CN101282219A - Information safety equipment for improving use security as well as implementing method thereof - Google Patents

Publication number
CN101282219A
Authority
CN
China
Legal status
Pending
Application number
CNA2008101065597A
Other languages
Chinese (zh)
Inventor
孙吉平
韩勇
Current Assignee
SHENSILUOKE DATA PROTECTION CENTER BEIJING
Beijing Senselock Software Technology Co Ltd
Original Assignee
SHENSILUOKE DATA PROTECTION CENTER BEIJING
Application filed by SHENSILUOKE DATA PROTECTION CENTER BEIJING
Priority to CNA2008101065597A
Publication of CN101282219A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses an information security device with improved security in use, and a method of implementing it. It adopts a technical process entirely different from the authorization verification and key use of existing information security devices: the conventional admission process is changed into a release process. This gives the user greater security when using the device and effectively prevents background attacks. The invention greatly reduces the security risk in key use on existing information security devices, and is of great practical significance for their large-scale adoption.

Description

An information security device with improved security in use, and a method of implementing it
Technical field
The present invention relates to information security devices and their key management, and in particular to a technique, and a method of implementing it, for protecting authorization verification and key use in an information security device.
Background art
E-commerce has changed the way traditional business operates, greatly improving commercial efficiency and reducing transaction costs, but this new business model also faces serious security threats. Security is therefore treated as the most important factor in every e-commerce application. At present the main security risk in e-commerce comes from the client side, for example the computer the user works on and the software running on it, or a mobile device (such as a PDA) and the software running on it. E-commerce therefore generally adopts high-strength authentication to confirm the user's identity and to prevent impersonation and fraud.
Among all identity authentication methods, a USB Key supporting PKI (Public Key Infrastructure) is one of the highest-level security authentication means: the digital certificate and key stored inside the USB Key are used to perform secure identity authentication with the server. In online banking, banks place no restrictions, such as amount limits, on transactions by users who authenticate with a USB Key, regarding it as a very reliable security method. Chinese patent 200410028723.9 discloses a method of protecting online banking transactions, "Apparatus and method for encrypting and authenticating online banking data", characterized by the following steps: a) generating a digital certificate for the user from the user's information; b) storing the digital certificate in the USB KEY to be issued to that user; c) when the user logs in to online banking to process data, confirming the user's identity or digital signature by means of the USB KEY. That invention also discloses an apparatus that uses a USB KEY to encrypt and authenticate online banking data as described. Each USB KEY has a unique serial number, the private key cannot leave the internal memory, and online transactions can proceed only after the user's identity is confirmed. Its inventors therefore consider that invention highly confidential and secure.
However, the USB Key has an inherent weakness: all of its security operations must be completed with the cooperation of a computer, and every operation on the USB Key is performed by the computer (including PDAs and the like). Because the user's computer system faces all kinds of security attacks, an attacker can, through means such as Trojan horse programs on the computer, illegitimately operate the device connected to the USB interface and use the digital certificate and key inside the USB Key.
To prevent illegitimate use of the digital certificate and key, the user is usually required to enter a PIN to obtain authorization before the key or certificate is used. Once the USB Key has verified the PIN, it grants the computer permission to use the key or digital certificate it holds, and computer software can then call that key or certificate to perform information security functions, for example a digital signature.
This way of authorizing carries a latent security risk: after the user enters the PIN, the USB Key allows access to its key or digital certificate, and if an attacker then uses a Trojan on the user's computer to access the key or certificate as well, the user cannot notice and the attack succeeds. For example, if the user does not remove the USB Key from the computer promptly after an online banking transaction, an attacker may run an attack program in the background on the user's computer and steal from the user's account. Computer software could send the USB Key a reset instruction as soon as the key or digital certificate has been used after PIN entry, returning the USB Key to its state before the PIN was entered, but a Trojan can easily intercept such a reset instruction and render it ineffective, so relying on computer software for this management is unreliable.
Other verification methods, such as fingerprint or iris verification, are exposed to the same danger as PIN verification when facing this kind of attack.
In general, existing USB Key information security devices do not manage the security of key or digital certificate use; they simply grant access rights once verification has passed, and therefore cannot resist background attacks.
Summary of the invention
The present invention proposes a new technical process for authorization verification and for the use of keys or digital certificates, changing the original "verify" → "use" method.
Specifically, the use of an information security device has traditionally resembled "opening a door to grant entry": the user obtains access to the device by entering a PIN, verifying a fingerprint or the like, after which the computer can operate the device. The present invention instead adopts a "release" approach: the required security operations are prepared first, and after the user confirms by verifying a PIN, a fingerprint or the like, the device completes those security operations in one pass or in succession. In this way, verifying the PIN or fingerprint is in fact the user's confirmation of the operations prepared beforehand, so no unknown security operation is executed on the device.
To realize this, a command buffer is added to the information security device to store or manage pending commands. Once the command queue is ready, the command buffer waits for the user to confirm by entering a PIN or by another verification method; after verification passes, the command buffer hands the command queue to the device's command execution module, which processes the commands.
The specific working steps are:
A. The command buffer accepts operation commands from the computer and manages them in a queue;
B. The command buffer accepts an execute instruction from the computer and sends a confirmation request to the access control module;
C. The access control module completes the authorization verification process and reports the verification result to the command buffer;
D. The command buffer passes the commands in the queue to the command execution module, which executes them.
In step A, the command buffer may accept one operation command from the computer or several. When queueing commands, the command buffer may buffer them either in the internal storage of the information security device or in the computer's storage. If they are buffered in the computer's storage, the command buffer can also number and encrypt the commands to improve their security.
The command buffer may require authorization verification, for example PIN entry, before accepting operation commands from the computer. That verification, however, must not be the same one as the verification in step C.
In step B, the execute instruction sent by the computer may be explicit or implicit. An explicit execute instruction is one the computer sends specifically to ask the command buffer to begin executing the queued commands. An implicit instruction is a rule agreed between the computer and the command buffer under which the queued commands begin executing when a given condition is met. For example, the computer and the command buffer may agree on an upper limit on the number of buffered commands; when that limit is exceeded, the command buffer starts the execution process automatically.
The access control module is the part of the information security device responsible for confirming the user's identity, and is mature technology in such devices.
In step C, the authorization verification performed by the access control module includes means such as PIN verification and biometric verification. The access control module may also provide a dedicated verification service for the command buffer, to avoid conflict or confusion with other verification processes.
Before step C, the command buffer may also send information about the queued commands to the computer for display, so that the user can confirm the commands.
In step D, the command execution module accepts and processes the commands that the information security device supports. The command execution module is a mature technology and function in such devices.
After these steps, the user has confirmed the commands to be executed. From then on, no other command can be executed unless the user confirms again.
According to one aspect of the present invention, an information security device with improved security in use is provided, characterized in that the device comprises:
an access control module for confirming the user's identity;
a command buffer for receiving and forwarding instructions;
a command execution module for executing instructions.
According to one aspect of the present invention, the device is further characterized in that the command buffer accepts one or more instructions from the computer.
According to one aspect of the present invention, the device is further characterized in that the command buffer accepts operation commands from the computer and manages the command queue.
According to one aspect of the present invention, the device is further characterized in that the command buffer accepts an execute instruction from the computer and sends a confirmation request to the access control module.
According to one aspect of the present invention, the device is further characterized in that the access control module completes the authorization verification process and reports the verification result to the command buffer.
According to one aspect of the present invention, the device is further characterized in that the command buffer passes the instructions in the command queue to the command execution module, which executes them.
According to one aspect of the present invention, the device is further characterized in that, when managing the command queue, the command buffer buffers commands in the internal storage of the information security device or in the computer's storage.
According to one aspect of the present invention, the device is further characterized in that, if commands are buffered in the computer's storage, the command buffer also numbers and encrypts the commands.
According to one aspect of the present invention, the device is further characterized in that the command buffer performs authorization verification before accepting operation commands from the computer.
According to one aspect of the present invention, the device is further characterized in that the authorization verification performed by the access control module includes PIN verification and biometric verification.
According to one aspect of the present invention, the device is further characterized in that the access control module provides a dedicated verification for the command buffer.
According to one aspect of the present invention, the device is further characterized in that the command buffer sends the computer information that makes it easier to confirm the commands.
According to another aspect of the present invention, a method of improving the security in use of an information security device is provided, characterized in that the information security device comprises:
an access control module for confirming the user's identity;
a command buffer for receiving and forwarding instructions;
a command execution module for executing instructions;
wherein the method comprises the steps of:
(1) the command buffer accepts operation commands from the computer and manages the command queue;
(2) the command buffer accepts an execute instruction from the computer and sends a confirmation request to the access control module;
(3) the access control module completes the authorization verification process and reports the verification result to the command buffer;
(4) the command buffer passes the instructions in the command queue to the command execution module, which executes them.
According to another aspect of the present invention, the method is further characterized in that, when managing the command queue, the command buffer buffers commands in the internal storage of the information security device or in the computer's storage.
According to another aspect of the present invention, the method is further characterized in that, if commands are buffered in the computer's storage, the command buffer numbers and encrypts the commands.
According to another aspect of the present invention, the method is further characterized in that the command buffer performs authorization verification before accepting operation commands from the computer.
According to another aspect of the present invention, the method is further characterized in that the authorization verification performed by the access control module includes PIN verification and biometric verification.
According to another aspect of the present invention, the method is further characterized in that the access control module provides a dedicated verification for the command buffer.
According to another aspect of the present invention, the method is further characterized in that the command buffer sends the computer information that makes it easier to confirm the commands.
Description of drawings
Fig. 1 is a structural diagram of the present invention.
Fig. 2 is a workflow diagram according to one embodiment of the present invention.
Embodiment
A specific embodiment of the invention is described in detail below with reference to the drawings.
In this embodiment, a command buffer module is added, as a firmware module, to the MiKey information security device from Senselock.
The main function of MiKey is to use its internal RSA keys for encryption, decryption and digital signature operations. On top of these cryptographic operations, MiKey provides standard interface libraries such as CSP or PKCS#11 to serve security applications such as online banking.
In the original product, MiKey grants the corresponding authorization once the user has entered a PIN. Once obtained, this authorization persists unless the security state is actively changed, and it may be exploited by a Trojan program. The security mechanisms adopted by other USB Key devices are all similar.
In this embodiment, if the user needs to use a key in the USB Key for a digital signature, the relevant commands must first be prepared in the command buffer, and they can be executed only after the user's confirmation has been obtained. The user's MiKey contains several RSA keys that can be used for digital signatures: Kr1, Kr2 and Kr3. The user confirms the command queue by entering a PIN.
With reference to Fig. 2, the workflow is:
Step 101: the computer sends a select-key command to the MiKey command buffer, selecting key Kr2;
Step 102: the command buffer stores the command from step 101 in MiKey's internal storage;
Step 103: the computer sends the data to be signed to the MiKey command buffer;
Step 104: the command buffer stores the data from step 103 in internal storage;
Step 105: the computer sends a sign command to the MiKey command buffer, asking for the signature operation to begin immediately;
Step 106: the MiKey command buffer compiles the command queue above into a report and returns it to the computer, asking the user to confirm;
Step 107: the MiKey command buffer sends a verification request to the access control module;
Step 108: the MiKey access control module asks the user to enter the PIN on the computer;
Step 109: the user checks whether the report from step 106 is correct; if it is, the user enters the PIN and the operation completes; otherwise an error is deemed to have occurred and error handling is performed.
The command queue used in this embodiment is of the simplest kind; in practice it can be far more flexible and complex.
The above is only a preferred embodiment of the invention and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
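The following is an added example, not code from the patent or from Senselock: a Python model that contrasts the conventional "verify, then use" token with the command-buffer flow of steps 101 to 109. All class and function names, the HMAC stand-in for the RSA signature, the constructed PIN and keys, and the choice to discard the queue on a failed confirmation are assumptions of the example.

```python
import hashlib
import hmac

def sign_stub(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the device's RSA private-key signature.
    return hmac.new(key, data, hashlib.sha256).digest()

def pin_ok(expected: str, given: str) -> bool:
    return hmac.compare_digest(expected.encode(), given.encode())

class LegacyToken:
    """Conventional model: a correct PIN leaves the key usable afterwards."""
    def __init__(self, pin, keys):
        self._pin, self._keys, self._authorized = pin, keys, False

    def verify_pin(self, pin):
        self._authorized = pin_ok(self._pin, pin)
        return self._authorized

    def sign(self, key_id, data):
        if not self._authorized:
            raise PermissionError("PIN not verified")
        return sign_stub(self._keys[key_id], data)

class BufferedToken:
    """'Release' model: commands are queued, reported, then run once per PIN entry."""
    def __init__(self, pin, keys):
        self._pin, self._keys, self._queue = pin, keys, []

    def submit(self, op, arg=None):
        # Step A (steps 101-105): accept and queue; no key is touched yet.
        if op not in ("SELECT_KEY", "DATA", "SIGN"):
            raise ValueError(f"unsupported command {op!r}")
        if op == "SELECT_KEY" and arg not in self._keys:
            raise KeyError(arg)
        self._queue.append((op, arg))

    def report(self):
        # Step 106: summary of the pending queue for the user to check.
        return [op if arg is None else f"{op} {arg!r}" for op, arg in self._queue]

    def confirm_and_execute(self, pin):
        # Steps B-D: the queue is consumed whether or not the PIN is right
        # (assumption of this example), so one PIN entry releases one queue.
        queue, self._queue = self._queue, []
        if not pin_ok(self._pin, pin):
            raise PermissionError("confirmation failed; queue discarded")
        key = data = None
        signatures = []
        for op, arg in queue:
            if op == "SELECT_KEY":
                key = self._keys[arg]
            elif op == "DATA":
                data = arg
            elif key is None or data is None:
                raise RuntimeError("SIGN without a selected key or data")
            else:
                signatures.append(sign_stub(key, data))
        return signatures

def demo():
    # Constructed sample keys and PIN, named after Kr1..Kr3 in the embodiment.
    keys = {"Kr1": b"constructed-key-1", "Kr2": b"constructed-key-2",
            "Kr3": b"constructed-key-3"}
    legacy = LegacyToken("1234", keys)
    legacy.verify_pin("1234")
    legacy.sign("Kr2", b"transfer 10 to account A")
    # A later request the user never saw is still honoured by the open session.
    legacy_unseen = legacy.sign("Kr2", b"request the user never saw")

    token = BufferedToken("1234", keys)
    token.submit("SELECT_KEY", "Kr2")
    token.submit("DATA", b"transfer 10 to account A")
    token.submit("SIGN")
    shown = token.report()
    signed = token.confirm_and_execute("1234")
    # The same later request now only waits in the buffer and shows up in the report.
    token.submit("SELECT_KEY", "Kr2")
    token.submit("DATA", b"request the user never saw")
    token.submit("SIGN")
    pending = token.report()
    return legacy_unseen, shown, signed, pending

if __name__ == "__main__":
    for part in demo():
        print(part)
```

In the buffered model a PIN entry covers exactly the reported queue; anything submitted afterwards stays pending until the user confirms again.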

Claims (19)

1. An information security device with improved security in use, characterized in that the device comprises:
an access control module for confirming the user's identity;
a command buffer for receiving and forwarding instructions;
a command execution module for executing instructions.
2. The device according to claim 1, characterized in that the command buffer accepts one or more instructions from the computer.
3. The device according to claim 2, characterized in that the command buffer accepts operation commands from the computer and manages the command queue.
4. The device according to claim 3, characterized in that the command buffer accepts an execute instruction from the computer and sends a confirmation request to the access control module.
5. The device according to claim 4, characterized in that the access control module completes the authorization verification process and reports the verification result to the command buffer.
6. The device according to claim 5, characterized in that the command buffer passes the instructions in the command queue to the command execution module, which executes them.
7. The device according to claim 3, characterized in that, when managing the command queue, the command buffer buffers commands in the internal storage of the information security device or in the computer's storage.
8. The device according to claim 7, characterized in that, if commands are buffered in the computer's storage, the command buffer also numbers and encrypts the commands.
9. The device according to claim 4, characterized in that the command buffer performs authorization verification before accepting operation commands from the computer.
10. The device according to claim 5, characterized in that the authorization verification performed by the access control module includes PIN verification and biometric verification.
11. The device according to claim 10, characterized in that the access control module provides a dedicated verification for the command buffer.
12. The device according to claim 5, characterized in that the command buffer sends the computer information that makes it easier to confirm the commands.
13. A method of improving the security in use of an information security device, characterized in that the information security device comprises:
an access control module for confirming the user's identity;
a command buffer for receiving and forwarding instructions;
a command execution module for executing instructions;
wherein the method comprises the steps of:
(1) the command buffer accepts operation commands from the computer and manages the command queue;
(2) the command buffer accepts an execute instruction from the computer and sends a confirmation request to the access control module;
(3) the access control module completes the authorization verification process and reports the verification result to the command buffer;
(4) the command buffer passes the instructions in the command queue to the command execution module, which executes them.
14. The method according to claim 13, characterized in that, when managing the command queue, the command buffer buffers commands in the internal storage of the information security device or in the computer's storage.
15. The method according to claim 14, characterized in that, if commands are buffered in the computer's storage, the command buffer numbers and encrypts the commands.
16. The method according to claim 13, characterized in that the command buffer performs authorization verification before accepting operation commands from the computer.
17. The method according to claim 13, characterized in that the authorization verification performed by the access control module includes PIN verification and biometric verification.
18. The device according to claim 17, characterized in that the access control module provides a dedicated verification for the command buffer.
19. The device according to claim 13, characterized in that the command buffer sends the computer information that makes it easier to confirm the commands.
Priority Applications (1)

Application Number: CNA2008101065597A
Priority Date: 2008-05-14
Filing Date: 2008-05-14
Title: Information safety equipment for improving use security as well as implementing method thereof
Status: Pending
Publication: CN101282219A (en)

Publications (1)

Publication Number: CN101282219A
Publication Date: 2008-10-08

Family ID: 40014516

Country Status (1)

Country: CN (1), CN101282219A (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081008