CN101281563A - Digital signing apparatus with using counter - Google Patents
Digital signing apparatus with using counter Download PDFInfo
- Publication number
- CN101281563A CN101281563A CNA2007100907004A CN200710090700A CN101281563A CN 101281563 A CN101281563 A CN 101281563A CN A2007100907004 A CNA2007100907004 A CN A2007100907004A CN 200710090700 A CN200710090700 A CN 200710090700A CN 101281563 A CN101281563 A CN 101281563A
- Authority
- CN
- China
- Prior art keywords
- usage counter
- data
- digital signature
- user
- outside
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention is used for software protection and the like. A use counter is arranged in a USBKEY, software to be protected can determine whether the device is shared with other users or programs by detecting the use counter, and then protection measures are taken accordingly. The use counter operates in USBKEY and other digital security equipments, is protected by the security equipments, the value of the counter is protected by digital signature in public key encryption system when read out.
Description
Technical field
The present invention relates to a kind of device that is applied to digital signature.
Background technology
In traditional commercial activity, for the safety that guarantees to conclude the business with true, a contract in writing or official document will be signed, be affixed one's seal by litigant or its responsible official, so that allow both parties discern is the contract of whose label, the people who guarantees sign or seal approves the particulars of a contract, can admit just that legally this part contract is effective.And in the virtual world of ecommerce, contract or file be with the performance of the form of e-file and transmit, on e-file, and traditional handwritten signature and affix one's seal and can't carry out, this just must rely on technological means to substitute.Can in e-file, discern both sides negotiator's true identity, guarantee security and the authenticity and the non repudiation of transaction, play the electronic technology means with the signature of the handwritten signature or the equivalent effect of affixing one's seal, be referred to as electronic signature.Legally, signature has two functions: promptly identify signer and the expression signer approval to file content.
It is a variety of to realize that the technological means that signs electronically has, but present comparative maturity, the electronic signature technology that advanced country in the world generally uses also is based on the digital signature technology of public key architecture.
Whitfield.diffie in 1976 and martin.hellman have openly proposed the public-key cryptography theory first, have established the basis of pki system.Pki is the abbreviation of public key infrastruction, just so-called public key architecture.Public key architecture is a kind of public key cryptography technology that utilizes contemporary cryptology provides data encryption and digital signature service in disclosed network environment a unified technological frame.Public key algorithm commonly used has rsa, dsa and deffie.hellman (dh) algorithm etc.The user of use public key algorithm has the PKI and the private key for user of coupling simultaneously, and private key for user is preserved and can not be leaked by the user, and PKI is then wanted extensive disclosed issue, and private key for user can't calculate by PKI and obtain.
In the ordinary course of things, because the algorithm and the PKI that use in the public key architecture all are disclosed, make described private key for user become the weakest link in the PKI system.For strictly protecting private key for user not leaked, the use of not gone beyond one's commission, people have invented numerous private key for user protective devices, solve the preservation and the use problem of private key for user, and present widely used USBKEY promptly is a kind of reasonable private key for user protective device.
USBKEY is a kind of small and exquisite hardware device of USB interface, and what difference shape and the USB flash disk that we are common do not have.But its inner structure is remarkable, and it is built-in CPU, storer, chip operating system (COS) can be stored user's private key for user or digital certificate, and built-in cryptographic algorithm.The built-in CPU of USBKEY realizes that the various algorithms of encryption and decryption and signature carry out, and have guaranteed that private key for user does not appear in the calculator memory, thereby have stopped the possibility that private key for user is intercepted by the hacker in USBKEY.
USBKEY has the secure data storage space, can store secret datas such as digital certificate, private key for user, the use of private key is finished on the spot in device inside among the USBKEY, the user does not need private key for user to be exported to the device outside yet, thereby having stopped with a USBKEY is master, and the complete copy another one stores the possibility of the USBKEY of same subscriber key.
USBKEY generally has hardware PIN code protection, and PIN code and hardware have constituted two necessary factors that the user uses USBKEY.The user has only and has obtained USBKEY and user's PIN code simultaneously, just can use the private key for user among the USBKEY.Even user's PIN code is leaked, as long as the USBKEY that the user holds is not stolen, the identity of validated user just can not be by counterfeit; If user's USBKEY loses, the person of picking up is not owing to know user's PIN code, identity that yet can't counterfeit validated user.
In the application of existing digital signature device; the possessor of digital signature device is generally the obligee; what digital signature device was protected is device possessor's a certain right, and what existing in other words digital signature device mainly solved is the problem that private key for user is not replicated and is not usurped by the people outside the legal holder.
But; in some special application, device need be used to someone a certain right outside the protective device holder, in this case; we may just need certain means and determine the situation that private key for user is used in the device, number of times that for example is used or the like.
A typical example is that when USBKEY was used for software protection, USBKEY, generally can only be used by a user in the same moment as the row power voucher in the software licensing system.And under present network environment; the device of similar USBKEY and so on and equipment are easy to be shared very much; if we are provided with a usage counter in USBKEY; then protected software is by detecting this usage counter; can determine this device at an easy rate whether also by other user or program sharing, this is a purpose of the present invention
Summary of the invention
The objective of the invention is a usage counter to be set in USBKEY, make the protected software can be, determine that this device is whether also by other user or program sharing by detecting this usage counter in order to satisfy the application such as software protection.As a whole set of safety approach; this usage counter works in numeric security device interiors such as USBKEY; by the protection of the security system of device, in the process of reading this usage counter value, the value of usage counter is disclosed the digital signature protection in the secret key encryption system.
The invention allows for the described device of a kind of use; determine the method whether described digital signature device is being shared by multiple spot reliably; the main points of this method are that a usage counter is set in digital signature device inside; user that device is outside or program are by visiting the value of described usage counter continuously; and it is whether continuous by the result of relatively twice connected reference; to determine that device is whether by other user or procedure sharing; to be digital signature device be delivered to the value of usage counter before the target location supporting safety practice; earlier to the protection of signing of the value of usage counter; so that the recipient of information can determine the source of information, can confirmation in transmittance process, not be replaced or distort again.
Apparatus and method described herein can be applied to software protection, also can be applicable to the application of aspects such as network entry, and for example limited subscriber can only be logined a service point a moment.Whether specific implementation also is by visiting the value of described usage counter continuously, and relatively whether the result of twice connected reference is continuous, use being shared by other service point to determine device.
So-called visit result is continuous, for instance, is to add one if change the method for usage counter among the USBKEY, if previous visit result is N, after once visit result be N+1, we say that the visit result is continuous.Visit result explanation does not continuously have this equipment of other user or routine access in the middle of this locates the gap of the twice described equipment of visit.
Description of drawings
Shown in Figure 1, on original digital signature device basis, increasing the flow chart of usage counter.
Original digital signature device is directly to being signed by signed data; And the signature apparatus of new band usage counter is, earlier the value of a usage counter is combined to from install that the outside imports into by on the signed data, then the data that made up described usage counter are signed, adjust the value of described usage counter at last, for example it is added one.
Just one of embodiments of the present invention shown in Figure 1, the just improvement description on original USBKEY enforcement basis is described also at this place, so the master routine that do not draw in flow chart.As for the one-piece construction of USBKEY, can consult related disclosure.
Shown in Figure 2, be the flow chart of counterpart in the old USBKEY embodiment.As for how to increase a usage counter to device, perhaps the CPU the inside from USBKEY distributes a storage unit to use for usage counter in program design, is well-known technology, and this paper repeats no more.
Embodiment
Signature described herein refers in particular in the public key encryption technology, the transform operation that uses so-called private key (some data also is called it " golden key ") that a data block is carried out.
In the public key encryption system, the corresponding PKI B of a private key (we can be referred to as A), a signature algorithm S, and a signature verification algorithm V;
Provide a blocks of data D1 arbitrarily, we can pass through signature algorithm S, with parameter A D1 are carried out conversion, obtain data D2:
D2=S (A, D1), S is an algorithm, and D1, D2 are data, and A is a parameter.
And by signature verification algorithm V, with B parameter D2 is carried out conversion and just obtain data D1:
D1=V (B D2), V is an algorithm, and D1, D2 are data, and B is a parameter.
Under the situation of only knowing signature verification algorithm V and PKI B, people extremely difficulty know S and A simultaneously by inference; Also extremely difficult algorithm S2 and the corresponding key A 2 that substitutes of releasing is with the algorithm function that realizes that intactly S and A combination can realize.
D2=S2 (A2, D1), S2 is an algorithm, and D1, D2 are data, and A2 is a parameter.
Digital digest described herein refers in particular to the digital digest algorithm that uses in the public key encryption system, and a data block is carried out the numeric results that computing draws, and promptly is called as summary in the public key encryption system.
The mathematical description of digest algorithm can be, has an algorithm E, and it carries out computing to input data D1 and obtains D2;
D2=E (D1), E are algorithm, and D1, D2 are data.
Digest algorithm E can calculate output D2 easily according to input D1; And be difficult to determine input D1 according to the output D2 of appointment; Also be difficult to find two different inputs, make it draw identical output by computing E.
First kind of typical embodiment of the digital signature device of described band usage counter, be on existing USBKEY device basic, increase a usage counter, when the described digital signature device of each use is signed, with the value of described usage counter and being made up of importing into from the outside, again the data that made up are signed earlier by signed data.Certainly, use described digital signature device to carry out the once signed operation, the value of described usage counter just needs to change once, for example adds one at every turn.
Second kind of typical embodiment, be on existing USBKEY device basic, increase a usage counter, when the described digital signature device of each use is signed, earlier with the value of described usage counter and being made up of importing into from the outside by signed data, calculate the digital digest of the data of described combination then, at last described digital digest is signed.Identical with aforementioned embodiments, use described digital signature device to carry out the once signed operation at every turn, the value of described usage counter just needs to change once, for example subtracts one.
The third typical embodiment, be on existing USBKEY device basic, increase a usage counter, when the described digital signature device of each use is signed, calculate earlier import into from the outside by the digital digest of signed data, then digital digest and the described usage counter that calculates made up, at last the digital digest that made up usage counter is signed.Identical with aforementioned embodiments, use described digital signature device to carry out the once signed operation at every turn, the value of described usage counter just needs to change once, for example takes advantage of seven.
The 4th kind of typical embodiment is on existing USBKEY device basic, increases a usage counter, installs the digital signature operation of every execution one correlations, and this usage counter is once adjusted.The usage counter sense command of a special use is provided simultaneously, the sense command of each execution usage counter is when the value of described usage counter is transmitted in the device outside, carry out digital signature with the private key in the device to this usage counter earlier, the data that just will sign name then are sent to the device outside.
So-called usage counter and other data being made up, can be that series arrangement is together simply with the data bit of two parts data.For example hypothesis " other data " is 16 system 0xABCD EF01 2,345 6789, and " usage counter " value is 16 system 0x0001, and then combined result can be 16 system 0xABCD EF01 23,456,789 0001.Combinatorial operation is not special computing, so no longer go through.
Of particular note, remove in the critical use of device, for example signature operation changes the value of described usage counter, and device resets and described usage counter can be changed to outside the predetermined value, and described usage counter can not be revised by other approach.
Also of particular note, the value of change usage counter described herein is not limited to add one, subtracts one, perhaps take advantage of seven or the like, can be any one computing that can change the usage counter value in principle, certainly, add one operation be the computing that should preferentially be selected for use.
Also of particular note, a usage counter of described increase, can be a storage chip on physical aspect, connect together, the CPU of existing USBKEY can be conducted interviews to it by I2C bus certain idle I/O pin in the cpu chip of prior USB KEY.The design proposal of optimizing is directly to use certain storage space of the cpu chip of USBKEY, as the physical location of depositing described usage counter.
A kind of improvement design of the digital signature device of aforementioned band usage counter, be that one group of usage counter is set in device, and be not only a usage counter, the external users selects one in this group usage counter to conduct interviews by a call number or usage counter identification number.Specific implementation is on the basis of aforementioned implementation method, wherein " making up with the value of usage counter with by signed data " is revised as " according to the call number of outside input; selected usage counter, and with the value of described call number and described usage counter with made up by signed data "; Corresponding becoming " changes the described value by the selected usage counter of call number of this section " and " change the value of described usage counter " in the aforementioned implementation method.
What preamble was described is the typical way of the digital signature device of several this kind of realization band usage counters.Increase usage counter to digital signature device; and make the user of device understand the situation that device is used by a reliable passage or means; particularly when such device is applied to software protection; make protected program can judge reliably that whether this digital signature device is shared by many places, is only spirit of the present invention.
Distinguish mutually with the signature apparatus of the existing band usage counter that may exist, it is means with the digital signature protection that the device that the present invention provides provides a kind of value with described usage counter, is delivered to the method for destination reliably.If in digital signature device, be provided with usage counter; but means that provide any quilt to transmit reliably for the usage counter that is provided with in this kind device not; the means of reading by digital signature protection are not provided in other words, and then this kind device is not within the scope that the present invention is contained.
Below by more popular narration spirit of the present invention is further introduced.Essence of the present invention as the narration of preamble, is to wish and can provide means for the program of using USBKEY and so on encryption device, and allow it can detect the operating position of digital signature devices such as USBKEY, it is inferior for example what to be used in certain time period.Certainly, we to require this detection be credible and be not easy to be handled.
Guarantee the credible of the information that detects, first wants the collection of guarantee information errorless, and the secondth, the transmission of guarantee information errorless.Digital signature equipment such as USBKEY are a kind of very special safety features, it forms, does not provide program dynamic updating, its design and manufacture process even its technology that adopts all to be subjected to stricter control by a relatively little system, we generally regard its integral body as a place of safety, believe that the information that it is gathered is reliable.And the information of being gathered is in transmittance process, and we do not have condition to suppose that this group information do not pass through non-place of safety; And in fact, described information must be passed through non-place of safety, bears to comprise monitoring, distort, replace, reset, postpone or the like panoramic attack.By digital signature the information of the described digital signature device behaviour in service of described reflection is protected; make us at first can determine the source of the information of the described digital signature device behaviour in service of described reflection; next is that we can be determined, described information sees through when transmit described non-place of safety and do not distorted.
In device, increase a usage counter; and this usage counter is increased in the inside, place of safety of device; whether then no matter install in standard signature is used on value with this usage counter is combined to by signed data; as long as device provides a usage counter sense command; and the realization of this sense command has been carried out digital signature protection to this usage counter, then belongs to category of the present invention.Certainly, reading by the value of the described usage counter of described digital signature protection along band by aforesaid digital signature order, is the preferred version of reading so-called usage counter.
So-called the protection of signing of certain data was meant before digital signature, in some way these data is joined by among the signed data, so that the result that signs can reflect the feature of protected data.Even a bit little change takes place, all can be destroyed the validity of digital signature by the data of signature protection.
Again from the logical organization aspect, the device that the present invention proposes is once described substantially below.At first, usage counter of the present invention is designed in the place of safety of digital signature device interiors such as USBKEY, and other safety component that itself and USBKEY internal security area are realized is the same, is subjected to the protection of USBKEY security mechanism, is not easy victim and attacks; Secondly, finish the place of safety that is implemented in USBKEY inside of described usage counter, for example the signature of its relevant program code and USBKEY and deciphering algorithmic code store together, achieve and be not easy to be distorted, can reflect the operating position of USBKEY with the value that guarantees described usage counter truly; Once more, we provide the means of reading by digital signature protection for described usage counter, guarantee that the value of the described usage counter of reading is not distorted in transmitting the way.
Figure 2 shows that the block diagram of one section program code in the USBKEY place of safety, Figure 1 shows that the block diagram that program code shown in Figure 2 is made amendment.
Place of safety described herein can be interpreted as simply, and the memory block that is similar to private key among the USBKEY is the storage security district, and the memory block that is similar among the USBKEY signature or decipherment algorithm is the code security district; Usage counter described herein requires to leave the place that is similar to described storage security district in, and its relevant fetcher code must be deposited the place that is similar to described code security district.
Determine the implementation method whether described device is shared by multiple spot,, repeat no more at preamble by the agency of.
The value of mentioning for the preamble many places with usage counter is combined on " other data ", be not limited to " other data " not destroyed, because " other data " may have redundant, for example the value of usage counter is 0x0001, " other data " are 0xABCDEFGH1234, we can may usage counter replace part position in " other data ", for example obtain 0xABCD00011234, also belong to syntagmatic category described herein.
Claims (10)
1. digital signature device, this device comprises the smart card of a band central processing unit and private key for user storer, described smart card can be a parameter with the private key for user that is stored in wherein, use public key encryption algorithm, sign or decrypt operation to installing the data of sending into the outside, and the result is sent to the device outside; Also have a usage counter in this device, and at least one such private key, the described private key of every use carries out digital signature one time, and the state of described usage counter changes once; This device also provides order, the result data that the data in the described usage counter and other data combination draw is signed, and the result that will sign sends to the device outside.
2. digital signature device according to claim 1, the smart card of a described band central processing unit and private key for user storer is USBKEY.
3. digital signature device according to claim 1, described " other data " are empty, " result data that the data in the usage counter and other data combination draw " be " data in the usage counter " self.
4. digital signature device according to claim 1, described " other data " for from install that the outside imports into by signed data or from install that the outside imports into by the digital digest of signed data.
5. digital signature device according to claim 1, before " result data that the data in the usage counter and other data combination draw " carried out digital signature, advanced line number word summary digital digest is signed, and the result that will sign sends to the device outside again.
6. digital signature device according to claim 1, the state of described change usage counter are that the value to usage counter adds one, subtracts first-class single-valued function conversion, and transformation results is stored in the original usage counter.
7. digital signature device according to claim 1, described usage counter are one group of usage counters, and which usage counter certain signature uses, and can be specified by the mode of selecting similar call number by the outside.
8. determine the method whether described digital signature device is being shared by multiple spot reliably for one kind; The main points of this method are that a usage counter is set in digital signature device inside, user that device is outside or program are by visiting the value of described usage counter continuously, and whether the value of more double its usage counter of visit is continuous, determines that device is whether by other user or procedure sharing; And digital signature device before data transmit in advance to the protection of signing of the value of usage counter so that the recipient of information can determine the source of information, can confirmation in transmittance process, whether be replaced or distort again.
9. described digital signature device of claim 1-8 and the application of method in software protection.
10. described digital signature device of claim 1-8 and the application of method aspect network entry, for example limited subscriber can only be logined a service point a moment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2007100907004A CN101281563A (en) | 2007-04-04 | 2007-04-04 | Digital signing apparatus with using counter |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2007100907004A CN101281563A (en) | 2007-04-04 | 2007-04-04 | Digital signing apparatus with using counter |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101281563A true CN101281563A (en) | 2008-10-08 |
Family
ID=40014030
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2007100907004A Pending CN101281563A (en) | 2007-04-04 | 2007-04-04 | Digital signing apparatus with using counter |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101281563A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103490894A (en) * | 2013-09-09 | 2014-01-01 | 飞天诚信科技股份有限公司 | Implementation method and device for determining lifecycle of intelligent key device |
| CN104253813A (en) * | 2014-09-05 | 2014-12-31 | 国电南瑞科技股份有限公司 | Modulation integrated system remote maintenance-based safety protection method |
| CN105262595A (en) * | 2011-02-17 | 2016-01-20 | 英飞凌科技股份有限公司 | Systems and methods for device and data authentication |
| CN107948174A (en) * | 2017-11-30 | 2018-04-20 | 广州酷狗计算机科技有限公司 | The method and apparatus that completeness check is carried out when transmitting data |
| WO2021253254A1 (en) * | 2020-06-17 | 2021-12-23 | 深圳市欢太科技有限公司 | Chip, chip encapsulation structure and electronic device |
-
2007
- 2007-04-04 CN CNA2007100907004A patent/CN101281563A/en active Pending
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105262595A (en) * | 2011-02-17 | 2016-01-20 | 英飞凌科技股份有限公司 | Systems and methods for device and data authentication |
| CN103490894A (en) * | 2013-09-09 | 2014-01-01 | 飞天诚信科技股份有限公司 | Implementation method and device for determining lifecycle of intelligent key device |
| CN104253813A (en) * | 2014-09-05 | 2014-12-31 | 国电南瑞科技股份有限公司 | Modulation integrated system remote maintenance-based safety protection method |
| CN107948174A (en) * | 2017-11-30 | 2018-04-20 | 广州酷狗计算机科技有限公司 | The method and apparatus that completeness check is carried out when transmitting data |
| WO2021253254A1 (en) * | 2020-06-17 | 2021-12-23 | 深圳市欢太科技有限公司 | Chip, chip encapsulation structure and electronic device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107425982B (en) | Method and block chain for realizing intelligent contract data encryption | |
| CN109074433B (en) | Method and system for verifying digital asset integrity using a distributed hash table and a peer-to-peer distributed ledger | |
| WO2018076762A1 (en) | Block chain-based transaction verification method and system, electronic device, and medium | |
| CA2018770C (en) | Public/key date-time notary facility | |
| EP0895149B1 (en) | Computer system for protecting a file and a method for protecting a file | |
| US8528104B2 (en) | Security and ticketing system control and management | |
| CN111046352A (en) | Identity information security authorization system and method based on block chain | |
| CN115391749A (en) | Method and system for protecting computer software using distributed hash table and blockchain | |
| US20160085955A1 (en) | Secure Storing and Offline Transferring of Digitally Transferable Assets | |
| CN113169866B (en) | Techniques for preventing collusion using simultaneous key distribution | |
| CN101311950A (en) | Electronic stamp realization method and device | |
| KR19990044692A (en) | Document authentication system and method | |
| OA10456A (en) | Cryptographic system and method with key escrow feature | |
| JP2002514799A (en) | Electronic transmission, storage and retrieval system and method for authenticated documents | |
| CN101110097A (en) | Method for safely dispensing electronic document | |
| CN109889495B (en) | Quantum computation resistant electronic seal method and system based on multiple asymmetric key pools | |
| CN101739622A (en) | Trusted payment computer system | |
| CN113347008B (en) | Loan information storage method adopting addition homomorphic encryption | |
| CN101281563A (en) | Digital signing apparatus with using counter | |
| CN102024115B (en) | Computer with user security subsystem | |
| Yin et al. | A survey on privacy preservation techniques for blockchain interoperability | |
| CN113420049A (en) | Data circulation method and device, electronic equipment and storage medium | |
| Gallery et al. | Trusted computing: Security and applications | |
| Yi et al. | Blockchain Foundations and Applications | |
| CN108038392A (en) | A kind of smart card encryption method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20081008 |