CN100566239C - The key transmission method of multi-stage intelligent key apparatus and system - Google Patents
The key transmission method of multi-stage intelligent key apparatus and system Download PDFInfo
- Publication number
- CN100566239C CN100566239C CNB2006101144462A CN200610114446A CN100566239C CN 100566239 C CN100566239 C CN 100566239C CN B2006101144462 A CNB2006101144462 A CN B2006101144462A CN 200610114446 A CN200610114446 A CN 200610114446A CN 100566239 C CN100566239 C CN 100566239C
- Authority
- CN
- China
- Prior art keywords
- key
- intelligent key
- key apparatus
- intelligent
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 42
- 238000000034 method Methods 0.000 title claims abstract description 37
- MIVWVMMAZAALNA-IJLUTSLNSA-N SCB2 Chemical compound CCCCCCC[C@@H](O)[C@H]1[C@H](CO)COC1=O MIVWVMMAZAALNA-IJLUTSLNSA-N 0.000 claims description 7
- MIVWVMMAZAALNA-UHFFFAOYSA-N SCB2 Natural products CCCCCCCC(O)C1C(CO)COC1=O MIVWVMMAZAALNA-UHFFFAOYSA-N 0.000 claims description 7
- 238000004891 communication Methods 0.000 abstract description 3
- 238000010586 diagram Methods 0.000 description 13
- 230000008676 import Effects 0.000 description 7
- 238000013475 authorization Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 1
- 239000000969 carrier Substances 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides the key transmission method and the system of multi-stage intelligent key apparatus, belong to the secure communication field.Key is transmitting unsafe problem between the superior and the subordinate in the prior art in order to solve, the invention provides the key transmission method of multi-stage intelligent key apparatus, be included in a plurality of keys that prestore in the intelligent key apparatus at the corresponding levels, with a part of secret key encryption in described a plurality of keys, and send to secondary mandate intelligent key apparatus; All the other secret key encryptions in a plurality of keys obtain ciphertext, and ciphertext is sent to the secondary operation intelligent key apparatus, and the secondary operation intelligent key apparatus is stored after receiving ciphertext.The present invention also provides the key transmission system of multi-stage intelligent key apparatus, comprises that cipher key storage block and key transmit module.Adopt scheme of the present invention to guarantee that key in that transmission is not stolen between the superior and the subordinate, improves the fail safe of using intelligent key apparatus.
Description
Technical field
The present invention relates to the secure communication field, particularly the key transmission method of multi-stage intelligent key apparatus and system.
Background technology
Intelligent key apparatus is a kind of small hardware device that has processor and memory, and it can be connected with computer by the data communication interface of computer.Intelligent key apparatus adopts the legitimacy of PIN code identifying user identity, when carrying out authentication, intelligent key apparatus is linked to each other with computer, the user imports PIN code on computers, the correctness of automatic this PIN code of verification of intelligent key apparatus meeting, when having only the PIN code of importing as the user correct, just allow user's operative intelligence key device.Intelligent key apparatus also has the key systematic function, but and safe storage key and preset cryptographic algorithm.The intelligent key apparatus computing relevant with key be fully at the device internal operation, and intelligent key apparatus has the anti-characteristic of attacking of physics, and fail safe is high, and intelligent key apparatus commonly used links to each other with computer by USB interface.
Intelligent key apparatus is provided with two Permission Levels---keeper and domestic consumer for improving its fail safe, and wherein keeper's password is SoPIN, i.e. safety officer PIN, and the password of domestic consumer is user PIN, keeper's authority is bigger than domestic consumer.Owing to user's the repeatedly misoperation or the attack of illegal molecule etc., intelligent key apparatus can be protected self when using intelligent key apparatus---and the PIN code of intelligent key apparatus will be pinned automatically, and having only the keeper to import SoPIN could be with its release.
Because intelligent key apparatus has the characteristic of high safety, thus much require the higher field of fail safe all to adopt intelligent key apparatus to carry out authentication, to guarantee the fail safe of operation.For example banking system is utilized intelligent key apparatus authentication teller and user's identity.But multiple management system from head office to province's row, city's row and subbranch as the bank, need the upper level intelligent key apparatus to transmit key and generate the next stage intelligent key apparatus, in the process of transmitting, can cause key to be revealed and produce unsafe factor to the next stage intelligent key apparatus.
Summary of the invention
Key is transmitting unsafe hidden danger between the superior and the subordinate in the prior art in order to solve in the present invention, and the key transmission method and the system of multi-stage intelligent key apparatus is provided.Described technical scheme is as follows:
The key transmission method of multi-stage intelligent key apparatus said method comprising the steps of:
Steps A: in intelligent key apparatus at the corresponding levels, have a plurality of keys;
Step B: with a part of secret key encryption in described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, is decrypted and stores after described secondary mandate intelligent key apparatus is received described encrypted secret key; All the other secret key encryptions in described a plurality of keys are obtained ciphertext, and described ciphertext is sent to the secondary operation intelligent key apparatus, store after described secondary operation intelligent key apparatus is received described ciphertext.
Described intelligent key apparatus at the corresponding levels comprises that at least one is authorized intelligent key apparatus and an operative intelligence key device.
Also comprise before the described steps A:
The ciphertext of the key stored in the described operative intelligence key device at the corresponding levels is sent at the corresponding levels the mandate in the intelligent key apparatus, described at the corresponding levels authorize intelligent key apparatus to receive described ciphertext after, described ciphertext is decrypted.
Described mandate intelligent key apparatus is safe storage medium, and the key in it is stored in the secure storage areas of authorizing intelligent key apparatus.
Among the step B with a part of secret key encryption in described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, described secondary mandate intelligent key apparatus receives that the step that is decrypted and stores after the described encrypted secret key specifically comprises:
Step B1: secondary mandate intelligent key apparatus generates asymmetrical public private key pair, and the PKI in the described public private key pair is sent to intelligent key apparatus at the corresponding levels;
Step B2: described intelligent key apparatus at the corresponding levels is encrypted a part of key in described a plurality of keys after receiving described PKI, and the key after will encrypting sends to described secondary mandate intelligent key apparatus;
Step B3: after described secondary mandate intelligent key apparatus is received key after the described encryption, with the private key in the described public private key pair with its deciphering and storage.
The algorithm that all the other secret key encryptions with in described a plurality of keys among the described step B obtain the ciphertext employing comprises Advanced Encryption Standard aes algorithm, DES Cipher algorithm, triple DES 3DES algorithm, SSF33 algorithm, SCB2 algorithm, elliptic curve cipher ECC algorithm or RSA Algorithm.
The parameter of using in the described algorithm is the correlation of the hardware characteristics parameter of described secondary operation intelligent key apparatus.
The present invention provides the key transmission system of multi-stage intelligent key apparatus simultaneously, and described system comprises with lower module:
Cipher key storage block is used at a plurality of keys of intelligent key apparatus storage;
Key transmits module, is used for a part of secret key encryption with described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, and described secondary mandate intelligent key apparatus is decrypted and stores after receiving key after the described encryption; Also be used for all the other secret key encryptions of described a plurality of keys are obtained ciphertext, and described ciphertext is sent to the secondary operation intelligent key apparatus, store after described secondary operation intelligent key apparatus is received described ciphertext.
Described secondary mandate intelligent key apparatus is safe storage medium, and the key in it is stored in the secure storage areas of described secondary mandate intelligent key apparatus.
The algorithm that all the other secret key encryptions with in described a plurality of keys in the described key transmission module obtain the ciphertext employing comprises Advanced Encryption Standard aes algorithm, DES Cipher algorithm, triple DES 3DES algorithm, SSF33 algorithm, SCB2 algorithm, elliptic curve cipher ECC algorithm or RSA Algorithm.
The parameter of using in the described algorithm is the correlation of the hardware characteristics parameter of described secondary operation intelligent key apparatus.
Described system also comprises:
Key at the same level transmits module, is used for the ciphertext that described operative intelligence key device at the corresponding levels is stored is sent at the corresponding levels the mandate in the intelligent key apparatus, and the described corresponding levels are decrypted described ciphertext after authorizing intelligent key apparatus to receive described ciphertext.
The present invention provides the key transmission system of another kind of multi-stage intelligent key apparatus simultaneously, and described system comprises:
Operative intelligence key device at the corresponding levels is used to store the key of ciphertext form, and described key is sent to the intelligent key apparatus of authorizing at the corresponding levels;
The intelligent key apparatus of authorizing at the corresponding levels is used to receive the key of ciphertext form of the transmission of operative intelligence key device at the corresponding levels, and the key of described ciphertext form is decrypted; Also be used for the original secret key encryption of described mandate intelligent key apparatus at the corresponding levels is sent to secondary mandate intelligent key apparatus, to carry out computing again from the key that operative intelligence key device at the corresponding levels receives and deciphering obtains, send to the secondary operation intelligent key apparatus then;
Secondary mandate intelligent key apparatus is used to receive described encrypted secret key of authorizing intelligent key apparatus to send at the corresponding levels, and described encrypted secret key is decrypted, and the key after the deciphering is stored;
The secondary operation intelligent key apparatus is used to receive the key after the described corresponding levels are authorized the computing of intelligent key apparatus transmission, stores the key of ciphertext form then.
Described secondary mandate intelligent key apparatus also comprises the public private key pair generation unit, is used for secondary mandate intelligent key apparatus and generates asymmetrical public private key pair, and the PKI in the described public private key pair is sent to the intelligent key apparatus of authorizing at the corresponding levels.
The described intelligent key apparatus of authorizing at the corresponding levels uses described PKI that the key of storage is encrypted the generation ciphertext, described ciphertext is sent to described secondary mandate intelligent key apparatus, and described secondary mandate intelligent key apparatus uses the ciphertext of receiving the private key deciphering of described public private key pair.
The beneficial effect that technical scheme of the present invention is brought is:
Key transmission method and system by multi-stage intelligent key apparatus provided by the invention, solved that key is transmitting unsafe hidden danger between the superior and the subordinate in the prior art, guaranteed that key in that transmission is not stolen between the superior and the subordinate, improves the fail safe of using intelligent key apparatus.
Description of drawings
Fig. 1 is the method flow diagram that one-level mandate intelligent key apparatus is set provided by the invention;
Fig. 2 is the method flow diagram that one-level operative intelligence key device is set provided by the invention;
Fig. 3 is the method flow diagram that secondary mandate intelligent key apparatus is set provided by the invention;
Fig. 4 is provided by the invention for the method flow diagram of secondary operation intelligent key apparatus release;
Fig. 5 is the method flow diagram of the user's of setting intelligent key apparatus provided by the invention;
Fig. 6 is the key transmission system schematic diagram of multi-stage intelligent key apparatus provided by the invention;
Fig. 7 is the key transmission system schematic diagram of another kind of multi-stage intelligent key apparatus provided by the invention.
Embodiment
The invention will be further described below in conjunction with the drawings and specific embodiments, but not as a limitation of the invention.
The present invention is that example describes with the banking system, bank comprises head office from top to bottom, economize row, four grades of city's row and subbranch, head office holds the master control intelligent key apparatus in the technical scheme of the present invention, economize row, city's row and subbranch hold one respectively and authorize intelligent key apparatus, economize row, everyone holds an operative intelligence key device teller of city's row and subbranch, for convenience of description, the mandate intelligent key apparatus that the present invention will economize row is called one-level mandate intelligent key apparatus, the operative intelligence key device of economizing row is called one-level operative intelligence key device, same, city's row be called secondary mandate intelligent key apparatus and secondary operation intelligent key apparatus, subbranch is called three grades and authorizes intelligent key apparatus and three grades of operative intelligence key devices, and the intelligent key apparatus that the user holds is called user's intelligent key apparatus.
Master control intelligent key apparatus and mandate intelligent key apparatus at different levels are safe carriers, and its key is stored in the secure storage section of intelligent key apparatus with form expressly; Key in the operative intelligence key devices at different levels is stored with the ciphertext form.The master control intelligent key apparatus of head office can be provided with the one-level mandate intelligent key apparatus and the one-level operative intelligence key device of province's row, economize the one-level mandate intelligent key apparatus of row and secondary mandate intelligent key apparatus and the secondary operation intelligent key apparatus that one-level operative intelligence key device is provided with city-level jointly, same, the secondary mandate intelligent key apparatus of city's row and secondary operation intelligent key apparatus are provided with three grades of mandate intelligent key apparatus of subbranch, three grades of level operative intelligence key devices jointly.User's intelligent key apparatus can be provided with by the master control intelligent key apparatus, also can be provided with jointly by one-level mandate intelligent key apparatus and one-level operative intelligence key device, equally also can be provided with jointly by two intelligent key apparatus of secondary or three grades.When specific implementation, can set the number of grade as required, be not limited to four grades in the present embodiment.
Higher level's intelligent key apparatus that the next stage intelligent key apparatus is set in the present embodiment is an intelligent key apparatus at the corresponding levels, and to be that secondary intelligence is close will install the next stage intelligent key apparatus that is set up.When for example the one-level intelligent key apparatus is provided with the second-level intelligence key device, the one-level intelligent key apparatus is an intelligent key apparatus at the corresponding levels, to be that secondary intelligence is close will install the second-level intelligence key device, when the second-level intelligence key device is provided with three grades of intelligent key apparatus, the second-level intelligence key device is as intelligent key apparatus at the corresponding levels, and this moment, three grades of intelligent key apparatus were secondary intelligent key apparatus.
Store four keys with the plaintext form in the master control intelligent key apparatus, be respectively the first authorization key Ka1, the second authorization key Ka2, the first operation key K o1 and the second operation key K o2, wherein Ka1 and Ka2 pass to one-level mandate intelligent key apparatus, and Ko1 and Ko2 pass to one-level operative intelligence key device.
Referring to Fig. 1, for the method flow diagram of one-level mandate intelligent key apparatus is set, detailed process is as follows:
Step 101: master control intelligent key apparatus and one-level mandate intelligent key apparatus are connected to main frame simultaneously;
Step 102: one-level mandate intelligent key apparatus generates the public private key pair of unsymmetrical key system, and the PKI of this public private key pair is sent to the master control intelligent key apparatus by main frame, and private key is kept in this one-level mandate intelligent key apparatus;
Step 103: its inner key K a1 of the public key encryption that the utilization of master control intelligent key apparatus sends over obtains first and authorizes encryption key Ka1 ', sends to one-level mandate intelligent key apparatus by main frame then;
Step 104: one-level mandate intelligent key apparatus obtains the expressly Ka1 of form with Ka1 ' with corresponding private key deciphering, and is saved in its secure storage section;
Step 105: the master control intelligent key apparatus requires the operator to import provincial information (for example internal code of provincial branches), and the operator imports provincial information by main frame;
Step 106: the master control intelligent key apparatus obtains character string Ka2.1 after with Ka2 and provincial information combination, utilizes PKI that character string Ka2.1 is encrypted the back then and generates ciphertext Ka2.1 ', and Ka2.1 ' is sent to one-level mandate intelligent key apparatus by main frame;
Step 107: one-level mandate intelligent key apparatus obtains the expressly character string Ka2.1 of form with Ka2.1 ' with corresponding private key deciphering, and Ka2.1 is preserved;
Step 108: one-level mandate intelligent key apparatus sends to the master control intelligent key apparatus with its sequence number;
Step 109: after the master control intelligent key apparatus is received the sequence number of one-level mandate intelligent key apparatus, this sequence number and Ka2, Ko2 are made up, and the result after will making up carries out the hash computing and obtains hashed value, and this hashed value is set to the password SoPIN of one-level mandate intelligent key apparatus then.
The method of combination can be with hardware sequence number, Ka2, Ko2 summation, also can be three values to be connected etc.
So far, there is the first authorization key Ka1 in the one-level mandate intelligent key apparatus and has the second authorization key character string Ka2.1 of provincial information, and set its password SoPIN, finished setting up procedure.
Referring to Fig. 2, for the method flow diagram of one-level operative intelligence key device is set, concrete steps are as follows:
Step 201: master control intelligent key apparatus and one-level operative intelligence key device are connected to main frame;
Step 202: the master control intelligent key apparatus requires the operator to import provincial information (internal code of provincial branches for example, identical with provincial information in the above-mentioned steps 105), and the operator imports provincial information by main frame;
Step 203: the master control intelligent key apparatus obtains character string Ka2.1 after with Ka2 and provincial information combination, will obtain character string Ko2.1 after Ko2 and the provincial information combination;
Step 204: one-level operative intelligence key device is sent to the master control intelligent key apparatus with its hardware sequence number;
Step 205: the master control intelligent key apparatus makes up the hardware sequence number and the character string Ka2.1 of one-level operative intelligence key device, result to combination asks hashed value to obtain a temporary key X then, with X Ko1 is carried out cryptographic calculation and obtain the first operation encryption key Ko1 ', this cryptographic calculation adopts symmetric encipherment algorithm, and present embodiment is 3DES;
Step 206: the master control intelligent key apparatus carries out cryptographic calculation with X to Ko2.1 and obtains the second operation encryption key Ko2.1 ', and this cryptographic calculation adopts symmetric encipherment algorithm, and present embodiment is 3DES;
Step 207: the master control intelligent key apparatus is sent to Ko1 ' and Ko2.1 ' in the one-level operative intelligence key device by main frame;
Step 208: the master control intelligent key apparatus carries out the hardware sequence number and Ka2, the Ko2 combination of one-level operative intelligence key device the hash computing to the result who makes up again and obtains hashed value; This hashed value is set to the password SoPIN of one-level operative intelligence key device then.
So far, there are Ko1 ' and Ko2.1 ' in the one-level operative intelligence key device, and set its SoPIN, finished its setting up procedure.
Referring to Fig. 3, for the part method flow diagram of second-level intelligence key device is set, concrete steps are as follows:
Step 301: one-level operative intelligence key device is sent to one-level mandate intelligent key apparatus with its hardware sequence number;
Step 302: one-level mandate intelligent key apparatus makes up the hardware sequence number and the Ka2.1 of one-level operative intelligence key device, and the result that will make up asks hashed value to get X (identical with the X in the step 205);
Step 303: one-level operative intelligence key device is sent to one-level mandate intelligent key apparatus with Ko1 ' and Ko2.1 ';
Step 304: one-level mandate intelligent key apparatus utilizes key X that Ko1 ' deciphering is obtained the expressly Ko1 of form, utilizes key X that Ko2.1 ' deciphering is obtained the expressly Ko2.1 of form;
Step 305: secondary mandate intelligent key apparatus and secondary operation intelligent key apparatus are sent to its hardware sequence number one-level mandate intelligent key apparatus respectively;
Step 306: after one-level mandate intelligent key apparatus is received hardware sequence number, hardware sequence number and Ka2.1, the Ko2.1 of secondary mandate intelligent key apparatus are made up, and the result that will make up asks hashed value, and this hashed value is set to the password SoPIN of secondary mandate intelligent key apparatus then; Hardware sequence number and Ka2.1, the Ko2.1 of secondary operation intelligent key apparatus are made up, and the result that will make up asks hashed value, this hashed value is set to the password SoPIN of secondary operation intelligent key apparatus then.
So far, had Ka1, Ka2.1, Ko1 and Ko2.1 in the one-level mandate intelligent key apparatus, the method for secondary mandate intelligent key apparatus and secondary operation intelligent key apparatus that generates with one-level mandate intelligent key apparatus is identical with the method step that generates one-level mandate intelligent key apparatus and one-level operative intelligence key device with the master control intelligent key apparatus; Same method generates three grades and authorizes intelligent key apparatus and three grades of operative intelligence key devices.Different is that input city-level information replaces provincial information when generating the second-level intelligence key device, imports subbranch's information when generating three grades of intelligent key apparatus and replaces provincial information.
Referring to Fig. 4, for utilizing one-level mandate intelligent key apparatus and the one-level operative intelligence key device method flow diagram for the release of secondary operation intelligent key apparatus, concrete steps are as follows:
Step 401: one-level mandate intelligent key apparatus, one-level operative intelligence key device and secondary operation intelligent key apparatus are connected to main frame;
Step 402: one-level operative intelligence key device is sent to its hardware sequence number in the one-level mandate intelligent key apparatus;
Step 403: one-level mandate intelligent key apparatus makes up the hardware sequence number and the Ka2.1 of one-level operative intelligence key device, and the result that will make up asks hashed value to get X (identical with the X in the step 205);
Step 404: one-level operative intelligence key device sends to one-level mandate intelligent key apparatus with Ko1 ' and Ko2.1 ';
Step 405: one-level mandate intelligent key apparatus utilizes key X that Ko1 ' deciphering is obtained the expressly Ko1 of form, utilizes key X that Ko2.1 ' deciphering is obtained the expressly Ko2.1 of form;
Step 406: the secondary operation intelligent key apparatus is sent to one-level mandate intelligent key apparatus with its hardware sequence number;
Step 407: one-level mandate intelligent key apparatus makes up hardware sequence number and Ka2.1, the Ko2.1 of the secondary operation intelligent key apparatus received, and the result that will make up asks hashed value, obtains the SoPIN of secondary operation intelligent key apparatus;
Step 408: one-level mandate intelligent key apparatus utilizes SoPIN value release secondary operation intelligent key apparatus.
The unlock method of secondary mandate intelligent key apparatus and three grades of intelligent key apparatus is identical with above-mentioned steps, the release of one-level mandate intelligent key apparatus or one-level operative intelligence key device is finished by the master control intelligent key apparatus, the master control intelligent key apparatus utilizes hardware sequence number and Ka2, the Ko2 of one-level mandate intelligent key apparatus or one-level operative intelligence key device to make up respectively, and the hashed value of the result after will making up is respectively as the SoPIN of one-level mandate intelligent key apparatus or one-level operative intelligence key device release for it.
Referring to Fig. 5, for the method flow diagram of user's intelligent key apparatus is set, the SoPIN that user's intelligent key apparatus is set with one-level mandate intelligent key apparatus and one-level operative intelligence key device is an example, and concrete steps are as follows:
Step 501: one-level mandate intelligent key apparatus, one-level operative intelligence key device and user's intelligent key apparatus are connected to main frame;
Step 502: one-level operative intelligence key device is sent to one-level mandate intelligent key apparatus with its hardware sequence number;
Step 503: one-level mandate intelligent key apparatus makes up the hardware sequence number and the Ka2.1 of one-level operative intelligence key device, and the result that will make up asks hashed value to get X (identical with the X in the step 205);
Step 504: one-level operative intelligence key device is sent to one-level mandate intelligent key apparatus with Ko1 ';
Step 505: one-level mandate intelligent key apparatus utilizes key X that Ko1 ' deciphering is obtained the expressly Ko1 of form;
Step 506: user's intelligent key apparatus is sent to one-level mandate intelligent key apparatus with its hardware sequence number;
Step 507: one-level mandate intelligent key apparatus utilizes the hardware sequence number of user's intelligent key apparatus and Ko1, Ka1 to make up, and the result of its combination is asked hashed value, and this hashed value is set to the password SoPIN of user's intelligent key apparatus then.
Same secondary or three grades of SoPIN that authorize intelligent key apparatus and operative intelligence key device that user's intelligent key apparatus is set jointly of utilizing.
When release user intelligent key apparatus, use the same method and try to achieve SoPIN, utilize SoPIN release user intelligent key apparatus.
When specific implementation, above-mentioned all use in the step of hashing algorithm, the hash computing can be replaced with AES, DES, 3DES, SSF33, SCB2, ECC or RSA Algorithm.
Above-mentioned all use in the step of 3DES algorithm, the 3DES algorithm can be replaced with AES, DES, SSF33, SCB2, ECC or RSA Algorithm.
Referring to Fig. 6, be a kind of key transmission system schematic diagram of multi-stage intelligent key apparatus, this system comprises with lower module:
Cipher key storage block is used at a plurality of keys of intelligent key apparatus storage;
Key transmits module, be used for a part of secret key encryption with a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, and secondary mandate intelligent key apparatus receives to be decrypted behind the key after the encryption and obtain the expressly key of form, then the storage key of form expressly;
Also be used for all the other secret key encryptions of a plurality of keys are obtained ciphertext, and ciphertext is sent to the secondary operation intelligent key apparatus, the secondary operation intelligent key apparatus is stored after receiving ciphertext.
Wherein, secondary mandate intelligent key apparatus is safe storage medium, and key is stored in the secure storage areas of secondary mandate intelligent key apparatus.
Key transmits module and further comprises:
The public private key pair generation unit is used for secondary mandate intelligent key apparatus and generates asymmetrical public private key pair, and the PKI in the public private key pair is sent to intelligent key apparatus at the corresponding levels;
The secret key encryption unit be used for after intelligent key apparatus at the corresponding levels is received PKI a part of key of a plurality of keys being encrypted, and the key after will encrypting sends to the next stage intelligent key apparatus;
Decrypting device, be used for the key after secondary mandate intelligent key apparatus is received encryption after, with private key its deciphering is obtained the expressly key of form, and the storage key of form expressly.
The algorithm that all the other secret key encryptions with in a plurality of keys in the key transmission module obtain the ciphertext employing comprises aes algorithm, DES algorithm, 3DES algorithm, SSF33 algorithm, SCB2 algorithm, ECC algorithm or RSA Algorithm.
The parameter of using in the algorithm is the correlation of the hardware characteristics parameter of described secondary operation intelligent key apparatus.
System also comprises:
Key transmission module at the same level is used for the ciphertext that operative intelligence key device at the corresponding levels is stored is sent at the corresponding levels the mandate in the intelligent key apparatus, after the corresponding levels authorize intelligent key apparatus to receive ciphertext, ciphertext is decrypted the key that obtains the plaintext form.
Referring to Fig. 7, the key transmission system of another kind of multi-stage intelligent key apparatus provided by the invention, this system comprises:
Operative intelligence key device at the corresponding levels is used to store the key of ciphertext form, and key is sent to the intelligent key apparatus of authorizing at the corresponding levels;
The intelligent key apparatus of authorizing at the corresponding levels is used to receive the key of ciphertext form of the transmission of operative intelligence key device at the corresponding levels, and the key of this ciphertext form is decrypted; Also be used for authorizing the original secret key encryption of intelligent key apparatus to send to secondary mandate intelligent key apparatus the corresponding levels, will carry out computing again, send to the secondary operation intelligent key apparatus then from the key that operative intelligence key device at the corresponding levels receives and deciphering obtains;
Secondary mandate intelligent key apparatus is used to receive the intelligent key apparatus of authorizing at the corresponding levels and sends encrypted secret key, and encrypted secret key is decrypted, and the key after the deciphering is stored;
The secondary operation intelligent key apparatus is used to receive the key after the corresponding levels are authorized the computing of intelligent key apparatus transmission, stores the key of ciphertext then.
Wherein, secondary mandate intelligent key apparatus also comprises the public private key pair generation unit, is used for secondary mandate intelligent key apparatus and generates asymmetrical public private key pair, and the PKI in the public private key pair is sent to the intelligent key apparatus of authorizing at the corresponding levels.
Mandate intelligent key apparatus at the corresponding levels uses public-key the key of storage is encrypted the generation ciphertext, and ciphertext is sent to secondary mandate intelligent key apparatus, and secondary mandate intelligent key apparatus uses the ciphertext of receiving the private key deciphering of public private key pair.
Above-described embodiment is more preferably several embodiments of the present invention, and common variation that those skilled in the art carries out in the technical solution of the present invention scope and replacement all should be included in protection scope of the present invention.
Claims (15)
1. the key transmission method of multi-stage intelligent key apparatus is characterized in that, said method comprising the steps of:
Steps A: in intelligent key apparatus at the corresponding levels, have a plurality of keys;
Step B: with a part of secret key encryption in described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, is decrypted and stores after described secondary mandate intelligent key apparatus is received described encrypted secret key; All the other secret key encryptions in described a plurality of keys are obtained ciphertext, and described ciphertext is sent to the secondary operation intelligent key apparatus, store after described secondary operation intelligent key apparatus is received described ciphertext.
2. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 1 is characterized in that, described intelligent key apparatus at the corresponding levels comprises that at least one is authorized intelligent key apparatus and an operative intelligence key device.
3. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 2 is characterized in that, also comprises before the described steps A:
The ciphertext of the key stored in the described operative intelligence key device at the corresponding levels is sent at the corresponding levels the mandate in the intelligent key apparatus, described at the corresponding levels authorize intelligent key apparatus to receive described ciphertext after, described ciphertext is decrypted.
4. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 1 or 2 is characterized in that, described mandate intelligent key apparatus is safe storage medium, and the key in it is stored in the secure storage areas of authorizing intelligent key apparatus.
5. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 1, it is characterized in that, among the step B with a part of secret key encryption in described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, and described secondary mandate intelligent key apparatus receives that the step that is decrypted and stores after the described encrypted secret key specifically comprises:
Step B1: secondary mandate intelligent key apparatus generates asymmetrical public private key pair, and the PKI in the described public private key pair is sent to intelligent key apparatus at the corresponding levels;
Step B2: described intelligent key apparatus at the corresponding levels is encrypted a part of key in described a plurality of keys after receiving described PKI, and the key after will encrypting sends to described secondary mandate intelligent key apparatus;
Step B3: after described secondary mandate intelligent key apparatus is received key after the described encryption, with the private key in the described public private key pair with its deciphering and storage.
6. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 1, it is characterized in that the algorithm that all the other secret key encryptions with in described a plurality of keys among the described step B obtain the ciphertext employing comprises Advanced Encryption Standard aes algorithm, DES Cipher algorithm, triple DES 3DES algorithm, SSF33 algorithm, SCB2 algorithm, elliptic curve cipher ECC algorithm or RSA Algorithm.
7. the key transmission method of multi-stage intelligent key apparatus as claimed in claim 6 is characterized in that, the parameter of using in the described algorithm is the correlation of the hardware characteristics parameter of described secondary operation intelligent key apparatus.
8. the key transmission system of multi-stage intelligent key apparatus is characterized in that, described system comprises with lower module:
Cipher key storage block is used at a plurality of keys of intelligent key apparatus storage;
Key transmits module, is used for a part of secret key encryption with described a plurality of keys, and the key after will encrypting sends to secondary mandate intelligent key apparatus, and described secondary mandate intelligent key apparatus is decrypted and stores after receiving key after the described encryption; Also be used for all the other secret key encryptions of described a plurality of keys are obtained ciphertext, and described ciphertext is sent to the secondary operation intelligent key apparatus, store after described secondary operation intelligent key apparatus is received described ciphertext.
9. the key transmission system of multi-stage intelligent key apparatus as claimed in claim 8 is characterized in that, described secondary mandate intelligent key apparatus is safe storage medium, and the key in it is stored in the secure storage areas of described secondary mandate intelligent key apparatus.
10. the key transmission system of multi-stage intelligent key apparatus as claimed in claim 8, it is characterized in that the algorithm that all the other secret key encryptions with in described a plurality of keys in the described key transmission module obtain the ciphertext employing comprises Advanced Encryption Standard aes algorithm, DES Cipher algorithm, triple DES 3DES algorithm, SFF33 algorithm, SCB2 algorithm, elliptic curve cipher ECC algorithm or RSA Algorithm.
11. the key transmission system of multi-stage intelligent key apparatus as claimed in claim 10 is characterized in that, the parameter of using in the described algorithm is the correlation of the hardware characteristics parameter of described secondary operation intelligent key apparatus.
12. the key transmission system of multi-stage intelligent key apparatus as claimed in claim 8 is characterized in that, described system also comprises:
Key at the same level transmits module, is used for the ciphertext that described operative intelligence key device at the corresponding levels is stored is sent at the corresponding levels the mandate in the intelligent key apparatus, and the described corresponding levels are decrypted described ciphertext after authorizing intelligent key apparatus to receive described ciphertext.
13. the key transmission system of multi-stage intelligent key apparatus is characterized in that, described system comprises:
Operative intelligence key device at the corresponding levels is used to store the key of ciphertext form, and described key is sent to the intelligent key apparatus of authorizing at the corresponding levels;
The intelligent key apparatus of authorizing at the corresponding levels is used to receive the key of ciphertext form of the transmission of operative intelligence key device at the corresponding levels, and the key of described ciphertext form is decrypted; Also be used for the original secret key encryption of described mandate intelligent key apparatus at the corresponding levels is sent to secondary mandate intelligent key apparatus, to carry out computing again from the key that operative intelligence key device at the corresponding levels receives and deciphering obtains, send to the secondary operation intelligent key apparatus then;
Secondary mandate intelligent key apparatus is used to receive described encrypted secret key of authorizing intelligent key apparatus to send at the corresponding levels, and described encrypted secret key is decrypted, and the key after the deciphering is stored;
The secondary operation intelligent key apparatus is used to receive the key after the described corresponding levels are authorized the computing of intelligent key apparatus transmission, stores the key of ciphertext form then.
14. according to the described multi-stage intelligent key apparatus of claim 13 the key transmission system, it is characterized in that, described secondary mandate intelligent key apparatus also comprises the public private key pair generation unit, be used for secondary mandate intelligent key apparatus and generate asymmetrical public private key pair, and the PKI in the described public private key pair is sent to the intelligent key apparatus of authorizing at the corresponding levels.
15. according to the described multi-stage intelligent key apparatus of claim 14 the key transmission system, it is characterized in that, the described intelligent key apparatus of authorizing at the corresponding levels uses described PKI that the key of storage is encrypted the generation ciphertext, described ciphertext is sent to described secondary mandate intelligent key apparatus, and described secondary mandate intelligent key apparatus uses the ciphertext of receiving the private key deciphering of described public private key pair.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006101144462A CN100566239C (en) | 2006-11-10 | 2006-11-10 | The key transmission method of multi-stage intelligent key apparatus and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2006101144462A CN100566239C (en) | 2006-11-10 | 2006-11-10 | The key transmission method of multi-stage intelligent key apparatus and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1949707A CN1949707A (en) | 2007-04-18 |
| CN100566239C true CN100566239C (en) | 2009-12-02 |
Family
ID=38019100
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2006101144462A Expired - Fee Related CN100566239C (en) | 2006-11-10 | 2006-11-10 | The key transmission method of multi-stage intelligent key apparatus and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100566239C (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101883096B (en) * | 2010-06-07 | 2014-07-02 | 天地融科技股份有限公司 | Method, device and system for safely transferring data between electronic signature tools |
| CN102571326B (en) * | 2010-12-09 | 2016-03-23 | 上海华虹集成电路有限责任公司 | The method for testing security of differentiated control mode key management system |
| WO2017166111A1 (en) * | 2016-03-30 | 2017-10-05 | 李昕光 | Key management system |
| CN106059771A (en) * | 2016-05-06 | 2016-10-26 | 上海动联信息技术股份有限公司 | Intelligent POS machine secret key management system and method |
-
2006
- 2006-11-10 CN CNB2006101144462A patent/CN100566239C/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN1949707A (en) | 2007-04-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101986596B (en) | Key management mechanism | |
| CN201181472Y (en) | Hardware key device and movable memory system | |
| CN103067160B (en) | A kind of method and system for the dynamic key production for encrypting SD card | |
| CN101447870B (en) | Safe storage method of private key based on technology of distributed password | |
| CN109379387B (en) | Safety certification and data communication system between Internet of things equipment | |
| CN103580855B (en) | Usbkey management method based on sharing technology | |
| US20030145203A1 (en) | System and method for performing mutual authentications between security tokens | |
| CN109951453A (en) | A kind of safe encryption method based on block chain | |
| CN107135070A (en) | Method for implanting, framework and the system of RSA key pair and certificate | |
| CN108881960B (en) | Intelligent camera safety control and data confidentiality method based on identification password | |
| CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD | |
| CN103095452A (en) | Random encryption method needing to adopt exhaustion method for deciphering | |
| CN102236756A (en) | File encryption method based on TCM (trusted cryptography module) and USBkey | |
| CN114036539A (en) | Safety auditable Internet of things data sharing system and method based on block chain | |
| CN110138548A (en) | Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system | |
| CN111884814B (en) | Method and system for preventing intelligent terminal from being counterfeited | |
| CN1953366B (en) | Password management method and system for intelligent secret key device | |
| TWI476629B (en) | Data security and security systems and methods | |
| JP2024511236A (en) | Computer file security encryption method, decryption method and readable storage medium | |
| CN110224816A (en) | Anti- quantum calculation application system and short distance energy-saving communication method and computer equipment based on key card and sequence number | |
| CN104125239A (en) | Network authentication method and system based on data link encryption transmission | |
| CN100566239C (en) | The key transmission method of multi-stage intelligent key apparatus and system | |
| CN102811124A (en) | System validation method based on two-card three-password technique | |
| CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card | |
| CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee |
Owner name: FEITIAN CHENGXIN TECHNOLOGIES CO., LTD. Free format text: FORMER NAME: BEIJING FEITIAN CHENGXIN SCIENCE + TECHNOLOGY CO. LTD. |
|
| CP03 | Change of name, title or address |
Address after: 100085 Beijing city Haidian District Xueqing Road No. 9 Ebizal building B block 17 layer Patentee after: Feitian Technologies Co.,Ltd. Address before: 100083, Haidian District, Xueyuan Road, No. 40 research, 7 floor, 5 floor, Beijing Patentee before: FEITIAN TECHNOLOGIES Co.,Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20091202 |