Summary of the invention
To address the security risk in the prior art that arises when keys are transmitted between upper and lower levels, the present invention provides a key transmission method and system for multi-level intelligent key apparatuses. The technical scheme is as follows:
A key transmission method for multi-level intelligent key apparatuses, the method comprising the following steps:
Step A: the current-level intelligent key apparatus holds a plurality of keys;
Step B: some of the plurality of keys are encrypted, and the encrypted keys are sent to the next-level authorization intelligent key apparatus, which decrypts and stores them after receiving them; the remaining keys of the plurality of keys are encrypted to obtain ciphertext, and the ciphertext is sent to the next-level operation intelligent key apparatus, which stores the ciphertext after receiving it.
The current-level intelligent key apparatus comprises at least one authorization intelligent key apparatus and one operation intelligent key apparatus.
Before step A, the method further comprises:
The ciphertext of the keys stored in the current-level operation intelligent key apparatus is sent to the current-level authorization intelligent key apparatus, which decrypts the ciphertext after receiving it.
The authorization intelligent key apparatus is a secure storage medium, and its keys are stored in the secure storage area of the authorization intelligent key apparatus.
In step B, the step of encrypting some of the plurality of keys, sending the encrypted keys to the next-level authorization intelligent key apparatus, and having that apparatus decrypt and store them after receiving them specifically comprises:
Step B1: the next-level authorization intelligent key apparatus generates an asymmetric public/private key pair and sends the public key of the pair to the current-level intelligent key apparatus;
Step B2: after receiving the public key, the current-level intelligent key apparatus encrypts some of the plurality of keys and sends the encrypted keys to the next-level authorization intelligent key apparatus;
Step B3: after receiving the encrypted keys, the next-level authorization intelligent key apparatus decrypts them with the private key of the public/private key pair and stores them.
The algorithm used in step B to encrypt the remaining keys of the plurality of keys into ciphertext comprises the Advanced Encryption Standard (AES) algorithm, the DES algorithm, the triple DES (3DES) algorithm, the SSF33 algorithm, the SCB2 algorithm, the elliptic curve cryptography (ECC) algorithm or the RSA algorithm.
The parameter used in the algorithm is a value related to a hardware characteristic parameter of the next-level operation intelligent key apparatus.
The present invention also provides a key transmission system for multi-level intelligent key apparatuses, the system comprising the following modules:
A key storage module, used to store a plurality of keys in an intelligent key apparatus;
A key transmission module, used to encrypt some of the plurality of keys and send the encrypted keys to the next-level authorization intelligent key apparatus, which decrypts and stores them after receiving them; also used to encrypt the remaining keys of the plurality of keys to obtain ciphertext and send the ciphertext to the next-level operation intelligent key apparatus, which stores the ciphertext after receiving it.
The next-level authorization intelligent key apparatus is a secure storage medium, and its keys are stored in the secure storage area of the next-level authorization intelligent key apparatus.
The algorithm used in the key transmission module to encrypt the remaining keys of the plurality of keys into ciphertext comprises the Advanced Encryption Standard (AES) algorithm, the DES algorithm, the triple DES (3DES) algorithm, the SSF33 algorithm, the SCB2 algorithm, the elliptic curve cryptography (ECC) algorithm or the RSA algorithm.
The parameter used in the algorithm is a value related to a hardware characteristic parameter of the next-level operation intelligent key apparatus.
The system further comprises:
A same-level key transmission module, used to send the ciphertext stored in the current-level operation intelligent key apparatus to the current-level authorization intelligent key apparatus, which decrypts the ciphertext after receiving it.
The present invention also provides another key transmission system for multi-level intelligent key apparatuses, the system comprising:
A current-level operation intelligent key apparatus, used to store keys in ciphertext form and to send the keys to the current-level authorization intelligent key apparatus;
A current-level authorization intelligent key apparatus, used to receive the keys in ciphertext form sent by the current-level operation intelligent key apparatus and to decrypt them; also used to encrypt the original keys of the current-level authorization intelligent key apparatus and send them to the next-level authorization intelligent key apparatus, and to perform a further operation on the keys received from the current-level operation intelligent key apparatus and decrypted, and then send the result to the next-level operation intelligent key apparatus;
A next-level authorization intelligent key apparatus, used to receive the encrypted keys sent by the current-level authorization intelligent key apparatus, decrypt them, and store the decrypted keys;
A next-level operation intelligent key apparatus, used to receive the keys sent by the current-level authorization intelligent key apparatus after the operation, and then store the keys in ciphertext form.
The next-level authorization intelligent key apparatus further comprises a public/private key pair generation unit, used by the next-level authorization intelligent key apparatus to generate an asymmetric public/private key pair and send the public key of the pair to the current-level authorization intelligent key apparatus.
The current-level authorization intelligent key apparatus uses the public key to encrypt the stored keys and generate ciphertext, and sends the ciphertext to the next-level authorization intelligent key apparatus, which decrypts the received ciphertext with the private key of the public/private key pair.
The beneficial effects of the technical scheme of the present invention are:
The key transmission method and system for multi-level intelligent key apparatuses provided by the invention remove the security risk present in the prior art when keys are transmitted between upper and lower levels, ensure that keys are not stolen in transmission between levels, and improve the security of using intelligent key apparatuses.
Embodiment
The invention will be further described below in conjunction with the drawings and specific embodiments, but not as a limitation of the invention.
The present invention is described using a banking system as an example. From top to bottom the bank comprises four levels: head office, provincial branches, city branches and sub-branches. In the technical scheme of the invention the head office holds the master control intelligent key apparatus; the provincial branch, city branch and sub-branch each hold one authorization intelligent key apparatus; and each teller of the provincial branch, city branch and sub-branch holds one operation intelligent key apparatus. For convenience of description, the authorization intelligent key apparatus of the provincial branch is called the first-level authorization intelligent key apparatus and the operation intelligent key apparatus of the provincial branch is called the first-level operation intelligent key apparatus; likewise, those of the city branch are called the second-level authorization intelligent key apparatus and the second-level operation intelligent key apparatus, those of the sub-branch are called the third-level authorization intelligent key apparatus and the third-level operation intelligent key apparatus, and the intelligent key apparatus held by a user is called the user intelligent key apparatus.
The master control intelligent key apparatus and the authorization intelligent key apparatuses at every level are secure carriers, and their keys are stored in plaintext form in the secure storage area of the intelligent key apparatus; the keys in the operation intelligent key apparatuses at every level are stored in ciphertext form. The master control intelligent key apparatus of the head office can set up the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus of the provincial branch; the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus of the provincial branch jointly set up the second-level authorization intelligent key apparatus and the second-level operation intelligent key apparatus of the city level; likewise, the second-level authorization intelligent key apparatus and the second-level operation intelligent key apparatus of the city branch jointly set up the third-level authorization intelligent key apparatus and the third-level operation intelligent key apparatus of the sub-branch. A user intelligent key apparatus can be set up by the master control intelligent key apparatus, jointly by the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus, or jointly by the two second-level or the two third-level intelligent key apparatuses. In a specific implementation the number of levels can be set as required and is not limited to the four levels of this embodiment.
In this embodiment, the upper-level intelligent key apparatus that sets up a lower-level intelligent key apparatus is called the current-level intelligent key apparatus, and the lower-level intelligent key apparatus being set up is called the next-level intelligent key apparatus. For example, when a first-level intelligent key apparatus sets up a second-level intelligent key apparatus, the first-level intelligent key apparatus is the current-level intelligent key apparatus and the second-level intelligent key apparatus is the next-level intelligent key apparatus; when a second-level intelligent key apparatus sets up a third-level intelligent key apparatus, the second-level intelligent key apparatus is the current-level intelligent key apparatus and the third-level intelligent key apparatus is the next-level intelligent key apparatus.
Four keys are stored in plaintext form in the master control intelligent key apparatus: the first authorization key Ka1, the second authorization key Ka2, the first operation key Ko1 and the second operation key Ko2. Ka1 and Ka2 are passed to the first-level authorization intelligent key apparatus, and Ko1 and Ko2 are passed to the first-level operation intelligent key apparatus.
Referring to Fig. 1, which is a flowchart of the method for setting up the first-level authorization intelligent key apparatus, the detailed process is as follows:
Step 101: the master control intelligent key apparatus and the first-level authorization intelligent key apparatus are connected to the host at the same time;
Step 102: the first-level authorization intelligent key apparatus generates a public/private key pair of an asymmetric key system, sends the public key of the pair to the master control intelligent key apparatus through the host, and keeps the private key inside the first-level authorization intelligent key apparatus;
Step 103: the master control intelligent key apparatus uses the received public key to encrypt its internal key Ka1, obtaining the first authorization encryption key Ka1', and then sends it to the first-level authorization intelligent key apparatus through the host;
Step 104: the first-level authorization intelligent key apparatus decrypts Ka1' with the corresponding private key to obtain Ka1 in plaintext form, and saves it in its secure storage area;
Step 105: the master control intelligent key apparatus asks the operator to enter provincial information (for example, the internal code of the provincial branch), and the operator enters the provincial information through the host;
Step 106: the master control intelligent key apparatus combines Ka2 with the provincial information to obtain the character string Ka2.1, encrypts Ka2.1 with the public key to generate the ciphertext Ka2.1', and sends Ka2.1' to the first-level authorization intelligent key apparatus through the host;
Step 107: the first-level authorization intelligent key apparatus decrypts Ka2.1' with the corresponding private key to obtain the character string Ka2.1 in plaintext form, and saves Ka2.1;
Step 108: the first-level authorization intelligent key apparatus sends its serial number to the master control intelligent key apparatus;
Step 109: after receiving the serial number of the first-level authorization intelligent key apparatus, the master control intelligent key apparatus combines this serial number with Ka2 and Ko2, performs a hash operation on the combined result to obtain a hash value, and then sets this hash value as the password SoPIN of the first-level authorization intelligent key apparatus.
The combination may be the sum of the hardware serial number, Ka2 and Ko2, or the concatenation of the three values, and so on.
At this point the first-level authorization intelligent key apparatus holds the first authorization key Ka1 and the second authorization key character string Ka2.1, which carries the provincial information, and its password SoPIN has been set; the setup process is complete.
Referring to Fig. 2, which is a flowchart of the method for setting up the first-level operation intelligent key apparatus, the specific steps are as follows:
Step 201: the master control intelligent key apparatus and the first-level operation intelligent key apparatus are connected to the host;
Step 202: the master control intelligent key apparatus asks the operator to enter provincial information (for example, the internal code of the provincial branch, identical to the provincial information in step 105 above), and the operator enters the provincial information through the host;
Step 203: the master control intelligent key apparatus combines Ka2 with the provincial information to obtain the character string Ka2.1, and combines Ko2 with the provincial information to obtain the character string Ko2.1;
Step 204: the first-level operation intelligent key apparatus sends its hardware serial number to the master control intelligent key apparatus;
Step 205: the master control intelligent key apparatus combines the hardware serial number of the first-level operation intelligent key apparatus with the character string Ka2.1, computes the hash value of the combined result to obtain a temporary key X, and encrypts Ko1 with X to obtain the first operation encryption key Ko1'; this encryption uses a symmetric encryption algorithm, which in this embodiment is 3DES;
Step 206: the master control intelligent key apparatus encrypts Ko2.1 with X to obtain the second operation encryption key Ko2.1'; this encryption uses a symmetric encryption algorithm, which in this embodiment is 3DES;
Step 207: the master control intelligent key apparatus sends Ko1' and Ko2.1' to the first-level operation intelligent key apparatus through the host;
Step 208: the master control intelligent key apparatus combines the hardware serial number of the first-level operation intelligent key apparatus with Ka2 and Ko2, and performs a hash operation on the combined result to obtain a hash value; this hash value is then set as the password SoPIN of the first-level operation intelligent key apparatus.
At this point the first-level operation intelligent key apparatus holds Ko1' and Ko2.1', and its SoPIN has been set; its setup process is complete.
Referring to Fig. 3, which is a partial flowchart of the method for setting up the second-level intelligent key apparatuses, the specific steps are as follows:
Step 301: the first-level operation intelligent key apparatus sends its hardware serial number to the first-level authorization intelligent key apparatus;
Step 302: the first-level authorization intelligent key apparatus combines the hardware serial number of the first-level operation intelligent key apparatus with Ka2.1, and computes the hash value of the combined result to obtain X (identical to the X in step 205);
Step 303: the first-level operation intelligent key apparatus sends Ko1' and Ko2.1' to the first-level authorization intelligent key apparatus;
Step 304: the first-level authorization intelligent key apparatus uses the key X to decrypt Ko1' and obtain Ko1 in plaintext form, and uses the key X to decrypt Ko2.1' and obtain Ko2.1 in plaintext form;
Step 305: the second-level authorization intelligent key apparatus and the second-level operation intelligent key apparatus each send their hardware serial number to the first-level authorization intelligent key apparatus;
Step 306: after receiving the hardware serial numbers, the first-level authorization intelligent key apparatus combines the hardware serial number of the second-level authorization intelligent key apparatus with Ka2.1 and Ko2.1, computes the hash value of the combined result, and sets this hash value as the password SoPIN of the second-level authorization intelligent key apparatus; it combines the hardware serial number of the second-level operation intelligent key apparatus with Ka2.1 and Ko2.1, computes the hash value of the combined result, and sets this hash value as the password SoPIN of the second-level operation intelligent key apparatus.
At this point the first-level authorization intelligent key apparatus holds Ka1, Ka2.1, Ko1 and Ko2.1. The method by which the first-level authorization intelligent key apparatus generates the second-level authorization intelligent key apparatus and the second-level operation intelligent key apparatus is the same as the method steps by which the master control intelligent key apparatus generates the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus; the third-level authorization intelligent key apparatus and the third-level operation intelligent key apparatus are generated by the same method. The difference is that city-level information is entered in place of the provincial information when generating the second-level intelligent key apparatuses, and sub-branch information is entered in place of the provincial information when generating the third-level intelligent key apparatuses.
Referring to Fig. 4, which is a flowchart of the method by which the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus unlock the second-level operation intelligent key apparatus, the specific steps are as follows:
Step 401: the first-level authorization intelligent key apparatus, the first-level operation intelligent key apparatus and the second-level operation intelligent key apparatus are connected to the host;
Step 402: the first-level operation intelligent key apparatus sends its hardware serial number to the first-level authorization intelligent key apparatus;
Step 403: the first-level authorization intelligent key apparatus combines the hardware serial number of the first-level operation intelligent key apparatus with Ka2.1, and computes the hash value of the combined result to obtain X (identical to the X in step 205);
Step 404: the first-level operation intelligent key apparatus sends Ko1' and Ko2.1' to the first-level authorization intelligent key apparatus;
Step 405: the first-level authorization intelligent key apparatus uses the key X to decrypt Ko1' and obtain Ko1 in plaintext form, and uses the key X to decrypt Ko2.1' and obtain Ko2.1 in plaintext form;
Step 406: the second-level operation intelligent key apparatus sends its hardware serial number to the first-level authorization intelligent key apparatus;
Step 407: the first-level authorization intelligent key apparatus combines the received hardware serial number of the second-level operation intelligent key apparatus with Ka2.1 and Ko2.1, and computes the hash value of the combined result to obtain the SoPIN of the second-level operation intelligent key apparatus;
Step 408: the first-level authorization intelligent key apparatus uses the SoPIN value to unlock the second-level operation intelligent key apparatus.
The unlock method for the second-level authorization intelligent key apparatus and for the third-level intelligent key apparatuses is the same as the above steps. Unlocking of the first-level authorization intelligent key apparatus or the first-level operation intelligent key apparatus is done by the master control intelligent key apparatus: it combines the hardware serial number of the first-level authorization intelligent key apparatus or the first-level operation intelligent key apparatus with Ka2 and Ko2, and uses the hash value of the combined result as the SoPIN of that apparatus to unlock it.
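The derivations in steps 203 to 208, 302 to 306 and 403 to 407 can be traced in a short sketch. This is an added example, not code from the patent: SHA-256 as the hash, an HMAC-SHA256 keystream standing in for 3DES, the length-prefixed concatenation, and all key, region and serial values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def combine(*parts: bytes) -> bytes:
    """Concatenation form of the "combination" step. The 2-byte length prefix
    per field is an added assumption that keeps field boundaries unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def combine_sum(*parts: bytes) -> bytes:
    """Summation form of the "combination" step (fields added as integers)."""
    total = sum(int.from_bytes(p, "big") for p in parts)
    return total.to_bytes(max(1, (total.bit_length() + 7) // 8), "big")

def digest(data: bytes) -> bytes:
    """Hash operation; SHA-256 is an assumed choice."""
    return hashlib.sha256(data).digest()

def sym_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher (the embodiment uses 3DES): XOR with
    an HMAC-SHA256 keystream. The label keeps the keystreams for different
    fields under the same X apart. The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, label + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def setup_operation_device(ka2, ko1, ko2, region, op_serial):
    """Steps 203-208, computed inside the master control apparatus."""
    ka2_1, ko2_1 = combine(ka2, region), combine(ko2, region)   # step 203
    x = digest(combine(op_serial, ka2_1))                       # step 205
    stored = {"Ko1'": sym_crypt(x, b"Ko1", ko1),                # step 205
              "Ko2.1'": sym_crypt(x, b"Ko2.1", ko2_1)}          # step 206
    sopin = digest(combine(op_serial, ka2, ko2))                # step 208
    return stored, sopin

def recover_operation_keys(ka2_1, op_serial, stored):
    """Steps 302-304 and 403-405, inside the first-level authorization apparatus."""
    x = digest(combine(op_serial, ka2_1))
    return (sym_crypt(x, b"Ko1", stored["Ko1'"]),
            sym_crypt(x, b"Ko2.1", stored["Ko2.1'"]))

def derive_sopin(serial, ka2_1, ko2_1, combiner=combine):
    """Steps 306 and 407: SoPIN of a second-level apparatus."""
    return digest(combiner(serial, ka2_1, ko2_1))

# Constructed sample values, for illustration only.
KA2, KO1, KO2 = b"\x11" * 16, b"\x22" * 16, b"\x33" * 16
REGION = b"PROV-0001"
SN_OP1, SN_OP2, SN_OTHER = b"SN-OP1-000123", b"SN-OP2-000456", b"SN-OP1-999999"

def demo():
    stored, _ = setup_operation_device(KA2, KO1, KO2, REGION, SN_OP1)
    ka2_1 = combine(KA2, REGION)  # held by the first-level authorization apparatus
    ko1, ko2_1 = recover_operation_keys(ka2_1, SN_OP1, stored)
    wrong_ko1, _ = recover_operation_keys(ka2_1, SN_OTHER, stored)
    return {
        "ko1_recovered": ko1 == KO1,
        "ko2_1_recovered": ko2_1 == combine(KO2, REGION),
        # X depends on the operation apparatus serial: another serial fails.
        "wrong_serial_fails": wrong_ko1 != KO1,
        # SoPIN recomputed at unlock (407) equals the one set at setup (306).
        "unlock_matches_setup": derive_sopin(SN_OP2, ka2_1, ko2_1)
                                == derive_sopin(SN_OP2, ka2_1, combine(KO2, REGION)),
        "sum_ignores_field_order": derive_sopin(SN_OP2, ka2_1, ko2_1, combine_sum)
                                   == derive_sopin(SN_OP2, ko2_1, ka2_1, combine_sum),
        "concat_keeps_field_order": derive_sopin(SN_OP2, ka2_1, ko2_1)
                                    != derive_sopin(SN_OP2, ko2_1, ka2_1),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With the summation form, swapping two fields gives the same SoPIN, so distinct inputs can collide; the concatenation form with explicit field lengths does not have this property.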
Referring to Fig. 5, which is a flowchart of the method for setting up a user intelligent key apparatus, and taking as an example the case where the first-level authorization intelligent key apparatus and the first-level operation intelligent key apparatus set the SoPIN of the user intelligent key apparatus, the specific steps are as follows:
Step 501: the first-level authorization intelligent key apparatus, the first-level operation intelligent key apparatus and the user intelligent key apparatus are connected to the host;
Step 502: the first-level operation intelligent key apparatus sends its hardware serial number to the first-level authorization intelligent key apparatus;
Step 503: the first-level authorization intelligent key apparatus combines the hardware serial number of the first-level operation intelligent key apparatus with Ka2.1, and computes the hash value of the combined result to obtain X (identical to the X in step 205);
Step 504: the first-level operation intelligent key apparatus sends Ko1' to the first-level authorization intelligent key apparatus;
Step 505: the first-level authorization intelligent key apparatus uses the key X to decrypt Ko1' and obtain Ko1 in plaintext form;
Step 506: the user intelligent key apparatus sends its hardware serial number to the first-level authorization intelligent key apparatus;
Step 507: the first-level authorization intelligent key apparatus combines the hardware serial number of the user intelligent key apparatus with Ko1 and Ka1, computes the hash value of the combined result, and then sets this hash value as the password SoPIN of the user intelligent key apparatus.
Similarly, the second-level or third-level authorization intelligent key apparatus and operation intelligent key apparatus can jointly set the SoPIN of a user intelligent key apparatus.
To unlock a user intelligent key apparatus, the SoPIN is obtained by the same method and is then used to unlock the user intelligent key apparatus.
In a specific implementation, in all of the above steps that use a hash algorithm, the hash operation may be replaced with the AES, DES, 3DES, SSF33, SCB2, ECC or RSA algorithm.
In all of the above steps that use the 3DES algorithm, the 3DES algorithm may be replaced with the AES, DES, SSF33, SCB2, ECC or RSA algorithm.
Referring to Fig. 6, which is a schematic diagram of a key transmission system for multi-level intelligent key apparatuses, the system comprises the following modules:
A key storage module, used to store a plurality of keys in an intelligent key apparatus;
A key transmission module, used to encrypt some of the plurality of keys and send the encrypted keys to the next-level authorization intelligent key apparatus, which after receiving the encrypted keys decrypts them to obtain the keys in plaintext form and then stores the keys in plaintext form;
Also used to encrypt the remaining keys of the plurality of keys to obtain ciphertext and send the ciphertext to the next-level operation intelligent key apparatus, which stores the ciphertext after receiving it.
The next-level authorization intelligent key apparatus is a secure storage medium, and the keys are stored in the secure storage area of the next-level authorization intelligent key apparatus.
The key transmission module further comprises:
A public/private key pair generation unit, used by the next-level authorization intelligent key apparatus to generate an asymmetric public/private key pair and send the public key of the pair to the current-level intelligent key apparatus;
A key encryption unit, used by the current-level intelligent key apparatus, after it receives the public key, to encrypt some of the plurality of keys and send the encrypted keys to the next-level intelligent key apparatus;
A decryption unit, used by the next-level authorization intelligent key apparatus, after it receives the encrypted keys, to decrypt them with the private key to obtain the keys in plaintext form, and to store the keys in plaintext form.
The algorithm used in the key transmission module to encrypt the remaining keys of the plurality of keys into ciphertext comprises the AES algorithm, the DES algorithm, the 3DES algorithm, the SSF33 algorithm, the SCB2 algorithm, the ECC algorithm or the RSA algorithm.
The parameter used in the algorithm is a value related to a hardware characteristic parameter of the next-level operation intelligent key apparatus.
The system further comprises:
A same-level key transmission module, used to send the ciphertext stored in the current-level operation intelligent key apparatus to the current-level authorization intelligent key apparatus, which after receiving the ciphertext decrypts it to obtain the keys in plaintext form.
Referring to Fig. 7, which shows another key transmission system for multi-level intelligent key apparatuses provided by the invention, the system comprises:
A current-level operation intelligent key apparatus, used to store keys in ciphertext form and to send the keys to the current-level authorization intelligent key apparatus;
A current-level authorization intelligent key apparatus, used to receive the keys in ciphertext form sent by the current-level operation intelligent key apparatus and to decrypt them; also used to encrypt the original keys of the current-level authorization intelligent key apparatus and send them to the next-level authorization intelligent key apparatus, and to perform a further operation on the keys received from the current-level operation intelligent key apparatus and decrypted, and then send the result to the next-level operation intelligent key apparatus;
A next-level authorization intelligent key apparatus, used to receive the encrypted keys sent by the current-level authorization intelligent key apparatus, decrypt them, and store the decrypted keys;
A next-level operation intelligent key apparatus, used to receive the keys sent by the current-level authorization intelligent key apparatus after the operation, and then store the keys in ciphertext form.
The next-level authorization intelligent key apparatus further comprises a public/private key pair generation unit, used by the next-level authorization intelligent key apparatus to generate an asymmetric public/private key pair and send the public key of the pair to the current-level authorization intelligent key apparatus.
The current-level authorization intelligent key apparatus uses the public key to encrypt the stored keys and generate ciphertext, and sends the ciphertext to the next-level authorization intelligent key apparatus, which decrypts the received ciphertext with the private key of the public/private key pair.
The embodiments described above are only several preferred embodiments of the present invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical scheme of the invention shall all fall within the protection scope of the present invention.