CN115941204A - Data anti-replay method and system based on HSE - Google Patents
Data anti-replay method and system based on HSE Download PDFInfo
- Publication number
- CN115941204A CN115941204A CN202211555325.7A CN202211555325A CN115941204A CN 115941204 A CN115941204 A CN 115941204A CN 202211555325 A CN202211555325 A CN 202211555325A CN 115941204 A CN115941204 A CN 115941204A
- Authority
- CN
- China
- Prior art keywords
- authentication
- client
- hse
- count value
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 66
- 238000004364 calculation method Methods 0.000 claims abstract description 53
- 238000012545 processing Methods 0.000 claims abstract description 47
- 230000006854 communication Effects 0.000 claims abstract description 32
- 238000004891 communication Methods 0.000 claims abstract description 31
- 230000004044 response Effects 0.000 claims abstract description 16
- 230000000977 initiatory effect Effects 0.000 claims abstract description 14
- 230000008569 process Effects 0.000 claims description 16
- 238000012795 verification Methods 0.000 claims description 6
- 230000007246 mechanism Effects 0.000 abstract description 11
- 238000010586 diagram Methods 0.000 description 5
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 101100264195 Caenorhabditis elegans app-1 gene Proteins 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a data anti-replay method and a data anti-replay system based on HSE.A client exchanges a key with an authentication end to generate and store a symmetric key; initiating an authentication request, receiving a random number returned by an authentication end responding to the authentication request and processing the random number based on a preset processing rule; HMAC calculation is carried out on the processed random number by using the symmetric key, and a calculation result and a current count value are sent to an authentication end; and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction, waiting for the response of the authentication end, and updating a count value. Compared with the existing HSE module, the anti-replay method and the anti-replay system of the invention increase a data anti-replay mechanism, effectively prevent sensitive data of a user from being replayed, ensure the communication safety of the user and avoid information leakage and property loss of the user.
Description
Technical Field
The invention relates to the technical field of software security protection, in particular to a data anti-replay method and system based on HSE.
Background
Currently, a client app in the market has a hardware security engine HSE (hardware security engine) module, which provides an interface for performing security operations such as encryption and signature on data of the client app, and the HSE module stores sensitive data of the client app, such as: personal information and keys, etc.
However, when the client app calls these security interfaces such as encryption and signature, the HSE does not have an authentication and replay prevention mechanism for the client app, so that the client app of an illegal user performs illegal computation by using the HSE module through a replay attack or man-in-the-middle attack means, and performs replay attack after intercepting the encrypted information of the sensitive data identity information and the transaction information, thereby causing economic loss of the user. For example: the client app1 sends a transaction data to the hardware security engine HSE for decryption and signature, and if the transaction data is intercepted by the illegal client app2, the transaction data can be repeatedly sent to the hardware security engine HSE for the same operation, so that the operation of deceiving the hardware security engine HSE for decryption and signature is achieved. Without protection against replay, the specific transaction data can be repeatedly deducted from the user account for a plurality of times, resulting in economic loss for the user. The existing HSE lacks a data anti-replay mechanism, so that sensitive data of a user faces the threat of replay attack, and information leakage and even property loss are caused.
Disclosure of Invention
Therefore, the invention provides a data anti-replay method and system based on HSE, which adds a data anti-replay mechanism relative to the existing HSE module, effectively prevents sensitive data of a user from being replayed, ensures the communication safety of the user, avoids user information leakage and property loss, and solves the problems in the background technology.
In order to achieve the purpose, the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a data anti-replay method based on HSE, which is applied to a client, and includes:
exchanging a key with the authentication end to generate and store a symmetric key;
initiating an authentication request, receiving a random number returned by an authentication end responding to the authentication request, and processing the random number based on a preset processing rule;
HMAC calculation is carried out on the processed random number by using the symmetric key, and a calculation result and a current count value are sent to an authentication end;
and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction, waiting for the response of the authentication end, and updating a count value.
Optionally, the symmetric key is stored in a white box, and the white box stores the symmetric key by a process including: and encrypting the symmetric key based on a preset symmetric encryption algorithm, and storing an encryption result into a file system or a storage medium.
Optionally, the process of processing the random number based on the preset processing rule includes: the random number is processed by subtracting 1 from the first byte and adding 1 to the last byte.
In a second aspect, an embodiment of the present invention provides a data anti-replay method based on HSE, which is applied to an authentication end equipped with an HSE module, and is connected to a client through a communication interface, where the method includes:
exchanging a key with the client to generate a symmetric key and storing the symmetric key in the HSE module;
responding to an authentication request of a client, generating a random number and sending the random number to the client;
receiving a current count value and a calculation result sent by the client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting the subsequent communication data of the client and the authentication end;
and receiving and processing an application instruction of the client, updating the count value after the processing is finished, and updating the authentication result marking state.
Optionally, the process of receiving the current count value and the calculation result sent by the client and performing comparison authentication on the current count value and the calculation result includes: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the HSE module, HMAC calculation is carried out on the random number by using a symmetric key in the HSE module and the random number is compared with the calculation result sent by the client, when the calculation result is inconsistent, authentication is failed, the authentication request is released, the authentication failure result is sent to the client, and when the calculation result is consistent, the authentication is successful.
Optionally, the authentication result flags a status, including: the authentication failure result is recorded as INIT =0, and the authentication success result is recorded as verifedd =1, where the initial default state is INIT =0.
Optionally, the process of the count value updating manner includes: the counting value is stored in the nonvolatile memory and used for comparing the counting value of the request verification between the client and the HSE module, when the counting values of the client and the HSE module are the same, the counting value corresponding to the successful authentication is added with 1 for updating, otherwise, the counting value of the failed authentication is not changed.
In a third aspect, an embodiment of the present invention provides an HSE-based data anti-replay system, applied to a client, including:
the key exchange module is used for carrying out key exchange with the authentication end, generating a symmetric key and storing the symmetric key;
the request processing module is used for initiating an authentication request, receiving a random number returned by the authentication end responding to the authentication request and processing the random number based on a preset processing rule;
the authentication processing module is used for carrying out HMAC calculation on the processed random number by using the symmetric key and sending a calculation result and a current count value to the authentication end;
and the receiving processing module is used for receiving the authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and updating the count value after waiting for the response of the authentication end.
In a fourth aspect, an embodiment of the present invention provides an HSE-based data anti-replay system, which is applied to an authentication end equipped with an HSE module, and is connected to a client through a communication interface, and includes:
the key exchange module is used for carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module;
the request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client;
the authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result and recording a secret key for encrypting the subsequent communication data of the client and the authentication end;
and the receiving response module is used for receiving and processing the application instruction of the client, updating the count value after the processing is finished and updating the authentication result marking state.
In a fifth aspect, an embodiment of the present invention provides a computer device, including: the client and the authentication terminal both comprise at least one memory and a processor, the memory and the processor are connected in communication with each other, the memory stores computer instructions, and the processor executes the computer instructions to execute the method of any one of the first aspect or the second aspect.
The technical scheme of the invention has the following advantages:
the invention provides a data anti-replay method and system based on HSE.A client exchanges a key with an authentication end loaded with an HSE module to generate and store a symmetric key; the client side initiates an authentication request, receives a random number returned by the authentication end responding to the authentication request and processes the random number based on a preset processing rule; HMAC calculation is carried out on the processed random number by using the symmetric key, and a calculation result and a current count value are sent to an authentication end; receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and updating a count value after waiting for the response of the authentication end; the authentication end responds to an authentication request of the client and generates a random number to be sent to the client; receiving a current count value and a calculation result sent by a client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting subsequent communication data of the client and the authentication end; and receiving and processing an application instruction of the client, updating the count value after the processing is finished, and updating the authentication result marking state. Compared with the existing HSE module, the anti-replay method and the anti-replay system of the invention increase a data anti-replay mechanism, effectively prevent sensitive data of a user from being replayed, ensure the communication safety of the user and avoid information leakage and property loss of the user.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of a method for preventing data replay based on HSE provided in an embodiment of the present invention;
FIG. 2 is another flow chart of an HSE-based data anti-replay method provided in an embodiment of the present invention;
FIG. 3 is a schematic flow diagram of a normal transaction provided in an embodiment of the invention;
FIG. 4 is a schematic flow diagram of replay attack transactions provided in an embodiment of the present invention;
FIG. 5 is a schematic flow chart of HSE-based data anti-replay attack transaction provided in an embodiment of the present invention;
FIG. 6 is a schematic diagram of an HSE-based data anti-replay system provided in an embodiment of the present invention;
FIG. 7 is a schematic diagram of another embodiment of an HSE-based data anti-replay system provided in an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a computer device provided in an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments, and are not intended to limit the scope of the present disclosure. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Furthermore, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example 1
An embodiment of the present invention provides a data anti-replay method based on HSE, which is applied to a client, and as shown in fig. 1, the method includes the following steps:
step S11: and exchanging a key with the authentication end to generate and store a symmetric key.
In this embodiment, a preset method is used to perform key exchange, and a symmetric key is generated. Specifically, the preset method comprises the following steps: the RSA key exchange method and the cryptographic SM2 key exchange method are merely examples, and are adaptively modified according to specific application scenarios.
In this embodiment, the process of storing the symmetric key in the white box includes: and encrypting the symmetric key based on a preset symmetric encryption algorithm, and storing an encrypted result into a file system or a storage medium. In a specific embodiment, the preset symmetric encryption algorithm is an AES encryption algorithm, which is only used as an example and is not limited to this, and is determined according to a specific adaptive scenario.
Step S12: and initiating an authentication request, receiving a random number returned by the authentication end responding to the authentication request, and processing the random number based on a preset processing rule.
In this embodiment, the process of processing the random number based on the preset processing rule includes: the processing of subtracting 1 from the first byte and adding 1 to the last byte is performed on the random number, which is only for illustration and not limited thereto.
Step S13: and performing HMAC calculation on the processed random number by using the symmetric key, and sending a calculation result and the current count value to an authentication end.
Particularly, an HMAC calculation and counting mechanism is adopted, sensitive data are effectively prevented from being replayed, and data safety is guaranteed.
Step S14: and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction, waiting for the response of the authentication end, and updating a count value.
In one embodiment, the application command is a transaction command, which is only for illustration and not for limitation.
The data anti-replay method based on the HSE provided by the embodiment of the invention adds an anti-replay mechanism of the client and the HSE module, adopts an HMAC (high-speed computing and counting) mechanism, is favorable for preventing the replay of sensitive data and ensures the communication safety of the client and the HSE module.
Example 2
The embodiment of the invention provides a data anti-replay method based on HSE, which is applied to an authentication end loaded with an HSE module and is connected with a client through a communication interface, and as shown in figure 2, the method comprises the following steps:
step S21: and exchanging keys with the client to generate a symmetric key and storing the symmetric key in the HSE module.
In this embodiment, the process of generating and storing the symmetric key includes: and performing key exchange based on a preset method, generating a symmetric key and storing the symmetric key in the HSE module. Specifically, the preset method comprises the following steps: the RSA key exchange method and the cryptographic SM2 key exchange method are merely examples, and are adaptively modified according to specific application scenarios.
Step S22: and responding to the authentication request of the client, generating a random number and sending the random number to the client.
Step S23: and receiving a current count value and a calculation result sent by the client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting the subsequent communication data of the client and the authentication end.
In this embodiment, the process of receiving the current count value and the calculation result sent by the client and performing comparison authentication on the current count value and the calculation result includes: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the HSE module, HMAC calculation is carried out on the random number by using a symmetric key in the HSE module and the random number is compared with the calculation result sent by the client, when the calculation result is inconsistent, authentication is failed, the authentication request is released, the authentication failure result is sent to the client, and when the calculation result is consistent, the authentication is successful.
In this embodiment, the marking the state of the authentication result includes: the authentication failure result is denoted as INIT =0 and the authentication success result is denoted as verify =1, wherein the initial default state is INIT =0.
Step S24: and receiving and processing an application instruction of the client, updating the count value after the processing is finished, and updating the authentication result marking state.
In this embodiment, the process of the count value update mode includes: the counting value is stored in the nonvolatile memory and used for comparing the counting value of the request verification between the client and the HSE module, when the counting values of the client and the HSE module are the same, the counting value corresponding to the successful authentication is added with 1 for updating, otherwise, the counting value of the failed authentication is not changed.
In one embodiment, the communication interface between the authentication end and the client includes: the SPI, UART, and IIC are determined by the actual application scenario, by way of example only, and not by way of limitation.
Compared with the existing HSE module, the data anti-replay method based on the HSE provided by the embodiment of the invention increases the anti-replay mechanism of the client and the HSE module, and can effectively prevent the sensitive data of the user from being replayed; and secondly, the count increased in the anti-replay mechanism enables the HSE module to carry out operation on sensitive data only once and stores a secret key in the HSE module, so that the communication process is safer.
Example 3
As shown in fig. 3, the normal transaction flow includes the following steps:
step 1: the client user 1 purchases and generates 100-element transaction data;
step 2: the server issues the corresponding 100-element transaction data;
and step 3: the client calls an HSE module of the authentication end to perform signature operation on 100-element transaction data;
and 4, step 4: the HSE module returns a successful signature result to the client;
and 5: and the client sends the result of successful signature to the server, and the server deducts 100 yuan for the client user 1 after successful signature verification.
When there is no replay-proof mechanism between the client and the HSE module, it is vulnerable to replay attack, and the flow of replay attack transaction, as shown in fig. 4, includes the following steps:
step 1: the client user 2 illegally intercepts the 100-element transaction data of the user 1;
and 2, step: the server issues the corresponding 100-element transaction data;
and 3, step 3: the client calls an HSE module of the authentication end to perform signature operation on 100-element transaction data;
and 4, step 4: the HSE module returns the successful signature result to the client
And 5: the client sends the result of successful signature to the server, and the server deducts 100 yuan for the client user 1 after successful signature verification.
When the HSE-based data anti-replay method provided by the embodiment of the present invention is added in the normal transaction process, the transaction process is shown in fig. 5, and includes the following steps:
step 1: the client user 1 buys and generates 100 yuan of transaction data;
and 2, step: the server issues the corresponding 100-element transaction data;
step 3.1: the client exchanges keys with an authentication end carrying an HSE module, generates and stores a symmetric key, wherein the symmetric key of the authentication end is stored in the HSE module;
step 3.2: the symmetric key of the client is stored in a white box;
step 3.3: the client side initiates an authentication request;
step 3.4: the authentication end responds to an authentication request of the client and generates a random number to be sent to the client;
step 3.5: after the client processes the returned random number based on a preset processing rule, calling a symmetric key in a white box to perform HMAC calculation on the processed random number, and sending a calculation result and a current count value to an authentication end;
step 3.6: the authentication end receives the current count value and the calculation result sent by the client and compares and authenticates the count value and the calculation result, and when the authentication is successful, the authentication result is sent to the client, meanwhile, the marking state of the authentication result is updated, and a secret key is recorded for encrypting the subsequent communication data of the client and the authentication end;
step 3.7: the client receives an authentication result sent by the authentication end, and when the authentication is successful, a key of an HSE module of the authentication end is called to perform signature operation on 100-element transaction data;
and 4, step 4: the HSE module returns a successful signature result to the client and updates a count value and an authentication result marking state;
and 5: the client sends the result of successful signature to the server, and the server deducts 100 yuan for the client user 1 after successful signature verification.
The embodiment of the invention provides a data anti-replay method based on HSE, which can effectively prevent sensitive data of a user from being replayed and ensure the communication safety of the user.
Example 4
An embodiment of the present invention provides an HSE-based data anti-replay system, which is applied to a client, as shown in fig. 6, and includes:
the key exchange module is used for exchanging keys with the authentication end, generating and storing a symmetric key; this module executes the method described in step S11 in embodiment 1, which is not described herein again.
The request processing module is used for initiating an authentication request, receiving a random number returned by the authentication end responding to the authentication request and processing the random number based on a preset processing rule; this module executes the method described in step S12 in embodiment 1, and is not described herein again.
The authentication processing module is used for carrying out HMAC calculation on the processed random number by using the symmetric key and sending a calculation result and a current count value to the authentication end; this module executes the method described in step S13 in embodiment 1, and is not described herein again.
The receiving processing module is used for receiving the authentication result sent by the authentication end, and when the authentication is successful, an application instruction is initiated and the count value is updated after the authentication end responds; this module executes the method described in step S14 in embodiment 1, and details are not repeated here.
The data anti-replay system based on the HSE can effectively prevent sensitive data of a user from being replayed, ensure the communication safety of the user and avoid information leakage and property loss of the user.
Example 5
An embodiment of the present invention provides an HSE-based data anti-replay system, which is applied to an authentication end equipped with an HSE module, and is connected to a client through a communication interface, as shown in fig. 7, including:
the key exchange module is used for carrying out key exchange with the client, generating a symmetric key and storing the symmetric key in the HSE module; this module executes the method described in step S21 in embodiment 2, which is not described herein again.
The request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client; this module executes the method described in step S22 in embodiment 2, which is not described herein again.
The authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result and recording a secret key for encrypting the subsequent communication data of the client and the authentication end; this module executes the method described in step S23 in embodiment 2, and details are not repeated here.
The receiving response module is used for receiving and processing the application instruction of the client, updating the count value after the processing is finished and updating the authentication result marking state; this module executes the method described in step S24 in embodiment 2, and is not described herein again.
The data anti-replay system based on the HSE can effectively prevent sensitive data of a user from being replayed, ensure the communication safety of the user and effectively avoid information leakage and property loss of the user.
Example 6
An embodiment of the present invention provides a computer device, including: the client and the authentication end, both of which have the structure shown in fig. 8, include: at least one processor 801, at least one communication interface 803, memory 804, and at least one communication bus 802. The communication bus 802 is used for implementing connection communication among these components, the communication interface 803 may include a display screen and a keyboard, and the optional communication interface 803 may also include a standard wired interface and a wireless interface. The memory 804 may be a high speed volatile random access memory, a non-volatile memory, or at least one memory device located remotely from the processor 801. Wherein the processor 801 may perform the method of embodiment 1 or embodiment 2. A set of program codes is stored in the memory 804 and the processor 801 calls the program codes stored in the memory 804 for executing the method of embodiment 1 or embodiment 2.
The communication bus 802 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus 802 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one line is shown in FIG. 8, but this does not represent only one bus or one type of bus.
The Memory 804 may include a Volatile Memory (Volatile Memory), such as a Random Access Memory (RAM); the Memory may also include a Non-volatile Memory (Non-volatile Memory), such as a Flash Memory (Flash Memory), a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD) or a Solid-state Drive (SSD); the memory 804 may also comprise a combination of the above-described types of memory.
The Processor 801 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 801 may further include a hardware chip. The hardware chip may be an Application-Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the memory 804 is also used for storing program instructions. The processor 801 may call program instructions to implement the method of embodiment 1 or embodiment 2 as the present invention.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. And are neither required nor exhaustive of all embodiments. And obvious variations or modifications of the invention may be made without departing from the scope of the invention.
Claims (10)
1. An HSE-based data anti-replay method applied to a client is characterized by comprising the following steps:
exchanging a key with the authentication end to generate and store a symmetric key;
initiating an authentication request, receiving a random number returned by an authentication end responding to the authentication request, and processing the random number based on a preset processing rule;
using a symmetric key to perform HMAC calculation on the processed random number, and sending a calculation result and a current count value to an authentication end;
and receiving an authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction, waiting for the response of the authentication end, and updating a count value.
2. The HSE-based data anti-replay method of claim 1, wherein said symmetric key is stored in a white-box, the white-box storing the process of symmetric key comprising: and encrypting the symmetric key based on a preset symmetric encryption algorithm, and storing an encryption result into a file system or a storage medium.
3. The HSE-based data anti-replay method of claim 1, wherein said process of processing the random number based on the preset processing rule comprises: the random number is processed by subtracting 1 from the first byte and adding 1 to the last byte.
4. A data anti-replay method based on HSE is applied to an authentication end carrying an HSE module and is connected with a client through a communication interface, and is characterized by comprising the following steps:
exchanging a key with the client to generate a symmetric key and storing the symmetric key in the HSE module;
responding to an authentication request of a client, generating a random number and sending the random number to the client;
receiving a current count value and a calculation result sent by a client, comparing and authenticating the current count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result, and recording a secret key for encrypting subsequent communication data of the client and the authentication end;
and receiving and processing an application instruction of the client, updating the count value after the processing is finished, and updating the authentication result marking state.
5. The HSE-based data anti-replay method of claim 4, wherein the process of receiving and comparing the current count value and the calculation result sent by the client and authenticating the current count value and the calculation result comprises: when the current count value sent by the client is different from the current count value in the client, the authentication fails and an authentication failure result is sent to the client; when the current count value sent by the client is the same as the current count value in the HSE module, HMAC calculation is carried out on the random number by using a symmetric key in the HSE module and compared with the calculation result sent by the client, when the calculation result is inconsistent, authentication is failed, the authentication request is released, the authentication failure result is sent to the client, and when the calculation result is consistent, the authentication is successful.
6. The HSE-based data anti-replay method of claim 4, wherein said authentication result flags a state comprising: the authentication failure result is denoted as INIT =0 and the authentication success result is denoted as verify =1, wherein the initial default state is INIT =0.
7. The HSE-based data anti-replay method of claim 4, wherein said counter value updating means comprises: the counting value is stored in the nonvolatile memory and used for comparing the counting value for the request verification between the client and the HSE module, when the counting values of the client and the HSE module are the same, the counting value is updated by adding 1 to the corresponding counting value after the authentication is successful, otherwise, the counting value after the authentication is failed is unchanged.
8. An HSE-based data anti-replay system applied to a client, comprising:
the key exchange module is used for carrying out key exchange with the authentication end, generating a symmetric key and storing the symmetric key;
the request processing module is used for initiating an authentication request, receiving a random number returned by the authentication end responding to the authentication request and processing the random number based on a preset processing rule;
the authentication processing module is used for carrying out HMAC calculation on the processed random number by using a symmetric key and sending a calculation result and a current count value to an authentication end;
and the receiving processing module is used for receiving the authentication result sent by the authentication end, and when the authentication is successful, initiating an application instruction and updating the count value after waiting for the response of the authentication end.
9. A data anti-replay system based on HSE is applied to an authentication end carrying an HSE module and is connected with a client through a communication interface, and is characterized by comprising the following components:
the key exchange module is used for exchanging keys with the client to generate a symmetric key and storing the symmetric key in the HSE module;
the request response module is used for responding to the authentication request of the client and generating a random number to be sent to the client;
the authentication response module is used for receiving the current count value and the calculation result sent by the client and comparing and authenticating the count value and the calculation result, sending an authentication result to the client when the authentication is successful, updating the marking state of the authentication result and recording a secret key for encrypting the subsequent communication data of the client and the authentication end;
and the receiving response module is used for receiving and processing the application instruction of the client, updating the count value after the processing is finished and updating the authentication result marking state.
10. A computer device, comprising: a client and an authentication terminal, each of which comprises at least one memory and a processor, the memory and the processor being communicatively connected to each other, the memory storing computer instructions therein, and the processor executing the computer instructions to perform the method according to any one of claims 1 to 3 or claims 4 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211555325.7A CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211555325.7A CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115941204A true CN115941204A (en) | 2023-04-07 |
| CN115941204B CN115941204B (en) | 2024-04-12 |
Family
ID=86551667
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211555325.7A Active CN115941204B (en) | 2022-12-06 | 2022-12-06 | Data anti-replay method and system based on HSE |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115941204B (en) |
Citations (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101005357A (en) * | 2006-12-28 | 2007-07-25 | 北京飞天诚信科技有限公司 | Method and system for updating certification key |
| EP2221742A1 (en) * | 2009-02-20 | 2010-08-25 | Comcast Cable Holdings, LLC | Authenticated communication between security devices |
| CN102694652A (en) * | 2012-01-13 | 2012-09-26 | 武传坤 | Method for realizing lightweight authenticated encryption by using symmetric cryptographic algorithm |
| CN105515762A (en) * | 2016-01-28 | 2016-04-20 | 中山市倍能照明科技有限公司 | Encryption system based on Rivet, Shamir and Adleman (RSA) and advanced encryption standard (AES) encryption algorithms and encryption method |
| CN106713327A (en) * | 2016-12-29 | 2017-05-24 | 上海众人网络安全技术有限公司 | Authentication method and system of verification code security reinforcement |
| CN108377190A (en) * | 2018-02-14 | 2018-08-07 | 飞天诚信科技股份有限公司 | A kind of authenticating device and its working method |
| CN108965218A (en) * | 2017-05-25 | 2018-12-07 | 华为技术有限公司 | A kind of perturbed controller safety communicating method, apparatus and system |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
| CN109218251A (en) * | 2017-06-29 | 2019-01-15 | 国民技术股份有限公司 | A kind of authentication method and system of anti-replay |
| CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
| CN109756872A (en) * | 2018-12-06 | 2019-05-14 | 国网山东省电力公司电力科学研究院 | End-to-end data processing method for power grid NB-IoT based on physical unclonable function |
| EP3684088A1 (en) * | 2019-01-18 | 2020-07-22 | Thales Dis France SA | A method for authentication a secure element cooperating with a mobile equipment within a terminal in a telecommunication network |
| US20200328884A1 (en) * | 2019-04-15 | 2020-10-15 | Aclara Technologies Llc | System and method for improved security in advanced metering infrastructure networks |
| CN112231777A (en) * | 2020-12-14 | 2021-01-15 | 武汉新芯集成电路制造有限公司 | Monotonic counter and monotonic counting method thereof |
| CN112291774A (en) * | 2020-12-31 | 2021-01-29 | 飞天诚信科技股份有限公司 | Method and system for communicating with authenticator |
| CN112311544A (en) * | 2020-12-31 | 2021-02-02 | 飞天诚信科技股份有限公司 | Method and system for communication between server and authenticator |
| CN112398649A (en) * | 2020-11-13 | 2021-02-23 | 浪潮电子信息产业股份有限公司 | Method and system for encrypting server by using USBKey and CA |
| CN112491843A (en) * | 2020-11-17 | 2021-03-12 | 苏州浪潮智能科技有限公司 | Database multiple authentication method, system, terminal and storage medium |
| CN112784250A (en) * | 2021-01-27 | 2021-05-11 | 深圳融安网络科技有限公司 | Identity authentication method, client, server and storage medium |
| CN113194465A (en) * | 2021-04-20 | 2021-07-30 | 歌尔股份有限公司 | BLE connection verification method and device between terminals and readable storage medium |
| CN113556321A (en) * | 2021-06-22 | 2021-10-26 | 杭州安恒信息技术股份有限公司 | Password authentication method, system, electronic device and storage medium |
| CN114205083A (en) * | 2021-12-22 | 2022-03-18 | 中国电信股份有限公司 | SRv 6-based security authentication method, network node and authentication system |
| CN114692124A (en) * | 2022-04-18 | 2022-07-01 | 镁佳(北京)科技有限公司 | Data reading and writing method and device and electronic equipment |
| CN115412909A (en) * | 2021-05-10 | 2022-11-29 | 华为技术有限公司 | A communication method and device |
-
2022
- 2022-12-06 CN CN202211555325.7A patent/CN115941204B/en active Active
Patent Citations (24)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101005357A (en) * | 2006-12-28 | 2007-07-25 | 北京飞天诚信科技有限公司 | Method and system for updating certification key |
| EP2221742A1 (en) * | 2009-02-20 | 2010-08-25 | Comcast Cable Holdings, LLC | Authenticated communication between security devices |
| CN102694652A (en) * | 2012-01-13 | 2012-09-26 | 武传坤 | Method for realizing lightweight authenticated encryption by using symmetric cryptographic algorithm |
| CN105515762A (en) * | 2016-01-28 | 2016-04-20 | 中山市倍能照明科技有限公司 | Encryption system based on Rivet, Shamir and Adleman (RSA) and advanced encryption standard (AES) encryption algorithms and encryption method |
| CN106713327A (en) * | 2016-12-29 | 2017-05-24 | 上海众人网络安全技术有限公司 | Authentication method and system of verification code security reinforcement |
| CN108965218A (en) * | 2017-05-25 | 2018-12-07 | 华为技术有限公司 | A kind of perturbed controller safety communicating method, apparatus and system |
| CN109218251A (en) * | 2017-06-29 | 2019-01-15 | 国民技术股份有限公司 | A kind of authentication method and system of anti-replay |
| CN108377190A (en) * | 2018-02-14 | 2018-08-07 | 飞天诚信科技股份有限公司 | A kind of authenticating device and its working method |
| CN109150541A (en) * | 2018-08-15 | 2019-01-04 | 飞天诚信科技股份有限公司 | A kind of Verification System and its working method |
| CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
| CN109756872A (en) * | 2018-12-06 | 2019-05-14 | 国网山东省电力公司电力科学研究院 | End-to-end data processing method for power grid NB-IoT based on physical unclonable function |
| EP3684088A1 (en) * | 2019-01-18 | 2020-07-22 | Thales Dis France SA | A method for authentication a secure element cooperating with a mobile equipment within a terminal in a telecommunication network |
| US20200328884A1 (en) * | 2019-04-15 | 2020-10-15 | Aclara Technologies Llc | System and method for improved security in advanced metering infrastructure networks |
| CN112398649A (en) * | 2020-11-13 | 2021-02-23 | 浪潮电子信息产业股份有限公司 | Method and system for encrypting server by using USBKey and CA |
| CN112491843A (en) * | 2020-11-17 | 2021-03-12 | 苏州浪潮智能科技有限公司 | Database multiple authentication method, system, terminal and storage medium |
| CN112231777A (en) * | 2020-12-14 | 2021-01-15 | 武汉新芯集成电路制造有限公司 | Monotonic counter and monotonic counting method thereof |
| CN112291774A (en) * | 2020-12-31 | 2021-01-29 | 飞天诚信科技股份有限公司 | Method and system for communicating with authenticator |
| CN112311544A (en) * | 2020-12-31 | 2021-02-02 | 飞天诚信科技股份有限公司 | Method and system for communication between server and authenticator |
| CN112784250A (en) * | 2021-01-27 | 2021-05-11 | 深圳融安网络科技有限公司 | Identity authentication method, client, server and storage medium |
| CN113194465A (en) * | 2021-04-20 | 2021-07-30 | 歌尔股份有限公司 | BLE connection verification method and device between terminals and readable storage medium |
| CN115412909A (en) * | 2021-05-10 | 2022-11-29 | 华为技术有限公司 | A communication method and device |
| CN113556321A (en) * | 2021-06-22 | 2021-10-26 | 杭州安恒信息技术股份有限公司 | Password authentication method, system, electronic device and storage medium |
| CN114205083A (en) * | 2021-12-22 | 2022-03-18 | 中国电信股份有限公司 | SRv 6-based security authentication method, network node and authentication system |
| CN114692124A (en) * | 2022-04-18 | 2022-07-01 | 镁佳(北京)科技有限公司 | Data reading and writing method and device and electronic equipment |
Non-Patent Citations (4)
| Title |
|---|
| MARC FISCHLIN; CHRISTIAN JANSON; SOGOL MAZAHERI: "Backdoored Hash Functions: Immunizing HMAC and HKDF", 《2018 IEEE 31ST COMPUTER SECURITY FOUNDATIONS SYMPOSIUM (CSF)》, 9 August 2018 (2018-08-09) * |
| 文勇军;黄浩;樊志良;唐立军;: "分布式日志系统REST安全接口设计", 网络安全技术与应用, no. 04 * |
| 詹静;杨静;: "基于远程证明的可信Modbus/TCP协议研究", 工程科学与技术, no. 01 * |
| 钟成;李兴华;宋园园;马建峰;: "无线网络中基于共享密钥的轻量级匿名认证协议", 计算机学报, no. 05, 29 November 2017 (2017-11-29) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115941204B (en) | 2024-04-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113240519B (en) | Intelligent contract management method and device based on block chain and electronic equipment | |
| CN111723383B (en) | Data storage and verification method and device | |
| JP4036838B2 (en) | Security device, information processing device, method executed by security device, method executed by information processing device, program executable for executing the method, and ticket system | |
| CN108055133B (en) | Key security signature method based on block chain technology | |
| CN109412812B (en) | Data security processing system, method, device and storage medium | |
| TW201633207A (en) | Device keys protection | |
| JP6073320B2 (en) | Authority-dependent platform secret to digitally sign | |
| CN110190964B (en) | Identity authentication method and electronic equipment | |
| CN110691352B (en) | A SIM card access control method, device, medium and device | |
| US20200279258A1 (en) | Mobile payments using multiple cryptographic protocols | |
| CN111062059B (en) | Method and device for service processing | |
| CN117063174A (en) | Security module and method for inter-app trust through app-based identity | |
| CN111884814A (en) | Method and system for preventing counterfeiting of intelligent terminal | |
| WO2025124185A1 (en) | Method and system for managing mobile phone token on basis of ios platform, and electronic device and storage medium | |
| CN118862043A (en) | Application calling method, device, electronic device and storage medium | |
| CN115941204B (en) | Data anti-replay method and system based on HSE | |
| CN115696329B (en) | Zero trust authentication method and device, zero trust client device and storage medium | |
| CN107959670A (en) | A kind of generation method of dynamic password, device, terminal device and storage medium | |
| RU2633186C1 (en) | Personal device for authentication and data protection | |
| CN111246480A (en) | Application communication method, system, equipment and storage medium based on SIM card | |
| CN115134076B (en) | Data processing method and system | |
| CN114817936B (en) | Memory full encryption management method, device, equipment and medium based on heterogeneous memory | |
| CN113935736B (en) | A mobile blockchain secure transaction system | |
| CN118611876B (en) | Algorithm library authorization and encryption method, system and device based on encryption dog | |
| CN110750808B (en) | A bill processing method, device and storage medium device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |