TW201520821A - Expandable confidential key management system - Google Patents


Publication number
TW201520821A
Authority
TW
Taiwan
Application number
TW102142918A
Other languages
Chinese (zh)
Other versions
TWI560578B (en)
Inventor
Hsiao-Shan Huang
Ming-Hsin Chang
Chia-Ling Chien
Chin-Song Wu
Gan-How Chang
Original Assignee
Chunghwa Telecom Co Ltd

Abstract

This invention provides an expandable confidential key management system. Using a master-slave architecture, it stores keys and confidential data inside hardware cryptographic modules and distributes derived keys as the basis for encrypted transmission, giving an effective and secure implementation architecture for key management. The system comprises a central control module and a secondary cryptographic module. The central control module manages the permissions of the secondary cryptographic module, the process for accessing keys and confidential data, and the encryption of stored data. The secondary cryptographic module stores the keys and confidential data, which eliminates the step of encrypting data before placing it in a database. Secondary cryptographic modules can be added as needed, so a suitable number of modules can be set up for each system's needs, and the clear division between control and storage allows keys to be managed effectively.

Description

Expandable confidential key management system

The present invention relates to a key management system; specifically, to an expandable confidential key management system that uses cryptographic modules to build a master-slave key storage architecture for controlling stored keys and confidential data. Data is stored under the high-security mechanisms of the cryptographic modules and accessed according to permissions, thereby achieving control.

The commonly known way of storing confidential data encrypts it in software and controls access rights in software. Such a software encryption mechanism shares resources with the access mechanism; besides degrading storage performance, a software-based deployment also greatly increases the chance that the confidential data will be cracked. A more advanced approach encrypts confidential data with a hardware cryptographic module, which improves on the resource sharing between encryption and access. However, because storage methods vary from site to site, permission control depends on how it is planned together with the storage method, and poor permission control greatly increases the security risk to confidential data.

A similar concept is mentioned in the following prior patent: 20090240956. Applications that use a cryptographic module for storage, on the other hand, are built on the above concept and therefore still carry the security risk of confidential data being stolen; similar concepts are mentioned in the following prior patents: 491981, 20080130880.

The conventional approaches above therefore still have many shortcomings; they are not good designs and need to be improved.

In view of the shortcomings of the conventional approaches above, the inventors sought to improve and innovate, and after years of painstaking research succeeded in completing the present invention.

The present invention provides an expandable confidential key management system in which a suitable number of modules can be added as needed so that storage resources are used effectively, and in which a master-slave architecture provides distributed storage with centralized management. Once registered, each cryptographic module is assigned a unique derived key. This derived key serves as the bridge for encrypted transmission and as the basis for permission control, preventing logins with illegitimate permissions from stealing confidential data.

To achieve the above object, the expandable confidential key management system of the present invention stores all keys and confidential data in the secure storage space inside the cryptographic modules, which eliminates the step of encrypting data before storing it in a database. Access to keys and confidential data goes through reliable encryption and authentication, securing both the access to and the storage of confidential data.

The present invention adopts a master-slave architecture of cryptographic modules and manages keys effectively by dividing the work between the central control module and the secondary cryptographic modules. The central control module controls the permissions of the secondary cryptographic modules and uses the derived key generated when a secondary cryptographic module registers to decrypt and access keys and confidential data. The secondary cryptographic module stores keys and confidential data, providing a secure storage environment that removes the need to encrypt data for database storage, and its expandability lets storage resources be used effectively.

The expandable confidential key management system proposed by the present invention comprises (1) a central control module and (2) secondary cryptographic modules. The central control module uses the master key of the primary cryptographic module and the identifier of a secondary cryptographic module to generate a unique derived key, and the keys and confidential data of the secondary cryptographic module are encrypted with this derived key when accessed. Only the primary cryptographic module can obtain a secondary cryptographic module's derived key and use it to decrypt keys or confidential data encrypted with that derived key, which secures the data.

Compared with other conventional techniques, the technical features provided by the present invention have the following advantages:

1. The invention makes the cryptographic modules expandable, so physically secure storage resources can be extended effectively. A suitable number of modules is deployed for each system's needs, which avoids both wasted storage resources and exhausted storage space, and achieves distributed storage with centralized management.

2. The invention provides permission control. The central control module assigns the corresponding secondary cryptographic module to handle requests according to the client's permissions, and the primary cryptographic module assigns a unique derived key. This derived key serves as the bridge for encrypted transmission and as the basis for permission control, preventing clients from using illegitimate permissions to steal confidential data.

3. Key generation, access and use all take place inside the key management system, which eliminates the step of encrypting data before storing it in a database, and keys are transmitted under reliable encryption and authentication, securing the confidential data.

102‧‧‧Central control module

104‧‧‧Secondary cryptographic module

112‧‧‧Primary cryptographic module

202‧‧‧Central control module functions

204‧‧‧Secondary cryptographic module functions

212‧‧‧Primary cryptographic module functions

302‧‧‧The secondary cryptographic module generates an asymmetric key pair

304‧‧‧The secondary cryptographic module sends the secondary public key to the central control module

306‧‧‧The central control module sends the master public key of the primary cryptographic module to the secondary cryptographic module

308‧‧‧The primary cryptographic module generates the master key and the identifier and generates a unique derived key

310‧‧‧The central control module sends the identifier and derived key, encrypted with the secondary public key stored in the primary cryptographic module and signed, to the secondary cryptographic module

402‧‧‧The central control module generates an index value and sends it to the secondary cryptographic module

404‧‧‧The secondary cryptographic module generates a key

406‧‧‧The secondary cryptographic module sends the encrypted and signed key identifier and index value to the central control module

408‧‧‧The central control module receives them, has the primary cryptographic module verify the signature of the secondary cryptographic module, and decrypts to obtain the key identifier and index value

410‧‧‧The central control module confirms the index value and then accesses the key identifier

502‧‧‧The central control module generates an index value

504‧‧‧The central control module sends the key identifier and index value, encrypted with the derived key of the primary cryptographic module and signed, to the secondary cryptographic module

506‧‧‧The secondary cryptographic module verifies the signature of the primary cryptographic module and decrypts to obtain the key identifier and index value

508‧‧‧The secondary cryptographic module obtains the key corresponding to the key identifier

510‧‧‧The secondary cryptographic module returns the encrypted and signed key and index value to the central control module

512‧‧‧The central control module, through the primary cryptographic module, verifies the signature of the secondary cryptographic module and decrypts to obtain the key and index value

514‧‧‧The central control module confirms the index value and then accesses the key

The technical content, purpose and effects of the present invention can be further understood from the detailed description and the accompanying drawings, which are as follows:

Fig. 1 is an architecture diagram of the expandable confidential key management system of the present invention.

Fig. 2 is an explanatory schematic diagram of the expandable confidential key management system of the present invention.

Fig. 3 is a flow chart of the registration method of the expandable confidential key management system of the present invention.

Fig. 4 is a flow chart of the key generation method of the expandable confidential key module of the present invention.

Fig. 5 is a flow chart of the method by which the primary cryptographic module of the expandable confidential key module of the present invention controls the secondary cryptographic module's access to keys.

To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and an embodiment. The specific embodiment described here only explains the invention and does not limit it.

The invention is further described below with reference to the drawings. The present invention is an expandable confidential key management system that provides secure storage space for keys and confidential data and assigns unique derived keys as the basis for permission control. The widely used approach today encrypts confidential data with a cryptographic module, but because storage methods vary from site to site, permission control depends on how it is planned together with the storage method, and poor permission control greatly increases the security risk to confidential data. The present invention provides a key management system with effective, secure storage space and good permission control.

Refer to Fig. 1, the architecture diagram of the expandable confidential key management system of the present invention. As Fig. 1 shows, the system is divided into two modules: the central control module 102 and the secondary cryptographic module 104. The central control module 102 contains a primary cryptographic module 112 and controls the permission management of the secondary cryptographic modules 104 and the process for accessing keys and confidential data. The secondary cryptographic module 104 stores keys and confidential data, and the number of secondary cryptographic modules 104 can be expanded as needed. The following sections describe the generation and use of keys, the mounting and registration of a secondary cryptographic module 104, the identity authentication and encryption process of the overall architecture, and how keys are transmitted.

When the system first starts running, the primary cryptographic module 112 must generate a master key and an asymmetric key pair (master public key and master private key). The master key and the master private key are stored in the primary cryptographic module 112. The master key is used to generate the derived keys of the secondary cryptographic modules 104, and the master public key is sent to a secondary cryptographic module 104 when it registers.

Refer to Fig. 2, the explanatory schematic diagram of the expandable confidential key management system of the present invention. As Fig. 2 shows, the central control module functions 202 are handling client request commands and managing the permissions of the secondary cryptographic modules. The primary cryptographic module functions 212 are generating the master key, registering secondary cryptographic modules and generating their derived keys, and decrypting stored keys that a secondary cryptographic module has encrypted. The secondary cryptographic module functions 204 are generating and storing keys and confidential data. This clear division of labor allows keys to be managed effectively.

Refer to Fig. 3, the flow chart of the registration method of the expandable confidential key management system of the present invention. Fig. 3 shows the procedure for mounting a secondary cryptographic module in the confidential key management system. The secondary cryptographic module generates an asymmetric key pair (secondary public key and secondary private key) (302) and sends the secondary public key to the central control module to register (304). After the primary cryptographic module inside the central control module receives it, it sends the master public key to the secondary cryptographic module (306) and generates an identifier. It then combines the master key of the primary cryptographic module with the identifier of this secondary cryptographic module to generate a corresponding derived key (308); each derived key uniquely identifies one secondary cryptographic module. The identifier and the derived key are concatenated, encrypted with the secondary public key, signed with the master private key, and sent to the secondary cryptographic module (310). On receipt, the secondary cryptographic module verifies the signature with the master public key to confirm the identity of the primary cryptographic module, then decrypts the content with the secondary private key and stores the decrypted identifier and derived key in the secondary cryptographic module. This derived key is used to transmit the keys that encrypt confidential data, and it also serves as the basis on which the central control module manages the permissions of the secondary cryptographic module. These steps complete the registration of the secondary cryptographic module.
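The registration exchange of Fig. 3 (steps 302 to 310) as an added Go example; it is not code from the patent. HMAC-SHA256 as the way the master key and identifier are combined, RSA-OAEP, RSA-PSS, 2048-bit keys and the names `deriveKey`, `register`, `accept` and `demo` are assumptions, since the patent names no algorithms.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const idLen = 16 // constructed identifier size in bytes

// deriveKey returns HMAC-SHA256(masterKey, id). The patent only says the master key and
// the identifier are combined; using HMAC for that step is an assumption.
func deriveKey(masterKey, id []byte) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write(id)
	return mac.Sum(nil)
}

// register is the primary module's side of steps 308-310. RSA-OAEP for encryption and
// RSA-PSS for the signature are assumptions; the patent names no algorithms.
func register(masterKey []byte, masterPriv *rsa.PrivateKey, secPub *rsa.PublicKey) (id, ct, sig []byte, err error) {
	id = make([]byte, idLen)
	if _, err = rand.Read(id); err != nil {
		return nil, nil, nil, err
	}
	msg := append(id[:idLen:idLen], deriveKey(masterKey, id)...) // id || derived key
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, secPub, msg, nil); err != nil {
		return nil, nil, nil, fmt.Errorf("encrypt to secondary module: %w", err)
	}
	digest := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, masterPriv, crypto.SHA256, digest[:], nil)
	return id, ct, sig, err
}

// accept is the secondary module's side of step 310: verify the signature with the
// master public key first, then decrypt with the secondary private key.
func accept(secPriv *rsa.PrivateKey, masterPub *rsa.PublicKey, ct, sig []byte) (id, derived []byte, err error) {
	digest := sha256.Sum256(ct)
	if rsa.VerifyPSS(masterPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, nil, errors.New("rejected: signature is not from the primary module")
	}
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, secPriv, ct, nil)
	if err != nil || len(msg) != idLen+sha256.Size {
		return nil, nil, errors.New("rejected: payload is not addressed to this module")
	}
	return msg[:idLen], msg[idLen:], nil
}

// demo registers secondary modules A and B, then offers A's message to B and a
// bit-flipped copy of it to A; both must be rejected.
func demo() (match, distinct bool, crossErr, tamperErr, err error) {
	var k [3]*rsa.PrivateKey // primary, secondary A, secondary B
	for i := range k {
		if k[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	masterKey := make([]byte, 32)
	if _, err = rand.Read(masterKey); err != nil {
		return
	}
	_, ctA, sigA, err := register(masterKey, k[0], &k[1].PublicKey)
	if err != nil {
		return
	}
	idA, keyA, err := accept(k[1], &k[0].PublicKey, ctA, sigA)
	if err != nil {
		return
	}
	_, ctB, sigB, err := register(masterKey, k[0], &k[2].PublicKey)
	if err != nil {
		return
	}
	_, keyB, err := accept(k[2], &k[0].PublicKey, ctB, sigB)
	if err != nil {
		return
	}
	_, _, crossErr = accept(k[2], &k[0].PublicKey, ctA, sigA) // B is handed A's message
	ctA[0] ^= 1                                               // flip one ciphertext bit
	_, _, tamperErr = accept(k[1], &k[0].PublicKey, ctA, sigA)
	return bytes.Equal(keyA, deriveKey(masterKey, idA)), !bytes.Equal(keyA, keyB), crossErr, tamperErr, nil
}

func main() {
	match, distinct, crossErr, tamperErr, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("A's key matches re-derivation:", match, "| A and B keys differ:", distinct)
	fmt.Println("B given A's message:", crossErr, "| bit-flipped message:", tamperErr)
}
```

Because the derived key is a function of the master key and the identifier, the primary module can recompute it on demand, and a registration message encrypted to module A is useless to module B even though its signature is valid.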

After a client logs in through the host, the central control module assigns, according to the client's permissions, the corresponding secondary cryptographic module to receive and respond to the client's request commands, and issues an index. The index is encrypted with the derived key, signed with the master private key, and sent to the secondary cryptographic module. The secondary cryptographic module verifies the signature to confirm identity and decrypts with the derived key to obtain the index. The index serves to process the request commands of this client login, and its lifetime ends when the client has completed its request commands and logged out. These steps complete the identity confirmation between the central control module and the secondary cryptographic module; both the key generation process and the key access process below use this identity confirmation.

Refer to Fig. 4, the flow chart of the key generation method of the expandable confidential key module of the present invention. Fig. 4 shows the procedure by which the central control module of the management system controls key generation by a secondary cryptographic module. Keys are generated and stored only inside secondary cryptographic modules. When the system receives a client's request to generate a key, the central control module issues an index to the corresponding secondary cryptographic module (402), requesting key generation. Once generated, the key is stored in the secondary cryptographic module and a corresponding key identifier is produced (404). The key identifier is concatenated with the index value, encrypted with the derived key, signed with the secondary private key, and returned to the central control module (406). After the primary cryptographic module verifies the signature to confirm identity, it decrypts with the derived key to obtain the key identifier and index value (408). After the index value is verified as belonging to the corresponding client's command, the key identifier is returned to the client (410).

Refer to Fig. 5, the flow chart of the method by which the primary cryptographic module of the expandable confidential key module of the present invention controls the secondary cryptographic module's access to keys. As Fig. 5 shows, when the system receives a client's request to obtain a key or confidential data, the primary cryptographic module receives the index value issued by the central control module (502), concatenates the key identifier with the index value, encrypts them with the derived key, signs with the master private key, and sends the result to the secondary cryptographic module (504). The secondary cryptographic module verifies and decrypts to obtain the key identifier and index value (506) and retrieves the key corresponding to the key identifier (508). It concatenates this key with the index value, encrypts them with the derived key, signs, and returns the result to the central control module (510). The primary cryptographic module verifies and decrypts to obtain the key and index value (512), and after the index value is confirmed the key is obtained (514). The key is provided to the client for applications such as encryption and decryption, digital signatures and verification, which completes the key retrieval process.
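The index-bound retrieval of Fig. 5 (steps 502 to 514) as an added Go example, not code from the patent; the key generation flow of Fig. 4 uses the same envelope. AES-256-GCM under the derived key, Ed25519 signatures, the index||payload layout and all names are assumptions, and the derived key and the stored key are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const indexLen = 16 // constructed size of the per-request index value
type party struct {
	aead cipher.AEAD        // AES-256-GCM under the derived key (cipher is an assumption)
	priv ed25519.PrivateKey // this side's signing key (Ed25519 is an assumption)
	peer ed25519.PublicKey  // the other side's verification key
}

// seal encrypts payload under the derived key, then signs the ciphertext.
func (p party) seal(payload []byte) (ct, sig []byte, err error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct = p.aead.Seal(nonce, nonce, payload, nil) // nonce travels in front of the ciphertext
	return ct, ed25519.Sign(p.priv, ct), nil
}

// open verifies the peer's signature first, then decrypts with the derived key.
func (p party) open(ct, sig []byte) ([]byte, error) {
	n := p.aead.NonceSize()
	if len(ct) < n || !ed25519.Verify(p.peer, ct, sig) {
		return nil, errors.New("rejected: bad signature")
	}
	return p.aead.Open(nil, ct[:n], ct[n:], nil)
}

// request (steps 502-504): issue a fresh index and seal index||keyID.
func (p party) request(keyID string) (index, ct, sig []byte, err error) {
	index = make([]byte, indexLen)
	if _, err = rand.Read(index); err == nil {
		ct, sig, err = p.seal(append(index[:indexLen:indexLen], keyID...))
	}
	return index, ct, sig, err
}

// serve (steps 506-510): open index||keyID, look the key up, return index||key sealed.
func (p party) serve(store map[string][]byte, ct, sig []byte) ([]byte, []byte, error) {
	req, err := p.open(ct, sig)
	if err != nil || len(req) <= indexLen {
		return nil, nil, errors.New("rejected: unreadable request")
	}
	if key, ok := store[string(req[indexLen:])]; ok {
		return p.seal(append(req[:indexLen:indexLen], key...))
	}
	return nil, nil, fmt.Errorf("rejected: unknown key identifier %q", req[indexLen:])
}

// accept (steps 512-514): release the key only for the index this request issued.
func (p party) accept(index, ct, sig []byte) ([]byte, error) {
	resp, err := p.open(ct, sig)
	if err != nil {
		return nil, err
	}
	if len(resp) < indexLen || !bytes.Equal(resp[:indexLen], index) {
		return nil, errors.New("rejected: index does not match this request")
	}
	return resp[indexLen:], nil
}

// newLink builds the central (c) and secondary (s) ends from a 32-byte derived key.
func newLink(derived []byte) (c, s party, err error) {
	block, err := aes.NewCipher(derived)
	if err == nil {
		c.aead, err = cipher.NewGCM(block)
	}
	if err == nil {
		s.peer, c.priv, err = ed25519.GenerateKey(rand.Reader) // central's key pair
	}
	if err == nil {
		c.peer, s.priv, err = ed25519.GenerateKey(rand.Reader) // secondary's key pair
	}
	s.aead = c.aead
	return c, s, err
}

func main() {
	c, s, err := newLink(bytes.Repeat([]byte{0x42}, 32)) // constructed derived key
	if err != nil {
		panic(err)
	}
	idx, ct, sig, _ := c.request("key-0001") // a failed step surfaces as a rejection in accept
	rct, rsig, _ := s.serve(map[string][]byte{"key-0001": []byte("constructed secret")}, ct, sig)
	key, err := c.accept(idx, rct, rsig)
	_, replayErr := c.accept(make([]byte, indexLen), rct, rsig) // same response, other index
	fmt.Printf("key=%q err=%v replay=%v\n", key, err, replayErr)
}
```

The signature is what stops a request from being echoed back as its own response, and the index check is what stops an old, validly signed response from answering a new request.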

The detailed description above specifically describes one feasible embodiment of the present invention. That embodiment does not limit the patent scope of the invention; any equivalent implementation or modification that does not depart from the spirit of the invention shall be included in the patent scope of this case.

In summary, this case is not only innovative in its technical concept but also provides the several effects described above that conventional methods cannot match. It fully meets the statutory requirements of novelty and inventive step for an invention patent, and the application is filed in accordance with the law. We respectfully ask your Office to approve this invention patent application, so as to encourage invention.


Claims (12)

一種可擴充之機密基碼管理系統,其至少包括:次要密碼模組,掛載於主要密碼模組,儲存基碼與機密資料;一中央控管模組,控管該次要密碼模組之存取權限與流程,並存取基碼與機密資料;以及一主要密碼模組,內建於該中央控管模組,建構一主從式基碼儲存架構,控管儲存之基碼以及機密資料。 An expandable secret base code management system, comprising at least: a secondary password module, mounted on a primary password module, storing a base code and confidential information; and a central control module for controlling the secondary password module Access rights and processes, and access to base code and confidential information; and a primary cryptographic module built into the central control module to construct a master-slave base code storage architecture, control the base code for storage and Confidential information. 如申請專利範圍第1項所述之可擴充之機密基碼管理系統,其中,該中央控管模組控管該次要密碼模組之權限,由其分配對應次要密碼模組存取基碼與機密資料。 The scalable confidential code management system according to claim 1, wherein the central control module controls the authority of the secondary cryptographic module, and the corresponding secondary cryptographic module access base is allocated by the central control module. Code and confidential information. 如申請專利範圍第1項所述之可擴充之機密基碼管理系統,其中,該主要密碼模組於系統運行初期需產生一主基碼與非對稱基碼,且該非對稱基碼係為主公開基碼與主私密基碼,主公開基碼用於傳送給註冊後之次要密碼模組作加密用途,主私密基碼則用於接收來自次要密碼模組之資料解密。 The scalable secret code management system according to claim 1, wherein the primary cryptographic module needs to generate a primary base code and an asymmetric base code in an initial operation of the system, and the asymmetric base code system is mainly The primary base code and the primary private base code are used for transmission to the registered secondary cryptographic module for encryption purposes, and the primary private base code is used for receiving data decryption from the secondary cryptographic module. 如申請專利範圍第1項所述之可擴充之機密基碼管理系統,其中,該次要密碼模組更包括衍生基碼。 The scalable secret code management system of claim 1, wherein the secondary cryptographic module further comprises a derivative base code. 
如申請專利範圍第4項所述之可擴充之機密基碼管理系統,其中,該主要密碼模組針對基碼存取進行加解密與簽章,並儲存該次要密碼模組之衍生基碼。 The scalable secret code management system of claim 4, wherein the primary cryptographic module encrypts and decrypts the base code access, and stores the derivative base code of the secondary cryptographic module. . 如申請專利範圍第1項所述之可擴充之機密基碼管理系統, 其中,該次要密碼模組產製與儲存基碼與機密資料,確保資料儲存於密碼模組內的安全儲存空間。 For example, the scalable confidential code management system described in claim 1 of the patent scope, The secondary cryptographic module generates and stores the base code and the confidential information to ensure that the data is stored in a secure storage space within the cryptographic module. 一種可擴充之機密基碼管理方法,其至少包括:a.註冊方法,用於建立中央控管模組與次要密碼模組之識別關係;b.基碼產製方法;以及c.主要密碼模組控管次要密碼模組存取基碼方法,說明於可擴充之機密基碼館理系統安全存取基碼之方式; An expandable secret base code management method, which at least includes: a. a registration method for establishing an identification relationship between a central control module and a secondary cryptographic module; b. a base code production method; and c. a primary password The module controls the secondary cryptographic module access base code method, and describes the manner of securely accessing the base code in the expandable secret code base system; 一種可擴充之機密基碼模組之註冊方法,透過主要密碼模組分配一獨一無二之衍生基碼,以該衍生基碼為加密傳送橋梁,建構安全傳輸橋梁,且以此為權限控管依據,其步驟至少包括:a.次要密碼模組產生非對稱基碼,且該非對稱基碼係為次公開基碼與次私密基碼,次公開基碼用於傳送給主要密碼模組作加密用途,次私密基碼則用於接收來自主要密碼模組之資料解密。b.該次要密碼模組傳送次公開基碼至該主要密碼模組進行註冊;c.中央控管模組接收該次公開基碼後,儲存於該主要密碼模組內並傳送主公開基碼予該次要密碼模組;d.該主要密碼模組產生一組該次要密碼模組使用的識別碼;e.該主要密碼模組將該主公開基碼與該次要密碼模組之識 別碼結合,產生一組相對應之衍生基碼,並將該識別碼與該衍生基碼串接用該次公開基碼進行加密後,透過該主私密基碼進行簽章並傳送給該次要密碼模組;以及f.該次要密碼模組驗證簽章確認身分,透過該次私密基碼解密,將解密得到的識別碼與該衍生基碼儲存於該次要密碼模組。 A method for registering an extensible secret base code module, assigning a unique derivative base code through a primary cryptographic module, using the derived base code as an encrypted transmission bridge, constructing a secure transmission bridge, and using this as a basis for authority control, The steps include at least: a. 
the secondary cryptographic module generates an asymmetric base code, and the asymmetric base code is a secondary public base code and a secondary private base code, and the secondary public base code is used for transmission to the primary cryptographic module for encryption purposes. The secondary privacy code is used to receive data decryption from the primary cryptographic module. b. The secondary password module transmits the secondary public base code to the primary password module for registration; c. after receiving the public base code, the central control module is stored in the primary password module and transmits the primary disclosure base Code to the secondary password module; d. the primary password module generates a set of identifiers used by the secondary password module; e. the primary password module uses the primary public base code and the secondary password module Knowledge Combining the different codes, generating a corresponding set of derived base codes, and connecting the identification code and the derived base code to the publicized base code for encryption, and then signing and transmitting to the primary private base code And the secondary cryptographic module verifies the signature to confirm the identity, and decrypts the decrypted identification code and the derived base code in the secondary cryptographic module by decrypting the private base code. 如申請專利範圍第7項所述之可擴充之機密基碼模組之註冊方法,其中該衍生基碼係為該中央控管模組控管該次要密碼模組之權限管理依據。 For example, the method for registering the expandable secret base code module described in claim 7 is wherein the derivative base code is the authority management basis for the central control module to control the secondary cryptographic module. 
一種可擴充之機密密碼模組之基碼產製方法,透過該密碼模組自行產生基碼,傳送對應的基碼識別碼至中央控管模組,其步驟至少包括:a.該中央控管模組發出一索引,該索引更包括複數個相對應之索引值,傳送至對應之次要密碼模組,請求產製基碼;b.該次要密碼模組產製基碼儲存於該次要密碼模組,並產生相對應的基碼識別碼;c.該基碼識別碼串接該些索引值,由該衍生基碼加密並透過該次私密基碼簽章回傳該主要密碼模組;d.該中央控管模組經該主要密碼模組驗證簽章確認身分,透過該衍生基碼解密,得到該基碼識別碼與該些索引值;以及e.該中央控管模組確認該些索引值後存取該基碼識別碼。 A base code production method for an expandable secret cryptographic module, the base code is generated by the cryptographic module, and the corresponding base code identification code is transmitted to the central control module, and the steps include at least: a. the central control The module sends an index, the index further includes a plurality of corresponding index values, and is transmitted to the corresponding secondary cryptographic module to request the production base code; b. the secondary cryptographic module production base code is stored at the time Requiring a cryptographic module and generating a corresponding base code identification code; c. the base code identification code is concatenated with the index values, encrypted by the derived base code, and the main cipher mode is returned by the private base code signature The central control module confirms the identity by the main cryptographic module verification signature, and decrypts the derived base code to obtain the base code identification code and the index values; and e. the central control module The base code identification code is accessed after confirming the index values. 如申請專利範圍第10項所述之可擴充之機密密碼模組之基 碼產製方法,使用該索引值係為當次需求之代號,該中央控管模組接收回傳資訊,確認回傳該索引值與需求索引值相同,確認接收資料之正確性。 The basis of the expandable confidential password module as described in claim 10 The code production method uses the index value as the code of the current demand, and the central control module receives the return information, confirms that the index value is the same as the demand index value, and confirms the correctness of the received data. 

A method by which the primary cryptographic module of an expandable confidential base code management system controls the secondary cryptographic module's access to base codes, in which a base code stored in the secondary cryptographic module is obtained by means of its base code identification code and the access is encrypted with the derived base code, the steps further comprising:
a. the central control module generates an index value;
b. the central control module, via the primary cryptographic module, concatenates the base code identification code and the index value, encrypts them with the derived base code, signs with the primary private base code, and transmits the result to the secondary cryptographic module;
c. after verifying the signature to confirm identity, the secondary cryptographic module decrypts with the derived base code to obtain the base code identification code and the index value;
d. the corresponding base code in the secondary cryptographic module is obtained by means of the base code identification code;
e. the base code is concatenated with the index value, encrypted with the derived base code, signed with the secondary private base code, and returned to the central control module;
f. after the central control module, through the primary cryptographic module, verifies the signature to confirm identity, it decrypts with the derived base code to obtain the base code and the index value; and
g. the central control module accesses the base code after confirming the index value.
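
The message envelope that the base code generation and access claims above both rely on (payload concatenated with the index value, encrypted with the derived base code, signed with the sender's private base code, and accepted only when the echoed index value matches), as an added Go example that is not part of the patent text. AES-256-GCM, Ed25519, signing over the ciphertext, the 16-byte index length and the names `seal`, `open` and `idxLen` are assumptions; the claims name no algorithms.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const idxLen = 16 // assumed index-value length in bytes

// seal encrypts payload||index under the derived key (a), then signs the ciphertext.
func seal(a cipher.AEAD, priv ed25519.PrivateKey, payload, index []byte) ([]byte, []byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil || len(index) != idxLen {
		return nil, nil, fmt.Errorf("seal: bad index length or no randomness (%v)", err)
	}
	ct := a.Seal(nonce, nonce, append(append([]byte{}, payload...), index...), nil)
	return ct, ed25519.Sign(priv, ct), nil
}

// open verifies the peer's signature, decrypts, and confirms the index when want != nil.
func open(a cipher.AEAD, peer ed25519.PublicKey, ct, sig, want []byte) (payload, index []byte, err error) {
	n := a.NonceSize()
	if len(ct) < n || !ed25519.Verify(peer, ct, sig) {
		return nil, nil, fmt.Errorf("bad signature or short message")
	}
	pt, err := a.Open(nil, ct[:n], ct[n:], nil)
	if err != nil || len(pt) < idxLen {
		return nil, nil, fmt.Errorf("decrypt failed")
	}
	payload, index = pt[:len(pt)-idxLen], pt[len(pt)-idxLen:]
	if want != nil && !bytes.Equal(index, want) {
		return nil, nil, fmt.Errorf("index mismatch: stale or replayed reply")
	}
	return payload, index, nil
}

func main() { // constructed demo values throughout
	pub, priv, _ := ed25519.GenerateKey(nil)
	blk, _ := aes.NewCipher(make([]byte, 32)) // all-zero derived key, demo only
	a, _ := cipher.NewGCM(blk)
	idx := []byte("0123456789abcdef")
	ct, sig, _ := seal(a, priv, []byte("constructed-base-code"), idx)
	key, _, err := open(a, pub, ct, sig, idx)
	fmt.Println(string(key), err)
}
```

The receiving module calls `open` with `want` set to nil because it has no prior index to compare against, while the requesting side passes the index value it issued, so a valid reply recorded from an earlier request is rejected.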
TW102142918A 2013-11-26 2013-11-26 Expandable confidential key management system TW201520821A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102142918A TW201520821A (en) 2013-11-26 2013-11-26 Expandable confidential key management system

Publications (2)

Publication Number Publication Date
TW201520821A true TW201520821A (en) 2015-06-01
TWI560578B TWI560578B (en) 2016-12-01

Family

ID=53935030

Country Status (1)

Country Link
TW (1) TW201520821A (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020157011A1 (en) * 2001-04-20 2002-10-24 Thomas Iii Fred C. Method and apparatus for secure transmission of identifier for removable storage media
TWI273504B (en) * 2002-04-15 2007-02-11 Stark Technology Inc Processing system and method for financial data and financial transaction system using the same
FR2981239B1 (en) * 2011-10-05 2014-03-14 Ethertrust METHOD FOR SECURELY DOWNLOADING ACCESS KEYS USING A MOBILE DEVICE
US9256734B2 (en) * 2012-04-27 2016-02-09 Broadcom Corporation Security controlled multi-processor system

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees