CN100586065C - CPK credibility authorization system - Google Patents

Publication number
CN100586065C
Authority
CN
China
Legal status
Expired - Fee Related
Application number
CN 200610076019
Other languages
Chinese (zh)
Other versions
CN1832403A (en
Inventor
南相浩
关志
Current Assignee
YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING
Original Assignee
YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING
Application filed by YIHENGXIN VERIFICATION SCIENCE AND TECHNOLOGY Co Ltd BEIJING
Priority to CN 200610076019
Publication of CN1832403A
Priority to PCT/CN2007/000162 (WO2007121641A1)
Application granted
Publication of CN100586065C
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Abstract

This invention discloses a CPK trusted authentication system implemented on a chip. The chip contains a dedicated COS, the CPK algorithm, ID certificates, a signature protocol, a key exchange protocol, encryption algorithms and a HASH function, and is packaged as a smart card, USB Key, Flash card or mobile phone SIM card. A single chip can take on the functions of a cipher machine, signature verification, and key storage and management.

Description

The CPK trusted authentication system
Technical field
The present invention relates to information security technology, and in particular to a CPK trusted authentication system for computer and network environments.
Background technology
As the Internet has developed, the requirements for computer and network security have risen steadily, and the corresponding cryptographic algorithms and techniques have flourished. Current encryption technology falls into two classes: symmetric key technology and asymmetric key technology. Asymmetric key technology has been widely adopted because it avoids the need to transmit the decryption key, i.e. the private key, over the network.
The asymmetric key technology best known to those skilled in the art at present is PKI (Public Key Infrastructure). The operation of PKI relies on two major components: a hierarchical CA (Certification Authority) structure and a huge LDAP certificate repository. PKI binds identities to keys through third-party notarization, which requires building a huge hierarchical CA structure. PKI also depends on a certificate repository that operates online, and this online operation generates a large volume of network traffic; for example, to obtain the certificate of a communication peer, a party must authenticate layer by layer up to the CA. Because an authentication system based on PKI relies on online database operation, its operating efficiency is very low and its processing capacity is small. According to reports from the U.S. Department of Defense, PKI will cause an information explosion, and future U.S. military communications will struggle to meet PKI's bandwidth demand. It also causes an organizational explosion: to support 2,000,000 CAC cards, the military as a whole added 2,500 CA workstations, and staffing and funding have reached an unbearable level. Scholars in many countries, including some PKI companies, are therefore looking for a new way forward.
Another very promising encryption technology is IBE (Identity Based Encryption). In 1984, Shamir proposed the idea of identity-based signatures and conjectured the existence of identity-based cryptosystems (IBE for short), but no concrete implementation method was found.
In 2001, Dan Boneh and Matthew Franklin, following Shamir's idea, proposed an identity-based cryptosystem built on the Weil pairing. Compared with PKI, the IBE algorithm does away with the huge hierarchical CA structure, but it needs to keep user-related parameters. An authentication system based on the IBE algorithm relies on online database operation, so its operating efficiency is very low and its processing capacity is also small. Because the parameters are tied to each user, the number of parameters is proportional to the number of users. As long as user-related information has to be published, a directory database such as LDAP is needed, and there is no way to reduce the amount of dynamic online maintenance.
The development and application of public networks have created a new requirement: building trusted network systems. The authentication system is the core technology of a trusted network system, and key technology is the core of the authentication system. Key technology has two major difficulties: scale, and identity-based key distribution. CPK key technology solves exactly these two difficulties and creates the conditions for building trusted systems on large-scale public networks.
Like the IBE algorithm, the CPK algorithm is an identity-based public key algorithm. CPK needs no online database support and can be implemented on a single chip, giving it advantages in scale, economy, feasibility and operating efficiency that the two systems above (PKI and IBE) cannot match.
Although the CPK trusted authentication system has great advantages, the CPK algorithm at its core has a weakness: by itself it cannot resist a collusion attack by users. An n*n CPK factor matrix can support on the order of n*n users, but an attacker who collects n*(n-1) user private keys can solve for the whole private key factor matrix, compute the private key of any user from it, and so break the whole system. In a real system, depending on the size of the factor matrix, a CPK system with a small factor matrix may resist collusion by only fewer than 1000 users. If the safety of private keys cannot be guaranteed effectively, the whole system faces a huge risk.
How to protect private keys is therefore a problem the CPK authentication system urgently needs to solve.
Summary of the invention
In view of this, to solve the private key protection problem in CPK authentication and strengthen the security of the CPK authentication system, the present invention proposes a CPK authentication and encryption system based on a dedicated hardware device. It effectively resists collusion attacks by users and so secures the CPK authentication system, makes the system easier to manage, and lets the CPK authentication mode be applied more widely.
In the CPK trusted authentication system of the present invention, the CPK algorithm is implemented by a dedicated hardware device, and that device stores, manages and protects the secret and sensitive data of the CPK algorithm and the authentication system, such as private keys. Unlike a pure software implementation, the private key takes part in computation only inside the system; even a legitimate user of the system cannot read private key data out of it. This removes the attacker's means of obtaining private keys and so fundamentally eliminates the possibility of a collusion attack.
The main purpose of the present invention is to provide a Combined Public Key (CPK) trusted authentication system. The system is an authentication system implemented on a chip that provides encryption and decryption, digital signature and verification, and key storage and management, and that works as an all-purpose card across different identity domains and security domains. The dedicated software system COS, the CPK algorithm, the ID certificate, the signature protocol and key exchange protocol, the encryption algorithms and the HASH function are all implemented in a modular design. The system is characterized in that it comprises:
A processor, which processes data and thereby controls and manages the whole system;
Secure memory, whose data can be accessed only through specific processor instructions or by special external equipment; an attacker cannot bypass the processor or the special external equipment to reach the data in this memory, and cannot access it by logical or physical means;
Ordinary memory, for storing other data;
A public key cryptography engine, which provides instructions for public key operations and supports elliptic curve cryptography;
A symmetric cryptography engine, which provides instructions for symmetric ciphers and hash algorithms;
A true random number generator, for generating true random numbers;
System protection equipment, including secure packaging of the chip and protection against chip-dissection analysis attacks;
A communication interface, including a USB controller, serial interface or smart card interface, for communicating with external equipment;
In addition, the Combined Public Key (CPK) trusted authentication system further comprises:
An identity-private key management module, which stores, manages, processes and protects private keys and identity data; every operation on a private key is performed by this module, which calls the elliptic curve cryptography module for elliptic curve signing and elliptic curve public key decryption;
A public key factor matrix management module, which maps an identity to indices into the public key factor matrix by means of a mapping algorithm and computes the corresponding public key from the CPK algorithm and the public key factor matrix;
An access control module, which protects the system with a password and cryptographic functions so that only a user who holds the password can access the CPK trusted authentication system;
An elliptic curve cryptography module, which performs elliptic curve signing, verification, public key encryption and decryption;
A symmetric cryptography module, which provides symmetric ciphers, hash algorithms and MAC algorithms;
A HASH algorithm module, which computes the HASH function over data;
A true random number generation module, which generates true random numbers;
A CPK data format encoding/decoding module, which encodes and decodes data in the CPK format;
A communication protocol module, which implements the communication protocol with the CPK agent and serves the CPK agent through request-response commands;
The user's private key is stored in the secure memory.
According to a preferred embodiment of the invention, if the system does not include the public key cryptography engine, symmetric cryptography engine and true random number generator, it calls the corresponding elliptic curve cryptography module, symmetric cryptography module and true random number generation module to perform their functions.
According to a preferred embodiment of the invention, the data in the CPK trusted authentication system comprise the public key factor matrix and the current user's identities and corresponding private keys; these data are stored in the form of ID certificates.
According to a preferred embodiment of the invention, the functions of the CPK trusted authentication system include ID attribute management, encryption, signing, protocol execution, and key storage and management, and the system is plug and play.
According to a preferred embodiment of the invention, the CPK trusted authentication system comprises at least one of: a smart card chip integrating a processor and memory, a stand-alone storage device, and a secure computer.
According to a preferred embodiment of the invention, depending on its packaging and interface, the chip is at least one of a smart card, USB Key, Flash memory card and mobile phone SIM card.
Other advantages, objects and features of the invention will be set out to some extent in the description that follows, and to some extent will be apparent to those skilled in the art on examining what follows, or may be learned from practice of the invention. The objects and other advantages of the invention may be realized and attained by the structure particularly pointed out in the following description, the claims and the drawings.
Description of drawings
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings, in which:
Fig. 1 shows the basic structure of the CPK system according to the invention;
Fig. 2 shows the detailed structure of the CPK system according to the invention;
Fig. 3 shows the signature flow according to the invention;
Fig. 4 shows the verification flow according to the invention;
Fig. 5 shows the public key encryption flow according to the invention;
Fig. 6 shows the public key decryption flow according to the invention.
Embodiment
The preferred embodiments of the invention are described in detail below with reference to the drawings.
CPK is the abbreviation of Combined Public Key. The CPK key management system is an identity-based key generation and management system of the discrete-logarithm-problem type. Following the mathematics of the discrete logarithm problem, it builds a public key matrix and a private key matrix, and uses a hash function and a cryptographic transformation to map an entity's identity to a sequence of row and column coordinates in the matrix. The matrix elements selected by those coordinates are combined to generate a very large number of public/private key pairs, which gives identity-based key production and distribution at very large scale.
The CPK key algorithm uses discrete logarithm and elliptic curve cryptography theory to construct public/private key pairs, and uses the mapping algorithm to bind the public and private key variables to the user identity, thereby solving identity-based key management. CPK key management uses a centralized model in which keys are produced centrally and allocated under unified planning; it is controllable and manageable and suits building a top-down network trust system. CPK key management also uses an operating model of distributed key storage and static invocation, so authentication needs no third party and no prior arrangement.
According to the invention, the CPK Combined Public Key algorithm builds public/private factor matrices from a limited number of public/private factors, derives an extremely large number of public/private key pairs from these matrices, and uses the mapping algorithm to bind each participant's identity to its keys (public/private key).
An authentication system based on the CPK algorithm is a very-large-scale identity-based key management system. It can be used on dedicated authentication networks and public authentication networks to provide proof of trust for trusted applications including, but not limited to, e-mail, electronic bills, electronic logistics labels and teleworking.
According to the invention, the CPK trusted authentication system is an authentication system implemented on a chip. The chip contains a dedicated COS, the CPK algorithm, ID certificates, the signature protocol and key exchange protocol, encryption algorithms, the HASH function and so on, and takes different forms depending on packaging and interface: smart card, USB Key, Flash memory card, mobile phone SIM card. The public key matrix is written into the chip as required, so the peer's public key can be computed on the spot. A single chip takes on the cipher machine function, the signature verification function and the key database storage function, and works as an all-purpose card, so a trusted authentication system can easily be built across different identity domains and security domains.
In the CPK trusted authentication system, most functions are performed inside the chip. This keeps the authentication process secure, puts the authentication system on a chip, and provides the simplest and most direct authentication service. The chip includes:
A dedicated COS supporting the CPK trusted authentication system; the algorithms supporting CPK operations; an ID certificate, including the parameters and keys for multiple identity domains, multiple scopes, authorization levels and role divisions; the CPK digital signature protocol and CPK key exchange protocol; the graded encryption protocol, password change protocol and operation format protocol; private key protection measures; and so on.
Depending on packaging and interface, the dedicated hardware device may take different forms such as smart card, USB Key, Flash memory card or mobile phone SIM card.
Fig. 1 shows the basic structure of the CPK system according to the invention. As shown in Fig. 1, the system physically comprises at least one device serving as the dedicated CPK hardware device; depending on the implementation and environment, it may consist of several hardware devices, including computers and networks, together with related software.
Logically the system has two main parts: the CPK core system and the CPK agent (Agent). The CPK core system is an independent logical unit that implements the CPK algorithm and provides authentication and encryption through a hardware or software interface. The CPK Agent is usually embedded in an application system or application environment and provides it with CPK authentication and cryptographic services. The service interface can take many forms, such as an API, middleware, a system service or a network service, but is not limited to these. The CPK Agent does not itself implement the basic CPK functions; it calls the core system's functions through a special communication protocol and offers them to the application environment. The CPK Agent can also wrap or extend the core system's functions to some degree to meet the needs of the application system.
Fig. 2 shows the detailed structure of the CPK system according to the invention. As shown in Fig. 2, the dedicated CPK Built-in hardware architecture combines software and hardware, with software running on the dedicated hardware device and on general-purpose network and computer platforms. The CPK Built-in chip contains a hardware system, a software system (CPKCOS) and internal data. The hardware system is made up of IP cores with different functions and provides the basic modules: processor, memory, cryptography engines, random number generator. The software system is stored in the chip's internal Flash memory or burned directly into ROM. It calls and wraps the basic functions of the corresponding hardware modules to implement the CPK algorithms and protocols. Some software modules also read and write stored data related to the CPK algorithm, including the public key factor matrix and the identity-private key list.
Depending on its concrete form, the dedicated hardware device of the system has all or some of the following components:
1) Processor, which processes data and thereby controls and manages the whole system.
2) Secure memory. Its data can be accessed only through specific processor instructions or by special external equipment; an attacker cannot bypass these interfaces to reach the data in the memory, and cannot access it by logical or physical means such as chip-dissection attacks.
3) Ordinary memory, for storing other data.
4) Public key cryptography engine. Provides instructions for public key operations and supports elliptic curve cryptography.
5) Symmetric cryptography engine. Provides instructions for operations such as symmetric ciphers and hash algorithms.
6) True random number generator, for generating true random numbers.
7) System protection equipment, including secure packaging of the chip and protection against attacks such as chip-dissection analysis.
8) Communication interface, including a USB controller, serial interface or smart card interface, for communicating with external equipment.
The software of the system comprises the following parts:
1) Identity-private key management module. This module stores, manages, processes and protects private keys and identity data. Every operation on a private key is performed by this module, which calls the elliptic curve cryptography module for elliptic curve signing and elliptic curve public key decryption.
2) Public key factor matrix management module. This module maps an identity to indices into the public key factor matrix by means of a mapping algorithm and computes the corresponding public key from the CPK algorithm and the public key factor matrix.
3) Access control module. Protects the system with a password and cryptographic functions so that only a user who holds the password can access the system.
4) Elliptic curve cryptography module. Performs functions such as elliptic curve signing, verification, public key encryption and decryption.
5) Symmetric cryptography module, which provides symmetric ciphers, hash algorithms, MAC algorithms and so on.
6) HASH algorithm module, which computes the HASH function over data.
7) True random number generator, which generates true random numbers.
8) CPK data format encoding/decoding module, which encodes and decodes data in the CPK format.
9) Communication protocol module. Implements the communication protocol with the CPK agent and serves the CPK agent through request-response commands.
According to the invention, the data in the system comprise the public key factor matrix and the current user's identities and corresponding private keys; these data are stored in the form of ID certificates.
If the hardware device provides a corresponding implementation, the elliptic curve cryptography module, symmetric cryptography module and true random number generator call the hardware function directly; otherwise they are implemented in software.
CPKCOS is described in detail below.
1. CPKCOS provides identity-based authentication that needs no third party and is not online. CPKCOS implements the CPK algorithm on the chip and can give each entity one or more globally unique identities, through which entities authenticate each other. CPKCOS can support multiple identities inside one chip (the number depends on the space in the secure storage area) and, through a variable mapping algorithm, lets one chip support multiple applications and lets identities be revoked and updated flexibly.
2. CPKCOS supports building multi-level authentication systems. For each CPK public key factor matrix, CPKCOS generates a globally unique security domain identifier that designates a security domain. Authentication systems at different levels and in different regions are separated into different security domains by having different public key factor matrices; security domains can recognize each other by their unique security domain identifiers and obtain each other's public key factor matrix, so different security domains are logically connected into one unified authentication network.
3. CPKCOS sets a security-level word for each identity, and CPKCOS carries out only operations that satisfy the security-level restriction, which supports multi-level security requirements in systems such as the military.
4. CPKCOS provides ECDSA digital signatures, ECDH key exchange, ECIES public key encryption, the AES and TripleDES symmetric encryption algorithms and the SHA family of hash algorithms. It can be used for security applications such as authentication and encryption, and can also serve as an auxiliary security algorithm module.
5. CPKCOS supports system software upgrades to add other cryptographic algorithms and extended functions.
To keep the system secure, the software system is specially designed and implemented to work with the security protection of the dedicated hardware. This software system is referred to below as CPKCOS. CPKCOS logically protects the system and secret data such as private keys in several ways.
1. CPKCOS divides memory into a secure storage area and a non-secure storage area. The secure storage area consists of security-hardened EEPROM; the non-secure storage area consists of ordinary Flash memory. CPKCOS stores system programs, confidential data such as private keys, and important program and data segments that operate on confidential data in the secure storage area; data that may be public, such as the public key factor matrix, is stored in the non-secure storage area. The CPKCOS system program segment verifies signatures and integrity codes over the data or programs in the non-secure storage area to ensure they have not been tampered with, and uses encryption to keep the data in that area confidential. This design of the non-secure storage area lets CPKCOS support Flash memory outside the chip while still guaranteeing its security.
2. CPKCOS provides no external interface for reading secret data such as private keys. Through its interfaces a caller can only perform the normal signing and decryption functions and cannot obtain secret data; even a legitimate user cannot read the private key data.
3. CPKCOS protects the chip and its internal sensitive data with a password. The user can use the CPK security chip only after entering the verification password. CPKCOS adds a delay to the password verification process, which greatly increases the time an attacker spends trying passwords, and keeps a verification-failure counter inside the chip; if the number of failed password verifications exceeds the upper limit, the sensitive information in the chip self-destructs.
4. CPKCOS protects the private key factor matrix from being cracked. The CPK algorithm cannot resist collusion attacks: an attacker who collects a large number of private keys can solve for and reconstruct the whole private key factor matrix. The CPK security chip counters this in two ways. Hardware protection and the external interface of CPKCOS ensure that even a legitimate user cannot read private key data. In addition, sensitive data such as private keys are encrypted with the password and with a true random number that is generated and stored only inside the chip, so even if an attacker breaks the chip hardware, for example by chip-dissection analysis, and reads data out of it, the private key cannot be obtained without the password. CPKCOS also supports storing the public key factor matrix in external memory, which allows a larger matrix and raises the number of chips that must be cracked for a collusion attack by 1 to 3 orders of magnitude (with 128MB of external storage).
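A software model of the protections in items 2 to 4 above, added here as an example; it is not code from CPKCOS or the patent. The class name SecureElement, the doubling delay schedule, PBKDF2 as the key derivation, and the XOR wrapping and HMAC tag operation (stand-ins for the chip's symmetric engine and for ECDSA signing) are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


class ChipLockedOut(Exception):
    """Raised once the failure limit was exceeded and the secrets were erased."""


class SecureElement:
    """Hypothetical model: password gate, failure counter, delay, self-destruct."""

    def __init__(self, password, private_key, max_failures=5,
                 base_delay=0.25, sleep=time.sleep):
        if len(private_key) != 32:
            raise ValueError("this model wraps a 32-byte private key")
        # Stand-in for the true random number generated and kept inside the chip.
        self._salt = secrets.token_bytes(32)
        self._verifier, pad = self._derive(password)
        # The private key is stored only in wrapped form (XOR pad is a stand-in
        # for the chip's symmetric cipher).
        self._wrapped = bytes(a ^ b for a, b in zip(private_key, pad))
        self._failures = 0
        self._max = max_failures
        self._base_delay = base_delay
        self._sleep = sleep
        self._session_key = None

    def _derive(self, password):
        out = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                  50_000, dklen=64)
        return out[:32], out[32:]  # (password verifier, key-wrapping pad)

    def unlock(self, password):
        if self._salt is None:
            raise ChipLockedOut("sensitive data has been erased")
        # Count the attempt before checking it, so cutting power mid-check
        # cannot avoid the increment.
        self._failures += 1
        self._sleep(self._base_delay * 2 ** (self._failures - 1))
        verifier, pad = self._derive(password)
        if hmac.compare_digest(verifier, self._verifier):
            self._failures = 0
            self._session_key = bytes(a ^ b for a, b in zip(self._wrapped, pad))
            return True
        self._session_key = None
        if self._failures > self._max:  # "exceeds the upper limit": self-destruct
            self._salt = self._verifier = self._wrapped = None
        return False

    def tag(self, message):
        """Use the key inside the chip; only the result leaves it.

        There is deliberately no method that returns the private key.
        """
        if self._session_key is None:
            raise PermissionError("unlock with the password first")
        return hmac.new(self._session_key, message, hashlib.sha256).digest()
```
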
Hereinafter with reference to Fig. 3-Fig. 6, specific embodiments of the present invention is described in detail.Yet, it should be noted that the present invention can be presented as different forms, and be not appreciated that the embodiment that is limited in this explaination.On the contrary, provide these embodiment be for present disclosure fully and thoroughly, and can fully express scope of the present invention to those skilled in the art.
As Fig. 3-shown in Figure 6, native system comprises four kinds of basic CPK calculation functions: based on signature, checking, public key encryption and the deciphering of CPK algorithm.Here illustrate the basic procedure that these four kinds of computings are described with four width of cloth such as accompanying drawing 3, accompanying drawing 4, accompanying drawing 5, accompanying drawings 6 respectively, framework representative system module wherein, the line segment representative data, the flow direction of arrow representative data, the operation sequencing is expressed as from top to bottom in the drawings.
Fig. 3 shows the flow chart of CPK digital signature. As shown in Fig. 3, the digital signature procedure based on CPK Built-in is as follows:
1) The user selects an identifier from the identifier list in CPK Built-in to be used for the digital signature.
2) The user inputs the data to be signed into the CPK Built-in chip.
3) The hash algorithm module in the CPK Built-in chip calculates the hash value of the data to be signed.
4) The random number generator in the CPK Built-in chip generates the random number used for signing.
5) The private key management module in the CPK Built-in chip reads the corresponding private key according to the user's identifier.
6) The elliptic curve cryptography module generates the ECDSA digital signature from the hash value, the random number and the private key.
7) The data encoding module encodes the ECDSA signature value together with the identifier used for signing into a digital signature data packet in CPK format, which is output from the CPK Built-in chip and returned to the user.
Fig. 4 shows the signature verification flow chart of CPK digital signature. As shown in Fig. 4, the signature verification procedure based on the CPK Built-in digital signature is as follows:
1) The CPK Built-in chip reads in the CPK digital signature and the original signed data from outside.
2) The hash algorithm module calculates the hash value of the signed data.
3) The CPK data format encoding/decoding module extracts the signer's identifier and the ECDSA digital signature data from the CPK digital signature.
4) The identifier-to-public-key mapping algorithm module maps the signer's identifier to the public key that the signer uses for signing.
5) The elliptic curve cryptography module verifies whether the signature is valid using the hash value, the ECDSA digital signature and the signer's public key, and returns the result to the user.
Fig. 5 shows the encryption flow chart of the CPK public key encryption algorithm. With the CPK public key encryption algorithm, a user can send public-key-encrypted data to any other user; the data are encrypted with the CPK public key encryption algorithm, the key is the recipient's identifier, and the recipient can decrypt the data with his or her own private key. As shown in Fig. 5, the detailed procedure is as follows:
1) The CPK Built-in chip reads in the recipient's identifier and the plaintext of the data to be encrypted from outside.
2) The identifier-to-public-key mapping algorithm module computes the recipient's public key from the identifier and the shared key factor matrix.
3) The random number generator generates the symmetric key used to encrypt the data and the random number used for the public key encryption operation.
4) The elliptic curve cryptography module encrypts the plaintext with a symmetric key algorithm and encrypts the symmetric key with the recipient's public key using elliptic curve public key encryption, generating the ECIES ciphertext.
5) The CPK data format encoding/decoding module encodes the ciphertext and the recipient's identifier into a CPK ciphertext data packet and returns it to the user.
Fig. 6 shows the decryption flow chart of the CPK public key encryption algorithm. As shown in Fig. 6, the detailed procedure is as follows:
1) The CPK Built-in chip reads in the CPK ciphertext data packet from outside.
2) The CPK data format encoding/decoding module decodes the packet and reads out the identifier and the ECIES encrypted data.
3) The private key management module obtains the corresponding private key from the internal identifier-private key list.
4) The elliptic curve cryptography module decrypts the ECIES encrypted data with the private key: the decryption process first recovers the symmetric key that encrypted the data using the elliptic curve public key decryption algorithm and the private key, then decrypts the ciphertext into plaintext with this symmetric key, and returns the plaintext to the user.
Depending on security, performance and application environment, the dedicated hardware device can take many different forms. Because dedicated hardware devices differ in storage and processing capability, and because concrete application environments differ, the functional modules of the system can be distributed between the CPK core system and the CPK agent. The more capable the dedicated hardware device, the more of the system's functional modules are implemented on the dedicated hardware device; conversely, the less capable the dedicated hardware device, the more of the system's functional modules are implemented on the CPK agent in the application environment.
Three representative kinds of dedicated hardware device are the smart card chip, the secure computer, and the memory card without processing capability; a specific embodiment is given here for each of these three representative kinds of hardware.
1. Based on a smart card chip
The performance and storage capacity of current mainstream smart card chips can support all functions of the CPK core system, so all programs and data can be built on this hardware platform. Extended functions that are usually implemented in the CPK agent, such as symmetric encryption of data, can also be implemented on the smart card chip, forming a stand-alone product that combines software and hardware. The CPK agent only needs to call the functions of the smart card chip directly and wrap the communication protocol with the hardware into a software interface for the host environment, such as an API or a system service.
The processing capability of a smart card chip is relatively weak and cannot support intensive service requests. Because the on-chip storage of a smart card is small, its storage space is extended with an external memory chip, thereby supporting a larger shared key factor matrix.
2. Based on a secure computer
A secure computer is usually protected by special hardware design and additional means such as a security chip. A secure computer has stronger processing capability and larger storage than a smart card chip, and can support all functions of the CPK core system. The CPK core system and the CPK agent can coexist on the secure computer hardware platform, which can also support the functions of the application system. A CPK trusted authentication system based on a secure computer can be combined with an application system to form an independent product, such as a CPK-based VPN or trusted router.
3. Based on a memory card
A memory card has no processor of its own, only a certain amount of storage. Memory cards are inexpensive and suitable for large-scale applications such as bank cards, but because they have no processor, the confidential data in the memory must be protected by cryptographic means, and a special secure reading device must be used to read the private key stored on the card.
Implementation of the present invention can bring the following benefits and advantages.
(1) Authentication in the past all adopted "belief logic", which starts from premise assumptions and proves by formal reasoning, and the object of proof was limited to the object. The present system instead adopts "trusted logic", which sets no premise assumptions and proves directly by "satisfaction of conditions"; proof is raised to "trusted logic" without premise assumptions, and the objects of proof include subject (identity), object, content and behavior.
(2) Previous authentication systems only solved authentication for small private networks (on the scale of several thousand or tens of thousands); the present system is suited to authentication for ultra-large private networks and for public networks such as e-mail, personal telephone and personal accounts. Its scale is counted in the trillions.
(3) Previous authentication systems relied on a CA authority and a database as indispensable means of authentication, which is expensive and complex to maintain; the present system implements the authentication system with a single chip and eliminates the CA authority and the database, which greatly simplifies the authentication process, improves authentication efficiency, greatly reduces cost, and saves operating and maintenance expenses.
Although the present invention has been illustrated and described with reference to certain preferred embodiments thereof, those of ordinary skill in the art should understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A Combined Public Key (CPK) trusted authentication system, the CPK trusted authentication system being an authentication system that implements, in a chip, encryption and decryption functions, digital signature and verification functions, key storage and management functions, and the function of an all-purpose card across different identifier domains and security domains, wherein the dedicated software system COS, the CPK algorithm, the ID certificate, the signature protocol and key exchange protocol, the encryption algorithms and the HASH function are all implemented in a modular design, characterized in that the CPK trusted authentication system comprises:
A processor, used to process various data and thereby control and manage the whole system;
A secure memory, whose data can be accessed only by specific instructions of the processor or by a dedicated external device; an attacker cannot bypass the processor or the dedicated external device to access the data in the memory, and cannot access the data by logical or physical means;
A normal memory, used to store other data;
A public key cryptography engine, providing instructions for public key operations and supporting elliptic curve cryptography operations;
A symmetric cryptography engine, providing operation instructions for symmetric cryptography and hash algorithms;
A true random number generator, used to generate true random numbers;
System protection equipment, comprising secure packaging of the chip and protective devices against chip-sectioning analysis attacks;
A communication interface, comprising a USB controller, a serial interface or a smart card interface, used to communicate with external devices;
In addition, the CPK trusted authentication system further comprises:
An identifier-private key management module, used to store, manage, process and protect private keys and identifier data; all operations on private keys are performed by this module, and this module calls the elliptic curve cryptography module to perform elliptic curve signing and the decryption operation of elliptic curve public key encryption;
A shared key factor matrix management module, which maps an identifier to indices of the shared key factor matrix by a mapping algorithm, and computes the corresponding public key by the CPK algorithm and the shared key factor matrix;
An access control module, which protects the system by a password and cryptographic functions, ensuring that only a user who holds the password can access the CPK trusted authentication system;
An elliptic curve cryptography module, which performs elliptic curve signing, verification, public key encryption and decryption functions;
A symmetric cryptography module, providing symmetric encryption, hash algorithms and MAC algorithms;
A HASH algorithm module, which performs operations on data according to the HASH function;
A true random number generation module, which generates true random numbers;
A CPK data format encoding/decoding module, which encodes and decodes data in the CPK format;
A communication protocol module, which implements the communication protocol with the CPK agent and provides services to the CPK agent in the form of request-response commands;
The user's private key is stored in the secure memory.
2. The CPK trusted authentication system according to claim 1, characterized in that: if the system does not comprise the public key cryptography engine, the symmetric cryptography engine and the true random number generator, the system calls the corresponding elliptic curve cryptography module, symmetric cryptography module and true random number generation module to perform their functions.
3. The CPK trusted authentication system according to claim 1, characterized in that: the data in the CPK trusted authentication system comprise the shared key factor matrix, the current user's identifier and the corresponding private key, and these data are stored in the form of an ID certificate.
4. The CPK trusted authentication system according to claim 1, characterized in that: the functions of the CPK trusted authentication system comprise ID attribute management, encryption, signing, protocol execution, and key storage and management, and the system supports plug and play.
5. The CPK trusted authentication system according to claim 1, characterized in that: the CPK trusted authentication system comprises at least one of a smart card chip integrating a processor and memory, a stand-alone memory device, and a secure computer.
6. The CPK trusted authentication system according to claim 1, characterized in that: the chip, depending on its packaging and interface, is at least one of a smart card, a USB Key, a Flash memory card and a mobile phone SIM card.
CN 200610076019 2006-04-24 2006-04-24 CPK credibility authorization system Expired - Fee Related CN100586065C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200610076019 CN100586065C (en) 2006-04-24 2006-04-24 CPK credibility authorization system
PCT/CN2007/000162 WO2007121641A1 (en) 2006-04-24 2007-01-16 A cpk credibility authentication system using chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610076019 CN100586065C (en) 2006-04-24 2006-04-24 CPK credibility authorization system

Publications (2)

Publication Number Publication Date
CN1832403A CN1832403A (en) 2006-09-13
CN100586065C true CN100586065C (en) 2010-01-27

Family

ID=36994428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610076019 Expired - Fee Related CN100586065C (en) 2006-04-24 2006-04-24 CPK credibility authorization system

Country Status (2)

Country Link
CN (1) CN100586065C (en)
WO (1) WO2007121641A1 (en)

Also Published As

Publication number Publication date
WO2007121641A1 (en) 2007-11-01
CN1832403A (en) 2006-09-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100127

Termination date: 20200424