CN101345619B - Electronic data protection method and device based on biological characteristic and mobile cryptographic key - Google Patents

Info

Publication number
CN101345619B
Authority
CN
China
Prior art keywords
biometric templates
cryptographic key
ciphertext
mobile cryptographic
key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008101422024A
Other languages
Chinese (zh)
Other versions
CN101345619A (en)
Inventor
林喜荣
崔铭常
谭汝谋
李建荣
黄永听
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Graduate School Tsinghua University
Original Assignee
Shenzhen Graduate School Tsinghua University
Application filed by Shenzhen Graduate School Tsinghua University
Priority to CN2008101422024A
Publication of CN101345619A
Application granted
Publication of CN101345619B

Abstract

An electronic data protection method based on biometric features and a mobile key comprises the following: the user connects a mobile key device to the local computer to register, and the biometric template ciphertext and its secondary key are stored in the device in a mixed (fused and obfuscated) form; when a file is to be encrypted or decrypted, the device is connected and the security of the communication channel is checked; the device parses out the ciphertext and the secondary key, decrypts the biometric template with the secondary key and returns it to the local computer; the user inputs his or her biometric feature and the legitimacy of key ownership is checked; if the check passes, the file is encrypted or decrypted with the biometric template plaintext, otherwise the operation is forbidden. In the invention, the biometric feature and the secondary key are moved to the mobile device and an association between the key and its owner is introduced, which improves key security. The local computer holds no key, only encrypted data; even if an attacker breaks the local protection and obtains the encrypted data, it cannot be decrypted for lack of the key.

Description

Electronic data protection method and device based on biological characteristic and mobile cryptographic key
Technical field
The present invention relates to electronic data protection technology, and specifically to an electronic data protection method and device based on biometric features and a mobile cryptographic key.
Background technology
With the development of information technology, electronic information accounts for an ever larger share of all information and its importance keeps growing. Supported by carriers such as computers, portable digital assistants and multifunctional mobile phones, the volume of electronic data is increasing rapidly. How to protect such a mass of electronic data has become a prominent problem in electronic information security.
Traditional electronic data protection relies on a password mechanism. A password is used to encrypt and decrypt the data, converting between plaintext and ciphertext in order to protect the plaintext. The mechanism is simple, but password complexity and security are permanently at odds: high security requires a highly complex password, which is hard to remember. Constrained by this contradiction, the search for a more convenient and more secure means of data protection has become a closely watched topic in the field.
With the support of network technology and hardware manufacturing technology, several derivative forms of electronic data protection have begun to appear, for example the scheme based on remote permission control shown in Fig. 1 and the scheme based on an IC card or encryption dongle shown in Fig. 2. These two forms make up for some deficiencies of conventional password protection, but hidden dangers remain. Remote permission control depends heavily on the network, which adds risk and maintenance cost, and it is not suited to small and medium-sized user groups. Protection based on an IC card or encryption dongle neatly replaces password memorization with an identity credential, but this shifts the weak link onto the credential: whether it is an IC card or a dongle, once it is stolen the thief directly obtains access to the protected data.
The development of biometric recognition technology offers important help in solving these problems. Biometric features are inherent and differ from person to person; they are carried with the person and are not easily lost; most importantly, they are difficult to forge or steal. These three properties give biometric recognition wide scope in electronic data protection. Existing schemes based on biometric recognition, as shown in Fig. 3, take several forms, chiefly system login permission control and document encryption/decryption protection. System login permission control prompts for and verifies the user's biometric information at login so that only a specific user obtains specific permissions; in theory this protects all electronic data inside the computer. Document encryption/decryption protection instead approaches the problem from the encryption side and builds the biometric feature into the data protection process. Its usual flow is:
1. The user requests an encryption or decryption operation;
2. Before encryption, the user is prompted to input biometric information, from which a biometric template is produced and encrypted with a secondary key;
3. Before decryption, the user is prompted to input biometric information, which is compared with the original biometric template; if it matches, the decryption key is used to decrypt; otherwise no decryption operation is performed.
The composition of an electronic data protection system based on biometric recognition is shown in Fig. 4. This approach exploits the advantages of biometric features: there is no long, complex password to remember, and a biometric feature such as a fingerprint or palm print is enough to protect and unprotect electronic data. The complex encryption/decryption key (equivalent to the password the user previously had to remember) is handed to the computer to store. This largely moves the burden of memory from the user to the computer and makes the protection system more convenient: the user only has to present his or her own biometric information, which is always at hand. However, this kind of scheme currently has no reliable mechanism against data theft. The encryption/decryption key and the biometric template data are all stored on the computer, and vendors raise the difficulty of cracking only by strengthening how the key is generated and by making the mechanism that ties the biometric feature to the protected document more complex. Once the key or the biometric template information is stolen from the computer, the protected document can be decrypted with ease.
This shows that both data protection based on an IC card or encryption dongle and data protection based on biometric recognition currently have weak links in their protection mechanism and architecture. The weakest-link effect produced by such a weak link significantly lowers the security and reliability of the whole data protection system. If this problem is not solved at its root, the weakness of electronic data protection will always remain and will hold back the development of electronic information technology as a whole.
The defects of the data protection mechanisms above can be summarized as follows:
1. Password protection: a complex password must be set to guarantee security, and it is inconvenient to remember.
2. Traditional key-based encryption/decryption protection: the encryption/decryption key is stored on the local computer, where it is easily stolen.
3. Protection based on an IC card or encryption dongle: anyone who steals the IC card or dongle thereby holds the corresponding administrative permissions (usually at a very high privilege level).
4. Network-based protection: heavy dependence on the network, high additional risk and high maintenance cost.
5. Protection based on biometric recognition: the biometric template data is stored on the local computer, where it is easily stolen; once it is stolen, the protected data can be decrypted with ease.
How the weak link arises in common encryption/decryption protection is analysed as follows:
1. To decrypt encrypted electronic data, the key is essential (short of brute-force approaches such as exhaustive search, whose chance of decrypting the ciphertext within a limited time is almost nil). The place where the key is stored therefore becomes the attacker's first target.
2. A typical protection program stores the key at a relatively fixed path so that it can be called at any time (storing the key at a dynamic path is almost never done, because it would greatly increase the program's workload). So anyone with a basic familiarity with the protection program can easily learn where the key is stored.
3. Keeping the important key on the same computer as the encrypted data makes it convenient to steal both at once. Many events with a real probability of occurring, such as the firewall being turned off, no login password being set, or the login check being broken, can help an attacker obtain the key and the encrypted files together. An attacker may even create these conditions deliberately. The protection program then becomes a decryption program and protects nothing.
Summary of the invention
The object of the invention is to overcome the deficiencies of existing electronic data protection methods by providing an electronic data protection method and a mobile cryptographic key device based on biometric features and a mobile cryptographic key. By completing the protection architecture it eliminates the weakest-link effect, fundamentally improving the security of the whole electronic data protection system and giving it data protection that resists hardware theft and information theft and is convenient and reliable.
The electronic data protection method of the invention, based on biometric features and a mobile cryptographic key, comprises the following steps:
a. The user connects the mobile cryptographic key device to the local computer and registers: a randomly generated secondary key encrypts the biometric template (e.g. a fingerprint feature template) into a biometric template ciphertext; the ciphertext and its secondary key are stored, after fusion-and-obfuscation processing, in the memory block of the mobile cryptographic key device; and a public key matching the biometric template ciphertext is generated and stored on the local computer's disk;
b. The user asks the local computer to encrypt or decrypt a file and inserts the mobile cryptographic key device; the security of the communication channel is checked by challenge/response;
c. The mobile cryptographic key device reads the fused and obfuscated data from its memory block, uses the fusion-and-obfuscation algorithm to parse out the biometric template ciphertext and its secondary key, decrypts the biometric template plaintext with the secondary key, and returns it to the local computer;
d. The user inputs his or her own biometric information through the biometric capture device, and the legitimacy of the user's ownership of the mobile cryptographic key is verified;
e. If verification passes, the document is encrypted or decrypted with the biometric template plaintext; otherwise encryption and decryption are forbidden.
In step b above, the challenge/response check of the communication channel comprises:
b1. The client program on the local computer generates a large random number, performs a hash operation with this random number over the public key on the local computer's disk, and passes the hash result and the random number to the mobile cryptographic key device;
b2. The mobile cryptographic key device performs a hash operation with this random number over the biometric template ciphertext parsed out by the fusion-and-obfuscation algorithm;
b3. The mobile cryptographic key device compares the two results from steps b1 and b2; if they are identical, authentication passes; otherwise it fails.
In step a above, the preferred registration method for the mobile cryptographic key device comprises:
a1. As prompted by the local computer, the user inserts the mobile cryptographic key device; the user's biometric templates are captured and one is selected through the biometric capture device; a secondary key is generated at random; and the secondary key and the selected biometric template are sent to the mobile cryptographic key device;
a2. The mobile cryptographic key device encrypts the biometric template into a biometric template ciphertext with the secondary key; the local computer generates a public key matching this ciphertext and stores it on its disk;
a3. The mobile cryptographic key device applies suitable data fusion-and-obfuscation processing to the biometric template ciphertext and its secondary key and writes the processed data to its memory block;
a4. The user is prompted to input his or her biometric information again, a reliability test is run on the selected biometric template, and registration is complete once it passes.
The above biometric template ciphertext may be a fingerprint feature template ciphertext, etc.
The biometric-based mobile cryptographic key device used in the method of the invention is characterized in that it comprises: a communication unit, whose serial data port is connected to a USB interface; a memory, for storing the biometric template ciphertext and its secondary key; and a main control unit, to whose corresponding ports the communication unit and the memory are connected. During registration, the main control unit encrypts the user's biometric template into a biometric template ciphertext with the secondary key and stores the ciphertext and its secondary key in the memory after fusion-and-obfuscation processing. When a document is to be encrypted or decrypted, it reads the fused and obfuscated data from the memory, uses the fusion-and-obfuscation algorithm to parse out the biometric template ciphertext and its secondary key, decrypts the biometric template plaintext with the secondary key, and returns it to the local computer through the communication unit; once verification of the user's legitimate ownership of the mobile cryptographic key passes, the local computer is allowed to encrypt or decrypt the document with the biometric template plaintext.
The method of the invention adds a mobile cryptographic key device and moves the key into this device for storage. Once the device is introduced, the local computer holds only encrypted data; the key is no longer present there. Even if an attacker breaks the protection of the local computer and obtains the encrypted data, the attacker still cannot decrypt it without the key. This fundamentally prevents the case where the local computer is compromised by any illegitimate means (offline or online), the secondary key is stolen, and the encrypted data is then decrypted.
An ordinary protection program cares only about the data content of a key, not about what that content actually represents. The invention sets the key data to be the user's biometric template data. There is a clear and unique association between this data and the user: a user's biometric feature is fixed and unique, and no other user has it.
In the method of the invention, the protection program checks not only whether the key corresponds to the protected data but also whether the key corresponds to the person using it. By comparing the key (the biometric template data) with the biometric feature presented by the user in person, it can determine whether the latter correspondence holds. If it does, the protection program may use the key to decrypt the encrypted data; otherwise it refuses the decryption operation or actively destroys the current key.
The strong correlation of biometric features means that this key-to-user association check can fundamentally protect the mobile cryptographic key. Backed by this strong correlation, the association check requires the mobile cryptographic key and its lawful owner to be present together for encryption and decryption. Even if the user accidentally loses the mobile cryptographic key, the user's biometric feature is not lost with it, so there is no need to worry that the key will be used illegitimately, still less that the security of the encrypted data is threatened.
The security gain of the method comes from adding components to share the risk. The new component architecture and the key-to-user association check bring the mobile cryptographic key and the user into the scope of risk bearing, so that the risk of compromise is redistributed from the local computer alone to three parties (the local computer, the mobile cryptographic key and the user), reducing the risk borne by each.
In short, the main advance of the method is that the important biometric data and encryption/decryption key data are moved from the local computer to a removable key device, and an authentication step based on biometric recognition is introduced to check the association between the key and its current holder. More generally, by adding a removable component to the data protection system together with a step that verifies legitimate ownership of that component, the method protects the component's legitimate holder from harm if the component is lost. The removable component improves the security and protectability of the key data; the association check means that an illegitimate holder, unable to establish a legitimate association with the component, cannot obtain the right to use it and therefore cannot complete an encryption or decryption operation.
Description of drawings
Fig. 1 is a schematic diagram of the system architecture of a traditional remote data protection scheme;
Fig. 2 is a schematic diagram of the system architecture of an IC card/encryption dongle protection scheme;
Fig. 3 is a schematic diagram of a data protection scheme based on biometric recognition and system login permission management;
Fig. 4 is a schematic diagram of a document encryption/decryption protection scheme based on biometric recognition;
Fig. 5 is a schematic diagram of a system architecture implementing the method of the invention;
Fig. 6 is the registration flow chart of the method of the invention;
Fig. 7 is a schematic diagram of the challenge/response communication security authentication scheme of the method of the invention;
Fig. 8 is the document encryption/decryption flow chart of the method of the invention;
Fig. 9 is a block diagram of the biometric-based mobile cryptographic key device used in the method of the invention.
Embodiment
The invention is described in detail below with reference to the accompanying drawings.
As shown in Fig. 5, the system of the invention comprises a local computer, a biometric capture device and a mobile cryptographic key device. The mobile cryptographic key device can be connected to a communication interface of the local computer through its USB interface, and the biometric capture device is connected to an input of the local computer. The software part covers user registration, data encryption, data decryption, a user-friendly operating style, and so on. The mobile cryptographic key device is shown in Fig. 9 and comprises: a communication unit, whose serial data port is connected to a USB interface; a memory, for storing the biometric template ciphertext and its secondary key; and a main control unit, to whose corresponding ports the communication unit and the memory are connected. During registration, the main control unit encrypts the user's biometric template into a biometric template ciphertext with the secondary key and stores the ciphertext and its secondary key in the memory after fusion-and-obfuscation processing. When a document is to be encrypted or decrypted, it reads the fused and obfuscated data from the memory, uses the fusion-and-obfuscation algorithm to parse out the biometric template ciphertext and its secondary key, decrypts the biometric template plaintext with the secondary key, and returns it to the local computer through the communication unit; once verification of the user's legitimate ownership of the mobile cryptographic key passes, the local computer is allowed to encrypt or decrypt the document with the biometric template plaintext.
Fig. 6 shows the key registration flow. The detailed registration steps are as follows:
1) Check the connection status of the biometric capture device on the local computer;
2) Prompt the user to insert the mobile cryptographic key device;
3) Check whether the mobile cryptographic key device is a compatible type, and check its usage state. If the key is already registered, ask whether to clear the existing registration; otherwise end;
4) Prompt the user to input his or her biometric feature, such as a fingerprint, three times in total;
5) Extract the biometric templates, producing three biometric templates in total;
6) Compare each of these templates against the other two, and select the biometric template with the best test result;
7) The local computer passes the biometric template to the mobile cryptographic key device;
8) A secondary key is generated on the mobile cryptographic key device and used to encrypt the biometric template into the biometric template ciphertext;
9) A public key matching this ciphertext template is generated on the local computer and stored on the local disk;
10) The mobile cryptographic key device applies suitable data fusion-and-obfuscation processing to the ciphertext template together with its secondary key and writes the result to the memory block of the mobile cryptographic key device;
This data fusion-and-obfuscation processing may mean that the mobile cryptographic key device applies row/column exchange and merging, array index/content escaping, or similar processing to the biometric template ciphertext and the secondary key.
11) Prompt the user to input his or her biometric feature again, and run a reliability test against the standard template;
12) If the reliability test passes, update the registration information in the key device; registration is complete.
The secondary key in step 8) above may instead be generated at random by the local computer, which then passes the secondary key and the biometric template to the mobile cryptographic key device; the device encrypts the biometric template into the biometric template ciphertext with this secondary key.
It is worth emphasizing that the secondary key used to encrypt and decrypt the biometric template is generated at random at registration; after generation it is combined with the biometric template ciphertext by a specific fusion-and-obfuscation algorithm and then written to the memory block of the mobile cryptographic key device. This rule is implemented jointly by the encryption/decryption program on the computer and the embedded program of the mobile cryptographic key, further raising the difficulty of cracking the whole system.
To prevent a data theft program from capturing communication command words and using them for deceptive read/write operations on the mobile cryptographic key, the method provides a challenge/response secure-authentication communication model: when the user asks the local computer to encrypt or decrypt a file and inserts the mobile cryptographic key device, the security of the communication channel is checked by challenge/response.
Fig. 7 shows the challenge/response secure-authentication communication scheme of the method. Figure 71 and 72 show, respectively, the communication flow when the mobile cryptographic key device is registered and during communication security authentication. E is the secondary key that encrypts the biometric template, K' is the biometric template ciphertext, S is the public key matching the biometric template ciphertext, C is the security authentication challenge word, A1 is the result of the hash operation on the mobile cryptographic key device side, and A2 is the result of the hash operation on the local computer side.
The detailed steps of communication security authentication are as follows:
1) The client program on the local computer generates a large random number C (the security authentication challenge word, e.g. a random number greater than 32) and passes it to the mobile cryptographic key device;
2) The client program performs the hash operation A2 = HASH(C, S) with this random number C over the public key S on the local disk that matches the biometric template ciphertext, and passes the result A2 to the mobile cryptographic key device;
3) The mobile cryptographic key device performs the hash operation A1 = HASH(C, K') with this random number C over the biometric template ciphertext K' parsed out by the fusion-and-obfuscation algorithm;
4) The mobile cryptographic key device then compares the two results A2 and A1 from steps 2) and 3); if they are identical, authentication passes; otherwise authentication is considered to have failed.
Here it is the mobile cryptographic key device that decides whether to continue with the subsequent communication, which prevents a malicious program on the local computer from using deceptive communication to read the contents stored in the mobile cryptographic key illegitimately.
The public key stored on the local disk that matches the biometric template ciphertext may additionally be encrypted by the user and should be kept safe.
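The "impact/response" (challenge/response) check above, with both sides of the exchange, as an added Python example that is not code from the patent. It assumes SHA-256 over a length-prefixed C followed by the data as HASH, a 32-byte challenge, and that S is a byte-for-byte copy of K' (the text only says S "matches" the ciphertext, yet A1 and A2 must be equal); the class names and the device's refusal to honour the same challenge twice are also additions made here.

```python
# Added example: challenge/response check between the local computer and the key device.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

CHALLENGE_BYTES = 32  # assumption: the text only asks for "a big random number"


def keyed_hash(challenge: bytes, data: bytes) -> bytes:
    """HASH(C, X). SHA-256 over a length-prefixed C followed by X is an assumption;
    the text does not name the hash or say how C and X are combined."""
    h = hashlib.sha256()
    h.update(len(challenge).to_bytes(4, "big"))
    h.update(challenge)
    h.update(data)
    return h.digest()


class HostClient:
    """Client program on the local computer. It holds S, read from the local disk."""

    def __init__(self, s_value: bytes) -> None:
        self._s = s_value

    def make_request(self) -> Tuple[bytes, bytes]:
        c = secrets.token_bytes(CHALLENGE_BYTES)   # step 1: challenge word C
        return c, keyed_hash(c, self._s)           # step 2: A2 = HASH(C, S)


class KeyDevice:
    """Mobile key device. It holds K' and the template plaintext it may release."""

    def __init__(self, k_prime: bytes, template_plaintext: bytes) -> None:
        self._k_prime = k_prime
        self._template = template_plaintext
        # Challenges already honoured. This is hardening added in this example:
        # a recorded (C, A2) pair is then not accepted a second time.
        self._accepted = set()

    def authenticate(self, c: bytes, a2: bytes) -> bool:
        if len(c) < CHALLENGE_BYTES or c in self._accepted:
            return False
        a1 = keyed_hash(c, self._k_prime)          # step 3: A1 = HASH(C, K')
        if not hmac.compare_digest(a1, a2):        # step 4, constant-time compare
            return False
        self._accepted.add(c)
        return True

    def release_template(self, c: bytes, a2: bytes) -> Optional[bytes]:
        """The device, not the host, decides whether the exchange continues."""
        return self._template if self.authenticate(c, a2) else None


if __name__ == "__main__":
    k_prime = b"constructed template ciphertext"      # constructed sample value
    device = KeyDevice(k_prime, b"constructed template plaintext")
    c, a2 = HostClient(k_prime).make_request()
    print("first use :", device.release_template(c, a2) is not None)
    print("same pair :", device.release_template(c, a2) is not None)
```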
Fig. 8 shows the file encryption and decryption flow of the invention. The detailed steps are as follows:
1) The user requests a file encryption or decryption operation;
2) Check the connection status of the biometric capture device on the local computer;
3) Prompt the user to insert the mobile cryptographic key device;
4) Check the compatibility and availability of the mobile cryptographic key device;
5) The mobile cryptographic key device checks the security of the communication channel by challenge/response, with the concrete steps as described above; if the channel security check passes, step 6) is executed;
6) The mobile cryptographic key device reads the fused and obfuscated data from its memory block, uses the fusion-and-obfuscation algorithm to parse out the biometric template ciphertext and its secondary key, decrypts the biometric template plaintext with the secondary key, and returns it to the local computer;
7) Prompt the user to input his or her biometric feature;
8) Verify the legitimacy of key ownership; if verification passes, execute step 9); if not, clear the buffer holding the biometric template, abort subsequent operations, report an error and return;
9) Using the maximum key length allowed by the encryption algorithm, cut the biometric template (plaintext) into segments and use them as the file's encryption/decryption keys, encrypting/decrypting the file in multiple rounds; alternatively, divide the file into several blocks and encrypt/decrypt each block in turn with a different template (plaintext) data segment. The template (plaintext) data segments may be reused cyclically;
10) After the encryption/decryption operation finishes, clear the buffer holding the biometric template, add a record to the program's operation log, and return to step 1);
11) If the user exits the program, clear all temporary data on the local computer. If a decryption operation was performed while the program was running, ask the user whether the most recently decrypted documents should be deleted; after handling this as the user requests, the program ends.
Step 11) is optional. The user can preset whether the template buffer is emptied after every encryption, or only after the program ends or the key is removed. The former requires the user to input the biometric feature before every encryption operation, but to some extent reduces the risk of the biometric template being stolen through unauthorized access to memory.
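The block-by-block variant of step 9), where template segments serve as keys and are reused cyclically, as an added Python sketch that is not code from the patent. The 32-byte key length, 4096-byte piece size, per-file nonce, dropping of a short trailing segment, and the HMAC-SHA256 keystream standing in for the unnamed cipher are all assumptions made here.

```python
# Added example: file pieces encrypted with cyclically reused template segments.
import hashlib
import hmac
import secrets
from typing import List, Optional

KEY_LEN = 32      # assumption: maximum key length of the cipher, in bytes
PIECE_LEN = 4096  # assumption: size of each file piece, in bytes
NONCE_LEN = 16    # assumption: per-file nonce so two files never share a keystream


def template_segments(template: bytes, key_len: int = KEY_LEN) -> List[bytes]:
    """Cut the template plaintext into key-length segments.
    A trailing remainder shorter than one key is dropped (assumption)."""
    count = len(template) // key_len
    if count == 0:
        raise ValueError("template is shorter than one key")
    return [template[i * key_len:(i + 1) * key_len] for i in range(count)]


def _keystream(key: bytes, nonce: bytes, piece_index: int, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode, bound to nonce and piece."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + piece_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _process(data: bytes, segments: List[bytes], nonce: bytes) -> bytes:
    """XOR every piece with the keystream of its segment; piece i uses
    segment i mod n, which is the cyclic reuse described in step 9)."""
    out = bytearray()
    for offset in range(0, len(data), PIECE_LEN):
        index = offset // PIECE_LEN
        key = segments[index % len(segments)]
        piece = data[offset:offset + PIECE_LEN]
        stream = _keystream(key, nonce, index, len(piece))
        out += bytes(p ^ s for p, s in zip(piece, stream))
    return bytes(out)


def encrypt_file(data: bytes, template: bytes, nonce: Optional[bytes] = None) -> bytes:
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _process(data, template_segments(template), nonce)


def decrypt_file(blob: bytes, template: bytes) -> bytes:
    if len(blob) < NONCE_LEN:
        raise ValueError("ciphertext is too short to hold the nonce")
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _process(body, template_segments(template), nonce)


if __name__ == "__main__":
    template = bytes(range(70))                 # constructed sample template
    document = b"constructed document " * 500   # constructed sample file content
    blob = encrypt_file(document, template)
    print("round trip ok:", decrypt_file(blob, template) == document)
```

Decrypting with a different template still returns bytes, only garbled in the pieces whose segment differs, because nothing in this sketch authenticates the ciphertext.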
For the user's convenience, the data protection program in the method of the invention includes an intelligent workflow that reduces the number of unnecessary operations the user has to perform. The method adopts the following user-friendly design:
1) Program running status and device connection status are displayed in log form.
2) Preset options are added to spare the user unnecessary confirmation operations.
3) During registration, after the user is prompted to input his or her biological characteristic, the biometric acquisition device acquires the user's biological information three times in succession at a certain time interval, producing three biometric templates, and the acquisition results are displayed synchronously. Each template is compared against the other two, and the biometric template with the highest test score is selected.
4) Encryption and decryption options are added to the system right-click shortcut menu.
5) After it is started, the program stays resident in memory. If the user needs to decrypt, he or she only has to double-click an encrypted document and the program starts the decryption flow automatically. After decryption is finished, the application associated with the document is invoked automatically to open it.
6) A batch processing function is added to the program.
7) The program performs encryption and decryption on the document content only; it is not concerned with the document's specific file type and has no connection with the application associated with the document, which guarantees the independence and versatility of the program.
Fig. 9 shows the biometric-based mobile cryptographic key device used in the method of the invention. The device comprises: a communication unit, whose serial data port is connected to a USB interface; a memory, for storing the biometric template ciphertext and its secondary key; and a main control unit, to whose corresponding ports the communication unit and the memory are connected. The biometric template ciphertext is, for example, a fingerprint feature template ciphertext.
1) Main control unit
The main control unit controls the workflow of the whole key device circuit and implements the following functions:
a. Programming the main control chip through the ISP port.
b. Controlling the sending and receiving of the data stream.
c. Software encryption and decryption of the data sent and received.
d. Reading, writing and managing the key storage chip.
e. Responding to operation requests from the host computer.
f. Sending operation requests to the host computer.
g. Power-on reset of the key.
The main control unit uses a general-purpose industrial 51-series single-chip microcontroller such as the AT89S52, which has 8K bytes of built-in in-system programmable Flash memory, 1000 erase-write cycles, a static maximum operating frequency of 33MHz and a three-level program memory lock, and is compatible with the MCS-51 series. In this method, an actual operating frequency of 11MHz satisfies the data processing speed requirement in general. Where necessary, a new actual operating frequency can be set by fitting a suitable crystal oscillator. In the method of the invention, pins P00~P07 of this chip are used as the data communication pins to the host computer, and pins P20~P27 as the communication control pins to the key storage chip on the key. In addition, the four pins MOSI, MCURST, MISO and SCK are multiplexed as the in-system programming pins.
2) Communication unit
The communication unit carries the data stream between the key device and the host computer. It is not concerned with the content being transmitted; it only carries out bidirectional data transfer under fixed transmission rules, according to the state preset for it by the main control unit and the peripheral circuit.
In the method of the invention, the PDIUSBD12 chip is used as the communication chip. It implements in hardware a data transfer function that follows the USB2.0 communication protocol and is backward compatible, and it supports data transfer modes such as byte transfer, bulk transfer and DMA transfer. The 8 data pins of this communication chip are connected to pins P00~P07 of the AT89S52 main control chip as data pins; chip select, read strobe, write strobe, interrupt and the like serve as setting pins and are likewise connected to the corresponding pins of the AT89S52; the D+ and D- pins serve as the external communication pins and are connected to the USB interface. Since no large volume of data has to be transferred, byte transfer mode is used, to improve the reliability of data transmission while still meeting the transmission speed requirement. In addition, the GoodLink™ indication function provided by this chip is used to add an LED circuit that feeds back the key's current working state to the user.
3) Memory
This memory stores the biometric template ciphertext and its secondary key and retains its data when powered off. In the method of the invention the amount of data the key has to store is small, so the AT24C02 is chosen as the storage chip to reduce the hardware cost of the key. This chip is an E²PROM storage chip with a data capacity of 2K, 1,000,000 data erase-write cycles and power-off data retention of 100 years. It follows the I²C communication protocol and communicates serially over two pins; an I²C software emulation module has to be added to the main control chip's program to implement the data write operation, but this reduces the complexity of the hardware circuit to a great extent. Pins A0~A2 are the device address setting pins and WP is the device write-protect pin; all of them are grounded. The device write address is therefore 0xA0, the device read address is 0xA1, and write protection is off. To match the transfer mode of the data transfer chip, byte read/write mode is used.
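A software model of the addressing described above, as an added example that is not the patent's firmware: it derives the 0xA0/0xA1 address bytes from the A0~A2 pin levels and stores a blob one byte per transaction, as in byte read/write mode. The class and function names and the sample blob are assumptions; the 256-byte array is the AT24C02's 2 Kbit organised as 256 x 8.

```python
def control_byte(a2: int, a1: int, a0: int, read: bool) -> int:
    """I2C address byte of a 24Cxx EEPROM: 1 0 1 0 A2 A1 A0 R/W."""
    return 0xA0 | (a2 << 3) | (a1 << 2) | (a0 << 1) | (1 if read else 0)


class At24c02Model:
    """Hypothetical behavioural model of the storage chip (not a driver)."""

    SIZE = 256  # 2 Kbit = 256 bytes

    def __init__(self, a2=0, a1=0, a0=0, wp=0):
        self.pins = (a2, a1, a0)   # address pins; all grounded in the patent
        self.wp = wp               # 0 = grounded = write protection off
        self.mem = bytearray(b"\xff" * self.SIZE)

    def _addressed(self, ctrl: int, read: bool) -> bool:
        return ctrl == control_byte(*self.pins, read)

    def byte_write(self, ctrl: int, word_addr: int, value: int) -> bool:
        """START, address byte (W), word address, data, STOP."""
        if not self._addressed(ctrl, read=False) or self.wp:
            return False           # wrong device, or array write-protected
        self.mem[word_addr & 0xFF] = value & 0xFF
        return True

    def random_read(self, ctrl_w: int, word_addr: int, ctrl_r: int):
        """START, address (W), word address, START, address (R), data, STOP."""
        if not (self._addressed(ctrl_w, False) and self._addressed(ctrl_r, True)):
            return None
        return self.mem[word_addr & 0xFF]


def store_blob(dev: At24c02Model, blob: bytes, base: int = 0) -> None:
    """Write a blob one byte per bus transaction (byte write mode)."""
    if base < 0 or base + len(blob) > dev.SIZE:
        raise ValueError("blob does not fit in the 256-byte array")
    for i, value in enumerate(blob):
        if not dev.byte_write(control_byte(0, 0, 0, False), base + i, value):
            raise OSError("device did not accept the write")


def load_blob(dev: At24c02Model, length: int, base: int = 0) -> bytes:
    """Read a blob back one byte per random-read transaction."""
    if base < 0 or base + length > dev.SIZE:
        raise ValueError("read runs past the 256-byte array")
    w, r = control_byte(0, 0, 0, False), control_byte(0, 0, 0, True)
    out = bytearray()
    for i in range(length):
        value = dev.random_read(w, base + i, r)
        if value is None:
            raise OSError("device did not answer")
        out.append(value)
    return bytes(out)


if __name__ == "__main__":
    chip = At24c02Model()                      # A0~A2 and WP grounded
    store_blob(chip, b"constructed fused blob", base=0x10)
    print(hex(control_byte(0, 0, 0, False)), load_blob(chip, 22, base=0x10))
```

With WP grounded the array accepts writes from whatever drives the bus, so the stored blob's protection rests on the main control chip's program rather than on the memory chip.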
After the key is plugged into the computer, the program in the AT89S52 main control chip works with the PDIUSBD12 communication chip to complete the following operations in order:
a. USB bus reset.
b. Get the device descriptor using default address 0.
c. Set the device address.
d. Get the device descriptor using the new address.
e. Get the configuration descriptor.
f. Set the configuration.
g. Configuration successful.
After this, the main control chip program completes the communication endpoint initialization of the communication chip and then enters the main loop. The main control chip program works in interrupt-response form, assisting the communication chip in completing the upstream and downstream data transfer operations.

Claims (9)

1. An electronic data protection method based on biological characteristic and mobile cryptographic key, characterized by comprising the following steps:
a. The user inserts the mobile cryptographic key device into the local computer and registers: the user's biometric template is encrypted into a biometric template ciphertext with a randomly generated secondary key; the biometric template ciphertext and its secondary key are processed by fusion obfuscation and stored in the memory area of the mobile cryptographic key device; and a public key matching the biometric template ciphertext is generated and stored on the local computer's disk;
b. The user requests a file encryption or decryption operation from the local computer and inserts the mobile cryptographic key device, and the security of the communication channel is checked in "challenge/response" mode;
c. The mobile cryptographic key device reads the fusion-obfuscated data from its memory area, uses the fusion-obfuscation algorithm to recover the biometric template ciphertext and its secondary key, decrypts the biometric template plaintext with the secondary key, and passes it back to the local computer;
d. The user's own biological information is input through the biometric acquisition device, and the legitimacy of the user's ownership of the mobile cryptographic key is verified;
e. If verification passes, the document is encrypted or decrypted with the biometric template plaintext; otherwise the encryption or decryption operation is forbidden.
2. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 1, characterized in that in step a the registration of the mobile cryptographic key device comprises the following steps:
a1. As prompted by the local computer, the user inserts the mobile cryptographic key device, and the user's biometric template is acquired and selected through the biometric acquisition device; a secondary key is generated at random, and the secondary key and the selected biometric template are sent to the mobile cryptographic key device;
a2. The mobile cryptographic key device encrypts the biometric template into a biometric template ciphertext with the secondary key, and the local computer generates a public key matching the biometric template ciphertext and stores it on its disk;
a3. The mobile cryptographic key device applies data fusion-obfuscation processing to the biometric template ciphertext and its secondary key, and writes the fusion-obfuscated data to its memory area;
a4. The user is prompted to input his or her biological information again, a reliability test is performed on the selected biometric template, and registration is completed if the test passes.
3. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 2, characterized in that in step a1 the user's biometric template is acquired and selected as follows: the biometric acquisition device acquires the user's biological information three times in succession at a certain time interval, producing three biometric templates; each template is compared against the other two, and the biometric template with the highest test score is selected.
4. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 2, characterized in that in step a3 the mobile cryptographic key device applies row/column exchange fusion and array index/content escape obfuscation processing to the biometric template ciphertext and the secondary key.
5. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 1, characterized in that in step a the registration of the mobile cryptographic key device comprises the following steps:
a1. As prompted by the local computer, the user inserts the mobile cryptographic key device, the user's biometric template is acquired and selected through the biometric acquisition device, and the selected biometric template is sent to the mobile cryptographic key device;
a2. The mobile cryptographic key device produces a secondary key and encrypts the biometric template into a biometric template ciphertext with it, and the local computer generates a public key matching the biometric template ciphertext and stores it on its disk;
a3. The mobile cryptographic key device applies data fusion-obfuscation processing to the biometric template ciphertext and its secondary key, and writes the fusion-obfuscated data to its memory area;
a4. The user is prompted to input his or her biological information again, a reliability test is performed on the selected biometric template, and registration is completed if the test passes.
6. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 5, characterized in that:
in step a1, the user's biometric template is acquired and selected as follows: the biometric acquisition device acquires the user's biological information three times in succession at a certain time interval, producing three biometric templates; each template is compared against the other two, and the biometric template with the highest test score is selected;
in step a3, the mobile cryptographic key device applies row/column exchange fusion and array index/content escape obfuscation processing to the biometric template ciphertext and the secondary key.
7. The electronic data protection method based on biological characteristic and mobile cryptographic key according to claim 1, characterized in that the biometric template ciphertext is a fingerprint feature template ciphertext.
8. A biometric-based mobile cryptographic key device for use in the method according to any one of claims 1-7, characterized by comprising: a communication unit, whose serial data port is connected to a USB interface; a memory, for storing the biometric template ciphertext and its secondary key; and a main control unit, to whose corresponding ports the communication unit and the memory are connected;
during registration, the main control unit encrypts the user's biometric template into a biometric template ciphertext with the secondary key, and the biometric template ciphertext and its secondary key are processed by fusion obfuscation and stored in the memory; when a document is to be encrypted or decrypted, the fusion-obfuscated data is read from the memory, the fusion-obfuscation algorithm is used to recover the biometric template ciphertext and its secondary key, the biometric template plaintext is decrypted with the secondary key and passed back to the local computer through the communication unit, and once verification of the user's legitimate ownership of the mobile cryptographic key has passed, the local computer is allowed to encrypt or decrypt the document with the biometric template plaintext.
9. The biometric-based mobile cryptographic key device according to claim 8, characterized in that the biometric template ciphertext is a fingerprint feature template ciphertext.
CN2008101422024A 2008-08-01 2008-08-01 Electronic data protection method and device based on biological characteristic and mobile cryptographic key Expired - Fee Related CN101345619B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101422024A CN101345619B (en) 2008-08-01 2008-08-01 Electronic data protection method and device based on biological characteristic and mobile cryptographic key

Publications (2)

Publication Number Publication Date
CN101345619A CN101345619A (en) 2009-01-14
CN101345619B true CN101345619B (en) 2011-01-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
DD01 Delivery of document by public notice

Addressee: Wang Suolin Zhang Huifang

Document name: patent for invention

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110126

Termination date: 20140801

EXPY Termination of patent right or utility model