| 摘要 |
Disclosed is a key downloading management method, comprising: a device end authorizing the validity of an RKS server by checking a digital signature of a work certificate public key of the RKS server, and the RKS server generating an authentication token (AT); encrypting by using an identity authentication secondary key DK2 of the device end, and sending the ciphertext to the device end; the device end decrypting the ciphertext by using the identity authentication secondary key DK2 saved thereby, encrypting the ciphertext by using the work certificate public key and then returning same to the RKS server; the RKS server decrypting same by using a work certificate private key thereof and then comparing whether the authentication token (AT) is the same as the generated authentication token (AT) or not, and if so, it is indicated that the device end is valid, thereby achieving bidirectional identity authentication. |
| 主权项 |
1. A key downloading method, comprising:
sending a device sequence number DSN and a device identity authentication request to an RKS server via a device terminal; receiving the working certificate public key RKS_WCRT_PK sent by the RKS server, via the device terminal; verifying if the digital signature of RKS_WCRT_PK is valid by using a root public key certificate RKS_RCRT, and if so, encrypting a divergence factor by using RKS_WCRT_PK to obtain a divergence factor cipher text, and sending the divergence factor cipher text to the RKS server, via the device terminal; receiving the cipher text AT_TK1 sent by the RKS server via the device terminal, wherein the cipher text AT_TK1 is obtained through encrypting the authentication token AT and the first transmission key component TK1 by the secondary device identity authentication key DIK2; the DIK2 is generated by calling the secondary device identity authentication key generating function according to the device sequence number DSN and a primary device identity authentication key DIK1; decrypting the cipher text AT_TK1 by using DIK2 to obtain clear texts AT and TK1, via the device terminal; generating the third random number as the second transmission key component TK2, performing XOR on TK1 and TK2 to obtain a transmission key TK, calculating SHA256 verification value of TK to obtain TK_SHA2, via the device terminal; encrypting AT, TK2, and TK_SHA2 by using RKS_WCRT_PK to obtain the cipher text AT_TK2_TK_SHA2, and sending the cipher text AT_TK2_TK_SHA2 to the RKS server, via the device terminal; receiving a key cipher text sent by the RKS server via the device terminal, wherein the key cipher text is obtained through encrypting the key to be downloaded by TK; decrypting the key cipher text by using TK to obtain a key clear text, storing the key in a security module, via the device terminal; and judging if the key downloading is complete, and if complete, clearing AT, TK and RKS_WCRT_PK, via the device terminal. |
