CN102024105A - Security certification method and device - Google Patents


Publication number: CN102024105A
Authority: CN (China)
Prior art keywords: key, authentication, record, safety, authenticate
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2010105463815A
Other languages: Chinese (zh)
Inventor: 陈柳章
Current Assignee: Shenzhen Excelsecu Data Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen Excelsecu Data Technology Co Ltd
Application filed by Shenzhen Excelsecu Data Technology Co Ltd
Priority to CN2010105463815A
Publication of CN102024105A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a security certification method and device. The method comprises: receiving an operating instruction and obtaining the security condition the operation must satisfy; parsing the security condition to obtain the key set that the security condition requires to be certified; and querying a certification record list and, when the key set to be certified has been certified successfully, allowing the operation. In the invention, the certification record list is preset in a security device, and one key corresponds to exactly one key certification record; one security condition consists of one or more key certification records. After receiving the operating instruction, the method judges, according to the security condition corresponding to the operating instruction, whether the key set corresponding to that security condition has been certified successfully; if so, the operation is allowed, otherwise it is refused. Therefore, attackers cannot damage the security of existing application files, keys and algorithms by modifying application parameters (for example, adding a new key), so the rate of secret leakage is further reduced and the security performance of the system is improved.

Description

Security authentication method and device
Technical field
The present invention relates to the field of encryption technology, and in particular to a security authentication method and device.
Background
In existing smart security devices, the security authentication mechanism takes the form of a state machine: the device holds only one security state, and every operation on a file, key or algorithm in the device depends on that security state. The authentication method is as follows: after a security authentication request is received, the security state is updated according to the authentication result. In this method several keys can correspond to the same security state, so a newly added key, once it authenticates successfully, can modify the security state and thereby obtain the right to operate on a file, key or algorithm. In addition, the security state generally has only 16 possible values and many keys correspond to one security state, which greatly limits flexibility when designing the security handling mechanism of an application.
Therefore, in the security authentication method of the smart security devices described above, several keys correspond to one security state, and one security state corresponds to the security permissions of several operations. An attacker only needs to modify application parameters while the application is in use (for example, by adding a new key) to undermine the security of files, keys or algorithms that already exist.
Summary of the invention
The main purpose of the present invention is to provide a security authentication method and device intended to improve the security performance of smart devices.
The present invention proposes a security authentication method comprising the following steps:
Receiving an operation instruction, and obtaining the security condition that the operation must satisfy;
Parsing the security condition to obtain the key set that the security condition requires to be authenticated;
Querying the authentication record table and, when the key set to be authenticated has been authenticated successfully, allowing the operation.
Preferably, after the authentication record table is queried, the method comprises:
If at least one key in the key set to be authenticated has failed authentication, refusing the operation.
Preferably, the security condition comprises the authentication keys that the operation requires and the relation between those authentication keys.
Preferably, when a key is authenticated successfully, its key authentication record is added to the authentication record table; when a key fails authentication, its key authentication record is deleted from the authentication record table.
Preferably, before the security device receives the operation instruction and obtains the security condition that the operation must satisfy, the method comprises:
Establishing a security record file, which stores the security conditions that operations must satisfy;
Managing the authentication record table, which stores the key authentication records of successful authentications.
The present invention also proposes a security authentication device, comprising:
A receiving module, used to receive an operation instruction and obtain the security condition that the operation must satisfy;
A parsing module, used to parse the security condition and obtain the key set that the security condition requires to be authenticated;
A processing module, used to query the authentication record table and, when the key set to be authenticated has been authenticated successfully, allow the operation.
Preferably, the processing module is also used to refuse the operation when at least one key in the key set to be authenticated has failed authentication.
Preferably, the security condition comprises the authentication keys that the operation requires and the relation between those authentication keys.
Preferably, the processing module is also used for the following:
When a key is authenticated successfully, adding its key authentication record to the authentication record table; when a key fails authentication, deleting its key authentication record from the authentication record table.
Preferably, the security authentication device also comprises:
A setting module, used to establish a security record file, which stores the security conditions that operations must satisfy;
The processing module is also used to manage the authentication record table, which stores the key authentication records of successful authentications.
The present invention presets an authentication record table in the security device, with each key corresponding to exactly one key authentication record and one or more key authentication records making up a security condition. After receiving an operation instruction, it judges, according to the security condition corresponding to that instruction, whether the key set of that security condition has been authenticated successfully; if so, the operation is allowed, otherwise it is refused. An attacker therefore cannot undermine the security of existing application files, keys and algorithms by modifying application parameters (for example, by adding a new key), which further reduces the probability of secret leakage and improves the security performance of the smart device.
Description of drawings
Fig. 1 is a flow chart of one embodiment of the security authentication method of the present invention;
Fig. 2 is a flow chart of another embodiment of the security authentication method of the present invention;
Fig. 3 is a structural diagram of one embodiment of the security authentication device of the present invention;
Fig. 4 is a structural diagram of another embodiment of the security authentication device of the present invention.
The realization of the object of the invention, its functional characteristics and its advantages are described further below in conjunction with the embodiments and with reference to the drawings.
Embodiments
It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Fig. 1 is a flow diagram of one embodiment of the security authentication method of the present invention.
The security authentication method provided by the invention requires an authentication record table to be kept in the security device in advance; the authentication record information of each successfully executed external authentication is written into this table. If an external authentication fails or is cancelled, the corresponding authentication record information is deleted. The security device here may specifically be the EsecuCOS smart operating system.
The specific steps are as follows:
Step S101: receive an operation instruction, and obtain the security condition that the operation must satisfy;
After the security device is connected to another device, the other device can send operation instructions to the security device. An operation instruction can cover operations on an application file such as reading, writing, deletion and state change; operations on a key such as use and update; and operations on an algorithm such as use.
Step S102: parse the security condition to obtain the key set that the security condition requires to be authenticated;
The security condition comprises the authentication keys that the operation requires and the relation between those authentication keys. Parsing the security condition yields the key set to be authenticated. The key set may be a single key or several keys; several keys may be in an AND relation (all of them must be satisfied at the same time) or an OR relation (it is enough that one of them is satisfied). For example, the security condition may show that the authentication keys required for a read operation on an application file are the key set of key 1, key 2 and key 3.
Step S103: query the authentication record table and judge whether the key set to be authenticated has been authenticated successfully; if yes, execute step S104; otherwise execute step S105;
The authentication record table is queried to judge whether the key set to be authenticated has been authenticated successfully. For example, in step S102 above, the security condition shows that the authentication keys required for a read operation on an application file are the key set of key 1, key 2 and key 3, and that key 1, key 2 and key 3 are in an AND relation. So it is first judged whether the key 1 authentication record, the key 2 authentication record and the key 3 authentication record exist in the authentication record table. If the authentication records of all three keys exist, the key set required for the read operation on that file is judged to have been authenticated successfully; if the authentication record of any one of the three keys does not exist, the key set required for the read operation on that file is judged to have failed authentication.
Step S104: allow the operation and manage the authentication record table; if the operation is a key authentication operation, add the key authentication record;
When the key set to be authenticated has been authenticated successfully, the operation is allowed and the authentication record table is managed: if the operation is a key authentication operation, the key authentication record of the successful authentication is added to the authentication record table.
Step S105: refuse the operation and manage the authentication record table; if the operation is a key authentication operation, delete the key authentication record;
When the key set to be authenticated has failed authentication, the operation is refused and the authentication record table is managed: if the operation is a key authentication operation, the key authentication record of the failed authentication is deleted from the authentication record table.
The present invention presets an authentication record table in the security device, with each key corresponding to exactly one key authentication record and one or more key authentication records making up a security condition. After receiving an operation instruction, it judges, according to the security condition corresponding to that instruction, whether the key set of that security condition has been authenticated successfully; if so, the operation is allowed, otherwise it is refused. An attacker therefore cannot undermine the security of existing application files, keys and algorithms by modifying application parameters (for example, by adding a new key), which further reduces the probability of secret leakage and improves the security performance of the smart device.
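The following added example (not part of the patent text) models steps S101 to S105 with a per-key authentication record table and AND/OR security conditions, next to the single-security-state design from the background section. All class, function and key names and the sample secrets are constructed for illustration, and a constant-time secret comparison stands in for the device's real external-authentication protocol.

```python
import hmac
from dataclasses import dataclass, field

AND, OR = "and", "or"


@dataclass(frozen=True)
class SecurityCondition:
    """Keys an operation requires and the relation between them."""
    keys: frozenset
    relation: str = AND  # AND: every key authenticated; OR: any one of them

    def __post_init__(self):
        if not self.keys or self.relation not in (AND, OR):
            raise ValueError("condition needs at least one key and a valid relation")


@dataclass
class SecurityDevice:
    """Design from the description: one authentication record per key."""
    key_store: dict = field(default_factory=dict)    # key ID -> secret
    record_file: dict = field(default_factory=dict)  # (object, operation) -> condition
    auth_records: set = field(default_factory=set)   # authentication record table

    def authenticate(self, key_id, secret):
        # Assumption: stand-in for the real external-authentication exchange.
        stored = self.key_store.get(key_id)
        ok = stored is not None and hmac.compare_digest(stored, secret)
        if ok:
            self.auth_records.add(key_id)       # success: add the record
        else:
            self.auth_records.discard(key_id)   # failure: delete the record
        return ok

    def allowed(self, obj, operation):
        cond = self.record_file.get((obj, operation))    # S101: look up condition
        if cond is None:
            return False  # assumption: no recorded condition means refuse
        authenticated = cond.keys & self.auth_records    # S102/S103: query table
        if cond.relation == AND:
            return authenticated == cond.keys            # all records must exist
        return bool(authenticated)                       # OR: one record suffices


class LegacyStateDevice:
    """Background-section model: one security state shared by several keys."""
    def __init__(self):
        self.key_store = {}   # key ID -> (secret, state set on success)
        self.required = {}    # (object, operation) -> required state
        self.state = 0

    def authenticate(self, key_id, secret):
        ok, new_state = False, 0
        entry = self.key_store.get(key_id)
        if entry is not None and hmac.compare_digest(entry[0], secret):
            ok, new_state = True, entry[1]
        self.state = new_state
        return ok

    def allowed(self, obj, operation):
        return self.required.get((obj, operation)) == self.state


def demo():
    """Constructed scenario: a key added later authenticates on both designs."""
    target = ("app_file", "read")
    legacy = LegacyStateDevice()
    legacy.key_store["key1"] = (b"secret-1", 3)
    legacy.required[target] = 3
    legacy.key_store["added"] = (b"other", 3)   # new key mapped to the same state
    legacy.authenticate("added", b"other")

    dev = SecurityDevice()
    dev.key_store.update(key1=b"secret-1", key2=b"secret-2", key3=b"secret-3")
    dev.record_file[target] = SecurityCondition(frozenset({"key1", "key2", "key3"}))
    dev.key_store["added"] = b"other"
    dev.authenticate("added", b"other")
    results = {"legacy_added_key": legacy.allowed(*target),
               "table_added_key": dev.allowed(*target)}
    dev.authenticate("key1", b"secret-1")
    dev.authenticate("key2", b"secret-2")
    results["table_two_of_three"] = dev.allowed(*target)
    dev.authenticate("key3", b"secret-3")
    results["table_all_three"] = dev.allowed(*target)
    dev.authenticate("key2", b"wrong")          # failed attempt deletes the record
    results["table_after_failure"] = dev.allowed(*target)
    return results
```

In the constructed scenario the shared-state model grants the read once the added key authenticates, while the record-table model refuses until key 1, key 2 and key 3 all have records, and refuses again after a failed attempt removes one of them.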
Fig. 2 is a flow diagram of another embodiment of the security authentication method of the present invention.
On the basis of the above embodiment, the following step is also included before step S101:
Step S106: establish a security record file, which stores the security conditions that operations must satisfy.
The security record file can be established in the smart device by means of an instruction provided by the smart device. The security record file is the set of all security conditions; that is, it stores the security conditions that operations must satisfy. The authentication record table is also set up in advance and managed, so that when judging whether a key has been authenticated successfully, the key authentication records in the table can be queried directly.
Fig. 3 is a structural diagram of one embodiment of the security authentication device of the present invention.
The security authentication device of this embodiment comprises:
A receiving module 101, used to receive an operation instruction and obtain the security condition that the operation must satisfy;
A parsing module 102, used to parse the security condition and obtain the key set that the security condition requires to be authenticated;
A processing module 103, used to query the authentication record table and, when the key set to be authenticated has been authenticated successfully, allow the operation.
After the security device is connected to another device, the other device can send operation instructions to the security device. An operation instruction can cover operations on an application file such as reading, writing, deletion and state change; operations on a key such as use and update; and operations on an algorithm such as use.
The security condition comprises the authentication keys that the operation requires and the relation between those authentication keys. The parsing module 102 parses the security condition to obtain the key set to be authenticated. The key set may be a single key or several keys; several keys may be in an AND relation (all of them must be satisfied at the same time) or an OR relation (it is enough that one of them is satisfied). For example, the security condition may show that the authentication keys required for a read operation on an application file are the key set of key 1, key 2 and key 3.
The processing module 103 queries the authentication record table and judges whether the key set to be authenticated has been authenticated successfully. If yes, it allows the operation and manages the authentication record table: if the operation is a key authentication operation, the key authentication record of the successful authentication is added to the authentication record table. Otherwise it refuses the operation and manages the authentication record table: if the operation is a key authentication operation, the key authentication record of the failed authentication is deleted from the authentication record table. For example, in step S102 above, the security condition shows that the authentication keys required for a read operation on an application file are the key set of key 1, key 2 and key 3, and that key 1, key 2 and key 3 are in an AND relation. So it is first judged whether the key 1 authentication record, the key 2 authentication record and the key 3 authentication record exist in the authentication record table. If they exist, the key set required for the read operation on that file is judged to have been authenticated successfully; if any one of the key 1, key 2 and key 3 authentication records does not exist, the key set required for the read operation on that file is judged to have failed authentication.
The present invention presets an authentication record table in the security device, with each key corresponding to exactly one key authentication record and one or more key authentication records making up a security condition. After receiving an operation instruction, it judges, according to the security condition corresponding to that instruction, whether the key set of that security condition has been authenticated successfully; if so, the operation is allowed, otherwise it is refused. An attacker therefore cannot undermine the security of existing application files, keys and algorithms by modifying application parameters (for example, by adding a new key), which further reduces the probability of secret leakage and improves the security performance of the smart device.
Fig. 4 is a structural diagram of another embodiment of the security authentication device of the present invention.
On the basis of the above embodiment, the security authentication device of this embodiment also comprises:
A setting module 104, used to establish a security record file, which stores the security conditions that operations must satisfy.
The setting module 104 can establish the security record file in the smart device according to an instruction provided by the smart device. The security record file is the set of all security conditions; that is, it stores the security conditions that operations must satisfy. The processing module 103 sets up the authentication record table in advance and manages it, so that when judging whether a key has been authenticated successfully, the key authentication records in the table can be queried directly, which speeds up the authentication process.
The above are only preferred embodiments of the present invention and do not thereby limit the scope of its claims; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A security authentication method, characterized in that it comprises the following steps:
Receiving an operation instruction, and obtaining the security condition that the operation must satisfy;
Parsing the security condition to obtain the key set that the security condition requires to be authenticated;
Querying the authentication record table and, when the key set to be authenticated has been authenticated successfully, allowing the operation.
2. The method according to claim 1, characterized in that, after the authentication record table is queried, the method comprises:
If at least one key in the key set to be authenticated has failed authentication, refusing the operation.
3. The method according to claim 2, characterized in that the security condition comprises the authentication keys that the operation requires and the relation between those authentication keys.
4. The method according to claim 2, characterized in that, when a key is authenticated successfully, its key authentication record is added to the authentication record table; when a key fails authentication, its key authentication record is deleted from the authentication record table.
5. The method according to any one of claims 1 to 4, characterized in that, before receiving the operation instruction and obtaining the security condition that the operation must satisfy, the method comprises:
Establishing a security record file, which stores the security conditions that operations must satisfy;
Managing the authentication record table, which stores the key authentication records of successful authentications.
6. A security authentication device, characterized in that it comprises:
A receiving module, used to receive an operation instruction and obtain the security condition that the operation must satisfy;
A parsing module, used to parse the security condition and obtain the key set that the security condition requires to be authenticated;
A processing module, used to query the authentication record table and, when the key set to be authenticated has been authenticated successfully, allow the operation.
7. The device according to claim 6, characterized in that the processing module is also used to refuse the operation when at least one key in the key set to be authenticated has failed authentication.
8. The device according to claim 7, characterized in that the security condition comprises the authentication keys that the operation requires and the relation between those authentication keys.
9. The device according to claim 7, characterized in that the processing module is also used for the following:
When a key is authenticated successfully, adding its key authentication record to the authentication record table; when a key fails authentication, deleting its key authentication record from the authentication record table.
10. The device according to any one of claims 6 to 9, characterized in that it also comprises:
A setting module, used to establish a security record file, which stores the security conditions that operations must satisfy;
The processing module is also used to manage the authentication record table, which stores the key authentication records of successful authentications.
CN2010105463815A 2010-11-16 2010-11-16 Security certification method and device Pending CN102024105A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010105463815A CN102024105A (en) 2010-11-16 2010-11-16 Security certification method and device


Publications (1)

Publication Number Publication Date
CN102024105A true CN102024105A (en) 2011-04-20

Family

ID=43865391


Country Status (1)

Country Link
CN (1) CN102024105A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102685121A (en) * 2012-05-03 2012-09-19 飞天诚信科技股份有限公司 Digital signature method and digital signature device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1716199A (en) * 2004-06-30 2006-01-04 微软公司 System and method for protected operating system boot using state validation
US20080244257A1 (en) * 2007-03-30 2008-10-02 Kushagra Vaid Server active management technology (AMT) assisted secure boot
CN101483513A (en) * 2009-02-09 2009-07-15 上海爱数软件有限公司 Network backup system, data backup and recovery method
CN101802834A (en) * 2007-09-10 2010-08-11 日本电气株式会社 Terminal device authentication method, terminal device, and program


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110420