CN100561916C - Method and system for updating certification key - Google Patents

Method and system for updating certification key

Info

Publication number
CN100561916C
Authority
CN
China
Prior art keywords
authentication key
authentication
server
key
client
Prior art date
Application number
CN 200610169759
Other languages
Chinese (zh)
Other versions
CN101005357A (en
Inventor
于华章
舟 陆
Original Assignee
北京飞天诚信科技有限公司
Application filed by 北京飞天诚信科技有限公司
Priority to CN 200610169759
Publication of CN101005357A
Application granted
Publication of CN100561916C

Abstract

The present invention discloses a method and system for updating an authentication key, belonging to the field of information security. To address the insecurity of transmitting an authentication key over a network in plaintext, and the management burden and high cost of transmitting it in ciphertext, the invention proposes a method for remotely updating an authentication key. The method comprises: the server performs an operation on a random seed and a random number to produce verification data; the server performs an encryption operation on the original authentication key and the verification data, and sends the random seed and the result of the encryption operation to the client; the information security device verifies the correctness of the random seed; the information security device and the server each perform the same encryption operation on the random seed and the original authentication key to generate a new authentication key, and update the authentication key in the information security device and in the server-side database. The invention also provides a system for updating an authentication key.

Description

Method and system for updating an authentication key

TECHNICAL FIELD

The present invention relates to the field of information security, and in particular to a method and system for updating an authentication key.

BACKGROUND

In recent years, with the rapid development of Internet technology and e-commerce, more and more business activity has moved onto the network, for example online government services, online banking and online shopping; at the same time, more and more information involving personal privacy and trade secrets has to be transmitted over the network. However, malicious threats such as viruses, hackers and phishing scams pose great challenges to the security of online transactions, so that network security has become a critical issue.

As security awareness has grown, a variety of cryptographic algorithms have emerged. The commonly used ones are hash algorithms, symmetric encryption algorithms and asymmetric encryption algorithms. A hash algorithm is a one-way algorithm that requires no key; it transforms data of arbitrary length into a fixed-length digest, has a long hash code and resists specific cryptanalytic attacks. Commonly used hash algorithms include the HMAC, MD5, MD2, SHA1 and SHA256 algorithms. In a symmetric encryption algorithm (also called a single-key encryption algorithm) a single key is used both to encrypt and to decrypt information; although single-key encryption is a simple process, both parties must fully trust each other and both must hold a copy of the key, and data encrypted with a symmetric algorithm can be decrypted with that same key. Commonly used symmetric encryption algorithms include DES, 3DES, RC4 and RC5. An asymmetric encryption algorithm (public-key encryption algorithm) uses a pair of keys in the encryption process rather than the single key of symmetric encryption: one key of the pair is used to encrypt and the other to decrypt, i.e. what is encrypted with A is decrypted with B, and what is encrypted with B is decrypted with A. Commonly used asymmetric encryption algorithms include RSA, DSA and elliptic-curve algorithms.

An encryption algorithm usually takes two operands: one may be a random number and the other a preset algorithm factor. If even a single digit of either operand changes, the result of the operation becomes completely different. If one of the operands is a random number, each result of the operation is itself random, which ensures that the result can be transmitted without fear of interception. In addition, in practice a random seed is also used to generate a new operand that takes part in the operation, to achieve higher security; the random seed is itself a random number and is generally used to produce a new operand.

An information security device is a small hardware device with a processor and memory that connects to a computer through the computer's data communication interface. It provides key generation, secure key storage and preset cryptographic algorithms. The key-related operations of the information security device run entirely inside the device, and the device is attack-resistant, so it offers very high security. An information security device is generally connected to the computer through a USB interface and is commonly called a USB KEY or USB Token. Device manufacturers, software developers or end users can store important information in the information security device for security or to avoid forgetting it. At present, higher-end information security devices are programmable, i.e. code stored in the device in advance can be executed inside it.

A hardware identifier, which includes the hardware serial number, is a globally unique identification number defined by the device manufacturer, stored inside the information security device and readable from it. The unique hardware identifier is normally used to distinguish different information security devices.

Information security has attracted increasing attention, and identity authentication is an important part of it. Identity authentication is the process by which a computer or network system confirms the identity of an operator. Computer systems and computer networks form a virtual digital world in which all information, including a user's identity information, is represented by a particular set of data; a computer can only recognise a user's digital identity, and all authorisation granted to a user is authorisation of that digital identity.

The key used for identity authentication is called the authentication key. When an information security device is used for identity authentication, the usual practice is to store the authentication key in the information security device. The authentication process is: the client transmits the authentication key held in the information security device to the server, and the server compares it with the authentication key in its database; if they match, authentication succeeds. The authentication key thus plays a crucial role throughout the authentication process, and the user also needs to update it frequently to maintain security. At present there are mainly two ways of updating an authentication key:

1. Online update: the user goes online and requests the server to update the authentication key; the server generates a new authentication key and sends it over the network to the user's client, which writes it into the information security device. Alternatively, the user goes online, requests the server to update the authentication key, and at the same time sends the modified authentication key over the network to the server, which updates it in its database.

2. Offline update: the user asks the operator to change the key, or reapplies for a new authentication key by reporting the old one lost.

The offline update method is very inconvenient for the user and cannot be done promptly. In the online update method the authentication key must be transmitted over the network. If the authentication key is sent in plaintext, then because it is very sensitive information it can easily be intercepted in transit, and if it is used by an impostor the legitimate user suffers loss, so this is very insecure. If the authentication key is sent as ciphertext, the prior art does this with an asymmetric encryption algorithm: the new authentication key generated by the client is encrypted with a private key, transmitted over the network to the server, and decrypted there with the corresponding public key to obtain the new authentication key for the update. Although this implementation is relatively secure, it incurs a high cost and is cumbersome to manage.

SUMMARY

The method and system for remotely updating an authentication key proposed by the invention solve the insecurity of transmitting the authentication key over the network in plaintext, and the management burden and high cost of transmitting it in ciphertext.

The invention proposes a method for remotely updating an authentication key, comprising the following steps:

Step A: the server obtains a random number and the hardware identifier of the information security device from the client, and generates a random seed; the server obtains the random number from the information security device connected to the client;

Step B: the server performs an operation on the random seed and the random number to produce verification data;

Step C: the server reads the original authentication key from its database according to the hardware identifier of the information security device, performs an encryption operation on the original authentication key and the verification data, and sends the random seed and the result of the encryption operation to the client over the network;

Step D: the information security device obtains the random seed and the encryption result from the client and verifies the correctness of the random seed. Verifying the correctness of the random seed comprises: the information security device performs on the random seed and the random number the same operation as the server to produce verification data, performs on the verification data and the original authentication key pre-stored in the information security device the same encryption operation as the server, and compares its encryption result with the encryption result obtained from the client; if the two match, the random seed is correct; if they do not match, an update failure is reported;

Step E: the information security device and the server each perform the same encryption operation on the random seed and the original authentication key to generate a new authentication key, and update the authentication key in the information security device and in the server-side database with the new authentication key.

The random number is generated in advance inside the information security device and stored there. The operation comprises combination, AND, OR, NOT, XOR, addition, subtraction and/or multiplication.

Step E specifically comprises: the information security device performs the encryption operation on the obtained random seed and the original authentication key pre-stored in it, obtains the new authentication key, and replaces its pre-stored authentication key with the new one; the server performs, on the random seed and the original authentication key pre-stored in its database, the same encryption operation as the information security device, obtains the new authentication key, moves the original authentication key stored in its database into the "old value" position of the server-side database, and places the new authentication key into the "current value" position of the server-side database.

The method further comprises a step of synchronising the authentication key update: after the server receives an identity authentication request from the client, it generates a random number and sends it to the client; the information security device obtains the random number from the client, internally performs the encryption operation on its stored authentication key and the random number, and sends the encryption result to the server; the server performs the same encryption operation as the information security device on the authentication key in the "current value" position of its database and the random number, and compares the result with the received encryption result; if they match, identity authentication succeeds; if they do not match, the server performs the same encryption operation as the information security device on the authentication key in the "old value" position of its database and the random number, and compares the result with the received encryption result; if they do not match, identity authentication fails; if they match, the server replaces the authentication key in the "current value" position of its database with the authentication key from the "old value" position.

The encryption operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.

The invention also proposes a method for updating an authentication key, comprising the following steps:

Step A: the server obtains the hardware identifier of the information security device from the client and generates a random seed;

Step B: the server sends the random seed to the client over the network;

Step C: the information security device obtains the random seed from the client;

Step D: the information security device and the server each perform the same encryption operation on the random seed and the original authentication key to generate a new authentication key, and update the authentication key in the information security device and in the server-side database with the new authentication key. Updating the authentication key in the information security device and in the server-side database with the new authentication key includes: after the server receives an identity authentication request from the client, it generates a random number and sends it to the client; the information security device obtains the random number from the client, internally performs the encryption operation on its stored authentication key and the random number, and sends the encryption result to the server; the server performs the same operation as the information security device on the authentication key in the "current value" position of its database and the random number, and compares the result with the received encryption result; if they match, identity authentication succeeds; if they do not match, the server performs the same encryption operation as the information security device on the authentication key in the "old value" position of its database and the random number, and compares the result with the received encryption result; if they do not match, identity authentication fails; if they match, the server replaces the authentication key in the "current value" position of its database with the authentication key from the "old value" position.

Step D specifically comprises: the information security device performs the encryption operation on the obtained random seed and the original authentication key pre-stored in it, obtains the new authentication key, and replaces its pre-stored authentication key with the new one; the server performs, on the random seed and the original authentication key pre-stored in its database, the same encryption operation as the information security device, obtains the new authentication key, moves the original authentication key stored in its database into the "old value" position of the server-side database, and places the new authentication key into the "current value" position of the server-side database.

The encryption operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.

The invention provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer. The server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module; the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module. The preprocessing module is configured to perform an operation on a random seed generated by the server and a random number obtained from the information security device connected to the client, producing verification data, where the random number is generated in advance inside the information security device and stored there; to read the original authentication key from the server authentication key storage module of the server database according to the hardware identifier of the information security device obtained by the server; to perform an encryption operation on the verification data and the original authentication key to obtain an encryption result; and to send the random seed and the encryption result to the client over the network. The server authentication key generation module is configured to perform the encryption operation on the random seed and the original authentication key to generate a new authentication key. The server authentication key storage module is configured to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module. The verification module is configured to perform on the random seed and the random number the same operation as the server to produce verification data, to perform on the verification data and the original authentication key pre-stored in the information security device the same encryption algorithm as the server, and to compare the encryption result with the encryption result obtained from the client; if they match, the random seed obtained from the client is correct. Once the random seed obtained from the client has been verified as correct, the same encryption operation as on the server is performed on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, generating a new authentication key. The client authentication key storage module is configured to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module.

The system further comprises an authentication key update synchronisation module, configured to synchronise the authentication key update at authentication time by means of the two most recent authentication keys that the server retains simultaneously.

The invention further provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module;

The preprocessing module is configured to generate a random seed on the server, obtain the hardware identifier of the information security device from the client, and send the random seed to the client over the network. The server authentication key generation module is configured to perform the encryption operation on the random seed and the original authentication key in the server authentication key storage module to generate a new authentication key. The server authentication key storage module is configured to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module. The client authentication key generation module is configured to perform the same encryption operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, generating a new authentication key. The client authentication key storage module is configured to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module. The system further comprises an authentication key update synchronisation module, configured to synchronise the authentication key update at authentication time by means of the two most recent authentication keys that the server retains simultaneously.

Advantageous effects: the invention avoids the insecurity of transmitting the authentication key over the network in plaintext and the management burden and high cost of transmitting it in ciphertext, and also avoids the inconvenience of updating the authentication key offline.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a flowchart of a first method of updating an authentication key according to an embodiment of the invention;
Figure 2 is a flowchart of a second method of updating an authentication key according to an embodiment of the invention;
Figure 3 is a flowchart of authentication key update synchronisation according to an embodiment of the invention;
Figure 4 is a structural diagram of a first system for updating an authentication key according to an embodiment of the invention;
Figure 5 is a structural diagram of a second system for updating an authentication key according to an embodiment of the invention.

DETAILED DESCRIPTION

The invention is further described below with reference to the drawings and specific embodiments, which do not limit the invention. A hardware identifier, including the hardware serial number, is a globally unique identification number defined by the device manufacturer, stored inside the information security device and readable from it; the unique hardware identifier of each information security device can be used to distinguish different information security devices. The hardware serial number is used in the following embodiments for further illustration.

Embodiment 1

As shown in Figure 1, the method of updating an authentication key proposed by this embodiment of the invention comprises the following steps:

Step 101: the server obtains a random number ChallengeRand and the hardware serial number HSN of the information security device from the client, and generates a random seed SEED.

The random number ChallengeRand is generated in advance inside the information security device connected to the client computer and is stored in the information security device.

Step 102: the server performs an operation on the random seed SEED and the random number ChallengeRand to produce verification data. The operation includes combination, AND, OR, NOT, XOR, addition, subtraction, multiplication and the like.

Step 103: the server reads the original authentication key AKEY from the server database according to the hardware serial number of the information security device obtained, and performs an encryption operation on the verification data and the original authentication key AKEY to obtain the encryption result Response.

The encryption operation mainly includes hash operations, symmetric encryption operations, asymmetric encryption operations and the like.

Step 104: the server sends the random seed SEED and the encryption result Response to the client over the network.

Step 105: the information security device obtains the random seed SEED and the encryption result Response from the client and verifies the correctness of the random seed SEED.

Method of verifying the correctness of the random seed SEED: inside the information security device, the same operation as in step 102 is performed on the obtained random seed SEED and the random number ChallengeRand stored in the device to produce verification data; the same encryption operation as in step 103 is performed on the verification data and the original authentication key pre-stored in the device; and the encryption result is compared with the encryption result Response obtained from the client. If the two encryption results match, the obtained random seed SEED is correct.

Step 106: In the information security device and on the server respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce a new authentication key NEW_AKEY, and the authentication keys in the information security device and in the server database are updated with NEW_AKEY.

Method of generating and updating the authentication key NEW_AKEY inside the information security device: inside the device, a cryptographic operation is performed on the random seed SEED obtained from the client and the original authentication key pre-stored in the device to obtain the new authentication key, and the new authentication key is written over the authentication key storage location in the device. The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.

Method of generating and updating the authentication key on the server: the server performs the same cryptographic operation as in the information security device on the random seed SEED it generated and the original authentication key stored in advance in the server database to obtain the new authentication key; it moves the original authentication key to the old-value position of the server database and places the new authentication key in the current-value position. The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.

To describe the technical solution of this embodiment more clearly, a specific example follows:

The server generates a random seed SEED, obtains the hardware serial number HSN of the information security device from the client, and obtains a random number ChallengeRand from the client. The server combines SEED and ChallengeRand by concatenation, obtaining the verification data ChallengeRand|SEED, so as to obtain a longer hash code that resists special cryptanalytic attacks. The server performs a hash operation on the verification data ChallengeRand|SEED with the original authentication key AKEY, which it reads from the server database according to the hardware identifier HSN of the device, obtaining the result Response, i.e. Response = HMAC(AKEY, ChallengeRand|SEED). The server sends SEED and Response to the client over the network. After obtaining SEED and Response from the client, the information security device performs the same hash operation internally, obtaining Response' = HMAC(AKEY, ChallengeRand|SEED). If Response' does not match the Response obtained from the client, the SEED received by the device is incorrect and an update failure is reported. If Response' matches Response, the SEED received by the device is correct; the device then obtains the new authentication key NEW_AKEY = HMAC(AKEY, SEED) with the hash algorithm, replaces the original authentication key AKEY in the device with NEW_AKEY, and notifies the server that the update succeeded. After the server receives the client's notification of success, it performs the same hash operation to obtain NEW_AKEY = HMAC(AKEY, SEED), copies the current value in the server database to the old-value storage location, and writes NEW_AKEY into the current-value storage location, which completes the remote authentication key update.
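The exchange of embodiment 1, written out as an added Python example that is not part of the patent. It models both sides: the server binds SEED to the device's ChallengeRand with Response = HMAC(AKEY, ChallengeRand|SEED), the device refuses to derive NEW_AKEY unless Response verifies, and the server rotates its old-value/current-value slots only after the client reports success. HMAC-SHA256 as the hash operation, the 16-byte seed length, the `Device`/`Server` class layout and the `tamper` fault injection are assumptions; the specification only says "HMAC".

```python
import hashlib
import hmac
import os

# Added example, not the patent's own code. Models embodiment 1 of the
# specification. Assumptions: HMAC-SHA256 as the hash operation and a
# 16-byte SEED (the text fixes neither the hash nor the seed length).


def prf(key: bytes, data: bytes) -> bytes:
    """The hash operation of the specification, instantiated as HMAC-SHA256 (assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Device:
    """Information security device: holds AKEY and a pre-generated ChallengeRand."""

    def __init__(self, hsn: str, akey: bytes, challenge: bytes):
        self.hsn = hsn              # hardware serial number HSN
        self.akey = akey            # authentication key stored in the device
        self.challenge = challenge  # random number kept inside the device

    def verify_and_update(self, seed: bytes, response: bytes) -> bool:
        """Steps 105-106 on the device: accept SEED only if Response checks out."""
        expected = prf(self.akey, self.challenge + seed)  # same operations as steps 102/103
        if not hmac.compare_digest(expected, response):
            return False            # SEED altered or replaced on the way: update fails
        self.akey = prf(self.akey, seed)                  # NEW_AKEY = HMAC(AKEY, SEED)
        return True


class Server:
    """Server whose database keeps the two most recent keys per device."""

    def __init__(self):
        self.db = {}  # hsn -> {"old": bytes or None, "current": bytes}

    def enroll(self, hsn: str, akey: bytes) -> None:
        self.db[hsn] = {"old": None, "current": akey}

    def start_update(self, hsn: str, challenge: bytes) -> tuple:
        """Steps 101-104: generate SEED and Response; both are sent to the client."""
        seed = os.urandom(16)
        akey = self.db[hsn]["current"]
        verification_data = challenge + seed       # step 102: ChallengeRand|SEED
        return seed, prf(akey, verification_data)  # step 103

    def finish_update(self, hsn: str, seed: bytes) -> None:
        """Step 106 on the server, run only after the client's success notification."""
        rec = self.db[hsn]
        rec["old"] = rec["current"]             # previous key goes to the old-value slot
        rec["current"] = prf(rec["old"], seed)  # NEW_AKEY goes to the current-value slot


def run_update(server: Server, device: Device, tamper: bool = False) -> bool:
    """One remote update. tamper=True flips one bit of SEED on the wire (constructed fault)."""
    seed, response = server.start_update(device.hsn, device.challenge)
    wire_seed = bytes([seed[0] ^ 0x01]) + seed[1:] if tamper else seed
    ok = device.verify_and_update(wire_seed, response)
    if ok:
        server.finish_update(device.hsn, seed)  # the client's "update succeeded" notice
    return ok


def keys_in_sync(server: Server, device: Device) -> bool:
    """True when the server's current-value slot equals the key inside the device."""
    return hmac.compare_digest(server.db[device.hsn]["current"], device.akey)


if __name__ == "__main__":
    # Constructed sample values: a 32-byte AKEY and a 16-byte ChallengeRand.
    dev = Device("HSN-0001", bytes(range(32)), b"\xa5" * 16)
    srv = Server()
    srv.enroll(dev.hsn, dev.akey)
    print("update ok:", run_update(srv, dev), "in sync:", keys_in_sync(srv, dev))
    print("tampered update ok:", run_update(srv, dev, tamper=True),
          "in sync:", keys_in_sync(srv, dev))
```

The tampered run shows the property step 105 provides: because Response is keyed with AKEY and covers SEED, a seed that was altered in transit is rejected before either side changes its key, so the device and the server database stay consistent.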

Embodiment 2

As shown in Figure 2, an embodiment of the present invention further provides a method of updating an authentication key, which specifically comprises the following steps. Step 201: The server obtains the hardware serial number HSN of the information security device from the client and generates a random seed SEED.

Step 202: The server sends the random seed SEED to the client over the network.

Step 203: The information security device obtains the random seed SEED from the client.

Step 204: In the information security device and on the server respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce a new authentication key NEW_AKEY, and the authentication keys in the information security device and in the server database are updated with NEW_AKEY.

Method of generating and updating the authentication key NEW_AKEY inside the information security device: inside the device, a cryptographic operation is performed on the random seed SEED obtained from the client and the original authentication key pre-stored in the device to obtain the new authentication key, and the new authentication key is written over the authentication key storage location in the device. The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.

Method of generating and updating the authentication key on the server: the server performs the same cryptographic operation as in the information security device on the random seed SEED it generated and the original authentication key stored in advance in the server database to obtain the new authentication key; it moves the original authentication key to the old-value position of the server database and places the new authentication key in the current-value position. The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.

To describe the technical solution of this embodiment more clearly, a specific example follows:

The server first generates a random seed SEED and obtains the hardware serial number HSN of the information security device from the client; the server sends SEED to the client over the network. After the information security device obtains SEED from the client, it performs a hash operation internally on SEED and the original authentication key pre-stored in it to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), replaces the original authentication key AKEY in the device with NEW_AKEY, and notifies the server that the update succeeded. After the server receives the client's notification of success, it performs the same hash operation on the random seed it generated and the original authentication key AKEY, which it reads from the server database according to the hardware serial number HSN of the device, obtaining the new authentication key NEW_AKEY = HMAC(AKEY, SEED); it copies the current value in the server database to the old-value storage location and then writes NEW_AKEY into the current-value storage location, which completes the remote authentication key update.

During the authentication key update, network problems can cause the client-side and server-side key updates to fall out of step. For example, the network may be interrupted while the server is sending the random seed to the client, so that the seed never reaches the client; the key update in the information security device then cannot complete, and the key stored inside it is still the original authentication key, whereas the server has already performed its key update, so the key in its database is the updated one. This is the problem of an unsynchronized key update. Keeping the two most recent authentication keys in the server database solves it: the server database has two storage locations for the authentication key, an old-value location and a current-value location. Using the two most recent keys kept in the server database, the client-side and server-side key updates are resynchronized during identity authentication by the following steps, shown in Figure 3:

Step 301: After receiving the identity authentication request sent by the client, the server generates a random number and sends it to the client.

Step 302: The information security device obtains the random number from the client.

Step 303: Inside the information security device, a cryptographic operation is performed on the authentication key stored in the device and the random number, and the result is sent back to the server.

The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.

Step 304: The server performs the same cryptographic operation as in step 303 on the authentication key in the current-value position of its database and the random number, and compares the result with the result obtained from the information security device. If they match, step 307 is executed; otherwise step 305 is executed.

Step 305: The server performs the same cryptographic operation as in step 303 on the authentication key in the old-value position of its database and the random number, and compares the result with the obtained result. If they match, step 306 is executed; otherwise step 308 is executed.

Step 306: The authentication key in the old-value storage location of the server database is copied into the current-value storage location, which completes the synchronization; subsequent identity authentication uses the authentication key in the current-value position.

Step 307: Identity authentication succeeds; end.

Step 308: Identity authentication fails; end.

Referring to Figure 4, an embodiment of the present invention provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module.
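Steps 301 to 308, and the desynchronization scenario described before them, as an added Python example that is not part of the patent. The server keeps an old-value and a current-value slot per device; during authentication it tries the current value first, then the old value, and on an old-value match copies the old value back into the current-value slot (step 306). The `rotate` method stands in for a server-side key update whose seed never reached the device. HMAC-SHA256 as the cryptographic operation of step 303, the 16-byte random number and the class layout are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not the patent's own code. Models steps 301-308: identity
# authentication against the two most recent keys kept in the server database.
# Assumption: HMAC-SHA256 as the cryptographic operation of step 303.


def prf(key: bytes, data: bytes) -> bytes:
    """Cryptographic operation of step 303, instantiated as HMAC-SHA256 (assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class DeviceAuth:
    """Information security device: answers the random number with HMAC(AKEY, random)."""

    def __init__(self, akey: bytes):
        self.akey = akey

    def prove(self, nonce: bytes) -> bytes:
        return prf(self.akey, nonce)  # step 303


class ServerAuth:
    """Server with an old-value and a current-value slot per device."""

    def __init__(self):
        self.db = {}  # hsn -> {"old": bytes or None, "current": bytes}

    def enroll(self, hsn: str, akey: bytes) -> None:
        self.db[hsn] = {"old": None, "current": akey}

    def rotate(self, hsn: str, new_key: bytes) -> None:
        """Server-side key update (step 106/204): current -> old, new -> current."""
        rec = self.db[hsn]
        rec["old"], rec["current"] = rec["current"], new_key

    def start_auth(self) -> bytes:
        return os.urandom(16)  # step 301: random number sent to the client

    def check(self, hsn: str, nonce: bytes, proof: bytes) -> str:
        """Steps 304-308. Returns 'ok', 'resynced' or 'fail'."""
        rec = self.db[hsn]
        if hmac.compare_digest(prf(rec["current"], nonce), proof):
            return "ok"             # step 304 matched -> step 307
        old = rec["old"]
        if old is not None and hmac.compare_digest(prf(old, nonce), proof):
            rec["current"] = old    # step 306: device still holds the previous key
            return "resynced"
        return "fail"               # step 308


def authenticate(server: ServerAuth, device: DeviceAuth, hsn: str) -> str:
    nonce = server.start_auth()             # step 301
    proof = device.prove(nonce)             # steps 302-303
    return server.check(hsn, nonce, proof)  # steps 304-308


if __name__ == "__main__":
    # Constructed sample values.
    akey = b"\x01" * 32
    srv, dev = ServerAuth(), DeviceAuth(akey)
    srv.enroll("HSN-0001", akey)
    print(authenticate(srv, dev, "HSN-0001"))               # ok
    srv.rotate("HSN-0001", prf(akey, b"seed-lost-in-transit"))  # device never updated
    print(authenticate(srv, dev, "HSN-0001"))               # resynced
    print(authenticate(srv, dev, "HSN-0001"))               # ok
```

A `resynced` result is the signal that the previous update did not complete on the device; an operator would normally log it and schedule a fresh update, since after step 306 the server's current-value slot again holds the key the device has, and the next update starts from that key.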

The preprocessing module is used to produce verification data from the random seed generated by the server and the random number obtained from the client, to read the original authentication key from the server database according to the hardware identifier of the information security device obtained by the server, to perform a cryptographic operation on the verification data and the original authentication key to obtain a result, and to send the random seed and the result to the client over the network;

the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate a new authentication key;

the server authentication key storage module is used to store and update the authentication key;

the verification module is used to verify the correctness of the random seed obtained from the client;

the client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the information security device to generate a new authentication key;

the client authentication key storage module is used to store and update the authentication key.

The system further comprises an authentication key update synchronization module, which is used to resynchronize the authentication key update during identity authentication by means of the two most recent authentication keys kept on the server.

Referring to Figure 5, an embodiment of the present invention further provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module.

The preprocessing module is used to generate a random seed on the server, to obtain the hardware identifier of the information security device from the client, and to send the random seed to the client over the network;

the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate a new authentication key;

the server authentication key storage module is used to store and update the authentication key;

the client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the information security device to generate a new authentication key;

the client authentication key storage module is used to store and update the authentication key.

The system further comprises an authentication key update synchronization module, which is used to resynchronize the authentication key update during identity authentication by means of the two most recent authentication keys kept on the server.

The embodiments described above are only some of the preferred specific embodiments of the present invention; ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the scope of protection of the present invention.

Claims (13)

1. A method of updating an authentication key, characterized in that the method comprises the following steps:
Step A: the server obtains a random number and the hardware identifier of an information security device from the client and generates a random seed, wherein the server obtains the random number from the information security device connected to the client;
Step B: the server performs an operation on the random seed and the random number to produce verification data;
Step C: the server reads the original authentication key from its database according to the hardware identifier of the information security device, performs a cryptographic operation on the original authentication key and the verification data, and sends the random seed and the cryptographic result to the client over the network;
Step D: the information security device obtains the random seed and the cryptographic result from the client and verifies the correctness of the random seed, wherein verifying the correctness of the random seed comprises: the information security device performs the same operation as the server on the random seed and the random number to produce verification data, performs the same cryptographic operation as the server on the verification data and the original authentication key pre-stored in the information security device, and compares the result with the cryptographic result obtained from the client; if the results match, the random seed is correct; if they do not match, an update failure is reported;
Step E: in the information security device and on the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication keys in the information security device and in the server database are updated with the new authentication key.
2. The method of updating an authentication key according to claim 1, characterized in that the random number is generated in advance inside the information security device and stored in the information security device.
3. The method of updating an authentication key according to claim 1, characterized in that the operation comprises concatenation, AND, OR, NOT, XOR, addition, subtraction and/or multiplication.
4. The method of updating an authentication key according to claim 1, characterized in that step E specifically comprises: the information security device performs a cryptographic operation on the obtained random seed and the original authentication key pre-stored in it to obtain a new authentication key, and updates the authentication key pre-stored in it with the new authentication key; the server performs the same cryptographic operation as in the information security device on the random seed and the original authentication key stored in advance in its database to obtain a new authentication key, moves the original authentication key stored in advance in its database to the old-value position of the server database, and places the new authentication key in the current-value position of the server database.
5. The method of updating an authentication key according to claim 1, characterized in that the method further comprises a step of synchronizing the authentication key update: after receiving an identity authentication request sent by the client, the server generates a random number and sends it to the client; the information security device obtains the random number from the client, performs a cryptographic operation internally on the authentication key stored in it and the random number, and sends the result to the server; the server performs the same cryptographic operation as in the information security device on the authentication key in the current-value position of its database and the random number, and compares the result with the obtained result; if they match, identity authentication succeeds; if they do not match, the server performs the same cryptographic operation as in the information security device on the authentication key in the old-value position of its database and the random number, and compares the result with the obtained result; if they do not match, identity authentication fails; if they match, the server replaces the authentication key in the current-value position of its database with the authentication key in the old-value position.
6. The method of updating an authentication key according to claim 1, 4 or 5, characterized in that the cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
7. A method of updating an authentication key, characterized in that the method comprises the following steps:
Step A: the server obtains the hardware identifier of an information security device from the client and generates a random seed;
Step B: the server sends the random seed to the client over the network;
Step C: the information security device obtains the random seed from the client;
Step D: in the information security device and on the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication keys in the information security device and in the server database are updated with the new authentication key, wherein updating the authentication keys in the information security device and in the server database with the new authentication key comprises: after receiving an identity authentication request sent by the client, the server generates a random number and sends it to the client; the information security device obtains the random number from the client, performs a cryptographic operation internally on the authentication key stored in it and the random number, and sends the result to the server; the server performs the same operation as in the information security device on the authentication key in the current-value position of its database and the random number, and compares the result with the obtained cryptographic result; if they match, identity authentication succeeds; if they do not match, the server performs the same cryptographic operation as in the information security device on the authentication key in the old-value position of its database and the random number, and compares the result with the obtained result; if they do not match, identity authentication fails; if they match, the server replaces the authentication key in the current-value position of its database with the authentication key in the old-value position.
8. The method of updating an authentication key according to claim 7, characterized in that step D specifically comprises: the information security device performs a cryptographic operation on the obtained random seed and the original authentication key pre-stored in it to obtain a new authentication key, and updates the authentication key pre-stored in it with the new authentication key; the server performs the same cryptographic operation as in the information security device on the random seed and the original authentication key stored in advance in its database to obtain a new authentication key, moves the original authentication key stored in advance in its database to the old-value position of the server database, and places the new authentication key in the current-value position of the server database.
9. The method of updating an authentication key according to claim 7 or 8, characterized in that the cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
10. A system for updating an authentication key, characterized in that the system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module;
the preprocessing module is used to perform an operation on the random seed generated by the server and the random number obtained from the information security device connected to the client to produce verification data, wherein the random number is generated in advance inside the information security device and stored in the information security device; to read the original authentication key from the server authentication key storage module of the server database according to the hardware identifier of the information security device obtained by the server; to perform a cryptographic operation on the verification data and the original authentication key to obtain a cryptographic result; and to send the random seed and the cryptographic result to the client over the network;
the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate a new authentication key;
the server authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module;
the verification module is used to perform the same operation as the server on the random seed and the random number to produce verification data, to apply the same cryptographic algorithm as the server to the verification data and the original authentication key pre-stored in the information security device, and to compare the result with the cryptographic result obtained from the client; if the results match, the random seed obtained from the client is correct;
the client authentication key generation module is used, after the verification module has verified that the random seed obtained from the client is correct, to perform the same cryptographic operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device to generate a new authentication key;
the client authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module.
11. The system for updating an authentication key according to claim 10, characterized in that the system further comprises an authentication key update synchronization module, which is used to resynchronize the authentication key update during identity authentication by means of the two most recent authentication keys kept on the server.
12. A system for updating an authentication key, characterized in that the system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module;
the preprocessing module is used to generate a random seed on the server, to obtain the hardware identifier of the information security device from the client, and to send the random seed to the client over the network;
the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key in the server authentication key storage module to generate a new authentication key;
the server authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module;
the client authentication key generation module is used to perform the same cryptographic operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device to generate a new authentication key;
the client authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module.
13. The system for updating an authentication key according to claim 12, characterized in that the system further comprises an authentication key update synchronization module, the authentication key update synchronization module being configured to synchronize the authentication key update during identity authentication by means of the two most recent authentication keys retained simultaneously on the server side.
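The following is an added illustration of claims 12 and 13, not code from the patent: both sides derive the new key from the random seed and the original key with the same keyed operation, and the server keeps the two most recent keys so a device whose update never arrived can still authenticate and be resynchronized. HMAC-SHA256 stands in for the unspecified "encryption operation", the challenge-response authentication, the hardware identifiers and the rollback-on-previous-key resolution are all assumptions of this example.

```python
import hashlib
import hmac
import os


def derive_new_key(original_key: bytes, seed: bytes) -> bytes:
    """Same derivation on server and device (assumed: HMAC-SHA256 over the seed)."""
    return hmac.new(original_key, seed, hashlib.sha256).digest()


def prove(key: bytes, challenge: bytes) -> bytes:
    """Assumed authentication primitive: HMAC response to a server challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SecurityDevice:
    """Client-side key generation and key storage modules of claim 12."""
    def __init__(self, hardware_id: bytes, key: bytes):
        self.hardware_id, self.key = hardware_id, key

    def apply_update(self, seed: bytes) -> None:
        self.key = derive_new_key(self.key, seed)

    def respond(self, challenge: bytes) -> bytes:
        return prove(self.key, challenge)


class Server:
    """Preprocessing, key generation/storage and sync modules, keyed by hardware id."""
    def __init__(self):
        self.keys = {}  # hardware_id -> [current_key, previous_key]

    def enroll(self, hardware_id: bytes, key: bytes) -> None:
        self.keys[hardware_id] = [key, None]

    def issue_update(self, hardware_id: bytes) -> bytes:
        """Generate the seed, roll the server-side key, return the seed to transmit."""
        seed = os.urandom(16)
        rec = self.keys[hardware_id]
        rec[1], rec[0] = rec[0], derive_new_key(rec[0], seed)
        return seed

    def authenticate(self, hardware_id: bytes, challenge: bytes, response: bytes):
        """Return (ok, key_used); a hit on the previous key means the device missed
        the last update, so the server falls back to that key (assumed resolution)."""
        rec = self.keys[hardware_id]
        for label, key in (("current", rec[0]), ("previous", rec[1])):
            if key is not None and hmac.compare_digest(prove(key, challenge), response):
                if label == "previous":
                    rec[0], rec[1] = rec[1], None
                return True, label
        return False, None
```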
Application CN 200610169759, priority date 2006-12-28, filing date 2006-12-28: Method and system for updating certification key, CN100561916C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610169759 CN100561916C (en) 2006-12-28 2006-12-28 Method and system for updating certification key

Publications (2)

Publication Number Publication Date
CN101005357A (en) 2007-07-25
CN100561916C (en) 2009-11-18

Family

ID=38704253

Country Status (1)

Country Link
CN (1) CN100561916C (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1551561A (en) 2003-05-16 2004-12-01 华为技术有限公司 Method for realizing high-srate grouped data business identification
CN1859087A (en) 2005-12-30 2006-11-08 华为技术有限公司 Key consulting method and its system for customer end and server

Also Published As

Publication number Publication date
CN101005357A (en) 2007-07-25

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted
C56 Change in the name or address of the patentee: owner name FEITIAN CHENGXIN TECHNOLOGIES CO., LTD. (former name: BEIJING FEITIAN CHENGXIN SCIENCE + TECHNOLOGY CO. LTD.)