the decrypted third key pair.
[0162] The terminal device sends the signed second encrypted data to the server.
[0163] The server can decrypt the second encrypted data using the private key from the first key pair to obtain the public key from the third key pair. The server can then verify the signature of the second encrypted data using the obtained public key from the second key pair to confirm the legitimacy of the terminal device.
[0164] If the verification is successful, it means that the terminal device has been confirmed as legitimate, and the server can establish secure communication with the digital key based on the public key in the third key pair.
[0165] In some implementations, the terminal device can send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel. The server can then establish a correspondence between the device identifier and the public key in the second key pair. In other words, the server can obtain the device identifier of the terminal device and the public key of the second key pair through the trusted communication channel and establish a correspondence between them.
[0166] The terminal device can obtain the server's public key through a trusted communication channel, and the server obtains the public key of the third key pair stored in the trusted environment by the digital key in the terminal device. Both the server and the digital key can obtain each other's public key and verify each other's legitimacy. The two parties can establish trusted and secure communication based on each other's public key.
[0167] In this embodiment of the application, the server and the digital key can communicate securely using any encryption algorithm based on the public keys they have obtained from each other.
[0168] In some implementations, the digital key can encrypt communication data using any encryption algorithm based on the public key in the acquired first key pair. Upon receiving data encrypted with the public key of the first key pair, the server can decrypt the encrypted data using the private key of the first key pair, thus achieving secure communication between the server and the digital key. It is understood that the server can also encrypt communication data using any encryption algorithm based on the public key of the third key pair, and the digital key can decrypt the encrypted data using the private key of the third key pair after receiving it.
[0169] In some implementations, the digital key can generate a symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the private key from the third key pair and the public key from the first key pair. This symmetric key is then used for secure communication with the server. It should be noted that the server can generate the same symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the public key from the third key pair and the private key from the first key pair. Furthermore, it should be noted that using the Diffie-Hellman key exchange / negotiation algorithm to generate the symmetric key for secure communication is computationally fast and can effectively reduce communication latency.
[0170] In the embodiments of this application, the secure communication can also be based on any security standard, such as the SCP03 (Secure Channel Protocol) standard. This application does not limit the key encryption algorithm or secure channel standard used to establish secure communication.
[0171] The communication establishment method of this disclosure embodiment receives a communication request sent by a server, and in response to the communication request, uses the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain second encrypted data. Then, it uses the private key in the second key pair stored in the untrusted environment of the terminal device to sign the second encrypted data, and sends the signed second encrypted data to the server. This allows the server to decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key in the decrypted third key pair. This enables the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public keys before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in a trusted environment.
[0172] It should be noted that, in the embodiments of this application, any encryption and decryption algorithm can be used to encrypt and decrypt the data, and any signature and verification algorithm can be used to sign and verify the data. The embodiments of this application do not limit the specific methods used.
[0173] Figure 4 is a flowchart illustrating a communication establishment method according to another embodiment of this disclosure. It should be noted that the communication establishment method in this embodiment is executed by a terminal device. As shown in Figure 4, the communication establishment method may include the following steps:
[0174] Step 401: Generate and store the second key pair in an untrusted environment.
[0175] The second key pair includes a public key and a private key, which represent the terminal device. For example, the second key pair includes the public key "Device root pk" and the private key "Device root sk". This second key pair can be used to verify the legitimacy of the terminal device, and each terminal device can have a corresponding second key pair.
[0176] Step 402: Send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel.
[0177] The terminal device can send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel. For example, the terminal device can send the terminal device's Device root pk and the terminal device's device identifier to the server through a trusted communication channel.
[0178] It is understood that, in the embodiments of this application, the trusted communication channel between the server and the terminal device indicates that the data transmitted through this communication channel is legitimate and trustworthy, and the server and the terminal device can communicate and exchange their public keys through this trusted communication channel. Typically, this trusted communication channel is established within the official factory of the terminal device; that is, this process is usually completed within the official factory of the terminal device.
[0179] Step 403: Read the public key in the first key pair stored on the server through a trusted communication channel with the server, and write the public key in the first key pair into the trusted execution environment of the terminal.
[0180] The terminal device can read the public key in the first key pair through a trusted communication channel with the server, and write the public key in the first key pair into the terminal's Trusted Execution Environment (TEE).
[0181] The first key pair includes a private key and a public key, which are generated and stored by the server and represent the server. For example, the first key pair includes a public key Server pk and a private key Server sk. This first key pair can be used to verify the legitimacy of the server, and the private key in the first key pair is unique to that server.
[0182] The Trusted Execution Environment (TEE) in the terminal device can obtain the public key from the first key pair. For example, the server can pre-install the Server pk in the terminal device's TEE through a trusted communication channel with the terminal device.
[0183] Step 404: Receive a communication request sent by the server, which is signed using the private key in the first key pair.
[0184] In order to establish trusted communication with the digital key in the terminal device, the server can send a communication request to the terminal device, which is signed with the private key in the first key pair. The terminal device can then verify the signature of the communication request using the public key in the pre-set first key pair.
[0185] Step 405: In response to the communication request, the public key in the first key pair stored in the terminal device is used to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data.
[0186] After receiving a communication request from the server, the terminal device can respond to the communication request by using the public key in the first key pair to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data.
[0187] The third key pair includes a private key and a public key, which are generated and stored in a trusted environment by the digital key in the terminal device. This key pair represents the digital key. For example, the third key pair includes the public key `Device digitalkey pk` and the private key `Device digitalkey sk`. The private key in the third key pair is unique to the digital key.
[0188] Optionally, the digital key can be stored as a trusted application (TA) in a trusted execution environment (TEE).
[0189] For example, in this embodiment of the application, the terminal device can use the Server pk to encrypt the Device digitalkey pk and the device identifier of the terminal device to obtain the second encrypted data.
[0190] Step 406: Sign the second encrypted data using the private key from the second key pair stored in the terminal device in an untrusted environment.
[0191] The terminal device can sign the second encrypted data using the private key from the second key pair. After receiving the signed second encrypted data, the server can verify it using the public key from the second key pair to verify the legitimacy of the terminal device.
[0192] Step 407: Send signed second encrypted data to the server so that the server can decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key in the decrypted third key pair.
[0193] The terminal device sends the signed second encrypted data to the server.
[0194] The server can decrypt the second encrypted data using the private key from the first key pair to obtain the public key from the third key pair. The server can then verify the signature of the second encrypted data using the obtained public key from the second key pair to confirm the legitimacy of the terminal device.
[0195] If the verification is successful, it means that the terminal device has been confirmed as legitimate, and the server can establish secure communication with the digital key based on the public key in the third key pair.
[0196] In some implementations, the terminal device can send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel. The server can then establish a correspondence between the device identifier and the public key in the second key pair. In other words, the server can obtain the device identifier of the terminal device and the public key of the second key pair through the trusted communication channel and establish a correspondence between them.
[0197] The terminal device can obtain the server's public key through a trusted communication channel, and the server obtains the public key of the third key pair stored in the trusted environment by the digital key in the terminal device. Both the server and the digital key can obtain each other's public key and verify each other's legitimacy. The two parties can establish trusted and secure communication based on each other's public key.
[0198] In this embodiment of the application, the server and the digital key can communicate securely using any encryption algorithm based on the public keys they have obtained from each other.
[0199] In some implementations, the digital key can encrypt communication data using any encryption algorithm based on the public key in the acquired first key pair. Upon receiving data encrypted with the public key of the first key pair, the server can decrypt the encrypted data using the private key of the first key pair, thus achieving secure communication between the server and the digital key. It is understood that the server can also encrypt communication data using any encryption algorithm based on the public key of the third key pair, and the digital key can decrypt the encrypted data using the private key of the third key pair after receiving it.
[0200] In some implementations, the digital key can generate a symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the private key from the third key pair and the public key from the first key pair. This symmetric key is then used for secure communication with the server. It should be noted that the server can generate the same symmetric key using the Diffie-Hellman key exchange / negotiation algorithm based on the public key from the third key pair and the private key from the first key pair. Furthermore, it should be noted that using the Diffie-Hellman key exchange / negotiation algorithm to generate the symmetric key for secure communication is computationally fast and can effectively reduce communication latency.
[0201] In the embodiments of this application, the secure communication can also be based on any security standard, such as the SCP03 (Secure Channel Protocol) standard. This application does not limit the key encryption algorithm or secure channel standard used to establish secure communication.
[0202] The communication establishment method of this disclosure involves generating and storing a second key pair in an untrusted environment, sending the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel, reading the public key of the first key pair stored on the server through the trusted communication channel, receiving a communication request sent by the server, which is signed with the private key of the first key pair, and in response to the communication request, encrypting the public key of the third key pair stored in the trusted environment where the digital key in the terminal device is located, and the device identifier of the terminal device, using the public key of the first key pair stored on the terminal device, to obtain second encrypted data, signing the second encrypted data with the private key of the second key pair stored on the terminal device in the untrusted environment, and sending the signed second encrypted data to the server so that the server can decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key of the decrypted third key pair. This allows the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public key before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in a trusted environment.
[0203] Corresponding to the communication establishment method provided in the above embodiments, this disclosure also provides a communication establishment device. Since the communication establishment device provided in this disclosure corresponds to the communication establishment method provided in the above embodiments, the implementation of the communication establishment method is also applicable to the communication establishment device provided in this disclosure, and will not be described in detail in this disclosure.
[0204] Figure 5 is a schematic diagram of the communication establishment apparatus provided in an embodiment of the present disclosure.
[0205] As shown in Figure 5, the communication establishment device 500 may include: a sending module 510, a receiving module 520, a decryption module 530, a lookup module 540, and a verification module 550.
[0206] The sending module 510 is used to send a communication request to the terminal device;
[0207] The receiving module 520 is configured to receive second encrypted data with a signature sent by the terminal device in response to the communication request;
[0208] The decryption module 530 is used to decrypt the second encrypted data using the private key in the first key pair stored on the server, to obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and to obtain the device identifier of the terminal device.
[0209] The lookup module 540 is used to look up the public key in the second key pair stored in an untrusted environment by the terminal device corresponding to the device identifier;
[0210] The verification module 550 is used to verify the signature of the second encrypted data using the public key in the second key pair. If the verification is successful, it establishes secure communication with the digital key based on the public key in the third key pair.
[0211] Optionally, the sending module 510 is specifically used for:
[0212] Send a communication request to the terminal device, wherein the communication request is signed using the private key in the first key pair;
[0213] The signature of the communication request is used by the terminal device to verify the request using the public key in the first key pair.
[0214] Optionally, as shown in Figure 6, which is a schematic diagram of a communication establishment apparatus provided in another embodiment of the present disclosure, the apparatus 500 further includes:
[0215] The reading module 560 is used to read the public key in the second key pair stored by the terminal device in an untrusted environment, and to read the device identifier of the terminal device through a trusted communication channel with the terminal device;
[0216] The association module 570 is used to establish a correspondence between the device identifier and the public key in the second key pair.
[0217] Optionally, the device 500 further includes:
[0218] The key generation module 580 is used to generate and store the first key pair;
[0219] The preset module 590 is used to write the public key in the first key pair into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
[0220] The communication establishment apparatus of this embodiment sends a communication request to a terminal device, receives second encrypted data with a signature sent by the terminal device in response to the communication request, decrypts the second encrypted data using the private key in the first key pair stored on the server, obtains the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and obtains the device identifier of the terminal device. It then searches for the public key in the second key pair stored in the untrusted environment corresponding to the device identifier, verifies the signature of the second encrypted data using the public key in the second key pair, and if the verification is successful, establishes secure communication with the digital key based on the public key in the third key pair. This allows the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public key before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in the trusted environment.
[0221] Figure 7 is a schematic diagram of the communication establishment apparatus provided in an embodiment of the present disclosure.
[0222] As shown in Figure 7, the communication establishment device 700 may include: a receiving module 710, an encryption module 720, a signature module 730, and a sending module 740.
[0223] The receiving module 710 is used to receive communication requests sent by the server.
[0224] The encryption module 720 is used to respond to the communication request by using the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and the device identifier of the terminal device, to obtain the second encrypted data.
[0225] The signature module 730 is used to sign the second encrypted data using the private key in the second key pair stored by the terminal device in an untrusted environment;
[0226] The sending module 740 is used to send signed second encrypted data to the server so that the server can decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key in the third key pair obtained by decryption.
[0227] Optionally, the receiving module 710 is specifically used for:
[0228] Receive a communication request sent by the server, the communication request being signed using the private key in the first key pair;
[0229] The signature of the communication request is verified using the public key from the first key pair.
[0230] Optionally, as shown in Figure 8, which is a schematic diagram of a communication establishment apparatus provided in another embodiment of the present disclosure, the apparatus 700 further includes:
[0231] The key generation module 750 is used to generate and store a second key pair in an untrusted environment;
[0232] The writing module 760 is used to send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel with the server.
[0233] Optionally, the device 700 further includes:
[0234] The reading module 770 is used to read the public key in the first key pair stored by the server through a trusted communication channel with the server, and write the public key in the first key pair into the trusted execution environment of the terminal.
[0235] The file writing communication establishment apparatus of this disclosure receives a communication request sent by a server, and in response to the communication request, uses the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain second encrypted data. Then, it uses the private key in the second key pair stored in the untrusted environment of the terminal device to sign the second encrypted data, and sends the signed second encrypted data to the server. This allows the server to decrypt and verify the signed second encrypted data, and establish secure communication with the digital key based on the public key in the decrypted third key pair. This enables the digital key in the terminal device and the server to verify each other's legitimacy and possess each other's public keys before establishing communication, and to establish mutually trusted communication, effectively ensuring the security and reliability of data transmission between the digital key and the server in a trusted environment.
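The exchange that paragraphs [0220] and [0235] describe, sketched end to end as an added example; it is not code from the patent. The algorithm choices (RSA-OAEP for the first key pair, Ed25519 for the second and third), the payload layout, and all type and function names are assumptions, and the optional signed communication request is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server holds the first key pair and the device identifier -> second public
// key table that was filled over the trusted channel.
type Server struct {
	first   *rsa.PrivateKey
	devices map[string]ed25519.PublicKey
}

// Terminal models both environments of one device (hypothetical layout).
type Terminal struct {
	deviceID   string
	firstPub   *rsa.PublicKey     // written into the TEE at provisioning
	secondPriv ed25519.PrivateKey // stored in the untrusted environment
	thirdPub   ed25519.PublicKey  // digital key, trusted environment
}

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // assumed algorithm and size
	if err != nil {
		return nil, err
	}
	return &Server{first: k, devices: map[string]ed25519.PublicKey{}}, nil
}

// Provision stands in for the trusted channel: the second public key and the
// device identifier go to the server, the first public key goes to the terminal.
func Provision(s *Server, deviceID string) (*Terminal, error) {
	secondPub, secondPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	thirdPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.devices[deviceID] = secondPub
	return &Terminal{deviceID, &s.first.PublicKey, secondPriv, thirdPub}, nil
}

// Respond builds the signed "second encrypted data": the third public key and
// the device identifier encrypted under the first public key, then signed
// with the second private key. Assumed payload layout: thirdPub || deviceID.
func (t *Terminal) Respond() (ct, sig []byte, err error) {
	payload := append(append([]byte{}, t.thirdPub...), t.deviceID...)
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, t.firstPub, payload, nil)
	if err != nil {
		return nil, nil, err
	}
	return ct, ed25519.Sign(t.secondPriv, ct), nil
}

// Accept decrypts with the first private key, looks up the second public key
// by device identifier, and releases the third public key only if the
// signature over the ciphertext verifies.
func (s *Server) Accept(ct, sig []byte) (ed25519.PublicKey, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.first, ct, nil)
	if err != nil || len(payload) <= ed25519.PublicKeySize {
		return nil, errors.New("decryption failed or payload malformed")
	}
	thirdPub := payload[:ed25519.PublicKeySize]
	secondPub, ok := s.devices[string(payload[ed25519.PublicKeySize:])]
	if !ok {
		return nil, errors.New("unknown device identifier")
	}
	if !ed25519.Verify(secondPub, ct, sig) {
		return nil, errors.New("signature verification failed")
	}
	return ed25519.PublicKey(thirdPub), nil
}

func main() {
	s, _ := NewServer()
	t, _ := Provision(s, "device-0001") // constructed identifier
	ct, sig, _ := t.Respond()
	pub, err := s.Accept(ct, sig)
	fmt.Println(len(pub), err)
}
```

Because the verification key is found through the decrypted identifier, Accept has three distinct rejection paths: ciphertext that does not decrypt, an identifier that was never registered, and a signature made with a different device's second private key.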
[0236] To implement the above embodiments, this disclosure also proposes an electronic device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the communication establishment method proposed in the embodiments of Figures 1 to 2 of the present disclosure, or the communication establishment method proposed in the embodiments of Figures 3 to 4 of the present disclosure.
[0237] To implement the above embodiments, this disclosure also proposes a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the communication establishment method proposed in the embodiments of Figures 1 to 2 of the present disclosure, or the communication establishment method proposed in the embodiments of Figures 3 to 4 of the present disclosure.
[0238] To implement the above embodiments, this disclosure also proposes a computer program product, which, when executed by a processor, performs the communication establishment method proposed in the embodiments of Figures 1 to 2 of the present disclosure, or the communication establishment method proposed in the embodiments of Figures 3 to 4 of the present disclosure.
[0239] Figure 9 is a block diagram illustrating an electronic device according to an exemplary embodiment. For example, device 200 may be a mobile phone, computer, digital broadcasting terminal, messaging device, game console, tablet device, medical device, fitness device, personal digital assistant, etc.
[0240] Referring to Figure 9, the device 900 may include one or more of the following components: a processing component 902, a memory 904, a power component 906, a multimedia component 908, an audio component 910, an input / output (I / O) interface 912, a sensor component 914, and a communication component 916.
[0241] Processing component 902 typically controls the overall operation of device 900, such as operations associated with display, telephone calls, data communication, camera operation, and recording operations. Processing component 902 may include one or more processors 920 to execute instructions to perform all or part of the steps of the methods described above. Furthermore, processing component 902 may include one or more modules to facilitate interaction between processing component 902 and other components. For example, processing component 902 may include a multimedia module to facilitate interaction between multimedia component 908 and processing component 902.
[0242] Memory 904 is configured to store various types of data to support the operation of device 900. Examples of this data include instructions for any application or method operating on device 900, contact data, phonebook data, messages, pictures, videos, etc. Memory 904 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.
[0243] The power supply component 906 provides power to the various components of the device 900. The power supply component 906 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power to the device 900.
[0244] Multimedia component 908 includes a screen that provides an output interface between the device 900 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touchscreen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundaries of the touch or swipe action but also the duration and pressure associated with the touch or swipe operation. In some embodiments, multimedia component 908 includes a front-facing camera and / or a rear-facing camera. When the device 900 is in an operating mode, such as a shooting mode or a video mode, the front-facing camera and / or the rear-facing camera may receive external multimedia data. Each front-facing camera and rear-facing camera may be a fixed optical lens system or have focal length and optical zoom capabilities.
[0245] Audio component 910 is configured to output and / or input audio signals. For example, audio component 910 includes a microphone (MIC) configured to receive external audio signals when device 900 is in an operating mode, such as call mode, recording mode, and voice recognition mode. The received audio signals may be further stored in memory 904 or transmitted via communication component 916. In some embodiments, audio component 910 also includes a speaker for outputting audio signals.
[0246] I / O interface 912 provides an interface between processing component 902 and peripheral interface modules, such as keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to, home buttons, volume buttons, power buttons, and lock buttons.
[0247] Sensor assembly 914 includes one or more sensors for providing status assessments of various aspects of device 900. For example, sensor assembly 914 may detect the on / off state of device 900, the relative positioning of components such as the display and keypad of device 900, changes in position of device 900 or a component of device 900, the presence or absence of user contact with device 900, orientation or acceleration / deceleration of device 900, and temperature changes of device 900. Sensor assembly 914 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. Sensor assembly 914 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, sensor assembly 914 may also include an accelerometer, gyroscope, magnetometer, pressure sensor, or temperature sensor.
[0248] Communication component 916 is configured to facilitate wired or wireless communication between device 900 and other devices. Device 900 can access wireless networks based on communication standards, such as WiFi, 4G, or 5G, or combinations thereof. In one exemplary embodiment, communication component 916 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 916 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
[0249] In an exemplary embodiment, the apparatus 900 may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components to perform the methods described above.
[0250] In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, such as a memory 904 including instructions, which can be executed by a processor 920 of the device 900 to perform the above-described method. For example, the non-transitory computer-readable storage medium may be a ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, and optical data storage device, etc.
[0251] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this disclosure. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0252] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this disclosure, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.
[0253] Any process or method description in the flowchart or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing custom logic functions or processes, and the scope of preferred embodiments of this disclosure includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functions involved, as will be understood by those skilled in the art to which embodiments of this disclosure pertain.
[0254] The logic and / or steps represented in the flowchart or otherwise described herein, for example, can be considered as a sequenced list of executable instructions for implementing logical functions, and can be embodied in any computer-readable medium for use by, or in conjunction with, an instruction execution system, apparatus, or device (such as a computer-based system, a processor-including system, or other system that can fetch and execute instructions from, an instruction execution system, apparatus, or device). For the purposes of this specification, "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transmit programs for use by, or in conjunction with, an instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (electronic device), a portable computer disk drive (magnetic device), random access memory (RAM), read-only memory (ROM), erasable and programmable read-only memory (EPROM or flash memory), fiber optic devices, and portable optical disc read-only memory (CDROM). Alternatively, the computer-readable medium may be paper or other suitable media on which the program can be printed, since the program can be obtained electronically, for example, by optically scanning the paper or other medium, followed by editing, interpreting, or otherwise processing as necessary, and then stored in a computer memory.
[0255] It should be understood that various parts of this disclosure can be implemented using hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented using software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
[0256] Those skilled in the art will understand that all or part of the steps of the methods in the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, the program includes one or a combination of the steps of the method embodiments.
[0257] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into a processing module, or each unit can exist physically separately, or two or more units can be integrated into a module. The integrated module can be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
[0258] The storage medium mentioned above can be a read-only memory, a disk, or an optical disk, etc. Although embodiments of the present disclosure have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting the present disclosure. Those skilled in the art can make changes, modifications, substitutions, and variations to the above embodiments within the scope of the present disclosure.
Claims
1. A communication establishment method, characterized in that the method is executed by the server, and the method includes:
sending a communication request to the terminal device;
receiving second encrypted data with a signature sent by the terminal device in response to the communication request; wherein the second encrypted data is obtained by the terminal device using the public key in the first key pair generated by the server to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and the device identifier of the terminal device; and the signature of the second encrypted data is produced by the terminal device using the private key in the second key pair stored in the untrusted environment of the terminal device;
decrypting the second encrypted data using the private key in the first key pair stored on the server, to obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and to obtain the device identifier of the terminal device;
finding the public key in the second key pair, stored in an untrusted environment by the terminal device, corresponding to the device identifier;
verifying the signature of the second encrypted data using the public key in the second key pair, and, if the verification is successful, establishing secure communication with the digital key based on the public key in the third key pair.
2. The method of claim 1, wherein, Sending a communication request to the terminal device includes: Send a communication request to the terminal device, wherein the communication request is signed using the private key in the first key pair; The signature of the communication request is used by the terminal device to verify the request using the public key in the first key pair.
3. The method according to claim 1 or 2, characterized in that, The method further includes: Through a trusted communication channel with the terminal device, the public key in the second key pair stored by the terminal device in an untrusted environment is read, as well as the device identifier of the terminal device is read; Establish a correspondence between the device identifier and the public key in the second key pair.
4. The method according to claim 1 or 2, characterized in that, The method further includes: Generate and store the first key pair; The public key in the first key pair is written into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
5. A communication establishment method, characterized in that the method is executed by a terminal device, and the method includes:
receiving a communication request sent by the server;
in response to the communication request, using the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain the second encrypted data; wherein the public key in the first key pair is generated by the server;
signing the second encrypted data using the private key in the second key pair stored by the terminal device in an untrusted environment;
sending the second encrypted data with the signature to the server, so that the server can decrypt and verify the second encrypted data with the signature, and establish secure communication with the digital key based on the public key in the third key pair obtained from the decryption.
6. The method according to claim 5, characterized in that receiving the communication request sent by the server includes:
receiving a communication request sent by the server, the communication request being signed using the private key in the first key pair;
verifying the signature of the communication request using the public key in the first key pair.
7. The method according to claim 5 or 6, characterized in that, The method further includes: Generate and store a second key pair in an untrusted environment; The public key of the second key pair and the device identifier of the terminal device are sent to the server through a trusted communication channel.
8. The method according to claim 5 or 6, characterized in that, The method further includes: Through a trusted communication channel with the server, the public key in the first key pair stored on the server is read and written into the trusted execution environment of the terminal.
9. A communication establishment device, characterized in that the device is used in a server, and the device includes:
a sending module, used to send communication requests to the terminal device;
a receiving module, configured to receive second encrypted data with a signature sent by the terminal device in response to the communication request; wherein the second encrypted data is obtained by the terminal device using the public key in the first key pair generated by the server to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and the device identifier of the terminal device; and the signature of the second encrypted data is produced by the terminal device using the private key in the second key pair stored in the untrusted environment of the terminal device;
a decryption module, used to decrypt the second encrypted data using the private key in the first key pair stored on the server, to obtain the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, and to obtain the device identifier of the terminal device;
a lookup module, used to find the public key in the second key pair, stored in an untrusted environment by the terminal device, corresponding to the device identifier;
a verification module, used to verify the signature of the second encrypted data using the public key in the second key pair and, if the verification is successful, to establish secure communication with the digital key based on the public key in the third key pair.
10. The apparatus according to claim 9, characterized in that, The sending module is specifically used for: Send a communication request to the terminal device, wherein the communication request is signed using the private key in the first key pair; The signature of the communication request is used by the terminal device to verify the request using the public key in the first key pair.
11. The apparatus according to claim 9 or 10, characterized in that, The device further includes: The reading module is used to read the public key in the second key pair stored by the terminal device in an untrusted environment, and to read the device identifier of the terminal device, through a trusted communication channel with the terminal device. The association module is used to establish a correspondence between the device identifier and the public key in the second key pair.
12. The apparatus according to claim 9 or 10, characterized in that, The device further includes: A key generation module is used to generate and store the first key pair; A pre-configured module is used to write the public key in the first key pair into the trusted execution environment of the terminal device through a trusted communication channel with the terminal device.
13. A communication establishment device, characterized in that, The device is used in a terminal device, and the device includes: The receiving module is used to receive communication requests sent by the server. An encryption module is used to respond to the communication request by using the public key in the first key pair stored in the terminal device to encrypt the public key in the third key pair stored in the trusted environment where the digital key in the terminal device is located, as well as the device identifier of the terminal device, to obtain second encrypted data; wherein, the public key in the first key pair is generated by the server; The signature module is used to sign the second encrypted data using the private key in the second key pair stored by the terminal device in an untrusted environment; The sending module is used to send a second encrypted data with a signature to the server, so that the server can decrypt and verify the second encrypted data with a signature, and establish secure communication with the digital key based on the public key in the third key pair obtained by decryption.
14. The apparatus according to claim 13, characterized in that, The receiving module is specifically used for: Receive a communication request sent by the server, the communication request being signed using the private key in the first key pair; The signature of the communication request is verified using the public key from the first key pair.
15. The apparatus according to claim 13 or 14, characterized in that, The device further includes: A key generation module is used to generate and store a second key pair in an untrusted environment; The writing module is used to send the public key of the second key pair and the device identifier of the terminal device to the server through a trusted communication channel with the server.
16. The apparatus according to claim 13 or 14, characterized in that, The device further includes: The reading module is used to read the public key in the first key pair stored by the server through a trusted communication channel with the server and write the public key in the first key pair into the trusted execution environment of the terminal.
17. An electronic device, characterized in that, It includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the communication establishment method as described in any one of claims 1-4.
18. An electronic device, characterized in that, It includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the communication establishment method as described in any one of claims 5-8.
19. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the communication establishment method as described in any one of claims 1-4.
20. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the communication establishment method as described in any one of claims 5-8.
21. A computer program product, characterized in that, When the instructions in the computer program product are executed by the processor, the communication establishment method as described in any one of claims 1-4 is performed.
22. A computer program product, characterized in that, When the instructions in the computer program product are executed by the processor, the communication establishment method as described in any one of claims 5-8 is performed.