CN104579680A - Method for safe distribution of seed - Google Patents

Info

Publication number: CN104579680A (granted as CN104579680B)
Authority: CN (China)
Application number: CN201410802304.XA
Original language: Chinese (zh)
Inventors: 陆舟, 于华章
Original and current assignee: Feitian Technologies Co Ltd
Legal status: granted, active (status as listed by Google Patents, which has performed no legal analysis)
Prior art keywords: equipment, key, encryption, seed, transmission security
Abstract

The invention discloses a method for the secure distribution of a seed. It relates to the field of information security and addresses a weakness of existing seed generation and distribution processes: when the seed is encrypted by software, the protection is easily broken and the seed is exposed. The method uses a dedicated encryption device (encryptor) to generate a first key, derives a second key from the first key, derives a first seed encryption key from the second key, encrypts the seed data with the first seed encryption key to obtain a first seed ciphertext, and stores the first seed ciphertext. When the second key is to be exported, the encryptor generates a first transmission key and encrypts the second key with the first transmission key, obtaining the encrypted second key. A second seed ciphertext and an encrypted third key are obtained in the same manner. The method thereby protects both the generated seed data and its transmission.

Description

Method for the secure distribution of a seed
Technical field
The present invention relates to the field of information security, and in particular to a method for the secure distribution of a seed.
Background
Dynamic passwords are currently one of the most secure identity authentication technologies and are widely used in enterprise, online gaming and finance. A dynamic password is generated by a token from a seed stored inside it, using a preset algorithm. The inventors found that in the prior art the seed is encrypted by software during seed generation and distribution; because software is easily cracked, the seed is exposed to a security risk.
Summary of the invention
To remedy the deficiencies of the prior art, the invention provides a method for the secure distribution of a seed, comprising:
When a first device receives first key components entered by a user, it calls the encryptor of the first device, and the encryptor of the first device generates a first key from the first key components;
When the first device receives a second device name entered by the user, step T1 is performed;
Step T1: the first device generates a second key diversification factor and calls the encryptor of the first device; the encryptor of the first device generates a second key and a second key index number from the first key and the second key diversification factor, and stores them; the first device obtains the second key index number from the encryptor of the first device, and stores the second device name, the second key diversification factor and the second key index number;
Step T2: the first device generates first transmission key components and calls the encryptor of the first device; the encryptor of the first device generates a first transmission key from the first transmission key components and encrypts the second key with the first transmission key, obtaining the encrypted second key; the first device obtains the encrypted second key from the encryptor of the first device;
When the first device receives a third device name entered by the user, step U1 is performed;
Step U1: the first device generates a third key diversification factor and calls the encryptor of the first device; the encryptor of the first device generates a third key and a third key index number from the first key and the third key diversification factor, and stores them; the first device obtains the third key index number from the encryptor of the first device, and stores the third device name, the third key diversification factor and the third key index number;
Step U2: the first device generates second transmission key components and calls the encryptor of the first device; the encryptor of the first device generates a second transmission key from the second transmission key components and then encrypts the third key with the second transmission key, obtaining the encrypted third key; the first device obtains the encrypted third key from the encryptor of the first device;
When the first device obtains the second device name, the third device name and the token serial number generation rule selected by the user, step V1 is performed;
Step V1: the first device sets a token serial number according to the token serial number generation rule and calls the encryptor of the first device; the encryptor of the first device generates seed data and produces a generate-seed response; the first device obtains the generate-seed response from the encryptor of the first device;
Step V2: the first device looks up the second key index number by the second device name and calls the encryptor of the first device; the encryptor of the first device retrieves the second key by the second key index number and diversifies the token serial number with the second key, obtaining a first seed encryption key; the first device looks up the third key index number by the third device name and calls the encryptor of the first device; the encryptor of the first device retrieves the third key by the third key index number and diversifies the token serial number with the third key, obtaining a second seed encryption key;
Step V3: the first device calls the encryptor of the first device; the encryptor of the first device encrypts the seed data with the first seed encryption key, obtaining a first seed ciphertext, and encrypts the seed data with the second seed encryption key, obtaining a second seed ciphertext;
Step V4: the first device obtains the first seed ciphertext from the encryptor of the first device and stores the first seed ciphertext together with the token serial number, obtains the second seed ciphertext from the encryptor of the first device and stores the second seed ciphertext together with the token serial number, and ends.
After step T2 the method further comprises: the first device stores the encrypted second key in a second key storage card and stores the first transmission key components in first transmission key storage cards;
After step U2 the method further comprises: the first device stores the encrypted third key in a third key storage card and stores the second transmission key components in second transmission key storage cards;
After step V4 the method further comprises: the first device saves the first seed ciphertext and the token serial number to a first optical disc, and saves the second seed ciphertext and the token serial number to a second optical disc.
A second device obtains the first transmission key components from the first transmission key storage cards and calls the encryptor of the second device;
The encryptor of the second device generates the first transmission key and a first transmission key index number from the first transmission key components using a preset first transmission key composition algorithm;
The second device obtains the first transmission key index number from the encryptor of the second device;
The second device obtains the encrypted second key from the second key storage card and calls the encryptor of the second device;
The encryptor of the second device decrypts the encrypted second key with the first transmission key using a preset second key decryption algorithm, obtaining the second key;
The second device obtains the first seed ciphertext and the token serial number from the first optical disc and calls the encryptor of the second device;
The encryptor of the second device diversifies the token serial number with the second key using a preset second key diversification algorithm, obtaining a first seed decryption key, and decrypts the first seed ciphertext with the first seed decryption key using a preset first seed decryption algorithm, obtaining the seed plaintext;
The second device obtains the seed plaintext from the encryptor of the second device, generates an OTP from the seed plaintext using a preset password generation algorithm, assembles an authentication request containing the OTP and the token serial number, sends the authentication request to a third device, and ends.
The management center of the third device obtains the second transmission key components from the second transmission key storage cards and calls the encryptor of the third device;
The encryptor of the third device generates the second transmission key and a second transmission key index number from the second transmission key components using a preset second transmission key composition algorithm;
The management center of the third device obtains the second transmission key index number from the encryptor of the third device, obtains the encrypted third key from the third key storage card, and calls the encryptor of the third device;
The encryptor of the third device decrypts the encrypted third key with the second transmission key using a preset third key decryption algorithm, obtaining the third key;
The management center of the third device obtains the second seed ciphertext and the token serial number from the second optical disc and stores the second seed ciphertext and the token serial number;
When the third device receives an authentication request, it extracts the token serial number from the authentication request, retrieves the second seed ciphertext by the token serial number, and calls the encryptor of the third device;
The encryptor of the third device diversifies the token serial number with the third key using a preset third key diversification algorithm, obtaining a second seed decryption key, and decrypts the second seed ciphertext with the second seed decryption key using a preset second seed decryption algorithm, obtaining the seed plaintext;
The third device obtains the seed plaintext from the encryptor of the third device, generates password data to be verified from the seed plaintext using the preset password generation algorithm, extracts the OTP from the authentication request, and checks whether the password data to be verified is identical to the OTP; if so, it sends a verification success to the management center of the third device and ends; otherwise it sends a verification failure to the management center of the third device and ends.
After the management center of the third device stores the second seed ciphertext and the token serial number, the method further comprises:
The management center of the third device checks whether the second seed ciphertext and the token serial number were stored successfully; if so, it ends; otherwise it prompts that the second seed ciphertext was not stored, and ends.
Beneficial effects of the invention: a dedicated encryptor generates the first key; the second key is derived from the first key; the first seed encryption key is derived from the second key; the seed data is encrypted with the first seed encryption key to obtain the first seed ciphertext, which is exported to a first optical disc. When the second key is exported, the encryptor generates a first transmission key and encrypts the second key with it to obtain the encrypted second key; the encrypted second key is exported to a second key storage card, and each of the first transmission key components from which the first transmission key is composed is exported to a different first transmission key storage card. In this way the security of both the generated seed data and its transmission is ensured.
Brief description of the drawings
Fig. 1 is a flowchart of a method by which a first device generates a first key, according to an embodiment of the invention;
Fig. 2 is a flowchart of a method by which the first device generates a second key, according to an embodiment of the invention;
Fig. 3 is a flowchart of a method by which the first device generates a third key, according to an embodiment of the invention;
Fig. 4 is a flowchart of a method by which the first device generates and exports seed data, according to an embodiment of the invention;
Fig. 5 is a flowchart of a method for importing seed data into a second device, according to an embodiment of the invention;
Fig. 6 is a flowchart of a method for importing seed data into a third device, according to an embodiment of the invention;
Fig. 7 is a flowchart of a method by which the management center of the third device decrypts the third key, according to an embodiment of the invention.
Detailed description of the embodiments
In this embodiment, a first device generates a first key, derives a second key from the first key, derives a third key from the first key, and generates seed data. It encrypts the seed data on the basis of the second key and of the third key, obtaining a first seed ciphertext and a second seed ciphertext, distributes the first seed ciphertext to a second device and the second seed ciphertext to a third device. The second device decrypts the first seed ciphertext on the basis of the second key to obtain the seed plaintext, and the third device decrypts the second seed ciphertext on the basis of the third key to obtain the seed plaintext. Specifically:
The first device generates the first key as follows:
When the first device receives several first key components entered by users, it calls the encryptor of the first device, which generates the first key from the first key components and stores it, generates a first key index number and stores it, and returns the first key index number. The first device exports each first key component to a different first key storage card as a backup, and saves the first key index number in the first device database.
After the first device has generated the first key, it can generate and export the second key, as follows:
When the first device receives a second device name entered by the user, it generates a second key diversification factor and calls the encryptor of the first device, which generates the second key from the first key and the second key diversification factor and stores it, generates a second key index number and stores it, and returns the second key index number. The first device saves the second device name, the second key diversification factor and the second key index number in the first device database.
The first device generates 3 first transmission key components and calls the encryptor of the first device, which generates the first transmission key from the 3 first transmission key components, encrypts the second key with the first transmission key, obtains the encrypted second key and returns it. The first device stores the encrypted second key in a second key storage card and stores the 3 first transmission key components in 3 separate first transmission key storage cards. End.
After the first device has generated the first key, it can generate and export the third key, as follows:
When the first device receives a third device name entered by the user, it generates a third key diversification factor and calls the encryptor of the first device, which diversifies the third key diversification factor with the first key, generates the third key and stores it, generates a third key index number and stores it, and returns the third key index number. The first device saves the third device name, the third key diversification factor and the third key index number in the first device database. The first device then generates 3 second transmission key components and calls the encryptor of the first device, which generates the second transmission key from the second transmission key components, encrypts the third key with the second transmission key, obtains the encrypted third key and returns it. The first device stores the encrypted third key in a third key storage card and stores the 3 second transmission key components in 3 separate second transmission key storage cards. End.
After the first device has generated the second key and the third key, it can generate and encrypt seed data, as follows:
When the first device obtains the second device name, the third device name and the token serial number generation rule selected by the user, it determines the number of seeds from the token serial number generation rule, sets the current token serial number according to that rule, and calls the encryptor of the first device, which generates the seed data and returns a generate-seed response. The first device looks up the second key index number in the first device database by the second device name, looks up the third key index number in the first device database by the third device name, and calls the encryptor of the first device, which retrieves the second key by the second key index number and diversifies the token serial number with the second key to obtain the first seed encryption key, retrieves the third key by the third key index number and diversifies the token serial number with the third key to obtain the second seed encryption key, encrypts the seed data with the first seed encryption key to obtain the first seed ciphertext, encrypts the seed data with the second seed encryption key to obtain the second seed ciphertext, and returns a first encrypt-seed response and a second encrypt-seed response. The first device takes the first seed ciphertext from the first encrypt-seed response and saves it with the token serial number in the first device database, takes the second seed ciphertext from the second encrypt-seed response and saves it with the token serial number in the first device database, assembles and displays the information to be displayed, saves the first seed ciphertext and the token serial number to a first optical disc, and saves the second seed ciphertext and the token serial number to a second optical disc. End.
In this embodiment, the encrypted seed is imported into the second device and the seed plaintext is recovered as follows:
When the second device obtains the 3 first transmission key components from the 3 first transmission key storage cards, it calls the encryptor of the second device, which generates the first transmission key from the 3 first transmission key components, generates a first transmission key index number and returns it. The second device obtains the encrypted second key from the second key storage card and calls the encryptor of the second device, which decrypts the encrypted second key with the first transmission key using the preset second key decryption algorithm to obtain the second key. The second device obtains the first seed ciphertext and the token serial number from the first optical disc and calls the encryptor of the second device, which diversifies the token serial number with the second key to obtain the first seed decryption key, decrypts the first seed ciphertext with the first seed decryption key to obtain the seed plaintext, and returns the seed plaintext. The second device receives the seed plaintext, generates an OTP from it using the preset password generation algorithm, assembles an authentication request containing the OTP and the token serial number, and sends the authentication request to the third device. End.
In this embodiment, the encrypted seed is imported into the third device and the seed plaintext is recovered as follows:
The management center of the third device obtains the 3 second transmission key components from the 3 second transmission key storage cards and calls the encryptor of the third device, which generates the second transmission key from the 3 second transmission key components, generates a second transmission key index number and returns it. The management center of the third device obtains the encrypted third key from the third key storage card and calls the encryptor of the third device, which decrypts the encrypted third key with the second transmission key to obtain the third key. The management center of the third device obtains the second seed ciphertext and the token serial number from the second optical disc and saves them in the third device database.
When the third device receives an authentication request, it extracts the token serial number from the request, retrieves the second seed ciphertext from the third device database by the token serial number, and calls the encryptor of the third device, which diversifies the token serial number with the third key to obtain the second seed decryption key, decrypts the second seed ciphertext with the second seed decryption key to obtain the seed plaintext, and returns the seed plaintext. The third device generates the password data to be verified from the seed plaintext, extracts the OTP from the authentication request, and checks whether the password data to be verified is identical to the OTP; if so, it sends a verification success to the management center of the third device and ends; otherwise it sends a verification failure to the management center of the third device and ends.
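The whole flow of Figs. 1 to 6 as one runnable model, added here as an example and not code from the patent or from Feitian. The encryptor is modelled as an object that keeps key material private and hands out index numbers; the first key is derived from the three user components plus an internal root key (step 106), the second and third keys from the first key and a random diversification factor (step 204), the seed keys from those and the token serial number (step V2), and the key export of steps T2/U2 is an authenticated wrap under a transmission key that each receiving device rebuilds from its three cards. The patent names no concrete algorithms, so HMAC-SHA256 for derivation, AES-256-GCM for sealing, the "wrapped-key" label, 32-byte keys and the serial number 1000000001 are all assumptions of this example. OTP generation from the recovered seed (any HOTP/TOTP scheme) is left out; Demo instead checks that the token-side and server-side devices recover the same seed, which is what makes the OTP comparison of Fig. 6 possible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Encryptor stands in for the patent's dedicated encryption device: key material stays
// inside it and callers hold only key index numbers. The algorithms (HMAC-SHA256 for
// derivation, AES-256-GCM for sealing) are this example's assumptions; the patent says "preset".
type Encryptor struct {
	root []byte         // internal root key mixed into the first key (step 106)
	keys map[int][]byte // key index number -> key material
	next int
}

func NewEncryptor() *Encryptor { return &Encryptor{root: random(32), keys: map[int][]byte{}, next: 1} }
func (e *Encryptor) store(k []byte) int { e.keys[e.next] = k; e.next++; return e.next - 1 }
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// threeCards models three 16-byte key components, one per key storage card (constructed).
func threeCards() [][]byte { return [][]byte{random(16), random(16), random(16)} }

// derive is the "dispersion" primitive behind every key derivation step.
func derive(key []byte, label string, input []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(input)
	return m.Sum(nil)
}

// ComposeFirstKey mixes the user components with the root key (step 106), so the cards
// alone cannot reproduce the first key outside this encryptor. ComposeTransmissionKey
// must give the same key on every device, so it uses no root key. Diversify covers the
// second/third keys (first key + random factor, step 204) and the seed keys (step V2).
func (e *Encryptor) ComposeFirstKey(c [][]byte) int { return e.store(derive(e.root, "first-key", bytes.Join(c, nil))) }
func (e *Encryptor) ComposeTransmissionKey(c [][]byte) int { return e.store(derive(nil, "transmission-key", bytes.Join(c, nil))) }
func (e *Encryptor) Diversify(idx int, factor []byte) int { return e.store(derive(e.keys[idx], "diversify", factor)) }

// Seal/Open: AES-256-GCM with a random 12-byte nonce prepended; aad binds the
// ciphertext to its purpose (the token serial number, or the "wrapped-key" label).
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func (e *Encryptor) Seal(idx int, plaintext, aad []byte) []byte {
	nonce := random(12)
	return append(nonce, aead(e.keys[idx]).Seal(nil, nonce, plaintext, aad)...)
}
func (e *Encryptor) Open(idx int, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(e.keys[idx]).Open(nil, ct[:12], ct[12:], aad)
}

// ExportKey wraps a stored key under a transmission key (steps T2/U2); only the wrapped form leaves.
func (e *Encryptor) ExportKey(transIdx, keyIdx int) []byte { return e.Seal(transIdx, e.keys[keyIdx], []byte("wrapped-key")) }

// RecoverSeed is the receiving side (Figs. 5 and 6): rebuild the transmission key from its
// cards, unwrap the device key into this encryptor, diversify by serial, open the seed.
func (e *Encryptor) RecoverSeed(cards [][]byte, wrapped, seedCt, serial []byte) ([]byte, error) {
	k, err := e.Open(e.ComposeTransmissionKey(cards), wrapped, []byte("wrapped-key"))
	if err != nil {
		return nil, err
	}
	return e.Open(e.Diversify(e.store(k), serial), seedCt, serial)
}

// Demo runs the whole distribution and reports whether the second device (token side)
// and the third device (authentication server) recover the same seed.
func Demo() (bool, error) {
	serial := []byte("1000000001") // constructed token serial number
	e1 := NewEncryptor()
	k1 := e1.ComposeFirstKey(threeCards())                               // first key storage cards
	k2, k3 := e1.Diversify(k1, random(16)), e1.Diversify(k1, random(16)) // per-device keys
	t1Cards, t2Cards := threeCards(), threeCards()                       // transmission key storage cards
	wrappedK2 := e1.ExportKey(e1.ComposeTransmissionKey(t1Cards), k2)    // second key storage card
	wrappedK3 := e1.ExportKey(e1.ComposeTransmissionKey(t2Cards), k3)    // third key storage card
	seed := random(20)
	disc1 := e1.Seal(e1.Diversify(k2, serial), seed, serial) // first seed ciphertext -> first disc
	disc2 := e1.Seal(e1.Diversify(k3, serial), seed, serial) // second seed ciphertext -> second disc
	seed2, err := NewEncryptor().RecoverSeed(t1Cards, wrappedK2, disc1, serial) // second device
	if err != nil {
		return false, err
	}
	seed3, err := NewEncryptor().RecoverSeed(t2Cards, wrappedK3, disc2, serial) // third device
	if err != nil {
		return false, err
	}
	return bytes.Equal(seed, seed2) && bytes.Equal(seed2, seed3), nil
}

func main() { fmt.Println(Demo()) }
```

Because the seed ciphertext is sealed with the serial number as associated data and under a key diversified by that serial, a disc entry replayed against another serial fails to open, and a reordered or missing transmission-key card changes the rebuilt transmission key so the unwrap fails with an authentication error instead of silently yielding a wrong second key. That fail-closed behaviour is what a practitioner should require of the "preset decryption algorithms" the text leaves unspecified.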
This embodiment provides a method by which the first device generates the first key, as shown in Fig. 1, comprising:
Step 101: the first device waits to receive first key components entered by users;
In this embodiment there may be one or more first key components, entered by one or more users.
This embodiment is illustrated with the first device receiving first key components entered by 3 users respectively.
Step 102: when the first device receives the first key components entered by the users, it checks whether the first key components are valid; if so, it performs step 104, otherwise step 103;
In this embodiment, when the first device receives first key components entered by multiple users, it checks each user's first key component: if the length of each user's first key component equals a first preset length, the first key components are valid and step 104 is performed; otherwise the first key components are invalid and step 103 is performed. The first preset length is 16 bytes.
When the first device receives a single first key component entered by a user, it checks that component alone: if its length equals the first preset length, it is valid and step 104 is performed; otherwise it is invalid and step 103 is performed. The first preset length is 16 bytes.
For example, the first device receives first key components entered by 3 users, namely first key component 1, first key component 2 and first key component 3, where:
First key component 1 is: 4F12FE71E26C73B1062DF7570EC0E9B5;
First key component 2 is: 25229969BEF71E26C73B1DE43A203CEF;
First key component 3 is: 1EE1C054625D4FA25BA61AA0371E7AEC;
The length of each first key component is 16 bytes, so the first key components are valid.
Step 103: the first device prompts that the first key component is invalid and returns to step 101;
Step 104: the first device stores the first key components in first key storage cards;
In this embodiment, the first device stores the first key component entered by each user in a different first key storage card.
Specifically, the first device stores first key component 1 in first key storage card 1, first key component 2 in first key storage card 2, and first key component 3 in first key storage card 3.
If the encryptor of the first device is damaged, the first device can read the first key component from each first key storage card and recover the first key. If some or even all of the first key storage cards fall into the hands of an unauthorised party, the correct first key still cannot be generated without the remaining first key storage cards or without knowing the order of the cards; this protects the first key.
For example, the data stored in first key storage card 1 is: 4F12FE71E26C73B1062DF7570EC0E9B5;
The data stored in first key storage card 2 is: 25229969BEF71E26C73B1DE43A203CEF;
The data stored in first key storage card 3 is: 1EE1C054625D4FA25BA61AA0371E7AEC.
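The statement above, that an attacker holding some or even all of the first key storage cards still cannot rebuild the first key without the remaining cards or their order, holds only for a composition algorithm that is order-sensitive. The classic key-component ceremony XORs the components, and XOR is commutative: every card is needed, but the order in which they are entered is irrelevant. The Go snippet below is an added example (not from the patent) that feeds the three component values quoted above into both an XOR composition and a hash-chained composition (SHA-256 is this example's choice; the patent's preset algorithm is not disclosed) and reports which of the two changes when the cards are reordered. The root key held inside the encryptor, mentioned at step 106, is the extra secret that stops the cards alone from reproducing the first key; it is left out here to isolate the ordering point.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// The three first key components from the worked example above, one per key storage card.
var cards = [][]byte{
	mustHex("4F12FE71E26C73B1062DF7570EC0E9B5"),
	mustHex("25229969BEF71E26C73B1DE43A203CEF"),
	mustHex("1EE1C054625D4FA25BA61AA0371E7AEC"),
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// ComposeXOR is the classic component ceremony, K = c1 XOR c2 XOR ... XOR cN.
// Every card is needed, but because XOR is commutative their order is irrelevant.
func ComposeXOR(components [][]byte) []byte {
	out := make([]byte, len(components[0]))
	for _, c := range components {
		for i := range out {
			out[i] ^= c[i]
		}
	}
	return out
}

// ComposeChained folds the components in sequence, K = H(...H(H(c1) || c2)... || cN),
// truncated to 16 bytes. A missing card or a different order changes the result,
// which is the property the passage above relies on. SHA-256 is this example's assumption.
func ComposeChained(components [][]byte) []byte {
	var acc []byte
	for _, c := range components {
		sum := sha256.Sum256(append(acc, c...))
		acc = sum[:]
	}
	return acc[:16]
}

// OrderMatters reports whether compose yields a different key when the cards are reordered.
func OrderMatters(compose func([][]byte) []byte) bool {
	reordered := [][]byte{cards[2], cards[0], cards[1]}
	return !bytes.Equal(compose(cards), compose(reordered))
}

func main() {
	fmt.Printf("XOR key     %x  order matters: %v\n", ComposeXOR(cards), OrderMatters(ComposeXOR))
	fmt.Printf("chained key %x  order matters: %v\n", ComposeChained(cards), OrderMatters(ComposeChained))
}
```

If the "preset algorithm" of step 106 is a plain XOR, the security argument reduces to "all cards plus the encryptor's root key"; if card order is meant to count, the composition must chain or otherwise position-bind the components, and the ceremony procedure must record that order somewhere recoverable, or the backup path of step 104 fails together with the encryptor.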
Step 105: the first device sends a compose-first-key instruction to the encryptor of the first device;
Step 106: the encryptor of the first device receives the compose-first-key instruction, generates the first key from the first key components, the root key held inside the encryptor and a preset algorithm, generates a first key index number, stores the first key and the first key index number, and returns the first key index number;
In this embodiment, after the encryptor of the first device has generated the first key it returns the first key index number and records the correspondence between the first key and the first key index number. The first key never leaves the encryptor, which improves its security.
For example, the encryptor of the first device returns first key index number 1;
Step 107: the first device receives the first key index number and saves it in the first device database.
This step is followed by: the first device checks whether the first key index number was saved in the first device database successfully; if so, it ends; otherwise the first device prompts that the first key was not saved, and ends.
For example, the first device receives first key index number 1 and saves first key index number 1 in the first device database.
In the present embodiment, a method by which the first equipment generates the second key is also provided, as shown in Figure 2, comprising:
Step 201: when the first equipment receives the second device name input by the user, it judges whether the first cipher key index number exists in the first device database; if yes, perform step 203; otherwise perform step 202;
This step can also be: when the first equipment receives the second device name input by the user, the first equipment sends an instruction to detect the first key to the encryption equipment of the first equipment and, according to the detection result returned by the encryption equipment of the first equipment, judges whether the first key exists in the encryption equipment of the first equipment; if yes, perform step 203; otherwise perform step 202;
For example: when the first equipment receives the second device name input by the user, it judges that the first cipher key index number 1 exists in the first device database.
Step 202: the first equipment prompts that the first key does not exist, and the process ends;
Step 203: the first equipment generates a random number, uses the generated random number as the second key dispersion factor, sends an instruction to generate the second key to the encryption equipment of the first equipment, and performs step 204;
Specifically, the first equipment generates a random number whose length equals the first preset length and uses it as the second key dispersion factor.
For example: the first equipment generates a random number of 16 bytes and uses it as the second key dispersion factor; the second key dispersion factor is: 366FD043A6EFD64954F7D062DF7570E3.
Step 204: the encryption equipment of the first equipment receives the instruction to generate the second key, disperses the second key dispersion factor according to the first key and the default second key dispersion algorithm to generate the second key, generates the second cipher key index number, stores the second key and the second cipher key index number, and returns the second cipher key index number;
In the present embodiment, the first key used to generate the second key is kept in the encryption equipment of the first equipment, so the first key used to generate the second key is secure; after generation, the second key is likewise kept in the encryption equipment of the first equipment and does not leave it, which further ensures the security of the second key.
For example: after the encryption equipment of the first equipment generates the second key, it generates the second cipher key index number 11, stores the second key and the second cipher key index number 11, and returns the second cipher key index number 11;
Step 205: the first equipment receives the second cipher key index number and saves the second device name, the second key dispersion factor and the second cipher key index number in the first device database;
In the present embodiment, the first equipment saves the second device name, the second key dispersion factor and the second cipher key index number in the first device database, thereby establishing the correspondence between the second cipher key index number, the second key dispersion factor and the second key.
For example: the first equipment saves the received second cipher key index number 11, the second device name and the second key dispersion factor 366FD043A6EFD64954F7D062DF7570E3 in the first device database;
Step 206: the first equipment judges whether the second device name, the second key dispersion factor and the second cipher key index number were successfully saved in the first device database; if yes, perform step 207; otherwise the first equipment prompts that saving the second key dispersion factor failed, and the process ends;
Step 207: the first equipment generates the first transmission security key composition factor and sends an instruction to generate the first transmission security key to the encryption equipment of the first equipment;
In the present embodiment, there may be one or more first transmission security key composition factors;
In the present embodiment, the case of generating 3 first transmission security key composition factors is used for illustration: the first equipment generates 3 random numbers of the first preset length and uses them respectively as first transmission security key composition factor 1, first transmission security key composition factor 2 and first transmission security key composition factor 3;
For example: first transmission security key composition factor 1 is: 09F05BA61AA0371EBEF71E26C73B1DE5;
First transmission security key composition factor 2 is: 7DBA75D38FA99411C054625D4FA25BA6;
First transmission security key composition factor 3 is: 0AF949F2172D79A6D0893B4031B5AECF;
Step 208: the encryption equipment of the first equipment receives the instruction to generate the first transmission security key and generates the first transmission security key according to the first transmission security key composition factor(s) and the default first transmission security key composition algorithm;
For example: the encryption equipment of the first equipment receives the instruction to generate the first transmission security key and generates the first transmission security key according to first transmission security key composition factor 1, first transmission security key composition factor 2, first transmission security key composition factor 3 and the default first transmission security key composition algorithm;
Step 209: the encryption equipment of the first equipment encrypts the second key according to the first transmission security key and the default second key encryption algorithm, obtains the encrypted second key, and returns the encrypted second key;
In the present embodiment, the encryption equipment of the first equipment generates the first transmission security key from the randomly generated first transmission security key composition factor(s) and the default first transmission security key composition algorithm, encrypts the second key with the first transmission security key to obtain the encrypted second key, and exports the encrypted second key in ciphertext form, which ensures security during transmission of the second key.
For example: the encrypted second key is: 476FF1580DED8DC53F8A31FB1B855A88;
Step 210: the first equipment receives the encrypted second key, stores the encrypted second key in the second key storage card, and stores the first transmission security key composition factor in the first transmission security key storage card.
In the present embodiment, when there are multiple first transmission security key composition factors, each first transmission security key composition factor is stored in a different first transmission security key storage card;
Because the first equipment stores each first transmission security key composition factor in a different first transmission security key storage card, every first transmission security key storage card is indispensable when the second equipment synthesizes the first transmission security key, and the data read from the cards must be spliced in one unique order; consequently, even if any one or all of the first transmission security key storage cards are obtained by an unauthorized person, the correct first transmission security key still cannot be synthesized.
In the present embodiment, the case of 3 first transmission security key composition factors is described: first transmission security key composition factor 1, first transmission security key composition factor 2 and first transmission security key composition factor 3 are stored in first transmission security key storage card 1, first transmission security key storage card 2 and first transmission security key storage card 3 respectively.
For example: the data in the second key storage card are: 476FF1580DED8DC53F8A31FB1B855A8899B15C1029A4C746676224DF7E00E68B.
The data in first transmission security key storage card 1 are: 09F05BA61AA0371EBEF71E26C73B1DE5;
The data in first transmission security key storage card 2 are: 7DBA75D38FA99411C054625D4FA25BA6;
The data in first transmission security key storage card 3 are: 0AF949F2172D79A6D0893B4031B5AECF.
In the present embodiment, a method by which the first equipment generates the third key is also provided, as shown in Figure 3, comprising:
Step 301: when the first equipment receives the third device name input by the user, it judges whether the first cipher key index number exists in the first device database; if yes, perform step 303; otherwise perform step 302;
This step can also be: when the first equipment receives the third device name input by the user, the first equipment sends an instruction to detect the first key to the encryption equipment of the first equipment and, according to the detection result returned by the encryption equipment of the first equipment, judges whether the first key exists in the encryption equipment of the first equipment; if yes, perform step 303; otherwise perform step 302;
For example: when the first equipment receives the third device name input by the user, it judges that the first cipher key index number 1 exists in the first device database.
Step 302: the first equipment prompts that the first key does not exist, and the process ends;
Step 303: the first equipment generates a random number, uses the generated random number as the third key dispersion factor, sends an instruction to generate the third key to the encryption equipment of the first equipment, and performs step 304;
Specifically, the first equipment generates a random number whose length equals the first preset length and uses it as the third key dispersion factor;
For example: the first equipment generates a random number of 16 bytes and uses it as the third key dispersion factor; the third key dispersion factor is: BE9427A4ADE31F5B893B4031B0BA9829.
Step 304: the encryption equipment of the first equipment receives the instruction to generate the third key, disperses the third key dispersion factor according to the first key and the default third key dispersion algorithm to generate the third key, generates the third cipher key index number, stores the third key and the third cipher key index number, and returns the third cipher key index number;
In the present embodiment, the first key used to generate the third key is kept in the encryption equipment of the first equipment, so the first key used to generate the third key is secure; after generation, the third key is likewise kept in the encryption equipment of the first equipment and does not leave it, which further ensures the security of the third key.
For example: after the encryption equipment of the first equipment generates the third key, it generates the third cipher key index number 12, stores the third key and the third cipher key index number 12, and returns the third cipher key index number 12;
Step 305: the first equipment receives the third cipher key index number and saves the third device name, the third key dispersion factor and the third cipher key index number in the first device database;
In the present embodiment, the first equipment saves the third device name, the third key dispersion factor and the third cipher key index number in the first device database, thereby establishing the correspondence between the third cipher key index number, the third key dispersion factor and the third key.
For example: the first equipment saves the received third cipher key index number 12, the third device name and the third key dispersion factor BE9427A4ADE31F5B893B4031B0BA9829 in the first device database;
Step 306: the first equipment judges whether the third device name, the third key dispersion factor and the third cipher key index number were successfully saved in the first device database; if yes, perform step 307; otherwise the first equipment prompts that saving the third key dispersion factor failed, and the process ends.
Step 307: the first equipment generates the second transmission security key composition factor and sends an instruction to generate the second transmission security key to the encryption equipment of the first equipment;
In the present embodiment, there may be one or more second transmission security key composition factors;
The case of generating 3 second transmission security key composition factors is used for illustration: the first equipment generates 3 random numbers of the first preset length and uses them respectively as second transmission security key composition factor 1, second transmission security key composition factor 2 and second transmission security key composition factor 3;
For example: second transmission security key composition factor 1 is: 09F05BA61AA0371EBEF71E26C73B1DE5;
Second transmission security key composition factor 2 is: 7DBA75D38FA99411C054625D4FA25BA6;
Second transmission security key composition factor 3 is: 0AF949F2172D79A6D0893B4031B5AECF;
Step 308: the encryption equipment of the first equipment receives the instruction to generate the second transmission security key and generates the second transmission security key according to the second transmission security key composition factor(s) and the default second transmission security key composition algorithm;
For example: the encryption equipment of the first equipment receives the instruction to generate the second transmission security key and generates the second transmission security key according to second transmission security key composition factor 1, second transmission security key composition factor 2, second transmission security key composition factor 3 and the default second transmission security key composition algorithm;
Step 309: the encryption equipment of the first equipment encrypts the third key according to the second transmission security key and the default third key encryption algorithm, obtains the encrypted third key, and returns the encrypted third key;
In the present embodiment, the encryption equipment of the first equipment generates the second transmission security key from the randomly generated second transmission security key composition factor(s) and the default second transmission security key composition algorithm, encrypts the third key with the second transmission security key to obtain the encrypted third key, and exports the encrypted third key in ciphertext form, which ensures security during transmission of the third key.
For example: the encrypted third key is: 01CADBF5F019C0D230B15B6A4B049BCF;
Step 310: the first equipment receives the encrypted third key, stores the encrypted third key in the third key storage card, stores the second transmission security key composition factor in the second transmission security key storage card, and ends.
In the present embodiment, when there are multiple second transmission security key composition factors, each second transmission security key composition factor is stored in a different second transmission security key storage card;
Because the first equipment stores each second transmission security key composition factor in a different second transmission security key storage card, every second transmission security key storage card is indispensable when the third equipment synthesizes the second transmission security key, and the data read from the cards must be spliced in one unique order; consequently, even if any one or all of the second transmission security key storage cards are obtained by an unauthorized person, the correct second transmission security key still cannot be synthesized.
For example: the data in the third key storage card are: 01CADBF5F019C0D230B15B6A4B049BCF1B1859085B01F9679B77413704EBCACF;
The data in second transmission security key storage card 1 are: 09F05BA61AA0371EBEF71E26C73B1DE5;
The data in second transmission security key storage card 2 are: 7DBA75D38FA99411C054625D4FA25BA6;
The data in second transmission security key storage card 3 are: 0AF949F2172D79A6D0893B4031B5AECF.
In the present embodiment, a method by which the first equipment generates seed data and exports the seed data is also provided, as shown in Figure 4, comprising:
Step 401: the first equipment waits to obtain the second device name, the third device name and the token serial number generation rule selected by the user;
In the present embodiment, the first equipment displays the second device names, the third device names and the token serial number generation rules stored in advance, and waits for the user to select.
Step 402: the first equipment obtains the seed amount according to the token serial number generation rule, sets the seed count value to its initial value, and sets the duplicate serial number count value to its initial value;
Step 403: the first equipment sets the current token serial number according to the token serial number generation rule and judges whether the current token serial number already exists in the first device database; if yes, perform step 404; otherwise perform step 407;
Here the seed amount is contained in the token serial number generation rule.
For example: the token serial number is: 201014019727;
Step 404: the first equipment updates the duplicate serial number count value and performs step 405;
Step 405: the first equipment updates the seed count value and judges whether the seed count value equals the seed amount; if yes, perform step 406; otherwise return to step 403;
Preferably, the first equipment takes the seed count value plus 1 as the updated seed count value.
Step 406: the first equipment judges whether the first seed ciphertext and the second seed ciphertext exist; if yes, the first equipment organizes the information to be displayed according to the duplicate serial number count value and the seed amount, displays the information, clears the duplicate serial number count value and the seed count value, saves the first seed ciphertext and token serial number to the first CD, saves the second seed ciphertext and token serial number to the second CD, and ends.
In the present embodiment, the first equipment organizes the first seed ciphertext and token serial number into a file in xml format and saves it to the first CD, and organizes the second seed ciphertext and token serial number into a file in xml format and saves it to the second CD.
For example: the first equipment judges that the first seed ciphertext and the second seed ciphertext exist, the duplicate serial number count value is 0 and the seed amount is 1; the organized information to be displayed is: seeds generated: 1; duplicate serial numbers: 0; the first equipment then clears the duplicate serial number count value and the seed count value. The data saved to the first CD, the first seed ciphertext and token serial number, are:
First seed ciphertext:
5A4AC1B9281B40833A01D7A4560717E85585B1EC3BF74761569CA79CB034F616;
Token serial number: 201014019727;
The data saved to the second CD, the second seed ciphertext and token serial number, are:
Second seed ciphertext:
CDE6281F6F60FC90C5EE878047F10295178AF17500AB82488E62E13F0C54921E;
Token serial number: 201014019727.
Step 407: the first equipment sends an instruction to generate seed data to the encryption equipment of the first equipment;
Step 408: the encryption equipment of the first equipment receives the instruction to generate seed data, generates the seed data, and returns a generate-seed response;
In the present embodiment, on receiving the instruction to generate seed data, the encryption equipment of the first equipment generates a random number of the second preset length and uses it as the seed data; preferably, the second preset length is 32 bytes.
For example: the seed data are:
91B064B31AECC22F764C98F8E09298C192BA040EFEE5D08510EC8938CB4ACB4F;
Step 409: the first equipment receives the generate-seed response and judges from the generate-seed response whether the seed was generated successfully; if yes, perform step 410; otherwise the first equipment prompts a seed generation error and returns to step 403;
In the present embodiment, the first equipment judges whether the seed was generated successfully according to the response code in the generate-seed response: if the response code is 9000, perform step 410; otherwise the first equipment prompts a seed generation error and returns to step 403;
Step 410: the first equipment obtains the second cipher key index number from the first device database according to the second device name and sends the first encrypt-seed instruction to the encryption equipment of the first equipment; obtains the third cipher key index number from the first device database according to the third device name and sends the second encrypt-seed instruction to the encryption equipment of the first equipment; and performs step 411;
For example: the second cipher key index number obtained is 11; the third cipher key index number obtained is 12;
Step 411: the encryption equipment of the first equipment receives the first encrypt-seed instruction and the second encrypt-seed instruction, obtains the second key according to the second cipher key index number, disperses the token serial number with the second key using the default second key dispersion algorithm to obtain the first seed encryption key, obtains the third key according to the third cipher key index number, and disperses the token serial number with the third key using the default third key dispersion algorithm to obtain the second seed encryption key;
For example: the encryption equipment of the first equipment obtains the second key according to the second cipher key index number 11 and disperses the token serial number 201014019727 with the second key using the default second key dispersion algorithm to obtain the first seed encryption key; it obtains the third key according to the third cipher key index number 12 and disperses the token serial number 201014019727 with the third key using the default third key dispersion algorithm to obtain the second seed encryption key;
Step 412: the encryption equipment of the first equipment encrypts the seed data according to the default first seed encryption algorithm and the first seed encryption key to obtain the first seed ciphertext, encrypts the seed data according to the default second seed encryption algorithm and the second seed encryption key to obtain the second seed ciphertext, returns the first encrypt-seed response and the second encrypt-seed response, and performs step 413;
For example, the first seed ciphertext is:
5A4AC1B9281B40833A01D7A4560717E85585B1EC3BF74761569CA79CB034F616;
The second seed ciphertext is:
CDE6281F6F60FC90C5EE878047F10295178AF17500AB82488E62E13F0C54921E;
Step 413: the first equipment receives the first encrypt-seed response and the second encrypt-seed response and judges whether the seed data were encrypted successfully; if yes, perform step 414; otherwise the first equipment prompts that encrypting the seed data failed and returns to step 403;
Specifically:
Step b1: the first equipment receives the first encrypt-seed response and the second encrypt-seed response;
Step b2: the first equipment judges from the first encrypt-seed response whether the seed data were encrypted successfully; if yes, perform step b3; otherwise it prompts that encrypting the seed data failed and returns to step 403;
Step b3: the first equipment judges from the second encrypt-seed response whether the seed data were encrypted successfully; if yes, perform step 414; otherwise it prompts that encrypting the seed data failed and returns to step 403;
Step 414: the first equipment obtains the first seed ciphertext from the first encrypt-seed response and saves the first seed ciphertext and token serial number in the first device database; it obtains the second seed ciphertext from the second encrypt-seed response and saves the second seed ciphertext and token serial number in the first device database;
For example: the first seed ciphertext 5A4AC1B9281B40833A01D7A4560717E85585B1EC3BF74761569CA79CB034F616 and token serial number 201014019727 are saved in the first device database, and the second seed ciphertext CDE6281F6F60FC90C5EE878047F10295178AF17500AB82488E62E13F0C54921E and token serial number 201014019727 are saved in the first device database;
Step 415: the first equipment judges whether the first seed ciphertext and token serial number, and the second seed ciphertext and token serial number, were successfully saved in the first device database; if yes, return to step 405; otherwise the first equipment prompts a save failure message and returns to step 414.
In the present embodiment, after saving the first seed ciphertext and token serial number in the first device database the first equipment obtains a first response code, and after saving the second seed ciphertext and token serial number in the first device database it obtains a second response code; whether the first seed ciphertext and token serial number, and the second seed ciphertext and token serial number, were successfully saved in the first device database is judged from the first response code and the second response code: if the first response code and the second response code are both 9000, return to step 405; otherwise the first equipment prompts a save failure message and returns to step 414.
The present embodiment also provides a method for importing the seed data into the second equipment, as shown in Figure 5, comprising:
Step 501: the second equipment obtains the first transmission security key composition factor from the first transmission security key storage card and sends an instruction to generate the first transmission security key to the encryption equipment of the second equipment;
Described for the case of 3 first transmission security key storage cards: the second equipment obtains first transmission security key composition factor 1, first transmission security key composition factor 2 and first transmission security key composition factor 3 from first transmission security key storage card 1, first transmission security key storage card 2 and first transmission security key storage card 3 respectively, and sends an instruction to generate the first transmission security key to the encryption equipment of the second equipment;
For example: first transmission security key composition factor 1 obtained from first transmission security key storage card 1 is: 09F05BA61AA0371EBEF71E26C73B1DE5;
First transmission security key composition factor 2 obtained from first transmission security key storage card 2 is: 7DBA75D38FA99411C054625D4FA25BA6;
First transmission security key composition factor 3 obtained from first transmission security key storage card 3 is: 0AF949F2172D79A6D0893B4031B5AECF.
Step 502: the encryption equipment of the second equipment receives the instruction to generate the first transmission security key, generates the first transmission security key according to the first transmission security key composition factor(s) and the default first transmission security key composition algorithm, generates the first transmission security key index number, and returns the first transmission security key index number;
In the present embodiment, the encryption equipment of the second equipment receives the instruction to generate the first transmission security key, generates the first transmission security key according to first transmission security key composition factor 1, first transmission security key composition factor 2, first transmission security key composition factor 3 and the default first transmission security key composition algorithm, generates the first transmission security key index number, and returns the first transmission security key index number; the first transmission security key index number is returned to the second equipment so that the second equipment can carry out the next operation.
Step 503: the second equipment obtains the encrypted second key from the second key storage card and sends an instruction to decrypt the second key to the encryption equipment of the second equipment;
For example: the encrypted second key obtained by the second equipment from the second key storage card is: 476FF1580DED8DC53F8A31FB1B855A88;
Step 504: the encryption equipment of the second equipment receives the instruction to decrypt the second key and decrypts the encrypted second key according to the default second key decryption algorithm and the first transmission security key to obtain the second key;
Step 505: the second equipment obtains the first seed ciphertext and token serial number from the first CD and sends an instruction to decrypt the first seed ciphertext to the encryption equipment of the second equipment;
In the present embodiment, the first seed ciphertext obtained from the first CD is a file in xml format; this xml file contains one or more first seed ciphertexts, each first seed ciphertext corresponding to one token serial number;
For example: the first seed ciphertext the second equipment obtains from the first CD is: 5A4AC1B9281B40833A01D7A4560717E85585B1EC3BF74761569CA79CB034F616;
The token serial number the second equipment obtains from the first CD is: 201014019727;
Step 506: the encryption equipment of the second equipment receives the instruction to decrypt the first seed ciphertext, disperses the token serial number with the second key using the default second key dispersion algorithm to obtain the first seed decryption key, decrypts the first seed ciphertext according to the first seed decryption key and the default first seed decryption algorithm to obtain the seed plaintext, and returns the seed plaintext;
For example: the seed plaintext obtained is:
91B064B31AECC22F764C98F8E09298C192BA040EFEE5D08510EC8938CB4ACB4F;
Step 507: the second equipment receives the seed plaintext, generates an OTP password according to the seed plaintext and the default password generation algorithm, organizes an authentication request comprising the OTP password and the token serial number, sends the authentication request to the third equipment, and ends;
In the present embodiment, a kind of method seed data being imported to the 3rd equipment is also provided, as shown in Figure 6, comprises:
Step 601: when the 3rd equipment receives authentication request, obtain token serial number from authentication request, obtain the second seed ciphertext according to token serial number from the 3rd device databases, the encryption equipment to the 3rd equipment sends the instruction of deciphering second seed ciphertext;
Such as: the 3rd equipment from authentication request to token serial number be: 201014019727, according to the second seed ciphertext that token serial number gets from the 3rd device databases be: CDE6281F6F60FC90C5EE878047F10295178AF17500AB82488E62E13F 0C54921E;
In this embodiment, before the seed data is imported into the third device, the third device management center also decrypts the third key, as shown in Figure 7, comprising:
Step 601': the third device management center obtains the second transmission security key composition factor from the second transmission security key storage card and sends a generate-second-transmission-security-key instruction to the encryptor of the third device;
In this embodiment, the third device obtains second transmission security key composition factor 1, composition factor 2 and composition factor 3 from second transmission security key storage card 1, storage card 2 and storage card 3 respectively, and sends the generate-second-transmission-security-key instruction to the encryptor of the third device;
For example: the second transmission security key composition factor 1 obtained from second transmission security key storage card 1 is 09F05BA61AA0371EBEF71E26C73B1DE5;
the second transmission security key composition factor 2 obtained from second transmission security key storage card 2 is 7DBA75D38FA99411C054625D4FA25BA6;
the second transmission security key composition factor 3 obtained from second transmission security key storage card 3 is 0AF949F2172D79A6D0893B4031B5AECF.
Step 602': the encryptor of the third device receives the generate-second-transmission-security-key instruction, generates the second transmission security key from the second transmission security key composition factors according to the preset second transmission security key composition algorithm, generates a second transmission security key call number, and returns the second transmission security key call number;
In this embodiment, the second transmission security key call number is returned to the third device management center so that the third device management center can carry out the next operation.
Step 603': the third device management center receives the second transmission security key call number, obtains the encrypted third key from the third key storage card, and sends a decrypt-third-key instruction to the encryptor of the third device;
For example: the encrypted third key obtained from the third key storage card is 01CADBF5F019C0D230B15B6A4B049BCF;
Step 604': the encryptor of the third device receives the decrypt-third-key instruction, decrypts the encrypted third key with the second transmission security key according to the preset third key decryption algorithm, and obtains the third key;
Step 605': the third device management center obtains the second seed ciphertext and the token serial number from the second CD and saves the second seed ciphertext and the token serial number in the third device database;
Specifically, the third device management center obtains a seed file from the second CD, traverses the second seed ciphertexts and token serial numbers in the seed file, and saves them in the third device database; the seed file may be a file with the .zip suffix;
For example: the second seed ciphertext that the third device management center obtains from the second CD is CDE6281F6F60FC90C5EE878047F10295178AF17500AB82488E62E13F0C54921E, and the token serial number it obtains from the second CD is 201014019727;
Step 606': the third device management center judges whether the second seed ciphertext and the token serial number were saved in the third device database successfully; if so, the procedure ends; otherwise the third device management center prompts that saving the second seed ciphertext failed and ends.
In this embodiment, the third device management center receives a response code after saving the second seed ciphertext and the token serial number in the third device database, and judges from the response code whether the save succeeded: if the response code is 9000, the save succeeded and the procedure ends; otherwise the third device management center prompts that saving the second seed ciphertext failed and ends.
Step 602: the encryptor of the third device receives the decrypt-second-seed-ciphertext instruction, disperses the token serial number with the third key using the preset third key dispersion algorithm to obtain the second seed decryption key, decrypts the second seed ciphertext with the second seed decryption key according to the preset second seed decryption algorithm, obtains the seed plaintext, and returns the seed plaintext;
For example: the seed plaintext obtained is:
91B064B31AECC22F764C98F8E09298C192BA040EFEE5D08510EC8938CB4ACB4F;
Step 603: the third device receives the seed plaintext, generates password data to be authenticated from the seed plaintext according to the preset password generation algorithm, and obtains the OTP password from the authentication request;
Step 604: the third device judges whether the password data to be authenticated is identical to the OTP password; if so, step 605 is performed; otherwise step 606 is performed;
Step 605: the third device sends a verification success to the third device management center and ends;
In this embodiment, when the third device management center receives the verification success, it prompts that verification succeeded.
Step 606: the third device sends a verification failure to the third device management center and ends. In this embodiment, when the third device management center receives the verification failure, it prompts that verification failed.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (23)

1. A method for securely distributing a seed, characterized by comprising:
when a first device receives a first key composition factor input by a user, the first device calls the encryptor of the first device, and the encryptor of the first device generates a first key from the first key composition factor;
when the first device receives a second device name input by the user, step T1 is performed;
Step T1: the first device generates a second key dispersion factor and calls the encryptor of the first device; the encryptor of the first device generates a second key and a second key index number from the first key and the second key dispersion factor and saves them; the first device obtains the second key index number from the encryptor of the first device and saves the second device name, the second key dispersion factor and the second key index number;
Step T2: the first device generates a first transmission security key composition factor and calls the encryptor of the first device; the encryptor of the first device generates a first transmission security key from the first transmission security key composition factor, encrypts the second key with the first transmission security key, and obtains the encrypted second key; the first device obtains the encrypted second key from the encryptor of the first device;
when the first device receives a third device name input by the user, step U1 is performed;
Step U1: the first device generates a third key dispersion factor and calls the encryptor of the first device; the encryptor of the first device generates a third key and a third key index number from the first key and the third key dispersion factor and saves them; the first device obtains the third key index number from the encryptor of the first device and saves the third device name, the third key dispersion factor and the third key index number;
Step U2: the first device generates a second transmission security key composition factor and calls the encryptor of the first device; the encryptor of the first device generates a second transmission security key from the second transmission security key composition factor, then encrypts the third key with the second transmission security key and obtains the encrypted third key; the first device obtains the encrypted third key from the encryptor of the first device;
when the first device receives the second device name, the third device name and the token serial number generation rule selected by the user, step V1 is performed;
Step V1: the first device sets a token serial number according to the token serial number generation rule and calls the encryptor of the first device; the encryptor of the first device generates seed data and obtains a generate-seed response; the first device obtains the generate-seed response from the encryptor of the first device;
Step V2: the first device obtains the second key index number from the second device name and calls the encryptor of the first device; the encryptor of the first device obtains the second key from the second key index number and disperses the token serial number with the second key to obtain a first seed encryption key; the first device obtains the third key index number from the third device name and calls the encryptor of the first device; the encryptor of the first device obtains the third key from the third key index number and disperses the token serial number with the third key to obtain a second seed encryption key;
Step V3: the first device calls the encryptor of the first device; the encryptor of the first device encrypts the seed data with the first seed encryption key to obtain a first seed ciphertext, and encrypts the seed data with the second seed encryption key to obtain a second seed ciphertext;
Step V4: the first device obtains the first seed ciphertext from the encryptor of the first device and saves the first seed ciphertext together with the token serial number, obtains the second seed ciphertext from the encryptor of the first device and saves the second seed ciphertext together with the token serial number, and ends.
2. The method of claim 1, characterized in that, when the first device receives the first key composition factor input by the user, the method further comprises:
the first device judges whether the first key composition factor is legal; if so, the first device calls the encryptor of the first device and the encryptor of the first device generates the first key from the first key composition factor; otherwise the first device prompts that the first key composition factor is illegal.
3. The method of claim 2, characterized in that the first device judging whether the first key composition factor is legal specifically comprises: when the first device receives first key composition factors input by one or more users, the first key composition factor input by each user is judged; if the length of the first key composition factor input by every user equals a first preset length, the first key composition factor is legal; otherwise the first key composition factor is illegal.
4. The method of claim 1, characterized in that the first device calling the encryptor of the first device and the encryptor of the first device generating the first key from the first key composition factor specifically comprises:
the first device sends a synthesize-first-key instruction to the encryptor of the first device;
the encryptor of the first device receives the synthesize-first-key instruction, generates the first key from the first key composition factor, an internally stored root key and a preset algorithm, generates a first key index number, saves the first key and the first key index number, and returns the first key index number to the first device;
the first device receives the first key index number.
5. The method of claim 4, characterized in that, after the first device saves the first key index number, the method further comprises:
the first device judges whether the first key index number was saved successfully; if so, the current operation ends; otherwise the first device prompts that saving the first key failed and ends.
6. The method of claim 1, characterized in that the first device calling the encryptor of the first device, the encryptor of the first device generating and saving the second key and the second key index number from the first key and the second key dispersion factor, and the first device obtaining the second key index number from the encryptor of the first device specifically comprises:
the first device sends a generate-second-key instruction to the encryptor of the first device;
the encryptor of the first device receives the generate-second-key instruction, disperses the second key dispersion factor with the first key according to a preset second key dispersion algorithm to generate the second key, generates the second key index number, saves the second key and the second key index number, and returns the second key index number to the first device;
the first device receives the second key index number.
7. The method of claim 1, characterized in that, after the first device saves the second device name, the second key dispersion factor and the second key index number, the method further comprises:
the first device judges whether the second device name, the second key dispersion factor and the second key index number were saved successfully; if so, step T2 is performed; otherwise the first device prompts that saving the second key dispersion factor failed and ends.
8. The method of claim 1, characterized in that step T2 specifically comprises:
the first device generates a random number, uses it as the first transmission security key composition factor, and sends a generate-first-transmission-security-key instruction to the encryptor of the first device;
the encryptor of the first device receives the generate-first-transmission-security-key instruction and generates the first transmission security key from the first transmission security key composition factor according to a preset first transmission security key composition algorithm;
the encryptor of the first device encrypts the second key with the first transmission security key according to a preset second key encryption algorithm, obtains the encrypted second key, and returns the encrypted second key to the first device;
the first device receives the encrypted second key.
9. The method of claim 1, characterized in that the first device calling the encryptor of the first device, the encryptor of the first device generating and saving the third key and the third key index number from the first key and the third key dispersion factor, and the first device obtaining the third key index number from the encryptor of the first device specifically comprises:
the first device sends a generate-third-key instruction to the encryptor of the first device;
the encryptor of the first device receives the generate-third-key instruction, disperses the third key dispersion factor with the first key according to a preset third key dispersion algorithm to generate the third key, generates the third key index number, saves the third key and the third key index number, and returns the third key index number to the first device;
the first device receives the third key index number.
10. The method of claim 1, characterized in that, after the first device saves the third device name, the third key dispersion factor and the third key index number, the method further comprises:
the first device judges whether the third device name, the third key dispersion factor and the third key index number were saved successfully; if so, step U2 is performed; otherwise the first device prompts that saving the third key dispersion factor failed and ends.
11. The method of claim 1, characterized in that step U2 specifically comprises:
the first device generates a random number, uses it as the second transmission security key composition factor, and sends a generate-second-transmission-security-key instruction to the encryptor of the first device;
the encryptor of the first device receives the generate-second-transmission-security-key instruction and generates the second transmission security key from the second transmission security key composition factor according to a preset second transmission security key composition algorithm;
the encryptor of the first device encrypts the third key with the second transmission security key according to a preset third key encryption algorithm, obtains the encrypted third key, and returns the encrypted third key to the first device;
the first device receives the encrypted third key.
12. The method of claim 1, characterized in that the first device calling the encryptor of the first device, the encryptor of the first device generating the seed data and obtaining the generate-seed response, and the first device obtaining the generate-seed response from the encryptor of the first device specifically comprises:
the first device sends a generate-seed-data instruction to the encryptor of the first device;
the encryptor of the first device receives the generate-seed-data instruction, generates the seed data, and returns the generate-seed response to the first device;
the first device receives the generate-seed response.
13. The method of claim 1, characterized in that, after step V1, the method further comprises:
the first device judges from the generate-seed response whether the seed was generated successfully; if so, step V2 is performed; otherwise the first device prompts a seed generation error and sets a token serial number again according to the token serial number generation rule.
14. The method of claim 1, characterized in that the first device calling the encryptor of the first device, the encryptor of the first device obtaining the second key from the second key index number and dispersing the token serial number with the second key to obtain the first seed encryption key specifically comprises:
the first device sends a first encrypt-seed instruction to the encryptor of the first device;
the encryptor of the first device receives the first encrypt-seed instruction, obtains the second key from the second key index number, and disperses the token serial number with the second key using the preset second key dispersion algorithm to obtain the first seed encryption key.
15. The method of claim 1, characterized in that the first device calling the encryptor of the first device, the encryptor of the first device obtaining the third key from the third key index number and dispersing the token serial number with the third key to obtain the second seed encryption key specifically comprises:
the first device sends a second encrypt-seed instruction to the encryptor of the first device;
the encryptor of the first device receives the second encrypt-seed instruction, obtains the third key from the third key index number, and disperses the token serial number with the third key using the preset third key dispersion algorithm to obtain the second seed encryption key.
16. The method of claim 1, characterized in that step V3 specifically comprises:
the encryptor of the first device encrypts the seed data with the first seed encryption key according to a preset first seed encryption algorithm to obtain the first seed ciphertext, encrypts the seed data with the second seed encryption key according to a preset second seed encryption algorithm to obtain the second seed ciphertext, and returns a first encrypt-seed response and a second encrypt-seed response to the first device.
17. The method of claim 16, characterized in that, after step V3, the method further comprises:
the first device receives the first encrypt-seed response and the second encrypt-seed response and judges whether the seed data were encrypted successfully; if so, step V4 is performed; otherwise the first device prompts that encrypting the seed data failed and sets a token serial number again according to the token serial number generation rule.
18. The method of claim 1, characterized in that, after step V4, the method further comprises:
the first device judges whether the first seed ciphertext, the token serial number and the second seed ciphertext were saved successfully; if so, the procedure ends; otherwise the first device prompts that saving failed and returns to step V4.
19. The method of claim 1, characterized in that setting a token serial number according to the token serial number generation rule specifically comprises:
the first device obtains the seed quantity according to the token serial number generation rule, sets a seed count value to its initial value, sets a duplicate serial number count value to its initial value, and sets a token serial number according to the token serial number generation rule;
after the first device sets the token serial number according to the token serial number generation rule, the method further comprises:
Step m1: the first device judges whether the token serial number already exists; if so, the first device updates the duplicate serial number count value and performs step m2; otherwise the first device calls the encryptor of the first device, the encryptor of the first device generates seed data and obtains a generate-seed response, the first device obtains the generate-seed response from the encryptor of the first device and performs step V2; and after step V4 the method further comprises returning to step m2;
Step m2: the first device updates the seed count value and judges whether the seed count value equals the seed quantity; if so, the procedure ends; otherwise the first device sets a token serial number again according to the token serial number generation rule and performs step m1.
20. The method of claim 1, characterized in that:
after step T2, the method further comprises: the first device stores the encrypted second key in a second key storage card and stores the first transmission security key composition factor in a first transmission security key storage card;
after step U2, the method further comprises: the first device stores the encrypted third key in a third key storage card and stores the second transmission security key composition factor in a second transmission security key storage card;
after step V4, the method further comprises: the first device saves the first seed ciphertext and the token serial number to a first CD, and saves the second seed ciphertext and the token serial number to a second CD.
21. The method of claim 20, characterized by further comprising:
a second device obtains the first transmission security key composition factor from the first transmission security key storage card and calls the encryptor of the second device;
the encryptor of the second device generates the first transmission security key and a first transmission security key call number from the first transmission security key composition factor according to the preset first transmission security key composition algorithm;
the second device obtains the first transmission security key call number from the encryptor of the second device;
the second device obtains the encrypted second key from the second key storage card and calls the encryptor of the second device;
the encryptor of the second device decrypts the encrypted second key with the first transmission security key according to a preset second key decryption algorithm and obtains the second key;
the second device obtains the first seed ciphertext and the token serial number from the first CD and calls the encryptor of the second device;
the encryptor of the second device disperses the token serial number with the second key using the preset second key dispersion algorithm to obtain a first seed decryption key, decrypts the first seed ciphertext with the first seed decryption key according to a preset first seed decryption algorithm, and obtains the seed plaintext;
the second device obtains the seed plaintext from the encryptor of the second device, generates an OTP password from the seed plaintext according to a preset password generation algorithm, assembles an authentication request comprising the OTP password and the token serial number, sends the authentication request to a third device, and ends.
22. The method of claim 21, characterized by further comprising:
a third device management center obtains the second transmission security key composition factor from the second transmission security key storage card and calls the encryptor of the third device;
the encryptor of the third device generates the second transmission security key and a second transmission security key call number from the second transmission security key composition factor according to the preset second transmission security key composition algorithm;
the third device management center obtains the second transmission security key call number from the encryptor of the third device, obtains the encrypted third key from the third key storage card, and calls the encryptor of the third device;
the encryptor of the third device decrypts the encrypted third key with the second transmission security key according to a preset third key decryption algorithm and obtains the third key;
the third device management center obtains the second seed ciphertext and the token serial number from the second CD and saves the second seed ciphertext and the token serial number;
when the third device receives an authentication request, it obtains the token serial number from the authentication request, obtains the second seed ciphertext according to the token serial number, and calls the encryptor of the third device;
the encryptor of the third device disperses the token serial number with the third key using the preset third key dispersion algorithm to obtain a second seed decryption key, decrypts the second seed ciphertext with the second seed decryption key according to a preset second seed decryption algorithm, and obtains the seed plaintext;
the third device obtains the seed plaintext from the encryptor of the third device, generates password data to be authenticated from the seed plaintext according to the preset password generation algorithm, obtains the OTP password from the authentication request, and judges whether the password data to be authenticated is identical to the OTP password; if so, it sends a verification success to the third device management center and ends; otherwise it sends a verification failure to the third device management center and ends.
23. The method of claim 22, characterized in that, after the third device management center saves the second seed ciphertext and the token serial number, the method further comprises:
the third device management center judges whether the second seed ciphertext and the token serial number were saved successfully; if so, the procedure ends; otherwise it prompts that saving the second seed ciphertext failed and ends.
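The key hierarchy of claims 1, 21 and 22 and of steps 601'-606' and 602-606 of the embodiment above, carried end to end as an added illustration. This is example code written for this page, not the patent's or Feitian's implementation. Wherever the patent only says "preset algorithm" the code assumes a concrete choice: key components are combined by XOR, "dispersing" a key with a factor is HMAC-SHA256 truncated to 16 bytes, key and seed encryption is a CTR construction with an HMAC-SHA256 keystream and a random nonce, and the OTP algorithm is HOTP (RFC 4226) with an event counter carried in the authentication request. The function names, the device-name dispersion factors and every sample value other than the three quoted second-transmission-key components, the token serial number 201014019727 and the quoted seed plaintext are constructed; the ciphertexts it produces therefore do not match the ones quoted in the embodiment.

```python
"""Seed distribution key hierarchy in the style of CN104579680A (added example, assumed algorithms).
Assumptions: XOR key-component combination, HMAC-SHA256 key dispersion, HMAC-CTR encryption,
HOTP as the 'preset password generation algorithm'. Sample values are constructed unless noted."""
import hashlib
import hmac
import os
import struct
from functools import reduce

def combine_components(components):
    """Combine equal-length key components into one key (assumed rule: XOR; length check as in claim 3)."""
    if not components or any(len(c) != len(components[0]) for c in components):
        raise ValueError("key components must be non-empty and of equal length")
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), components)

def diversify(parent, factor):
    """Disperse a parent key with a factor (device name or token serial number)."""
    return hmac.new(parent, factor, hashlib.sha256).digest()[:16]

def _ctr(key, nonce, data):
    """Keystream XOR: block i of the keystream is HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key, plaintext):
    nonce = os.urandom(16)            # fresh nonce per message, prepended to the ciphertext
    return nonce + _ctr(key, nonce, plaintext)

def decrypt(key, ciphertext):
    return _ctr(key, ciphertext[:16], ciphertext[16:])

def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP, assumed here as the preset password generation algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def first_device_provision(first_key_parts, dev2_factor, dev3_factor, serial, seed, tk1_parts, tk2_parts):
    """Claim 1, steps T1-V4 on the first device: derive keys, encrypt the seed twice, wrap both keys."""
    first_key = combine_components(first_key_parts)
    second_key = diversify(first_key, dev2_factor)        # T1: key for the second device
    third_key = diversify(first_key, dev3_factor)         # U1: key for the third device
    tk1 = combine_components(tk1_parts)                   # T2: first transmission security key
    tk2 = combine_components(tk2_parts)                   # U2: second transmission security key
    return {
        "token_serial": serial,
        "first_seed_ciphertext": encrypt(diversify(second_key, serial.encode()), seed),   # V2/V3
        "second_seed_ciphertext": encrypt(diversify(third_key, serial.encode()), seed),   # V2/V3
        "encrypted_second_key": encrypt(tk1, second_key),  # goes to the second key storage card
        "encrypted_third_key": encrypt(tk2, third_key),    # goes to the third key storage card
    }

def second_device_authenticate(tk1_parts, encrypted_second_key, first_seed_ciphertext, serial, counter):
    """Claim 21: the token side unwraps its key, recovers the seed and builds an authentication request."""
    second_key = decrypt(combine_components(tk1_parts), encrypted_second_key)
    seed = decrypt(diversify(second_key, serial.encode()), first_seed_ciphertext)
    return {"token_serial": serial, "counter": counter, "otp": hotp(seed, counter)}

def third_device_verify(tk2_parts, encrypted_third_key, seed_db, request):
    """Steps 601'-604' then 601-606 (claim 22): unwrap the third key, recover the seed, check the OTP."""
    third_key = decrypt(combine_components(tk2_parts), encrypted_third_key)   # 601'-604'
    serial = request["token_serial"]
    ciphertext = seed_db.get(serial)                                          # 601: lookup by serial
    if ciphertext is None:
        return False
    seed = decrypt(diversify(third_key, serial.encode()), ciphertext)         # 602
    expected = hotp(seed, request["counter"])                                 # 603
    return hmac.compare_digest(expected, request["otp"])                      # 604-606

def demo():
    """End-to-end run; returns True when the third device accepts the second device's OTP."""
    tk2_parts = [bytes.fromhex(h) for h in (
        "09F05BA61AA0371EBEF71E26C73B1DE5",   # the three second-transmission-key components
        "7DBA75D38FA99411C054625D4FA25BA6",   # quoted in the embodiment
        "0AF949F2172D79A6D0893B4031B5AECF")]
    tk1_parts = [os.urandom(16)]                          # constructed first-transmission-key component
    first_key_parts = [os.urandom(16), os.urandom(16)]    # constructed first-key components
    serial = "201014019727"                               # token serial number from the embodiment
    seed = bytes.fromhex("91B064B31AECC22F764C98F8E09298C192BA040EFEE5D08510EC8938CB4ACB4F")
    pkg = first_device_provision(first_key_parts, b"device-2", b"device-3", serial, seed, tk1_parts, tk2_parts)
    request = second_device_authenticate(tk1_parts, pkg["encrypted_second_key"],
                                         pkg["first_seed_ciphertext"], serial, counter=1)
    seed_db = {serial: pkg["second_seed_ciphertext"]}     # the third device database of claim 22
    return third_device_verify(tk2_parts, pkg["encrypted_third_key"], seed_db, request)
```

What the layout buys a defender is visible in `third_device_verify`: the seed is stored only under a per-token key, that key is derived from a device key which is stored only wrapped under a transmission security key, and that transmission key exists only as separately held components, so a copy of the second CD, of the third key storage card or of one transmission-key storage card alone yields nothing. The toy HMAC-CTR cipher stands in for the encryptor's own algorithm and gives no integrity protection; a real deployment would use the HSM's authenticated cipher, and the per-token key derivation is what keeps each seed ciphertext under a distinct key.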
CN201410802304.XA 2014-12-19 2014-12-19 A kind of method of secure distribution seed Active CN104579680B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410802304.XA CN104579680B (en) 2014-12-19 2014-12-19 A kind of method of secure distribution seed

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410802304.XA CN104579680B (en) 2014-12-19 2014-12-19 A kind of method of secure distribution seed

Publications (2)

Publication Number Publication Date
CN104579680A true CN104579680A (en) 2015-04-29
CN104579680B CN104579680B (en) 2018-03-09

Family

ID=53094959

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410802304.XA Active CN104579680B (en) 2014-12-19 2014-12-19 A kind of method of secure distribution seed

Country Status (1)

Country Link
CN (1) CN104579680B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812127A (en) * 2016-05-24 2016-07-27 飞天诚信科技股份有限公司 NFC dynamic token and working method thereof
CN105897405A (en) * 2016-06-02 2016-08-24 北京赛思信安技术股份有限公司 128-bit symmetric secret key production and protection method
CN107026729A (en) * 2015-12-17 2017-08-08 罗伯特·博世有限公司 Method and apparatus for transmitting software
CN110084051A (en) * 2019-04-29 2019-08-02 京工博创(北京)科技有限公司 A kind of data ciphering method and system
CN110351292A (en) * 2019-03-05 2019-10-18 腾讯科技(深圳)有限公司 Private key management method, device, equipment and storage medium
CN111586023A (en) * 2020-04-30 2020-08-25 广州市百果园信息技术有限公司 Authentication method, authentication equipment and storage medium
CN112272095A (en) * 2020-12-24 2021-01-26 飞天诚信科技股份有限公司 Distributed key distribution method and system for real-time communication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020108041A1 (en) * 2001-01-10 2002-08-08 Hideaki Watanabe Public key certificate issuing system, public key certificate issuing method, information processing apparatus, information recording medium, and program storage medium
CN102404119A (en) * 2011-10-27 2012-04-04 深圳市文鼎创数据科技有限公司 Setting method of dynamic token secret key factors, dynamic token and server
CN102891753A (en) * 2012-09-25 2013-01-23 深圳市文鼎创数据科技有限公司 Dynamic token initializing method and device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107026729A (en) * 2015-12-17 2017-08-08 Robert Bosch GmbH Method and apparatus for transmitting software
CN107026729B (en) * 2015-12-17 2021-08-17 Robert Bosch GmbH Method and device for transmitting software
CN105812127A (en) * 2016-05-24 2016-07-27 Feitian Technologies Co Ltd NFC dynamic token and working method thereof
CN105897405A (en) * 2016-06-02 2016-08-24 Beijing Saisi Xin'an Technology Co Ltd 128-bit symmetric key generation and protection method
CN105897405B (en) * 2016-06-02 2019-04-05 Beijing Saisi Xin'an Technology Co Ltd 128-bit symmetric key generation and protection device
CN110351292A (en) * 2019-03-05 2019-10-18 Tencent Technology (Shenzhen) Co Ltd Private key management method, device, equipment and storage medium
CN110351292B (en) * 2019-03-05 2020-08-25 Tencent Technology (Shenzhen) Co Ltd Private key management method, device, equipment and storage medium
CN110084051A (en) * 2019-04-29 2019-08-02 Jinggong Bochuang (Beijing) Technology Co Ltd Data encryption method and system
CN111586023A (en) * 2020-04-30 2020-08-25 Guangzhou Baiguoyuan Information Technology Co Ltd Authentication method, authentication equipment and storage medium
CN111586023B (en) * 2020-04-30 2022-05-31 Guangzhou Baiguoyuan Information Technology Co Ltd Authentication method, authentication equipment and storage medium
CN112272095A (en) * 2020-12-24 2021-01-26 Feitian Technologies Co Ltd Distributed key distribution method and system for real-time communication
CN112272095B (en) * 2020-12-24 2021-03-16 Feitian Technologies Co Ltd Distributed key distribution method and system for real-time communication

Also Published As

Publication number Publication date
CN104579680B (en) 2018-03-09

Similar Documents

Publication Publication Date Title
CN104579680A (en) Method for safe distribution of seed
CN109151053A (en) Anti-quantum-computing cloud storage method and system based on a public asymmetric key pool
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN109150519A (en) Anti-quantum-computing cloud storage security control method and system based on a public key pool
CN105553951A (en) Data transmission method and data transmission device
CN204360381U (en) Mobile device
CN112804205A (en) Data encryption method and device and data decryption method and device
CN113067823B (en) Mail user identity authentication and key distribution method, system, device and medium
CN105406969A (en) Apparatus And Method For Data Encryption
CN107645378A (en) Key management platform, communication encrypting method and terminal
CN102833075A (en) Identity authentication and digital signature method based on three-layered overlapping type key management technology
CN103701596A (en) Document access method, system and equipment and document access request response method, system and equipment
CN103378971A (en) Data encryption system and method
CN108509787A (en) Program authentication method
CN104901803A (en) Data interaction safety protection method based on CPK identity authentication technology
CN101325483B (en) Method and apparatus for updating symmetrical cryptographic key, symmetrical ciphering method and symmetrical deciphering method
CN105791258A (en) Data transmission method, terminal and open platform
CN115883052A (en) Data encryption method, data decryption method, device and storage medium
CN111404953A (en) Message encryption method, message decryption method, related devices and related systems
CN107528689A (en) Password modification method based on a UKey
CN114186249A (en) Computer file security encryption method, computer file security decryption method and readable storage medium
CN108540486A (en) The generation of cloud key and application method
CN102916810A (en) Method, system and apparatus for authenticating sensor
CN113722741A (en) Data encryption method and device and data decryption method and device
CN104253692B (en) Key management method and device based on SE

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant