[go: up one dir, main page]

WO2024139734A1 - Key updating method and apparatus, electronic device, and computer readable storage medium - Google Patents

Key updating method and apparatus, electronic device, and computer readable storage medium Download PDF

Info

Publication number
WO2024139734A1
WO2024139734A1 PCT/CN2023/129923 CN2023129923W WO2024139734A1 WO 2024139734 A1 WO2024139734 A1 WO 2024139734A1 CN 2023129923 W CN2023129923 W CN 2023129923W WO 2024139734 A1 WO2024139734 A1 WO 2024139734A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
server
update
information
encrypted information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2023/129923
Other languages
French (fr)
Chinese (zh)
Inventor
杨坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Midea Group Co Ltd
GD Midea Air Conditioning Equipment Co Ltd
Original Assignee
Midea Group Co Ltd
GD Midea Air Conditioning Equipment Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Midea Group Co Ltd, GD Midea Air Conditioning Equipment Co Ltd filed Critical Midea Group Co Ltd
Publication of WO2024139734A1 publication Critical patent/WO2024139734A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present application relates to the technical field of Internet of Things, and in particular to a key updating method, device, electronic device and computer-readable storage medium.
  • a typical Internet of Things system consists of many Internet of Things devices, a cloud service end, and a console.
  • an embodiment of the present application further provides a computer program product, including a computer program, wherein the computer program implements the above-mentioned key updating method when executed by a processor.
  • the key update mechanism proposed in this embodiment performs challenge response between the device and the server, synchronizes the key update action, and performs the same key processing mechanism on each side, and updates the shared key by inputting the update conditions.
  • the above key update mechanism can not only solve the problem of sensitive information not being transmitted, but also trigger the refresh of the shared key information of the device and the server according to a variety of update conditions, and has the characteristics of being synchronizable, controllable, and securely updateable.
  • the challenge response mechanism is that the authentication server sends a different "challenge” string to the device each time the authentication is performed. After the client program receives the "challenge” string, it makes a corresponding "response". For example, the device can send a challenge message to the server, and the server sends a response message to the device after receiving the challenge message.
  • the key update actions of the device and the server of the IoT system can be synchronized through the challenge response mechanism. That is, if the device receives the response information returned by the server after sending the challenge information, it can be determined that the device has synchronized the key update action. The device can then return a confirmation message to the server, and the server can determine that the server has synchronized the key update action after receiving the confirmation message. The end also synchronizes the key update action.
  • the device side of the Internet of Things system in this embodiment sends a challenge message to the server side of the Internet of Things system; the server side returns a response message to the device side based on the challenge message; the device side synchronizes the key update action based on the response message and sends a confirmation message to the server side; the server side synchronizes the key update action based on the confirmation message.
  • the key synchronization tables at both ends can ensure a certain cache volume, for example, maintaining 10 groups of data; at this time, the shared key is refreshed and the two ends are synchronized.
  • the trigger condition includes: the number of times the device and the server communicate reaches a preset number threshold.
  • the above-mentioned device includes: a key synchronization table cache module, which is used to update the key identifier of the device side and the server side; wherein the key identifier represents the number of times the key is updated; cache the key and key identifier of the device side to the key synchronization table of the device side; cache the key and key identifier of the server side to the key synchronization table of the server side.
  • the above-mentioned encrypted information communication module is also used to send an error message to the device side if the decryption of the encrypted information by other keys cached in the key synchronization table of the server side fails; based on the error information, the device side encrypts the target information by other keys except the first key cached in the key synchronization table of the device side in order of the number of updates from large to small, so as to obtain encrypted information.
  • Embodiment 4 is a diagrammatic representation of Embodiment 4:
  • An embodiment of the present application also provides an electronic device for running the above-mentioned key update method; referring to the structural diagram of an electronic device shown in FIG8 , the electronic device includes a memory 100 and a processor 101, wherein the memory 100 is used to store one or more computer instructions, and the one or more computer instructions are executed by the processor 101 to implement the above-mentioned key update method.
  • the electronic device shown in FIG. 8 further includes a bus 102 and a communication interface 103 , and the processor 101 , the communication interface 103 and the memory 100 are connected via the bus 102 .
  • the memory 100 may include a high-speed random access memory (RAM). Access Memory), and may also include non-volatile memory, such as at least one disk storage.
  • RAM random access memory
  • the communication connection between the system network element and at least one other network element is realized through at least one communication interface 103 (which can be wired or wireless), and the Internet, wide area network, local area network, metropolitan area network, etc. can be used.
  • Bus 102 can be ISA bus, PCI bus or EISA bus, etc.
  • the bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one bidirectional arrow is used in Figure 8, but it does not mean that there is only one bus or one type of bus.
  • the processor 101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit in the processor 101 or the instruction in the form of software.
  • the above processor 101 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • the methods, steps and logic block diagrams disclosed in the embodiments of the present application can be implemented or executed.
  • the general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc.
  • the steps of the method disclosed in the embodiments of the present application can be directly embodied as a hardware decoding processor for execution, or a combination of hardware and software modules in the decoding processor for execution.
  • the software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, or an electrically erasable programmable memory, a register, etc.
  • the storage medium is located in the memory 100, and the processor 101 reads the information in the memory 100 and completes the steps of the method of the above embodiment in combination with its hardware.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present application provides a key updating method and apparatus, an electronic device, and a computer readable storage medium, applied to an Internet of things system. The method comprises: synchronizing key updating actions of a device end and a serving end of an Internet of things system on the basis of a preset challenge response mechanism; updating keys of the device end and the serving end on the basis of a preset trigger condition; and performing communication of encrypted information of the device end and the serving end by means of the updated keys. The keys of the device end and the serving end of the Internet of things system are updated on the basis of the challenge response mechanism without issuing a key updating instruction, and the risk of being eavesdropped due to leakage of transmission channels does not exist, such that the security of key updating can be improved.

Description

密钥更新方法、装置、电子设备和计算机可读存储介质Key updating method, device, electronic device and computer readable storage medium

相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS

本申请要求于2022年12月27日提交的申请号为202211686973.6,发明名称为“密钥更新方法、装置、电子设备和计算机可读存储介质”的中国专利申请的优先权,其通过引用方式全部并入本申请。This application claims priority to Chinese patent application No. 202211686973.6, filed on December 27, 2022, and entitled “Key update method, device, electronic device and computer-readable storage medium”, which is incorporated herein by reference in its entirety.

技术领域Technical Field

本申请涉及物联网技术领域,尤其是涉及一种密钥更新方法、装置、电子设备和计算机可读存储介质。The present application relates to the technical field of Internet of Things, and in particular to a key updating method, device, electronic device and computer-readable storage medium.

背景技术Background technique

物联网技术在工业自动化、智能家居、智慧医疗、网联汽车等领域得到了广泛的应用,典型的物联网系统由众多物联网设备端、一个云服务端、一个控制台组成。Internet of Things technology has been widely used in industrial automation, smart home, smart medical care, connected cars and other fields. A typical Internet of Things system consists of many Internet of Things devices, a cloud service end, and a console.

发明内容Summary of the invention

有鉴于此,本申请的目的在于提供一种密钥更新方法、装置、电子设备和计算机可读存储介质,以提高物联网系统中密钥更新的安全性。In view of this, the purpose of the present application is to provide a key update method, device, electronic device and computer-readable storage medium to improve the security of key update in an Internet of Things system.

第一方面,本申请实施例提供了一种密钥更新方法,应用于物联网系统,方法包括:基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;基于预先设置的触发条件更新设备端和服务端的密钥;通过更新后的密钥进行设备端和服务端的加密信息的通信。In a first aspect, an embodiment of the present application provides a key update method, which is applied to an Internet of Things system, and the method includes: synchronizing the key update actions of a device and a server of the Internet of Things system based on a pre-set challenge response mechanism; updating the keys of the device and the server based on pre-set trigger conditions; and communicating encrypted information between the device and the server through the updated keys.

第二方面,本申请实施例还提供一种密钥更新装置,应用于物联网系统,装置包括:密钥更新同步模块,用于基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;密钥更新模块,用于基于预先设置的触发条件更新设备端和服务端的密钥;加密信息通信模块,用于通过更新后的密钥进行设备端和服务端的加密信息的通信。In the second aspect, an embodiment of the present application also provides a key update device, which is applied to an Internet of Things system. The device includes: a key update synchronization module, which is used to synchronize the key update actions of the device and server sides of the Internet of Things system based on a pre-set challenge response mechanism; a key update module, which is used to update the keys of the device and server sides based on pre-set trigger conditions; and an encrypted information communication module, which is used to communicate encrypted information between the device and server sides through the updated key.

第三方面,本申请实施例还提供了一种电子设备,包括处理器和存储器,该存储器存储有能够被该处理器执行的计算机可执行指令,该处理器 执行该计算机可执行指令以实现上述密钥更新方法。In a third aspect, an embodiment of the present application further provides an electronic device, comprising a processor and a memory, wherein the memory stores computer executable instructions that can be executed by the processor, and the processor The computer executable instructions are executed to implement the key updating method.

第四方面,本申请实施例还提供了一种计算机可读存储介质,该计算机可读存储介质存储有计算机可执行指令,该计算机可执行指令在被处理器调用和执行时,计算机可执行指令促使处理器实现上述密钥更新方法。In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions. When the computer-executable instructions are called and executed by a processor, the computer-executable instructions prompt the processor to implement the above-mentioned key update method.

第五方面,本申请实施例还提供了一种计算机程序产品,包括计算机程序,其中,所述计算机程序被处理器执行时实现上述密钥更新方法。In a fifth aspect, an embodiment of the present application further provides a computer program product, including a computer program, wherein the computer program implements the above-mentioned key updating method when executed by a processor.

本申请实施例带来了以下有益效果:The embodiments of the present application bring the following beneficial effects:

本申请实施例提供了一种密钥更新方法、装置、电子设备和计算机可读存储介质,基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;基于触发条件更新设备端和服务端的密钥;通过更新后的密钥进行设备端和服务端的加密信息的通信。基于挑战应答机制更新物联网系统的设备端和服务端的密钥,无需下发更新密钥指令,不存在因传输通道泄露导致被窃听的危险,可以提高密钥更新的安全性。The embodiments of the present application provide a key update method, device, electronic device, and computer-readable storage medium, which synchronize the key update actions of the device and server of the IoT system based on a pre-set challenge response mechanism; update the key of the device and server based on trigger conditions; and communicate encrypted information between the device and server through the updated key. The key of the device and server of the IoT system is updated based on the challenge response mechanism, without issuing a key update instruction, and there is no risk of eavesdropping due to leakage of the transmission channel, which can improve the security of key update.

本公开的其他特征和优点将在随后的说明书中阐述,或者,部分特征和优点可以从说明书推知或毫无疑义地确定,或者通过实施本公开的上述技术即可得知。Other features and advantages of the present disclosure will be set forth in the following description, or some features and advantages may be inferred or unambiguously determined from the description, or may be learned by implementing the above-mentioned technology of the present disclosure.

为使本公开的上述目的、特征和优点能更明显易懂,下文特举较佳实施例,并配合所附附图,作详细说明如下。In order to make the above-mentioned objectives, features and advantages of the present disclosure more obvious and easy to understand, preferred embodiments are specifically cited below and described in detail with reference to the accompanying drawings.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本申请具体实施方式或现有技术中的技术方案,下面将对具体实施方式或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本申请的一些实施方式,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the specific implementation methods of the present application or the technical solutions in the prior art, the drawings required for use in the specific implementation methods or the description of the prior art will be briefly introduced below. Obviously, the drawings described below are some implementation methods of the present application. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying any creative work.

图1为本申请实施例提供的一种密钥更新方法的流程图;FIG1 is a flow chart of a key updating method provided in an embodiment of the present application;

图2为本申请实施例提供的另一种密钥更新方法的流程图;FIG2 is a flow chart of another key updating method provided in an embodiment of the present application;

图3为本申请实施例提供的一种的设备端和服务端共享密钥的示意图;FIG3 is a schematic diagram of a device-side and a server-side shared key provided in an embodiment of the present application;

图4为本申请实施例提供的一种的挑战应答机制的示意图;FIG4 is a schematic diagram of a challenge response mechanism provided in an embodiment of the present application;

图5为本申请实施例提供的一种通过计数器确定是否满足触发条件的 示意图;FIG. 5 is a method for determining whether a trigger condition is met by a counter according to an embodiment of the present application. Schematic diagram;

图6为本申请实施例提供的一种密钥更新组件的示意图;FIG6 is a schematic diagram of a key update component provided in an embodiment of the present application;

图7为本申请实施例提供的一种密钥更新装置的结构示意图;FIG7 is a schematic diagram of the structure of a key updating device provided in an embodiment of the present application;

图8为本申请实施例提供的一种电子设备的结构示意图。FIG8 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present application.

具体实施方式Detailed ways

为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical solution and advantages of the embodiments of the present application clearer, the technical solution of the present application will be clearly and completely described below in conjunction with the accompanying drawings. Obviously, the described embodiments are part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present application.

目前,物联网技术在工业自动化、智能家居、智慧医疗、网联汽车等领域得到了广泛的应用,典型的物联网系统由众多物联网设备端、一个云服务端、一个控制台组成,在云服务端与物联网设备端进行数据通信前,为了保证通信链路的安全性,需要分别设置密钥,典型的有2种处理方式:At present, IoT technology has been widely used in industrial automation, smart home, smart medical care, connected cars and other fields. A typical IoT system consists of many IoT devices, a cloud service, and a console. Before the cloud service and IoT devices communicate data, keys need to be set separately to ensure the security of the communication link. There are two typical processing methods:

(1)预置设备公私钥,物联网设备端与云服务端在通信前通过交换信息建立会话连接,即通过密钥协商的手段进行会话密钥的生成,且每次生成的会话密钥不同,从而保证安全通信。(2)为节省资源,物联网设备端与云服务端预置对称密钥信息,进行直接的加密通信。(1) Preset the public and private keys of the device. The IoT device and the cloud service establish a session connection by exchanging information before communication. That is, the session key is generated by means of key negotiation, and the session key generated each time is different, thereby ensuring secure communication. (2) In order to save resources, the IoT device and the cloud service preset symmetric key information for direct encrypted communication.

其中,第一种处理方式相对来说更加消耗资源,在处理能力较强的物联网设备端可以使用,每次建立的对称会话密钥安全性也会较高,不容易遭受信息窃取。第二种处理方式为静态对称会话密钥,消耗资源少,使用方便,在众多物联网系统中,特别是处理能力不强,使用电池类的设备应用广泛,但对应地也为攻击者提供了便利,只要获取到会话密钥,便永久性可监听设备通信,甚至发送恶意指令。因此,为了提高通信的安全性,设备端和服务端可以设置共享密钥更新机制。Among them, the first processing method is relatively more resource-intensive and can be used on IoT devices with strong processing capabilities. The security of the symmetric session key established each time will also be high and not easily subject to information theft. The second processing method is a static symmetric session key, which consumes less resources and is easy to use. It is widely used in many IoT systems, especially in devices with weak processing capabilities and battery-powered devices. However, it also provides convenience for attackers. As long as they obtain the session key, they can permanently monitor device communications and even send malicious commands. Therefore, in order to improve the security of communication, the device and server can set up a shared key update mechanism.

传统的共享密钥更新机制,由其中一端主导,通过一端触发共享密钥指令,另一端进行下发,然而,上述共享密钥更新机制存在一个问题,如果传输通道本身已经被泄露的情况下,新更新的密钥同样面临被窃听的危险,违背了敏感信息不允许非可信通道传输的安全原则,安全性较差。 The traditional shared key update mechanism is dominated by one end, and the shared key instruction is triggered by one end and issued by the other end. However, there is a problem with the above shared key update mechanism. If the transmission channel itself has been leaked, the newly updated key is also at risk of being eavesdropped, which violates the security principle that sensitive information is not allowed to be transmitted through untrusted channels, and has poor security.

基于此,本申请实施例提供的一种密钥更新方法、装置、电子设备和计算机可读存储介质,可以针对设备端和云服务端的共享密钥更新,提出了一种基于挑战应答的自同步、无需设备端触发、云服务端下发的安全密钥更新机制,具体涉及信息安全、密码学、物联网安全、共享密钥的领域。Based on this, the embodiments of the present application provide a key update method, device, electronic device and computer-readable storage medium, which can be used for updating shared keys between the device side and the cloud service side. A security key update mechanism based on challenge response, self-synchronization, no need for device-side triggering, and issued by the cloud service side is proposed, which specifically involves the fields of information security, cryptography, Internet of Things security, and shared keys.

本实施例提出的密钥更新机制,通过设备端与服务端进行挑战应答,同步了密钥更新动作的前提下,各自进行相同的密钥处理机制,并通过输入更新条件,来进行共享密钥的更新。上述密钥更新机制既可以解决敏感信息不传递的问题,又可以按照多种更新条件来触发设备端和服务端的共享密钥信息刷新,具备可同步、可受控、可安全更新的特征。The key update mechanism proposed in this embodiment performs challenge response between the device and the server, synchronizes the key update action, and performs the same key processing mechanism on each side, and updates the shared key by inputting the update conditions. The above key update mechanism can not only solve the problem of sensitive information not being transmitted, but also trigger the refresh of the shared key information of the device and the server according to a variety of update conditions, and has the characteristics of being synchronizable, controllable, and securely updateable.

为便于对本实施例进行理解,首先对本申请实施例所公开的一种密钥更新方法进行详细介绍。To facilitate understanding of this embodiment, a key updating method disclosed in an embodiment of the present application is first introduced in detail.

实施例一:Embodiment 1:

本申请实施例提供一种密钥更新方法,应用于物联网系统,参见图1所示的一种密钥更新方法的流程图,该密钥更新方法包括如下步骤:The present application provides a key update method, which is applied to an Internet of Things system. Referring to FIG. 1 , a flowchart of a key update method is shown. The key update method includes the following steps:

步骤S102,基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作。Step S102: Synchronizing the key update actions of the device and the server of the IoT system based on a preset challenge response mechanism.

本实施例中的物联网系统可以包括设备端、服务端和控制台。其中,设备端可以指具有联网通信功能的物联网设备,例如:智能家居设备、工业传感器、智能汽车、智能摄像头、智能机器人、医疗设备、健身设备等。服务端可以为物理服务器也可以为云服务器,本实施例对此不做限定。其中,服务端和设备端通信连接。The IoT system in this embodiment may include a device side, a server side, and a console. The device side may refer to an IoT device with networking communication functions, such as smart home devices, industrial sensors, smart cars, smart cameras, smart robots, medical equipment, fitness equipment, etc. The server side may be a physical server or a cloud server, which is not limited in this embodiment. The server side and the device side are connected in communication.

挑战应答机制是每次认证时认证服务端都给设备端发送一个不同的“挑战”字串,客户端程序收到这个“挑战”字串后,做出相应的“应答”,以此机制而研制的系统。举例来说,设备端可以向服务端发送一个挑战信息,服务端接收该挑战信息之后向设备端发送应答信息。The challenge response mechanism is that the authentication server sends a different "challenge" string to the device each time the authentication is performed. After the client program receives the "challenge" string, it makes a corresponding "response". For example, the device can send a challenge message to the server, and the server sends a response message to the device after receiving the challenge message.

本实施例中可以通过挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作。即,如果设备端发送挑战信息之后,可以接收到服务端返回的应答信息,就可以确定设备端同步了密钥更新动作。设备端可以再向服务端返回一个确认信息,服务端接收到该确认信息后可以确定服务 端也同步了密钥更新动作。In this embodiment, the key update actions of the device and the server of the IoT system can be synchronized through the challenge response mechanism. That is, if the device receives the response information returned by the server after sending the challenge information, it can be determined that the device has synchronized the key update action. The device can then return a confirmation message to the server, and the server can determine that the server has synchronized the key update action after receiving the confirmation message. The end also synchronizes the key update action.

步骤S104,基于预先设置的触发条件更新设备端和服务端的密钥。Step S104: updating the keys of the device and the server based on the preset triggering conditions.

本实施例中的触发条件可以预先设置,满足触发条件后,设备端和服务端可以更新密钥。其中,设备端和服务端可以均设置有参数相同的密钥更新组件,提高各种的密钥更新组件对各自的密钥进行更新,从而保证更新后的密钥可以相互匹配。The triggering conditions in this embodiment can be pre-set, and after the triggering conditions are met, the device and the server can update the key. Among them, the device and the server can both be provided with key update components with the same parameters, so that various key update components can update their respective keys, thereby ensuring that the updated keys can match each other.

步骤S106,通过更新后的密钥进行设备端和服务端的加密信息的通信。Step S106, communicating encrypted information between the device and the server using the updated key.

在完成密钥更新之后,对于需要加密的目标信息,设备端或服务端均可以使用更新后的密钥对该信息进行加密得到加密信息,将加密信息传输至服务端或设备端,又服务端或设备端对加密信息进行解密,得到上述目标信息。After completing the key update, for the target information that needs to be encrypted, the device or server can use the updated key to encrypt the information to obtain encrypted information, transmit the encrypted information to the server or device, and then the server or device decrypts the encrypted information to obtain the above-mentioned target information.

本申请实施例提供了一种密钥更新方法,基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;基于触发条件更新设备端和服务端的密钥;通过更新后的密钥进行设备端和服务端的加密信息的通信。基于挑战应答机制更新物联网系统的设备端和服务端的密钥,无需下发更新密钥指令,不存在因传输通道泄露导致被窃听的危险,可以提高密钥更新的安全性。The embodiment of the present application provides a key update method, which synchronizes the key update actions of the device and the server of the Internet of Things system based on a pre-set challenge response mechanism; updates the key of the device and the server based on the trigger condition; and communicates the encrypted information between the device and the server through the updated key. The key of the device and the server of the Internet of Things system is updated based on the challenge response mechanism, without issuing a key update instruction, and there is no risk of eavesdropping due to leakage of the transmission channel, which can improve the security of key update.

实施例二:Embodiment 2:

本实施例提供了另一种密钥更新方法,该方法在上述实施例的基础上实现,如图2所示的另一种密钥更新方法的流程图,本实施例中的密钥更新方法包括如下步骤:This embodiment provides another key update method, which is implemented on the basis of the above embodiment. As shown in FIG2 , there is a flow chart of another key update method. The key update method in this embodiment includes the following steps:

步骤S202,基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作。Step S202: Synchronize the key update actions of the device and the server of the IoT system based on a preset challenge response mechanism.

具体地,本实施例中的物联网系统的设备端向物联网系统的服务端发送挑战信息;服务端基于挑战信息向设备端返回应答信息;设备端基于应答信息同步密钥更新动作,向服务端发送确认信息;服务端基于确认信息同步密钥更新动作。Specifically, the device side of the Internet of Things system in this embodiment sends a challenge message to the server side of the Internet of Things system; the server side returns a response message to the device side based on the challenge message; the device side synchronizes the key update action based on the response message and sends a confirmation message to the server side; the server side synchronizes the key update action based on the confirmation message.

参见图3所示的一种的设备端和服务端共享密钥的示意图,可以设置挑战应答组件,如果服务端反馈正常的应答信息给设备端,则设备端将密 钥更新组件的同步满足置1,设备端同步了密钥更新动作。同时,设备端反馈服务端一个确认信息,服务端此时也将密钥更新组件的同步满足置1,也同步了密钥更新动作。Referring to FIG. 3, a schematic diagram of a device and a server sharing a key, a challenge response component can be set. If the server feeds back a normal response information to the device, the device will The synchronization satisfaction of the key update component is set to 1, and the device synchronizes the key update action. At the same time, the device feeds back a confirmation message to the server, and the server also sets the synchronization satisfaction of the key update component to 1, and also synchronizes the key update action.

参见图4所示的一种的挑战应答机制的示意图,设备端使用共享密钥加密“hello”作为挑战信息,服务端使用共享密钥解密挑战信息,如果获得“hello”,返回应答信息。设备端收到应答信息,将密钥更新组件的同步满足置1,设备端同步了密钥更新动作。同时,设备端加密“ok”作为确认信息反馈至服务端,服务端解密确认信息得到“ok”,将密钥更新组件的同步满足置1,服务端也同步了密钥更新动作。Referring to the schematic diagram of a challenge response mechanism shown in FIG4 , the device uses a shared key to encrypt "hello" as a challenge message, and the server uses a shared key to decrypt the challenge message. If "hello" is obtained, a response message is returned. The device receives the response message, sets the synchronization satisfaction of the key update component to 1, and the device synchronizes the key update action. At the same time, the device encrypts "ok" as confirmation information and feeds it back to the server. The server decrypts the confirmation information and obtains "ok", sets the synchronization satisfaction of the key update component to 1, and the server also synchronizes the key update action.

本实施例中可以1.通过挑战应答机制,来决定设备端和服务端触发相同的密钥更新动作,避免出现不同步的问题。In this embodiment, 1. a challenge response mechanism can be used to determine whether the device and the server trigger the same key update action, thereby avoiding the problem of asynchrony.

步骤S204,基于预先设置的触发条件更新设备端和服务端的密钥。Step S204: updating the keys of the device and the server based on the preset triggering conditions.

具体地,本实施例的触发条件包括:设备端和服务端进行通信的次数达到预设的次数阈值。其中,可以通过计数器记录设备端和服务端进行通信的次数。Specifically, the triggering condition of this embodiment includes: the number of times the device and the server communicate reaches a preset number threshold, wherein the number of times the device and the server communicate can be recorded by a counter.

参见图5所示的一种通过计数器确定是否满足触发条件的示意图,设备端使用密钥加密“Trigger 100”;服务端使用密钥解密,如果获得“Trigger 100”,则返回“Trigger begin”至设备端,并将计数器打入100,开始递减;设备端收到“Trigger begin”,也将100打入计数器,开始递减。Referring to FIG5 , a schematic diagram of determining whether a trigger condition is met through a counter is shown. The device side uses a key to encrypt “Trigger 100”; the server side uses a key to decrypt. If “Trigger 100” is obtained, “Trigger begin” is returned to the device side, and 100 is entered into the counter to start decrementing. When the device side receives “Trigger begin”, 100 is also entered into the counter to start decrementing.

执行正常数据通信,通信完成,服务端继续跳入计数器,执行递减操作,计数为0时,返回“Trigger end”至设备端。设备端收到“Trigger end”,判断计数器此时数值是否为1,为1则确定设备端满足触发条件,发送“Trigger ok”至服务端;服务端收到“Trigger ok”,将密钥更新组件的触发条件置位为1,确定服务端满足触发条件。Perform normal data communication. After the communication is completed, the server continues to jump into the counter and perform a decrement operation. When the count reaches 0, it returns "Trigger end" to the device. The device receives "Trigger end" and determines whether the counter value is 1 at this time. If it is 1, it determines that the device meets the trigger condition and sends "Trigger ok" to the server. The server receives "Trigger ok" and sets the trigger condition of the key update component to 1 to determine that the server meets the trigger condition.

此外,本实施例中还可以通过输入不同的触发条件,来满足不同场景下的密钥更新。本实施例的触发条件可以设置其他的触发模式,根据业务的实际需要,比如收到某些特殊指令,则直接执行触发条件满足。In addition, in this embodiment, different trigger conditions can be input to meet the key update in different scenarios. The trigger conditions of this embodiment can set other trigger modes according to the actual needs of the business, such as receiving certain special instructions, and directly executing the trigger conditions.

本实施例中的设备端设置有第一密钥更新组件,服务端设置有第二密钥更新组件,第一密钥更新组件和第二密钥更新组件的参数相同。本实施例中可以通过密钥更新组件中输入相同的参数,来决定设备端和服务端输 出相同的密钥,避免出现一端无法解密的情况。In this embodiment, the device side is provided with a first key update component, and the server side is provided with a second key update component. The parameters of the first key update component and the second key update component are the same. In this embodiment, the same parameters can be input into the key update component to determine the input parameters of the device side and the server side. Output the same key to avoid the situation where one end cannot decrypt.

具体地,本实施例可以基于第一密钥更新组件更新设备端的密钥;基于第二密钥更新组件更新设备端的密钥。参见图6所示的一种密钥更新组件的示意图,当设备端和服务端均同步了密钥更新动作,且设备端和服务端均满足触发条件时,可以进行密钥更新。此外,本实施例的密钥更新组件也可以设置不同的输入信息,组件内部可以使用不同的生成逻辑,可根据实际的应用场景决定不同的安全强度。Specifically, this embodiment can update the key of the device side based on the first key update component; and update the key of the device side based on the second key update component. Referring to the schematic diagram of a key update component shown in FIG6, when the device side and the server side have synchronized the key update action, and the device side and the server side both meet the triggering conditions, the key update can be performed. In addition, the key update component of this embodiment can also set different input information, and different generation logics can be used inside the component, and different security strengths can be determined according to the actual application scenario.

步骤S206,更新设备端和服务端的密钥标识;其中,密钥标识表征密钥的更新次数;缓存设备端的密钥和密钥标识至设备端的密钥同步表;缓存服务端的密钥和密钥标识至服务端的密钥同步表。Step S206, updating the key identifiers of the device and the server; wherein the key identifier represents the number of times the key is updated; caching the key and key identifier of the device to the key synchronization table of the device; caching the key and key identifier of the server to the key synchronization table of the server.

本实施例中除了更新密钥之外,还可以更新密钥对应的密钥标识。设备端和服务端分别建立自己的密钥同步表,设备端的密钥同步表可以为Request/Key;服务端的密钥同步表可以为Response/key,此时密钥同步表里面放置了初始密钥标识及对应的密钥,例如:设备端:Request 0 Key0;云服务端:Response0 key0。In this embodiment, in addition to updating the key, the key identifier corresponding to the key can also be updated. The device side and the server side respectively establish their own key synchronization tables. The key synchronization table of the device side can be Request/Key; the key synchronization table of the server side can be Response/key. At this time, the initial key identifier and the corresponding key are placed in the key synchronization table, for example: device side: Request 0 Key0; cloud service side: Response0 key0.

之后,设备端和服务端可以执行正常的业务通信流程。在执行正常的通信业务流程中,可以选择设备端请求,服务端应答的指令作为密钥同步机制的触发条件:设备端在进行申请时,记录为Request 1,此时设备端的密钥更新为key1,服务端在进行应答时,记录为Response 1,此时的密钥更新为key1。此时密钥同步表可以刷新为:设备端:Request 0 Key0 Request 1 Key1;云服务端:Response0 key0 Response1 key1。以此类推类推,可以产生Request x Keyx和Requestx Keyx。After that, the device and the server can execute the normal business communication process. In the normal communication business process, the device request and the server response can be selected as the triggering condition of the key synchronization mechanism: when the device makes an application, it is recorded as Request 1, and the key of the device is updated to key1. When the server responds, it is recorded as Response 1, and the key is updated to key1. At this time, the key synchronization table can be refreshed as: device: Request 0 Key0 Request 1 Key1; cloud server: Response0 key0 Response1 key1. And so on, Request x Keyx and Requestx Keyx can be generated.

此外,为保证两端同步且考虑设备的存储空间资源优先,两端的密钥同步表可以保证一定的缓存量,例如维持10组数据;此时共享密钥完成了刷新且两端同步。In addition, to ensure synchronization between the two ends and to give priority to storage space resources of the device, the key synchronization tables at both ends can ensure a certain cache volume, for example, maintaining 10 groups of data; at this time, the shared key is refreshed and the two ends are synchronized.

步骤S208,通过更新后的密钥进行设备端和服务端的加密信息的通信。Step S208: The device and the server communicate encrypted information using the updated key.

在下一次进行需要加密的目标信息的通信时,设备端可以发出挑战信息;服务端返回应答信息,并启用缓存的Request和Response的key作为新共享密钥;以此迭代,不断地更新共享密钥。The next time the target information that needs to be encrypted is communicated, the device can send a challenge message; the server returns a response message and enables the cached Request and Response keys as new shared keys; this iterative process continuously updates the shared key.

如果需要对目标信息进行加密传输,可以通过以下步骤执行:设备端 获取目标信息;设备端从设备端的密钥同步表中确定更新次数最大的密钥标识对应的第一密钥,通过第一密钥对目标信息进行加密,得到加密信息;设备端将加密信息发送至服务端;服务端从服务端的密钥同步表中确定更新次数最大的密钥标识对应的第二密钥,通过第二密钥对加密信息进行解密,得到目标信息。If you need to encrypt the target information for transmission, you can do it by following the steps below: Obtain target information; the device side determines the first key corresponding to the key identifier with the largest number of updates from the key synchronization table of the device side, encrypts the target information with the first key, and obtains encrypted information; the device side sends the encrypted information to the server side; the server side determines the second key corresponding to the key identifier with the largest number of updates from the key synchronization table of the server side, decrypts the encrypted information with the second key, and obtains the target information.

在进行目标信息的通信时,设备端可以先使用最近更新(即定更新次数最大)的第一密钥进行加密,服务端可以先使用最近更新(即定更新次数最大)的第二密钥进行解密。When communicating target information, the device side may first use the first key that was most recently updated (i.e., the one with the largest number of updates) for encryption, and the server side may first use the second key that was most recently updated (i.e., the one with the largest number of updates) for decryption.

除此以外,如果服务端通过第二密钥解密加密信息失败,按照更新次数由大到小的顺序,依次通过服务端的密钥同步表缓存的除了第二密钥之外的其他密钥对加密信息进行解密。In addition, if the server fails to decrypt the encrypted information using the second key, the encrypted information is decrypted using other keys other than the second key cached in the key synchronization table of the server in descending order of update times.

如果服务端通过第二密钥解密失败,则可以使用密钥同步表缓存的除了第一密钥之外的其他密钥进行解密,一般来说,可以按照更新次数由大到小的顺序依次使用其他密钥进行机密。If the server fails to decrypt using the second key, it can use other keys cached in the key synchronization table except the first key for decryption. Generally speaking, other keys can be used in descending order of the number of updates.

如果通过服务端的密钥同步表缓存的其他密钥解密加密信息均失败,服务端向设备端发送错误信息;设备端基于错误信息,按照更新次数由大到小的顺序,通过设备端的密钥同步表缓存的除了第一密钥之外的其他密钥对目标信息进行加密,得到加密信息。If decryption of the encrypted information by other keys cached in the key synchronization table of the server fails, the server sends an error message to the device; based on the error message, the device encrypts the target information by other keys except the first key cached in the key synchronization table of the device in order of the number of updates from large to small, to obtain encrypted information.

如果服务端通过密钥同步表缓存的全部密钥解密加密信息均失败,则服务端可以向设备端返回错误信息,设备端可以使用密钥同步表缓存的除了第一密钥之外的其他密钥对目标信息进行重新加密,并将重新加密后的加密信息发送至服务端,服务端可以对重新加密后的加密信息进行解密。If the server fails to decrypt the encrypted information using all the keys cached in the key synchronization table, the server may return an error message to the device. The device may re-encrypt the target information using other keys except the first key cached in the key synchronization table, and send the re-encrypted encrypted information to the server. The server may decrypt the re-encrypted encrypted information.

本申请实施例提供的上述方法没有复杂的密钥协商机制,通过简单的挑战应答,通过消耗资源少的对称算法来达到同样效果,对于处理能力弱的物联网设备可以保证安全性的情况下减轻设备资源负担。The above method provided in the embodiment of the present application does not have a complicated key negotiation mechanism, and achieves the same effect through a simple challenge response and a symmetric algorithm that consumes less resources. For IoT devices with weak processing capabilities, the burden of device resources can be reduced while ensuring security.

该方式中,设备端和服务端没有进行密钥更新的指令和密钥传输的动作,通过一些触发条件和共同组件进行了同步操作,达到共享密钥的同步更新,可以解决密钥信息直接传输的安全问题。该方式中,密钥更新组件中的输入信息有预知初始密钥信息,随机的本次数据包,具备可控性、随机性、来源可靠性。密钥更新机制在设备的整个生命周期中都在运行,具 备足够的韧性机制,提升设备整个使用周期的共享密钥不可猜测性。In this method, the device and the server do not have key update instructions or key transmission actions. They perform synchronization operations through some trigger conditions and common components to achieve synchronous update of shared keys, which can solve the security problem of direct transmission of key information. In this method, the input information in the key update component has the predicted initial key information and the random data packet, which is controllable, random, and reliable. The key update mechanism runs throughout the life cycle of the device. Provide sufficient resilience mechanisms to improve the unguessability of shared keys throughout the life cycle of the device.

本实施例提供的密钥更新机制存在与整个通信的生命周期,通过挑战应答机制来触发相同的更新动作,避免了共享秘钥可能因为更新不一致带来的共享秘钥不一致的问题,同时贯穿整个生命周期,共享秘钥是动态调整的,具有随机性和时效性,能够有效地提高秘钥的安全性。The key update mechanism provided in this embodiment exists throughout the life cycle of the entire communication, and triggers the same update action through a challenge response mechanism, thereby avoiding the problem of shared key inconsistency caused by inconsistent updates. At the same time, throughout the entire life cycle, the shared key is dynamically adjusted, has randomness and timeliness, and can effectively improve the security of the key.

实施例三:Embodiment three:

对应于上述方法实施例,本申请实施例提供了一种密钥更新装置,应用于物联网系统,参见图7所示的一种密钥更新装置的结构示意图,该密钥更新装置包括:Corresponding to the above method embodiment, the embodiment of the present application provides a key update device, which is applied to the Internet of Things system. Referring to the structural schematic diagram of a key update device shown in FIG. 7, the key update device includes:

密钥更新同步模块71,用于基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;A key update synchronization module 71, used to synchronize the key update actions of the device side and the server side of the Internet of Things system based on a preset challenge response mechanism;

密钥更新模块72,用于基于预先设置的触发条件更新设备端和服务端的密钥;A key update module 72, used to update the keys of the device and the server based on a preset trigger condition;

加密信息通信模块73,用于通过更新后的密钥进行设备端和服务端的加密信息的通信。The encrypted information communication module 73 is used to communicate encrypted information between the device and the server using the updated key.

本申请实施例提供了一种密钥更新装置,基于预先设置的挑战应答机制同步物联网系统的设备端和服务端的密钥更新动作;基于触发条件更新设备端和服务端的密钥;通过更新后的密钥进行设备端和服务端的加密信息的通信。基于挑战应答机制更新物联网系统的设备端和服务端的密钥,无需下发更新密钥指令,不存在因传输通道泄露导致被窃听的危险,可以提高密钥更新的安全性。The embodiment of the present application provides a key update device, which synchronizes the key update actions of the device and the server of the IoT system based on a pre-set challenge response mechanism; updates the key of the device and the server based on trigger conditions; and communicates encrypted information between the device and the server through the updated key. The key of the device and the server of the IoT system is updated based on the challenge response mechanism, without issuing a key update instruction, and there is no risk of eavesdropping due to leakage of the transmission channel, which can improve the security of key update.

上述密钥更新同步模块,用于物联网系统的设备端向物联网系统的服务端发送挑战信息;服务端基于挑战信息向设备端返回应答信息;设备端基于应答信息确定同步密钥更新动作,向服务端发送确认信息;服务端基于确认信息同步密钥更新动作。The above-mentioned key update synchronization module is used for the device side of the Internet of Things system to send challenge information to the server side of the Internet of Things system; the server side returns response information to the device side based on the challenge information; the device side determines the synchronization key update action based on the response information and sends confirmation information to the server side; the server side synchronizes the key update action based on the confirmation information.

上述触发条件包括:设备端和服务端进行通信的次数达到预设的次数阈值。The trigger condition includes: the number of times the device and the server communicate reaches a preset number threshold.

上述设备端设置有第一密钥更新组件,服务端设置有第二密钥更新组件,第一密钥更新组件和第二密钥更新组件的参数相同; The device is provided with a first key update component, and the server is provided with a second key update component, and the parameters of the first key update component and the second key update component are the same;

上述密钥更新模块,用于基于第一密钥更新组件更新设备端的密钥;基于第二密钥更新组件更新设备端的密钥。The key updating module is used to update the key of the device side based on the first key updating component; and to update the key of the device side based on the second key updating component.

上述装置包括:密钥同步表缓存模块,用于更新设备端和服务端的密钥标识;其中,密钥标识表征密钥的更新次数;缓存设备端的密钥和密钥标识至设备端的密钥同步表;缓存服务端的密钥和密钥标识至服务端的密钥同步表。The above-mentioned device includes: a key synchronization table cache module, which is used to update the key identifier of the device side and the server side; wherein the key identifier represents the number of times the key is updated; cache the key and key identifier of the device side to the key synchronization table of the device side; cache the key and key identifier of the server side to the key synchronization table of the server side.

上述加密信息通信模块,用于设备端获取目标信息;设备端从设备端的密钥同步表中确定更新次数最大的密钥标识对应的第一密钥,通过第一密钥对目标信息进行加密,得到加密信息;设备端将加密信息发送至服务端;服务端从服务端的密钥同步表中确定更新次数最大的密钥标识对应的第二密钥,通过第二密钥对加密信息进行解密,得到目标信息。The above-mentioned encrypted information communication module is used for the device side to obtain the target information; the device side determines the first key corresponding to the key identifier with the largest number of updates from the key synchronization table of the device side, encrypts the target information by the first key, and obtains the encrypted information; the device side sends the encrypted information to the server side; the server side determines the second key corresponding to the key identifier with the largest number of updates from the key synchronization table of the server side, decrypts the encrypted information by the second key, and obtains the target information.

上述加密信息通信模块,还用于如果服务端通过第二密钥解密加密信息失败,按照更新次数由大到小的顺序,依次通过服务端的密钥同步表缓存的除了第二密钥之外的其他密钥对加密信息进行解密。The encrypted information communication module is also used to decrypt the encrypted information by using other keys other than the second key cached in the key synchronization table of the server in descending order of update times if the server fails to decrypt the encrypted information by using the second key.

上述加密信息通信模块,还用于如果通过服务端的密钥同步表缓存的其他密钥解密加密信息均失败,服务端向设备端发送错误信息;设备端基于错误信息,按照更新次数由大到小的顺序,通过设备端的密钥同步表缓存的除了第一密钥之外的其他密钥对目标信息进行加密,得到加密信息。The above-mentioned encrypted information communication module is also used to send an error message to the device side if the decryption of the encrypted information by other keys cached in the key synchronization table of the server side fails; based on the error information, the device side encrypts the target information by other keys except the first key cached in the key synchronization table of the device side in order of the number of updates from large to small, so as to obtain encrypted information.

所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的密钥更新装置的具体工作过程,可以参考前述的密钥更新方法的实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the key updating device described above can refer to the corresponding process in the aforementioned embodiment of the key updating method, which will not be repeated here.

实施例四:Embodiment 4:

本申请实施例还提供了一种电子设备,用于运行上述密钥更新方法;参见图8所示的一种电子设备的结构示意图,该电子设备包括存储器100和处理器101,其中,存储器100用于存储一条或多条计算机指令,一条或多条计算机指令被处理器101执行,以实现上述密钥更新方法。An embodiment of the present application also provides an electronic device for running the above-mentioned key update method; referring to the structural diagram of an electronic device shown in FIG8 , the electronic device includes a memory 100 and a processor 101, wherein the memory 100 is used to store one or more computer instructions, and the one or more computer instructions are executed by the processor 101 to implement the above-mentioned key update method.

进一步地,图8所示的电子设备还包括总线102和通信接口103,处理器101、通信接口103和存储器100通过总线102连接。Furthermore, the electronic device shown in FIG. 8 further includes a bus 102 and a communication interface 103 , and the processor 101 , the communication interface 103 and the memory 100 are connected via the bus 102 .

其中,存储器100可能包含高速随机存取存储器(RAM,Random  Access Memory),也可能还包括非不稳定的存储器(non-volatile memory),例如至少一个磁盘存储器。通过至少一个通信接口103(可以是有线或者无线)实现该系统网元与至少一个其他网元之间的通信连接,可以使用互联网,广域网,本地网,城域网等。总线102可以是ISA总线、PCI总线或EISA总线等。总线可以分为地址总线、数据总线、控制总线等。为便于表示,图8中仅用一个双向箭头表示,但并不表示仅有一根总线或一种类型的总线。The memory 100 may include a high-speed random access memory (RAM). Access Memory), and may also include non-volatile memory, such as at least one disk storage. The communication connection between the system network element and at least one other network element is realized through at least one communication interface 103 (which can be wired or wireless), and the Internet, wide area network, local area network, metropolitan area network, etc. can be used. Bus 102 can be ISA bus, PCI bus or EISA bus, etc. The bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one bidirectional arrow is used in Figure 8, but it does not mean that there is only one bus or one type of bus.

处理器101可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过处理器101中的硬件的集成逻辑电路或者软件形式的指令完成。上述的处理器101可以是通用处理器,包括中央处理器(Central Processing Unit,简称CPU)、网络处理器(Network Processor,简称NP)等;还可以是数字信号处理器(Digital Signal Processor,简称DSP)、专用集成电路(Application Specific Integrated Circuit,简称ASIC)、现场可编程门阵列(Field-Programmable Gate Array,简称FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件。可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器100,处理器101读取存储器100中的信息,结合其硬件完成前述实施例的方法的步骤。The processor 101 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit in the processor 101 or the instruction in the form of software. The above processor 101 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components. The methods, steps and logic block diagrams disclosed in the embodiments of the present application can be implemented or executed. The general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc. The steps of the method disclosed in the embodiments of the present application can be directly embodied as a hardware decoding processor for execution, or a combination of hardware and software modules in the decoding processor for execution. The software module may be located in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, or an electrically erasable programmable memory, a register, etc. The storage medium is located in the memory 100, and the processor 101 reads the information in the memory 100 and completes the steps of the method of the above embodiment in combination with its hardware.

本申请实施例还提供了一种计算机可读存储介质,该计算机可读存储介质存储有计算机可执行指令,该计算机可执行指令在被处理器调用和执行时,计算机可执行指令促使处理器实现上述密钥更新方法,具体实现可参见方法实施例,在此不再赘述。An embodiment of the present application also provides a computer-readable storage medium, which stores computer-executable instructions. When the computer-executable instructions are called and executed by a processor, the computer-executable instructions prompt the processor to implement the above-mentioned key update method. The specific implementation can be found in the method embodiment, which will not be repeated here.

本申请实施例所提供的密钥更新方法、装置、电子设备和计算机可读存储介质的计算机程序产品,包括存储了程序代码的计算机可读存储介质,程序代码包括的指令可用于执行前面方法实施例中的方法,具体实现可参 见方法实施例,在此不再赘述。The key updating method, device, electronic device and computer program product of a computer-readable storage medium provided in the embodiments of the present application include a computer-readable storage medium storing a program code. The instructions included in the program code can be used to execute the method in the previous method embodiment. For specific implementation, please refer to See the method embodiment, which will not be described here in detail.

所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统和/或装置的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the system and/or device described above can refer to the corresponding process in the aforementioned method embodiment, and will not be repeated here.

另外,在本申请实施例的描述中,除非另有明确的规定和限定,术语“安装”、“相连”、“连接”应做广义理解,例如,可以是固定连接,也可以是可拆卸连接,或一体地连接;可以是机械连接,也可以是电连接;可以是直接相连,也可以通过中间媒介间接相连,可以是两个元件内部的连通。对于本领域的普通技术人员而言,可以具体情况理解上述术语在本申请中的具体含义。In addition, in the description of the embodiments of the present application, unless otherwise clearly specified and limited, the terms "installed", "connected", and "connected" should be understood in a broad sense, for example, it can be a fixed connection, a detachable connection, or an integral connection; it can be a mechanical connection or an electrical connection; it can be a direct connection, or it can be indirectly connected through an intermediate medium, or it can be the internal communication of two components. For ordinary technicians in this field, the specific meanings of the above terms in this application can be understood according to specific circumstances.

所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。If the functions are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application can be essentially or partly embodied in the form of a software product that contributes to the prior art. The computer software product is stored in a storage medium and includes several instructions for a computer device (which can be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in each embodiment of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), disk or optical disk, and other media that can store program codes.

在本申请的描述中,需要说明的是,术语“中心”、“上”、“下”、“左”、“右”、“竖直”、“水平”、“内”、“外”等指示的方位或位置关系为基于附图所示的方位或位置关系,仅是为了便于描述本申请和简化描述,而不是指示或暗示所指的装置或元件必须具有特定的方位、以特定的方位构造和操作,因此不能理解为对本申请的限制。此外,术语“第一”、“第二”、“第三”仅用于描述目的,而不能理解为指示或暗示相对重要性。In the description of the present application, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicating the orientation or positional relationship, are based on the orientation or positional relationship shown in the drawings, and are only for the convenience of describing the present application and simplifying the description, rather than indicating or implying that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and therefore cannot be understood as limiting the present application. In addition, the terms "first", "second", and "third" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance.

最后应说明的是:以上所述实施例,仅为本申请的具体实施方式,用以说明本申请的技术方案,而非对其限制,本申请的保护范围并不局限于此,尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:任何熟悉本技术领域的技术人员在本申请揭露的技术范围 内,其依然可以对前述实施例所记载的技术方案进行修改或可轻易想到变化,或者对其中部分技术特征进行等同替换;而这些修改、变化或者替换,并不使相应技术方案的本质脱离本申请实施例技术方案的精神和范围,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应所述以权利要求的保护范围为准。 Finally, it should be noted that the above-described embodiments are only specific implementation methods of the present application, which are used to illustrate the technical solution of the present application, rather than to limit it. The protection scope of the present application is not limited thereto. Although the present application is described in detail with reference to the above-mentioned embodiments, ordinary technicians in this field should understand that any technician familiar with the technical field is within the technical scope disclosed in this application. It is still possible to modify the technical solutions recorded in the aforementioned embodiments or to easily conceive of changes, or to make equivalent replacements for some of the technical features; and these modifications, changes or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the embodiments of this application, and should be included in the protection scope of this application. Therefore, the protection scope of this application shall be based on the protection scope of the claims.

Claims (12)

一种密钥更新方法,其中,应用于物联网系统,所述方法包括:A key updating method, wherein the method is applied to an Internet of Things system, the method comprising: 基于预先设置的挑战应答机制同步所述物联网系统的设备端和服务端的密钥更新动作;Synchronize the key update actions of the device and the server of the IoT system based on a preset challenge response mechanism; 基于预先设置的触发条件更新所述设备端和所述服务端的密钥;Updating the keys of the device and the server based on a preset trigger condition; 通过更新后的所述密钥进行所述设备端和所述服务端的加密信息的通信。The encrypted information between the device and the server is communicated via the updated key. 根据权利要求1所述的方法,其中,基于预先设置的挑战应答机制同步所述物联网系统的设备端和服务端的密钥更新动作的步骤,包括:The method according to claim 1, wherein the step of synchronizing the key update actions of the device side and the server side of the Internet of Things system based on a preset challenge response mechanism comprises: 所述物联网系统的设备端向所述物联网系统的服务端发送挑战信息;The device end of the Internet of Things system sends a challenge message to the server end of the Internet of Things system; 所述服务端基于所述挑战信息向所述设备端返回应答信息;The server returns response information to the device based on the challenge information; 所述设备端基于所述应答信息同步密钥更新动作,向所述服务端发送确认信息;The device synchronizes the key update action based on the response information and sends a confirmation message to the server; 所述服务端基于所述确认信息同步密钥更新动作。The server synchronizes a key update action based on the confirmation information. 根据权利要求1至2中的任意一项所述的方法,其中,所述触发条件包括:所述设备端和所述服务端进行通信的次数达到预设的次数阈值。The method according to any one of claims 1 to 2, wherein the trigger condition includes: the number of times the device end and the server end communicate reaches a preset number threshold. 根据权利要求1至3中的任意一项所述的方法,其中,所述设备端设置有第一密钥更新组件,所述服务端设置有第二密钥更新组件,所述第一密钥更新组件和所述第二密钥更新组件的参数相同;The method according to any one of claims 1 to 3, wherein the device end is provided with a first key update component, the server end is provided with a second key update component, and the parameters of the first key update component and the second key update component are the same; 更新所述设备端和所述服务端的密钥的步骤,包括:基于所述第一密钥更新组件更新所述设备端的密钥;基于所述第二密钥更新组件更新所述设备端的密钥。The step of updating the keys of the device side and the server side includes: updating the key of the device side based on the first key updating component; and updating the key of the device side based on the second key updating component. 根据权利要求1至4中的任意一项所述的方法,其中,基于预先设置的触发条件更新所述设备端和所述服务端的密钥的步骤之后,所述方法还包括:The method according to any one of claims 1 to 4, wherein after the step of updating the keys of the device and the server based on a preset trigger condition, the method further comprises: 更新所述设备端和所述服务端的密钥标识;其中,所述密钥标识表征所述密钥的更新次数;Updating the key identifiers of the device and the server; wherein the key identifier represents the number of times the key is updated; 缓存所述设备端的密钥和密钥标识至所述设备端的密钥同步表;caching the key and key identifier of the device end to the key synchronization table of the device end; 缓存所述服务端的密钥和密钥标识至所述服务端的密钥同步表。 The key and key identifier of the server are cached in a key synchronization table of the server. 根据权利要求5所述的方法,其中,通过更新后的所述密钥进行所述设备端和所述服务端的加密信息的通信的步骤,包括:The method according to claim 5, wherein the step of communicating the encrypted information between the device and the server using the updated key comprises: 所述设备端获取目标信息;The device side obtains target information; 所述设备端从所述设备端的密钥同步表中确定更新次数最大的所述密钥标识对应的第一密钥,通过所述第一密钥对所述目标信息进行加密,得到加密信息;The device determines, from the key synchronization table of the device, a first key corresponding to the key identifier with the largest number of updates, and encrypts the target information by using the first key to obtain encrypted information; 所述设备端将所述加密信息发送至所述服务端;The device sends the encrypted information to the server; 所述服务端从所述服务端的密钥同步表中确定更新次数最大的所述密钥标识对应的第二密钥,通过所述第二密钥对所述加密信息进行解密,得到所述目标信息。The server determines the second key corresponding to the key identifier with the largest number of updates from the key synchronization table of the server, and decrypts the encrypted information using the second key to obtain the target information. 根据权利要求6所述的方法,其中,通过所述第二密钥对所述加密信息进行解密的步骤之后,所述方法还包括:The method according to claim 6, wherein after the step of decrypting the encrypted information by using the second key, the method further comprises: 如果所述服务端通过所述第二密钥解密所述加密信息失败,按照更新次数由大到小的顺序,依次通过所述服务端的密钥同步表缓存的除了所述第二密钥之外的其他密钥对所述加密信息进行解密。If the server fails to decrypt the encrypted information using the second key, the encrypted information is decrypted using other keys other than the second key cached in the key synchronization table of the server in descending order of update times. 根据权利要求7所述的方法,其中,依次通过所述服务端的密钥同步表缓存的除了所述第二密钥之外的其他密钥对所述加密信息进行解密的步骤之后,所述方法还包括:The method according to claim 7, wherein after the step of sequentially decrypting the encrypted information using other keys other than the second key cached in the key synchronization table of the server, the method further comprises: 如果通过所述服务端的密钥同步表缓存的所述其他密钥解密所述加密信息均失败,所述服务端向所述设备端发送错误信息;If decryption of the encrypted information by the other keys cached in the key synchronization table of the server fails, the server sends an error message to the device; 所述设备端基于所述错误信息,按照更新次数由大到小的顺序,通过所述设备端的密钥同步表缓存的除了所述第一密钥之外的其他密钥对所述目标信息进行加密,得到加密信息。Based on the error information, the device side encrypts the target information using other keys except the first key cached in the key synchronization table of the device side in descending order of update times to obtain encrypted information. 一种密钥更新装置,其中,应用于物联网系统,所述装置包括:A key updating device, wherein the device is applied to an Internet of Things system, and the device comprises: 密钥更新同步模块,用于基于预先设置的挑战应答机制同步所述物联网系统的设备端和服务端的密钥更新动作;A key update synchronization module, used to synchronize key update actions of the device side and the server side of the Internet of Things system based on a preset challenge response mechanism; 密钥更新模块,用于基于预先设置的触发条件更新所述设备端和所述服务端的密钥;A key update module, used to update the keys of the device and the server based on a preset trigger condition; 加密信息通信模块,用于通过更新后的所述密钥进行所述设备端和所述服务端的加密信息的通信。 The encrypted information communication module is used to communicate the encrypted information between the device and the server through the updated key. 一种电子设备,其中,包括处理器和存储器,所述存储器存储有能够被所述处理器执行的计算机可执行指令,所述处理器执行所述计算机可执行指令以实现权利要求1至8任一项所述的密钥更新方法。An electronic device, comprising a processor and a memory, wherein the memory stores computer executable instructions that can be executed by the processor, and the processor executes the computer executable instructions to implement the key update method according to any one of claims 1 to 8. 一种计算机可读存储介质,其中,所述计算机可读存储介质存储有计算机可执行指令,所述计算机可执行指令在被处理器调用和执行时,计算机可执行指令促使处理器实现权利要求1至8任一项所述的密钥更新方法。A computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, and when the computer-executable instructions are called and executed by a processor, the computer-executable instructions prompt the processor to implement the key update method according to any one of claims 1 to 8. 一种计算机程序产品,包括计算机程序,其中,所述计算机程序被处理器执行时实现如权利要求1至8任一项所述的密钥更新方法。 A computer program product comprises a computer program, wherein when the computer program is executed by a processor, the key updating method according to any one of claims 1 to 8 is implemented.
PCT/CN2023/129923 2022-12-27 2023-11-06 Key updating method and apparatus, electronic device, and computer readable storage medium Ceased WO2024139734A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211686973.6A CN116015649A (en) 2022-12-27 2022-12-27 Key updating method, device, electronic equipment and computer readable storage medium
CN202211686973.6 2022-12-27

Publications (1)

Publication Number Publication Date
WO2024139734A1 true WO2024139734A1 (en) 2024-07-04

Family

ID=86026135

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/129923 Ceased WO2024139734A1 (en) 2022-12-27 2023-11-06 Key updating method and apparatus, electronic device, and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN116015649A (en)
WO (1) WO2024139734A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120018123A (en) * 2025-04-15 2025-05-16 创意信息技术股份有限公司 A low-latency and high-security data transmission method and system for video conferencing platform

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116015649A (en) * 2022-12-27 2023-04-25 美的集团股份有限公司 Key updating method, device, electronic equipment and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6243811B1 (en) * 1998-07-31 2001-06-05 Lucent Technologies Inc. Method for updating secret shared data in a wireless communication system
JP2009284086A (en) * 2008-05-20 2009-12-03 Tokai Rika Co Ltd Encryption key update system and encryption key update method
CN102065421A (en) * 2009-11-11 2011-05-18 中国移动通信集团公司 Method, device and system for updating key
CN109728902A (en) * 2018-06-01 2019-05-07 平安科技(深圳)有限公司 Key management method, device, storage medium and device
CN111418181A (en) * 2018-03-28 2020-07-14 华为技术有限公司 Shared data processing method, communication device, and communication equipment
CN111901098A (en) * 2019-05-06 2020-11-06 杭州海康威视数字技术股份有限公司 Method, system and readable storage medium for managing key
CN116015649A (en) * 2022-12-27 2023-04-25 美的集团股份有限公司 Key updating method, device, electronic equipment and computer readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112102524A (en) * 2019-06-18 2020-12-18 杭州萤石软件有限公司 Unlocking method and unlocking system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6243811B1 (en) * 1998-07-31 2001-06-05 Lucent Technologies Inc. Method for updating secret shared data in a wireless communication system
JP2009284086A (en) * 2008-05-20 2009-12-03 Tokai Rika Co Ltd Encryption key update system and encryption key update method
CN102065421A (en) * 2009-11-11 2011-05-18 中国移动通信集团公司 Method, device and system for updating key
CN111418181A (en) * 2018-03-28 2020-07-14 华为技术有限公司 Shared data processing method, communication device, and communication equipment
CN109728902A (en) * 2018-06-01 2019-05-07 平安科技(深圳)有限公司 Key management method, device, storage medium and device
CN111901098A (en) * 2019-05-06 2020-11-06 杭州海康威视数字技术股份有限公司 Method, system and readable storage medium for managing key
CN116015649A (en) * 2022-12-27 2023-04-25 美的集团股份有限公司 Key updating method, device, electronic equipment and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KIM SEUNGTAE; LEE YONGGU; CHOI JINHO; JEON MOONGU; HWANG EUISEOK: "Dynamic Key Update Strategy in Physical-Layer Challenge-Response Authentication", 2019 13TH INTERNATIONAL CONFERENCE ON SIGNAL PROCESSING AND COMMUNICATION SYSTEMS (ICSPCS), IEEE, 16 December 2019 (2019-12-16), pages 1 - 6, XP033725817, DOI: 10.1109/ICSPCS47537.2019.9008743 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120018123A (en) * 2025-04-15 2025-05-16 创意信息技术股份有限公司 A low-latency and high-security data transmission method and system for video conferencing platform

Also Published As

Publication number Publication date
CN116015649A (en) 2023-04-25

Similar Documents

Publication Publication Date Title
CN110636062B (en) Method and device for controlling secure interaction of equipment, electronic equipment and storage medium
Yang et al. Faster authenticated key agreement with perfect forward secrecy for industrial internet-of-things
US20230283475A1 (en) Identity authentication system, method, apparatus, and device, and computer-readable storage medium
JP5815294B2 (en) Secure field programmable gate array (FPGA) architecture
CN114363890B (en) Extended universal boot architecture authentication method, device and storage medium
JP7647958B2 (en) Key update method and related device
WO2018019069A1 (en) Resource operation method and apparatus
WO2024139734A1 (en) Key updating method and apparatus, electronic device, and computer readable storage medium
CN111835691B (en) Authentication information processing method, terminal and network device
JP7410930B2 (en) Securing non-access layer communications in wireless communication networks
CN110868294B (en) Key updating method, device and equipment
WO2018076740A1 (en) Data transmission method and related device
CN110401640B (en) Trusted connection method based on trusted computing dual-system architecture
CN116961973A (en) Data transmission methods, devices, electronic equipment and computer-readable storage media
CN119136191B (en) Lightweight encryption authentication method and related equipment for wireless sensor networks
CN110572800A (en) Device identity authentication method and device for machine-to-machine environment
GB2617508A (en) Method and device for identity authentication
Ortiz-Yepes Balsa: Bluetooth low energy application layer security add-on
WO2020140929A1 (en) Key generation method, ue, and network device
Sitenkov Access control in the internet of things
Kamkuemah Epistemic analysis of a key-management vulnerability in LoRaWAN
CN114448609A (en) Group key management method, device, related equipment and storage medium
Fischer et al. Security for building automation with hardware-based node authentication
CN116074091B (en) A fog-assisted smart home three-party authentication system, method, device and terminal
Meena et al. Advanced Security Mechanism for Real-Time 5G Healthcare Communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23909667

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE