CN101599835A - Signature device and method for executing operating instructions thereof - Google Patents
Signature device and method for executing operating instructions thereof Download PDFInfo
- Publication number
- CN101599835A CN101599835A CNA200910089302XA CN200910089302A CN101599835A CN 101599835 A CN101599835 A CN 101599835A CN A200910089302X A CNA200910089302X A CN A200910089302XA CN 200910089302 A CN200910089302 A CN 200910089302A CN 101599835 A CN101599835 A CN 101599835A
- Authority
- CN
- China
- Prior art keywords
- signature device
- user
- signature
- host computer
- hash value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 64
- 238000011022 operating instruction Methods 0.000 title claims abstract description 20
- 238000010200 validation analysis Methods 0.000 claims description 75
- 238000004458 analytical method Methods 0.000 claims description 21
- 238000012790 confirmation Methods 0.000 claims description 13
- 230000005540 biological transmission Effects 0.000 claims description 10
- 238000012217 deletion Methods 0.000 claims description 4
- 230000037430 deletion Effects 0.000 claims description 4
- 230000036760 body temperature Effects 0.000 claims description 2
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 7
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 7
- 238000012546 transfer Methods 0.000 description 6
- 238000012795 verification Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000015654 memory Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000008676 import Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000003014 reinforcing effect Effects 0.000 description 1
- 238000003892 spreading Methods 0.000 description 1
- 238000003860 storage Methods 0.000 description 1
Images
Abstract
The invention discloses a kind of signature device and method for executing operating instructions thereof, relate to information security field, solved hacker in the prior art and controlled behind the computer problem that can operate Web bank.Signature device in the embodiment of the invention receives the operational order that host computer sends; Whether analyze described operational order is the key operation instruction; When described operational order is the key operation instruction, judge whether to receive the affirmation signal of user by the signature device input; If receive the affirmation signal of user's input, then carry out described key operation instruction.The present invention mainly is used in the occasion of the contour demand for security of Web bank.
Description
Technical field
The present invention relates to field of information security technology, relate in particular to the method that signature device and this signature device are carried out operational order.
Background technology
The popularization of Web bank has made things convenient for people's life, but because the transaction of Web bank need be undertaken by network, make internet bank trade have potential safety hazard, and the lawless person is also changeful at the attack means of Web bank, what therefore, the Internet bank developed in a healthy way primary solution is safety problem.
Bank possesses fairly perfect safety management flow process as professional finance service; And the user of Web bank does not often have enough consciousness and technical capability to protect the safety of client; Simultaneously, the spreading unchecked of various wooden horses and hacker software on the Internet is also at the security context of serious threat client.Therefore, the safety of client is particularly important in the safety problem of Web bank.
In order to guarantee user's fund security, bank has taked multiple measure to improve safety of user authentication.At present Web bank uses the most generally USB-KEY (intelligent key) secure digital certificate based on smart card.USB-KEY combines smart card techniques and PKI (Public Key Infrastructure, public key architecture) technology, uses the intelligent card chip of built-in operating system to protect user's private key, can realize reliable digital identification authentication and digital signature.
Carry out in the process of internet bank trade at the above-mentioned USB-KEY that adopts, the inventor finds that there are the following problems at least in the prior art: USB-KEY commonly used at present, all operations send instruction by computer to USB-KEY to carry out.The trading instruction that need import when the user carries out funds transaction comprises the other side's number of the account, critical data such as the amount of money of transferring accounts, and the USB-KEY password that need input during Trading Authorization, all is by the computer keyboard input, and on the display of computer, show.Because the client computer environment is dangerous, after hacker's wooden horse has been controlled user's computer, the hacker just can obtain user's number of the account and password under the complete unwitting situation of user, if user's USB-KEY is connecting on computers, because the USB-KEY of this moment fully independently accepts computer-controlledly, this moment, the hacker can and utilize USB-KEY to steal fund in the user account by the control user's computer fully.
Summary of the invention
The invention provides a kind of signature device and method for executing operating instructions thereof, the go to bank safety of client of reinforcing mat makes the hacker still can not steal the fund in the user account under the situation of control computer.
For achieving the above object, the present invention adopts following technical scheme:
A kind of method for executing operating instructions of signature device comprises:
Receive the operational order that host computer sends;
Whether analyze described operational order is the key operation instruction;
If described operational order is the key operation instruction, then judge whether to receive the affirmation signal of user by the signature device input;
If receive the affirmation signal of user's input, then carry out described key operation instruction.
A kind of signature device comprises:
Receiver module is used to receive the operational order that host computer sends;
Input module is used for for user's input validation signal;
Analysis module, whether be used to analyze described operational order is the key operation instruction;
Judge module is used for when described operational order is the key operation instruction, judges whether to receive the affirmation signal of user by the input module input of signature device;
Executive Module is used for carrying out described key operation instruction when receiving the affirmation signal of user's input.
Signature device provided by the invention and method for executing operating instructions thereof, the user can pass through signature device input validation signal; And when the operational order that signature device receives is the key operation instruction, need the user to pass through signature device input validation signal, could carry out above-mentioned key operation instruction.Adopt after this scheme, even the hacker has controlled user's computer, and the computer that passes through control sends relevant operational order to signature device, if this operational order is the key operation instruction that relates to situations such as key or fund transfer, then need to operate otherwise can not complete successfully key or fund transfer etc. by just carrying out next step operation behind the signature device input validation signal; Because the hacker can only be by the network control user's computer, can not in reality, pass through signature device input validation signal, so just guarantee the safety of Web bank's user account and fund, made the hacker under the situation of control computer, still can not steal the fund in the user account.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art, to do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below, apparently, accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the flow chart that signature command is carried out in the embodiment of the invention 1;
Fig. 2 is the flow chart that signature command is carried out in the embodiment of the invention 2;
Fig. 3 is the flow chart that signature command is carried out in the embodiment of the invention 3;
Fig. 4 is the flow chart that signature command is carried out in the embodiment of the invention 4;
Fig. 5 is the schematic diagram of signature device in the embodiment of the invention 5.
Embodiment
The embodiment of the invention provides a kind of method for executing operating instructions of signature device, and this signature device at first receives the operational order that host computer sends, and whether analyze this operational order be the key operation instruction; When described operational order was the key operation instruction, this signature device need wait for that the user passes through signature device input validation signal, and judged whether to receive the affirmation signal of user by the signature device input; If receive the affirmation signal of user's input, then this signature device can be carried out described key operation instruction.
The embodiment of the invention also provides a kind of signature device, comprising: receiver module, input module, analysis module, judge module and Executive Module.Wherein, receiver module is used to receive the operational order that host computer sends; Input module is used for for user's input validation signal; Whether analysis module is used to analyze described operational order is the key operation instruction; Judge module is used for when described operational order is the key operation instruction, judges whether to receive the affirmation signal of user by the input module input of signature device; Executive Module is used for carrying out described key operation instruction when receiving the affirmation signal of user's input.
Below in conjunction with the accompanying drawing in the embodiment of the invention, the technical scheme in the embodiment of the invention is clearly and completely described, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills belong to the scope of protection of the invention not making the every other embodiment that is obtained under the creative work prerequisite.
Embodiment 1:
Built-in SHA1 (Secure Hash Algorithm Secure Hash Algorithm) and RSA Algorithm in the signature device that present embodiment provides.This signature device receives instruction from host computer, the instruction that receives is generally the instruction of APDU (Application Protocol Data Unit) form, and this signature device is finished various operations according to instruction.The middleware that cooperates signature device to use is installed in the host computer, and it provides the CryptoAPI interface of Microsoft's definition to upper level applications (as the IE browser).When the application call interface, middleware generates corresponding APDU instruction and issues signature device, and the notice signature device is operated.Carrying out signature operation with host computer indication signature device below is example, describes the detailed process of signature device execution command in detail, and as shown in Figure 1, the method for executing operating instructions of the signature device that the embodiment of the invention provides comprises the steps:
101, host computer issues MSE (Make Security Environment creates security context) instruction to signature device, signature algorithm so that indication signature device agreement is adopted can guarantee that like this signature operation that signature device is finished is that host computer can be discerned.
The MSE instruction that host computer issues is the APDU command sequence, adopt SHA1-RSA as signature algorithm with this MSE instruction indication signature device, and indicated RSA key ID, then the content that is comprised of this APDU command sequence is followed successively by: MSE command identification, signature algorithm are the key ID that sign, RSA are set of SHA1-RSA, and concrete command sequence is roughly as follows:
00?22?41?B6?07?80?01?12?81?02?00?01…
102, after signature device receives the MSE instruction, the RSA key of current use is set by above-mentioned key ID;
103, signature device returns the successful conditional code of expression operation of making an appointment: 0x9000 to host computer;
104, because the user needs signature device to carry out signature operation, so the user need issue hash (Hash) instruction that comprises data to be signed by host computer to signature device; And this hash instruction also can comprise the sign and the data to be signed of hash instruction by APDU instruction expression in this APDU instruction, concrete APDU command sequence is roughly: 00 2a 90 80
105, after signature device receives data to be signed, data to be signed are carried out the hash computing, concrete operation is: use the SHA1 algorithm of host computer appointment that data to be signed are carried out computing, and result of calculation is buffered in device interior;
106, to the conditional code 0x 9000 of host computer return success; Also can return to host computer to the hash operation result this moment.
107, host computer issues the signature command of representing with the APDU form to signature device, and the APDU command sequence that this host computer issues is: 00 2a 9E 00 00 00;
108, whether be key operation instruction to signature device if analyzing described operational order, if this operational order is the key operation instruction, then carries out 109; If this operational order is non-key operational order, then carry out 114;
Particularly, the key operation instruction mainly comprises signature command, generates the key instruction, deletes the key instruction, reads key instruction (signature device allows to read under the situation of key) and decryption instructions; The instruction of perhaps described key operation instruction for key is operated;
109, because signature operation is key operation, so after signature device receives signature command, need to wait for user's input validation signal, signature device returns sign " need wait for button " the conditional code 0x6666 of prior agreement in this process to host computer; Signature device can also be carried out following operation simultaneously:
The first, signature device picks up counting;
The second, by video player or audio player prompting user input validation signal, perhaps indicate host computer video player or audio player prompting user input validation signal; For example: signature device can be pointed out user's input validation signal by modes such as light, sound, and the conditional code that host computer also can return according to signature device is pointed out user's input validation signal by modes such as image, literal, sound;
110, signature device judges whether to receive the affirmation signal of user by the signature device input; If receive the affirmation signal of user's input, then carry out 113; If do not receive the affirmation signal of user's input, then carry out 111;
In order to guarantee that the user has operating right, present embodiment can also be authenticated user identity by signature device before user's input validation signal, and concrete authentication mode includes but not limited to: PIN (PersonalIdentification Number personal identification code) sign indicating number verification mode, biological characteristic validation mode etc.Only authenticating user identification by after just allow user's input validation signal;
In this process the user can by but be not limited to following mode input validation signal: the affirmation signal of user by button input on the signature device, user voice confirmation signal or the biological characteristic confirmation signal of user by the signature device input by the signature device input;
If signature device has started clocking scheme in 111 said process, need then to judge whether the time that timing obtains surpasses the scheduled time; If the time that timing obtains has surpassed the scheduled time, then cancel execution to the operational order that receives, the signature device end operation, and return the conditional code 0x7777 of the expression operation cancellation of prior agreement to host computer; If the time that timing obtains has not surpassed the scheduled time, then carry out 112;
112, because after host computer received conditional code 0x6666, host computer can send instruction of obtaining the signature result or the instruction that sends the cancellation signature to signature device repeatedly to signature device; So need to judge whether to receive the instruction of obtaining the signature result of host computer transmission or the instruction of cancellation signature in this process; If receive the instruction of obtaining the signature result that host computer sends, then return and carry out 109; If receive the instruction of the cancellation signature of host computer transmission, then flow process finishes;
The APDU command sequence of the above-mentioned instruction correspondence of obtaining the signature result is: 80 E3 00 00 00 00;
Above-mentioned cancellation signature command corresponding A PDU command sequence is: 80 E5 00 00 00 00;
113, signature device is according to the specified algorithm sign of MSE instruction, and the hash value front that calculates in step 105 adds the X.509 defined algorithm identification string of standard, carries out cover according to public key cryptography standard (PKCS#1) again; For example: SHA-1 algorithm identification string is 30 20 30 0c, 06 08 2a, 86 4886 f7 0d 02 05 05 00 04 10;
Data behind the cover are carried out the RSA computing obtaining the result that signs, and need simultaneously to send this signature result to host computer, and the conditional code 0x 9000 of return success;
114, directly carry out non-key operational order.
Pass through said process, finished the signature operation of signature device to data to be signed, because signature operation is a key operation, so needing the user to pass through signature device input validation signal, signature device could carry out this operation after receiving instruction, to prevent directly to carry out signature operation after the hacker from controlling user's computer, avoided the hacker to control the user network operations such as carrying out key or fund transfer that goes to bank; Because the hacker can only be by the network control user's computer, can not in reality, pass through signature device input validation signal, so just guarantee the safety of Web bank's user account and fund, made the hacker under the situation of control computer, still can not steal the fund in the user account.
In the present embodiment, the hash computing of carrying out in the step 105 can receive the affirmation information of user's input again and carry out afterwards.In the case, receive the hash instruction that comprises data to be signed after, signature device is to the conditional code 0x9000 of host computer return success.
In the present embodiment, the hash computing of in the signature device data to be signed being carried out can also be finished in host computer, and host computer uses the SHA1 algorithm that data to be signed are carried out computing, and result of calculation is handed down to signature device.
The embodiment of the invention is primarily aimed at the implementation that operational order is key operation instruction, and when the operational order that receives at signature device was non-key operational order, signature device can directly be carried out described operational order.
When practice, can finish signature operation by decryption instructions, in this case, after the signature device that present embodiment provides is receiving decryption instructions, need to wait for user's input validation signal, and behind the affirmation signal that receives user's input, carry out decryption instructions.
For carrying out signature operation, except above-mentioned implementation, can also adopt but be not limited to following three kinds of implementations:
The first, in host computer, data to be signed are carried out the hash computing, then, add the X.509 defined algorithm identification string of standard by the hash value front of signature device after computing, (PKCS#1) carries out cover according to the public key cryptography standard, and the data behind the cover are carried out the RSA computing to obtain the result that signs;
The second, in host computer, data to be signed are carried out the hash computing, and the hash value front after computing adds the X.509 defined algorithm identification string of standard, and the hash value of adding after the algorithm identification string sent to signature device, and signature device does not need to add the X.509 defined algorithm identification string of standard after receiving confirmation signal, but directly carry out cover, and the data behind the cover are carried out the RSA computing to obtain the result that signs according to public key cryptography standard (PKCS#1);
Three, in host computer, successively data to be signed are carried out the hash computing, add X.509 the defined algorithm identification string of standard and carry out cover according to public key cryptography standard (PKCS#1), and the data behind the cover are sent to signature device; And signature device only need carry out the RSA computing to obtain the result that signs to the data behind the cover.
Embodiment 2:
Built-in SHA1, MD5 and RSA Algorithm in the signature device that present embodiment provides.This signature device receives instruction from host computer, the instruction that receives is generally the instruction of APDU (Application Protocol Data Unit) form, and this signature device is finished various operations according to instruction.The middleware that cooperates signature device to use is installed in the host computer, and it provides the CryptoAPI interface of Microsoft's definition to upper level applications (as the IE browser).When the application call interface, middleware generates corresponding APDU instruction and issues signature device, and announcement apparatus is operated.Carrying out signature operation with host computer indication signature device below is example, describes the detailed process of signature device execution command in detail, and as shown in Figure 2, the method for executing operating instructions of the signature device that the embodiment of the invention provides comprises the steps:
201, host computer issues the MSE instruction to signature device, and the signature algorithm so that indication signature device agreement is adopted can guarantee that like this signature operation that signature device is finished is that host computer can be discerned.
The MSE instruction that host computer issues is the APDU command sequence, adopt SHA1-RSA as signature algorithm with this MSE instruction indication signature device, and indicated RSA key ID, then the content that is comprised of this APDU command sequence is followed successively by: MSE command identification, signature algorithm are the key ID that sign, RSA are set of SHA1-RSA, and concrete command sequence is roughly as follows:
00?22?41?B6?07?80?01?12?81?02?00?01…
202, after signature device receives the MSE instruction, the RSA key of current use is set by above-mentioned key ID;
203, signature device returns the successful conditional code of expression operation of making an appointment: 0x9000 to host computer.
204, because the user needs signature device to carry out signature operation, so the user need issue hash (Hash) instruction that comprises data to be signed by host computer to signature device; And this hash instruction also can comprise the sign and the data to be signed of hash instruction by APDU instruction expression in this APDU instruction, concrete APDU command sequence is roughly: 00 2a 90 80
205, after signature device receives data to be signed, use assignment algorithm that data to be signed are carried out the hash computing, concrete operation is: use the SHA1 algorithm of host computer appointment that data to be signed are carried out computing, and result of calculation and hash algorithm are buffered in device interior.
206, signature device is to the conditional code 0x 9000 of host computer return success, and also can return to host computer to the hash operation result this moment.
207, host computer issues the signature command of representing with the APDU form to signature device, and the APDU command sequence that this host computer issues is: 00 2a 9E 00 00 00.
208, whether the hash algorithm of signature device buffer memory is the SHA1 algorithm in the signature device analytical procedure 205, if the hash algorithm of buffer memory is the SHA1 algorithm, then carries out 209; If not the SHA1 algorithm, then carry out 214;
Particularly, the hash algorithm of appointment judges that whether operation that signature device carries out is the key operation of needs button affirmation in the hash instruction that issues according to host computer of signature device.In the present embodiment, host computer and signature device agreement:, then need button to confirm if the hash algorithm of appointment is the SHA1 algorithm in the hash that the receives instruction; If the hash algorithm of appointment is the MD5 algorithm in the hash that signature device the receives instruction, then do not need button to confirm, directly executable operations instruction;
In implementation procedure, can also judge whether to adopt specific hash algorithm in the following way: data to be signed in 205 are compared through length and the predetermined length that obtains cryptographic Hash after the Hash operation, if data to be signed are identical with predetermined length through the length that obtains cryptographic Hash after the Hash operation, represent that then this signature operation need wait for user's input validation information, be data to be signed that adopted specific hash algorithm, carry out 209; If data to be signed are inequality through the length and the predetermined length that obtain cryptographic Hash after the Hash operation, then do not need to wait for user's input validation information, directly carry out 214;
For example: can be set to 20 bytes or 16 bytes (corresponding respectively hash algorithm SHA1 or MD5) by predetermined length, just need wait for user's input validation information when expression has only the SHA1 of employing or MD5 algorithm to sign like this; Adopt SSL3_SHAMD5 algorithm (corresponding length is 36 bytes) commonly used in the SSL traffic process then not need to wait for user's input validation information;
209, after signature device receives signature command, wait for user's input validation signal, signature device returns sign " needs are waited for button " conditional code such as the 0x6666 of prior agreement in this process to host computer; Signature device can also be carried out following operation simultaneously:
The first, signature device picks up counting;
The second, by video player or audio player prompting user input validation signal, perhaps indicate host computer video player or audio player prompting user input validation signal; For example: signature device can be pointed out user's input validation signal by modes such as light, sound, and the conditional code that host computer also can return according to signature device is pointed out user's input validation signal by modes such as image, literal, sound.
210, signature device judges whether to receive the affirmation signal of user by the signature device input; If receive the affirmation signal of user's input, then carry out 213; If do not receive the affirmation signal of user's input, then carry out 211.
In order to guarantee that the user has operating right, present embodiment can also be authenticated user identity by signature device before user's input validation signal, and concrete authentication mode includes but not limited to: PIN code verification mode, biological characteristic validation mode etc.Only authenticating user identification by after just allow user's input validation signal;
In this process the user can by but be not limited to following mode input validation signal: the affirmation signal of user by button input on the signature device, user voice confirmation signal or the biological characteristic confirmation signal of user by the signature device input by the signature device input.
If signature device has started clocking scheme in 211 said process, need then to judge whether the time that timing obtains surpasses the scheduled time; If the time that timing obtains has surpassed the scheduled time, then cancel execution to the operational order that receives, the signature device end operation, and return the conditional code 0x7777 of the expression operation cancellation of prior agreement to host computer; If the time that timing obtains has not surpassed the scheduled time, then carry out 212.
212, because after host computer received conditional code 0x6666, host computer can send instruction of obtaining the signature result or the instruction that sends the cancellation signature to signature device repeatedly to signature device; So need to judge whether to receive the instruction of obtaining the signature result of host computer transmission or the instruction of cancellation signature in this process; If receive the instruction of obtaining the signature result that host computer sends, then return and carry out 209; If receive the instruction of the cancellation signature of host computer transmission, then flow process finishes.
The APDU command sequence of the above-mentioned instruction correspondence of obtaining the signature result is: 80 E3 00 00 00 00;
Above-mentioned cancellation signature command corresponding A PDU command sequence is: 80 E5 00 00 00 00.
213, signature device is according to the specified algorithm sign of MSE instruction, and the hash value front that receives in step 204 adds the X.509 defined algorithm identification string of standard, carries out cover according to public key cryptography standard (PKCS#1) again; For example: SHA-1 algorithm identification string is 30 20 30 0c, 06 08 2a, 86 48 86 f7 0,d02 05 05 00 04 10;
Data behind the cover are carried out the RSA computing obtaining the result that signs, and need simultaneously to send this signature result to host computer, and the conditional code 0x9000 of return success.
214, directly carry out non-key operational order.
Pass through said process, finished the signature operation of signature device to data to be signed, because before signature operation, need the user to pass through signature device input validation signal and could carry out this operation, to prevent directly to carry out signature operation after the hacker from controlling user's computer, avoided the hacker to control the user network operations such as carrying out key or fund transfer that goes to bank; Because the hacker can only be by the network control user's computer, can not in reality, pass through signature device input validation signal, so just guarantee the safety of Web bank's user account and fund, made the hacker under the situation of control computer, still can not steal the fund in the user account.
Embodiment 3:
Built-in RSA Algorithm in the signature device that present embodiment provides.This signature device receives instruction from host computer, the instruction that receives is generally the instruction of APDU (Application Protocol Data Unit) form, and this signature device is finished various operations according to instruction.The middleware that cooperates signature device to use is installed in the host computer, and it provides the CryptoAPI interface of Microsoft's definition to upper level applications (as the IE browser).When the application call interface, middleware generates corresponding APDU instruction and issues signature device, and announcement apparatus is operated.Carrying out signature operation with host computer indication signature device below is example, describes the detailed process of signature device execution command in detail, and as shown in Figure 3, the method for executing operating instructions of the signature device that the embodiment of the invention provides comprises the steps:
301, host computer issues the MSE instruction to signature device, and the signature algorithm so that indication signature device agreement is adopted can guarantee that like this signature operation that signature device is finished is that host computer can be discerned.
The MSE instruction that host computer issues is the APDU command sequence, adopt SHA1-RSA as signature algorithm with this MSE instruction indication signature device, and indicated RSA key ID, then the content that comprised of this APDU command sequence is followed successively by: MSE command identification, signature algorithm are the key ID that sign, RSA are set of SHA1-RSA, and concrete command sequence is roughly as follows:
00?22?41?B6?07?80?01?12?81?02?00?01…
302, after signature device receives the MSE instruction, the RSA key of current use is set by above-mentioned key ID.
303, signature device returns the successful conditional code of expression operation of making an appointment: 0x9000 to host computer;
304, host computer uses the SHA1 algorithm to carry out obtaining corresponding hash value after the hash computing to data to be signed, and this hash value sent to signature device, host computer issues data by APDU instruction expression, the sign and the hash value that comprise the hash instruction in this APDU instruction, particularly, the APDU command sequence that issues of host computer is as follows: 00 2a 90 81 14
305, after signature device receives the hash value of data to be signed, the hash value that receives is buffered in device interior.
306, signature device is to the conditional code 0x9000 of host computer return success.
307, host computer issues the signature command of representing with the APDU form to signature device, and the APDU command sequence that this host computer issues is: 00 2a 9E 00 00 00.
308, whether the hash value length of signature device analysis data to be signed equals the length of specific hash algorithm correspondence, if hash value length equals the length of specific hash algorithm correspondence, then carries out 309; Otherwise carry out 314;
For example: in the present embodiment specific hash algorithm is decided to be SHA1, its corresponding hash value length is respectively 20 bytes, and expression has only employing SHA1 (corresponding 20 bytes of length) just need wait for user's input validation information when signing like this; Adopt SSL3_SHAMD5 algorithm (corresponding length is 36) commonly used in MD5 algorithm (corresponding length is 16 bytes) or the SSL traffic process then not need to wait for user's input validation information.
309, after signature device receives signature command, wait for user's input validation signal, signature device returns sign " needs are waited for button " the conditional code 0x6666 of prior agreement in this process to host computer; Signature device can also be carried out following operation simultaneously:
The first, signature device picks up counting;
The second, by video player or audio player prompting user input validation signal, perhaps indicate host computer video player or audio player prompting user input validation signal; For example: signature device can be pointed out user's input validation signal by modes such as light, sound, and the conditional code that host computer also can return according to signature device is pointed out user's input validation signal by modes such as image, literal, sound;
If 310, signature device receives the affirmation signal of user's input, then carry out 313; If do not receive the affirmation signal of user's input, then carry out 311;
In order to guarantee that the user has operating right, present embodiment can also be authenticated user identity by signature device before user's input validation signal, and concrete authentication mode includes but not limited to: PIN code verification mode, biological characteristic validation mode etc.Only authenticating user identification by after just allow user's input validation signal;
In this process the user can by but be not limited to following mode input validation signal: the affirmation signal of user by button input on the signature device, user voice confirmation signal or the biological characteristic confirmation signal of user by the signature device input by the signature device input;
If signature device has started clocking scheme in 311 said process, need then to judge whether the time that timing obtains surpasses the scheduled time; If the time that timing obtains has surpassed the scheduled time, then cancel execution to the operational order that receives, the signature device end operation, and return the conditional code 0x7777 of the expression operation cancellation of prior agreement to host computer; If the time that timing obtains has not surpassed the scheduled time, then carry out 312;
312, because after host computer received conditional code 0x6666, host computer can send instruction of obtaining the signature result or the instruction that sends the cancellation signature to signature device repeatedly to signature device; If receive the instruction of obtaining the signature result that host computer sends, then return and carry out 309; If receive the instruction of the cancellation signature of host computer transmission, then flow process finishes;
The APDU command sequence of the above-mentioned instruction correspondence of obtaining the signature result is: 80 E3 00 00 00 00;
Above-mentioned cancellation signature command corresponding A PDU command sequence is: 80 E5 00 00 00 00;
313, signature device is according to the specified algorithm sign of MSE instruction, and the hash value front that receives in step 305 adds the X.509 defined algorithm identification string of standard, carries out cover according to public key cryptography standard (PKCS#1) again; For example: SHA-1 algorithm identification string is 30 20 30 0c, 06 08 2a, 86 48 86 f7 0,d02 05 05 00 04 10;
Data behind the cover are carried out the RSA computing obtaining the result that signs, and need simultaneously to send this signature result to host computer, and the conditional code 0x9000 of return success, flow process finishes;
314, directly carry out this operational order.
Pass through said process, finished the signature operation of signature device to data to be signed, because the hash value length of data to be signed is specific, so needing the user to pass through signature device input validation signal, signature device could carry out this operation after receiving instruction, to prevent directly to carry out signature operation after the hacker from controlling user's computer, avoided the hacker to control user network and gone to bank and carry out operation such as key or fund transfer; Because the hacker can only be by the network control user's computer, can not in reality, pass through signature device input validation signal, so just guarantee the safety of Web bank's user account and fund, made the hacker under the situation of control computer, still can not steal the fund in the user account.
Embodiment 4
Built-in RSA Algorithm in the signature device that present embodiment provides.This signature device receives instruction from host computer, the instruction that receives is generally the instruction of APDU (Application Protocol Data Unit) form, and this signature device is finished various operations according to instruction.The middleware that cooperates signature device to use is installed in the host computer, and it provides the CryptoAPI interface of Microsoft's definition to upper level applications (as the IE browser).When the application call interface, middleware generates corresponding APDU instruction and issues signature device, and announcement apparatus is operated.Carrying out signature operation with host computer indication signature device below is example, describes the detailed process of signature device execution command in detail, and as shown in Figure 4, the method for executing operating instructions of the signature device that the embodiment of the invention provides comprises the steps:
401, host computer issues the MSE instruction to signature device, and the key that the RSA computing is used is set.
The MSE instruction that host computer issues is the APDU command sequence, adopt RSA Algorithm with this MSE instruction indication signature device, and indicated RSA key ID, then the content that is comprised of this APDU command sequence is followed successively by: the key ID of MSE command identification, RSA Algorithm sign, RSA, and concrete command sequence is roughly as follows:
00?22?81?B8?07?80?01?80?84?02?00?23
402, after signature device receives the MSE instruction, the RSA key of current use is set by above-mentioned key ID.
403, signature device returns the successful conditional code of expression operation of making an appointment: 0x9000 to host computer;
404, host computer uses specific hash algorithm that data to be signed are carried out the hash computing to data to be signed, the corresponding hash value that obtains after the hash computing according to the defined algorithm identification string of standard X.509, is carried out cover according to public key cryptography standard (PKCS#1) again; For example: SHA-1 algorithm identification string is 30 2030 0c, 06 08 2a, 86 48 86 f7 0d 02 05 05 00 04 10; , open the hash value behind the cover sent to signature device.
405, after signature device receives hash value behind the cover, the hash value that receives is buffered in device interior.
406, signature device is to the conditional code 0x9000 of host computer return success.
407, host computer issues the decryption instructions of representing with the APDU form to signature device, and the APDU command sequence that this host computer issues is: 00 2A 80 86
408, the data that receive of signature device analysis are removed the length whether hash value length after cover and the algorithm identifier equals specific hash algorithm correspondence, if hash value length equals the length of specific hash algorithm correspondence, then carry out 409; Otherwise carry out 414;
For example: specific hash algorithm can be decided to be SHA1 or MD5, its corresponding hash value length is respectively 20 bytes or 16 bytes, and expression has only the SHA1 of employing or MD5 algorithm (corresponding 20 bytes of length or 16 bytes) just need wait for user's input validation information when signing like this; Adopt SSL3_SHAMD5 algorithm (corresponding length is 36 bytes) commonly used in the SSL traffic process then not need to wait for user's input validation information;
409, after signature device receives decryption instructions, wait for user's input validation signal, signature device returns sign " needs are waited for button " the conditional code 0x6666 of prior agreement in this process to host computer; Signature device can also be carried out following operation simultaneously:
The first, signature device picks up counting;
The second, by video player or audio player prompting user input validation signal, perhaps indicate host computer video player or audio player prompting user input validation signal; For example: signature device can be pointed out user's input validation signal by modes such as light, sound, and the conditional code that host computer also can return according to signature device is pointed out user's input validation signal by modes such as image, literal, sound;
If 410, signature device receives the affirmation signal of user's input, then carry out 413; If do not receive the affirmation signal of user's input, then carry out 411;
In order to guarantee that the user has operating right, present embodiment can also be authenticated user identity by signature device before user's input validation signal, and concrete authentication mode includes but not limited to: PIN code verification mode, biological characteristic validation mode etc.Only authenticating user identification by after just allow user's input validation signal;
In this process the user can by but be not limited to following mode input validation signal: the affirmation signal of user by button input on the signature device, user voice confirmation signal or the biological characteristic confirmation signal of user by the signature device input by the signature device input;
If signature device has started clocking scheme in 411 said process, need then to judge whether the time that timing obtains surpasses the scheduled time; If the time that timing obtains has surpassed the scheduled time, then cancel execution to the operational order that receives, the signature device end operation, and return the conditional code 0x7777 of the expression operation cancellation of prior agreement to host computer; If the time that timing obtains has not surpassed the scheduled time, then carry out 412;
412, because after host computer received conditional code 0x6666, host computer can send instruction of obtaining the result or the instruction that sends the cancellation operation to signature device repeatedly to signature device; If receive the instruction of obtaining the result that host computer sends, then return and carry out 409; If receive the instruction of the cancellation operation of host computer transmission, then flow process finishes;
The APDU command sequence of the above-mentioned instruction correspondence of obtaining the result is: 80 E3 00 00 00 00;
The instruction corresponding A PDU command sequence of above-mentioned cancellation operation is: 80 E5 00 00 00 00;
413, the data of signature device after to the cover that receives in the step 405 are carried out the RSA computing, and the result that RSA computing deciphering is obtained sends to host computer as the signature result, and the conditional code 0x9000 of return success, and flow process finishes;
414, directly carry out this operational order.
Pass through said process, finished the signature operation of signature device to data to be signed, because the hash value length that the data that signature device receives are removed behind the cover is specific, so needing the user to pass through signature device input validation signal, signature device could carry out this operation after receiving instruction, to prevent directly to carry out signature operation after the hacker from controlling user's computer, avoided the hacker to control user network and gone to bank and carry out operation such as key or fund transfer; Because the hacker can only be by the network control user's computer, can not in reality, pass through signature device input validation signal, so just guarantee the safety of Web bank's user account and fund, made the hacker under the situation of control computer, still can not steal the fund in the user account.
Embodiment 5:
The embodiment of the invention provides a kind of signature device; this signature device is used to carry out the instruction that host computer sends; be mainly used in generally speaking under the higher occasion of demands for security such as Web bank; such as: need can operate the account of Web bank by the signature of signature device, and then play the go to bank effect of account safety of catch net.As shown in Figure 5, signature device provided by the invention comprises: receiver module 51, input module 52, analysis module 514, judge module 53 and Executive Module 54.
Wherein, receiver module 51 is used to receive the operational order that host computer sends, and in the present embodiment, the function of receiver module 51 can be passed through USB interface, bluetooth communication interface, infrared communication interface, eSATA interface, SDIO interface or pcmcia interface and realize; Input module 52 is used for for user's input validation signal, and in the present embodiment, input module 52 can pass through realizations such as keyboard, voice inductor, fingerprint scanner, body temperature inductor, pressure inductor or photoelectric sensor; Whether analysis module 514 is used to analyze described operational order is the key operation instruction, and the key operation instruction mainly comprises signature command, generates the key instruction, deletes the key instruction, reads key instruction (signature device allows to read under the situation of key) and decryption instructions; The instruction of perhaps described key operation instruction for key is operated; Judge module 53 is used for when described operational order is the key operation instruction, judges whether to receive the affirmation signal of user by input module 52 inputs of signature device; In general, signature command, the instruction of generation key, deletion key instruct, read the key instruction and decryption instructions all is that key operation is instructed, for some unknown operational orders, the insider generally will instruct as key operation to the instruction that key is operated; Executive Module 54 is used for carrying out described key operation instruction when receiving the affirmation signal of user's input.
Analyze after operational order is non-key operational order at analysis module 514, the Executive Module 54 in the embodiment of the invention can directly be carried out this non-key operational order, and need not wait for user's input validation signal.
If be operating as the signature operation in the key operation, a kind of operation during this signature device may need in the following manner so:
What the first, above-mentioned receiver module 51 received is the data to be signed that host computer sends; Shown in the dotted line of Fig. 5, this moment, this signature device also comprised: Hash module 55, add module 56 and cover module 57 wherein, Hash module 55 is used for these data to be signed are carried out the hash computing; Add the hash value interpolation algorithm identification string that module 56 is used to this hash computing to obtain; Cover module 57 is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard;
In such cases, analysis module 514 is analyzed the hash instruction hash of the agreement instruction in advance in this way of signature device buffer memorys, and then this time whether operation is key operation, needs button to confirm; Otherwise do not need to wait for user's input validation information;
What the second, the host computer that receives of above-mentioned receiver module 51 sent carries out hash value after the hash computing to data to be signed; As shown in phantom in Figure 5, this signature device also comprises so: add module 58 and cover module 59; Wherein adding module 58 is used to this hash value to add the algorithm identification string; Cover module 59 is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard;
In this case, analysis module 514 instructs the pairing signature operation instruction of signed data that the length of hash value equals predetermined length as key operation; For example: can be set to 16 or 20 (corresponding respectively hash algorithm SHA1 or MD5) by predetermined length, just need wait for user's input validation information when expression has only the SHA1 of employing or MD5 algorithm to sign like this; Adopt SSL3_SHAMD5 algorithm (corresponding length is 36) commonly used in the SSL traffic process then not need to wait for user's input validation information;
Three, described receiver module receives be host computer send data to be signed are carried out the hash computing and add the algorithm identification string after the hash value; As shown in phantom in Figure 5, this signature device also comprises: cover module 510 is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard;
In such cases, analysis module 514 can remove the algorithm identification string earlier, the pairing signature operation of signed data that the length of hash value is equaled predetermined length is as key operation then, and concrete predetermined length is set and can be adopted and top two kinds of same or analogous schemes of situation;
Four, the host computer that receives of receiver module send by data to be signed successively through the hash computing, add the algorithm identification string, carry out the hash value that cover obtains according to the public key cryptography standard;
In such cases, analysis module 514 can be earlier removes algorithm identification string and cover and obtains the hash value, the pairing signature operation of signed data that the length of hash value is equaled predetermined length is as key operation then, and concrete predetermined length is set and can be adopted and the same or analogous scheme of above-mentioned situation;
In four kinds of above situations, whether be key operation instruction (during signature key operation instruction be signature command), if current operational order is the key operation instruction, then need button to confirm if can also adopt and analyze current operational order by analysis module 514; Otherwise do not need to wait for user's input validation information.
No matter which kind of method in the employing said method, signature device has obtained carrying out hash value behind the cover according to the public key cryptography standard at last, after described judge module 53 judgements receive the confirmation signal, 54 pairs of Executive Modules carry out the RSA computing according to the hash value that the public key cryptography standard is carried out behind the cover, obtain the result that signs.
For what guarantee the input validation signal is the user, and as shown in Figure 5, the signature device that the embodiment of the invention provides also comprises authentication module 511, is used for before the user is by input module input validation signal described user being carried out authentication; Described judge module 53 carries out under the authentication case of successful described user, judges whether to receive the affirmation signal of user by the signature device input.
In order to control the time of input validation signal, the signature device that provides of the embodiment of the invention also comprises timer 512 and timing judge module 513; Wherein timer 512 is used for picking up counting at the operational order that receives the host computer transmission; Timing judge module 513 is used for when not receiving the affirmation signal of user's input, judges whether the time of timer surpasses the scheduled time; Described Executive Module 54 has surpassed the execution to the operational order that receives of cancellation under the situation of the scheduled time in the time of timer.
For reminding user's input validation signal, the signature device of the embodiment of the invention also comprises: video player or audio player (not shown) are used for prompting user input validation signal when described operational order is the key operation instruction.
If this signature device also needs to carry out operations such as the generation, deletion of key, then this signature device can also comprise key production module or key removing module or the like.
The embodiment of the invention mainly is used in the occasion of the contour demand for security of Web bank, carries out corresponding instruction and carries out, for example: the signature that carries out for data to be signed; Behind signature, Web bank can carry out the operation of account or fund legally.
Through the above description of the embodiments, the those skilled in the art can be well understood to the present invention and can realize by the mode that software adds essential common hardware, can certainly pass through hardware, but the former is better execution mode under a lot of situation.Based on such understanding, the part that technical scheme of the present invention contributes to prior art in essence in other words can embody with the form of software product, this computer software product is stored in the storage medium that can read, floppy disk as computer, hard disk or CD etc., comprise some instructions with so that a station terminal equipment (can be USB-Key, computer, server, the perhaps network equipment etc.) carry out the described method of each embodiment of the present invention.
The above; only be the specific embodiment of the present invention, but protection scope of the present invention is not limited thereto, anyly is familiar with those skilled in the art in the technical scope that the present invention discloses; can expect easily changing or replacing, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion by described protection range with claim.
Claims (17)
1, a kind of method for executing operating instructions of signature device is characterized in that, comprising:
Receive the operational order that host computer sends;
Whether analyze described operational order is the key operation instruction;
If described operational order is the key operation instruction, then judge whether to receive the affirmation signal of user by the signature device input;
If receive the affirmation signal of user's input, then carry out described key operation instruction.
2, the method for executing operating instructions of signature device according to claim 1 is characterized in that, if described operational order is non-key operational order, then directly carries out described operational order.
3, the method for executing operating instructions of signature device according to claim 1 is characterized in that, whether the described operational order of described analysis is that the key operation instruction is specially:
With signature command, generate key instruction, the instruction of deletion key, read the key instruction and decryption instructions is instructed as key operation; Perhaps
To instruct as key operation to the instruction that key is operated.
4, the method for executing operating instructions of signature device according to claim 1, it is characterized in that described confirmation signal comprises: the affirmation signal of user by button input on the signature device, user voice confirmation signal or the biological characteristic confirmation signal of user by the signature device input by the signature device input.
5, the method for executing operating instructions of signature device according to claim 1 is characterized in that, before receiving the affirmation signal of user by the signature device input, this method also comprises:
Described user is carried out authentication;
Describedly judge whether to receive the affirmation signal of user by the signature device input and be: carry out under the authentication case of successful described user, judge whether to receive the affirmation signal of user by the signature device input.
6, the method for executing operating instructions of signature device according to claim 1 is characterized in that, when described operational order was the key operation instruction, this method also comprised:
Pick up counting after receiving the key operation instruction that host computer sends;
If do not receive the affirmation signal of user's input, judge whether the time that timing obtains surpasses the scheduled time;
If the time that timing obtains has surpassed the scheduled time, then cancel execution to the operational order that receives.
7, the method for executing operating instructions of signature device according to claim 1 is characterized in that, when described operational order was the key operation instruction, this method also comprised:
By video player or audio player prompting user input validation signal.
8, the method for executing operating instructions of signature device according to claim 1 is characterized in that, if described operational order is the signature command in the key operation instruction, before carrying out this signature command, this method also comprises:
Receive the data to be signed that host computer sends, described data to be signed are carried out the hash computing, for the hash value that described hash computing obtains is added the algorithm identification string, the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
What receive that host computer sends carries out hash value after the hash computing to data to be signed, for this hash value interpolation algorithm identification string, the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
Receive the hash value behind host computer sends data to be signed are carried out the hash computing and add the algorithm identification string, the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
Receive the passing through the hash computing successively, add the algorithm identification string, carry out the hash value that cover obtains of host computer transmission according to the public key cryptography standard by data to be signed;
Described execution signature command comprises: the hash value of carrying out according to the public key cryptography standard behind the cover is carried out the RSA computing.
9, the method for executing operating instructions of signature device according to claim 8 is characterized in that,
If signature device receives data to be signed that host computer sends and described data to be signed are carried out the hash computing, what receive perhaps that host computer sends carries out hash value after the hash computing to data to be signed; Whether the described operation of then described analysis is that key operation is specially: pairing signature operation was as key operation when the length of hash value was equaled predetermined length;
If signature device receives the hash value behind host computer sends data to be signed are carried out the hash computing and add the algorithm identification string, receive perhaps that host computer sends by data to be signed successively through hash computing, interpolation algorithm identification string, carry out the hash value that cover obtains according to the public key cryptography standard; Whether the described operation of then described analysis is that key operation is specially: the algorithm identification string is removed or algorithm identification string and cover is removed and obtain the hash value, and when the length of hash value equaled predetermined length pairing signature operation as key operation.
10, a kind of signature device is characterized in that, comprising:
Receiver module is used to receive the operational order that host computer sends;
Input module is used for for user's input validation signal;
Analysis module, whether be used to analyze described operational order is the key operation instruction;
Judge module is used for when described operational order is the key operation instruction, judges whether to receive the affirmation signal of user by the input module input of signature device;
Executive Module is used for carrying out described key operation instruction when receiving the affirmation signal of user's input.
11, signature device according to claim 10 is characterized in that, described analysis module with signature command, generate key instruction, the instruction of deletion key, read the key instruction and decryption instructions is instructed as key operation; Perhaps will instruct as key operation to the instruction that key is operated.
12, signature device according to claim 10 is characterized in that, described input module comprises: keyboard, voice inductor, fingerprint scanner, body temperature inductor, pressure inductor or photoelectric sensor.
13, signature device according to claim 10 is characterized in that, also comprises:
Authentication module is used for before the user is by input module input validation signal described user being carried out authentication;
Described judge module carries out under the authentication case of successful described user, judges whether to receive the affirmation signal of user by the signature device input.
14, signature device according to claim 10 is characterized in that, when described operational order is the key operation instruction, also comprises:
Timer is used for picking up counting in the key operation instruction that receives the host computer transmission;
The timing judge module is used for when not receiving the affirmation signal of user's input, judges whether the time of timer surpasses the scheduled time;
Described Executive Module also is used for having surpassed the execution to the key operation instruction that receives of cancellation under the situation of the scheduled time in the time of timer.
15, signature device according to claim 10 is characterized in that, also comprises: video player or audio player are used for prompting user input validation signal when described operational order is the key operation instruction.
16, signature device according to claim 10 is characterized in that, if described operational order is the signature command in the key operation instruction,
Described receiver module also is used to receive the data to be signed that host computer sends; This signature device also comprises: the Hash module is used for described data to be signed are carried out the hash computing; Add module, the hash value that is used to described hash computing to obtain is added the algorithm identification string; The cover module is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
Described receiver module is used to also to receive that host computer sends that data to be signed are carried out hash value after the hash computing; This signature device also comprises: add module, be used to described hash value to add the algorithm identification string; The cover module is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
Described receiver module also is used to receive the hash value behind host computer sends data to be signed are carried out the hash computing and add the algorithm identification string; This signature device also comprises: the cover module is used for the hash value behind the interpolation algorithm identification string is carried out cover according to the public key cryptography standard; Perhaps
Described receiver module also is used to receive being passed through the hash computing successively, add the algorithm identification string, carried out the hash value that cover obtains according to the public key cryptography standard by data to be signed of host computer transmission;
Described Executive Module carries out the RSA computing to the hash value of carrying out according to the public key cryptography standard behind the cover.
17, signature device according to claim 16 is characterized in that,
If described receiver module receives data to be signed that host computer sends and by the Hash module described data to be signed carried out the hash computing, what receive perhaps that host computer sends carries out hash value after the hash computing to data to be signed; Pairing signature operation instruction was instructed as key operation when then described analysis module equaled the length of hash value to predetermined length;
If described receiver module receives the hash value behind host computer sends data to be signed are carried out the hash computing and add the algorithm identification string, receive perhaps that host computer sends by data to be signed successively through hash computing, interpolation algorithm identification string, carry out the hash value that cover obtains according to the public key cryptography standard; Then described analysis module removes the algorithm identification string or algorithm identification string and cover is removed and obtains the hash value, and when the length of hash value equaled predetermined length pairing signature operation as key operation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910089302XA CN101599835B (en) | 2009-07-14 | 2009-07-14 | Signature equipment and method for executing operating instructions thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910089302XA CN101599835B (en) | 2009-07-14 | 2009-07-14 | Signature equipment and method for executing operating instructions thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101599835A true CN101599835A (en) | 2009-12-09 |
| CN101599835B CN101599835B (en) | 2011-12-28 |
Family
ID=41421102
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910089302XA Active CN101599835B (en) | 2009-07-14 | 2009-07-14 | Signature equipment and method for executing operating instructions thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101599835B (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102937938A (en) * | 2012-11-29 | 2013-02-20 | 北京天诚盛业科技有限公司 | Fingerprint processing device as well as control method and device thereof |
| CN103065079A (en) * | 2012-12-21 | 2013-04-24 | 飞天诚信科技股份有限公司 | Method for preventing fraudulent signing |
| CN103138937A (en) * | 2013-02-28 | 2013-06-05 | 飞天诚信科技股份有限公司 | Method and device for signature |
| CN103559013A (en) * | 2013-11-04 | 2014-02-05 | 北京旋极信息技术股份有限公司 | Electronic signature equipment and command processing method thereof |
| CN105376067A (en) * | 2015-12-18 | 2016-03-02 | 恒宝股份有限公司 | Method and system for digital signatures |
| CN107204849A (en) * | 2017-05-24 | 2017-09-26 | 大鹏高科(武汉)智能装备有限公司 | A kind of instruction executing method and device with interrogation function based on unmanned boat |
| TWI682656B (en) * | 2018-07-23 | 2020-01-11 | 陳明宗 | Communication system using two kinds of keys |
| CN111083134A (en) * | 2019-12-11 | 2020-04-28 | 哈尔滨安天科技集团股份有限公司 | Industrial control system communication encryption method and device, electronic equipment and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1588838A (en) * | 2004-08-17 | 2005-03-02 | 福州南南信息科技有限公司 | Network central back-up system |
| CN101394276A (en) * | 2007-09-21 | 2009-03-25 | 上海盛大网络发展有限公司 | Authentication system and method based on USB hardware token |
-
2009
- 2009-07-14 CN CN200910089302XA patent/CN101599835B/en active Active
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102937938A (en) * | 2012-11-29 | 2013-02-20 | 北京天诚盛业科技有限公司 | Fingerprint processing device as well as control method and device thereof |
| CN102937938B (en) * | 2012-11-29 | 2015-05-13 | 北京天诚盛业科技有限公司 | Fingerprint processing device as well as control method and device thereof |
| CN103065079A (en) * | 2012-12-21 | 2013-04-24 | 飞天诚信科技股份有限公司 | Method for preventing fraudulent signing |
| CN103065079B (en) * | 2012-12-21 | 2015-06-17 | 飞天诚信科技股份有限公司 | Method for preventing fraudulent signing |
| CN103138937A (en) * | 2013-02-28 | 2013-06-05 | 飞天诚信科技股份有限公司 | Method and device for signature |
| CN103138937B (en) * | 2013-02-28 | 2015-05-27 | 飞天诚信科技股份有限公司 | Method and device for signature |
| CN103559013A (en) * | 2013-11-04 | 2014-02-05 | 北京旋极信息技术股份有限公司 | Electronic signature equipment and command processing method thereof |
| CN105376067A (en) * | 2015-12-18 | 2016-03-02 | 恒宝股份有限公司 | Method and system for digital signatures |
| CN107204849A (en) * | 2017-05-24 | 2017-09-26 | 大鹏高科(武汉)智能装备有限公司 | A kind of instruction executing method and device with interrogation function based on unmanned boat |
| CN107204849B (en) * | 2017-05-24 | 2019-07-02 | 大鹏高科(武汉)智能装备有限公司 | A kind of instruction executing method and device with interrogation function based on unmanned boat |
| TWI682656B (en) * | 2018-07-23 | 2020-01-11 | 陳明宗 | Communication system using two kinds of keys |
| CN111083134A (en) * | 2019-12-11 | 2020-04-28 | 哈尔滨安天科技集团股份有限公司 | Industrial control system communication encryption method and device, electronic equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101599835B (en) | 2011-12-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101599836B (en) | Signature method, signature equipment and system | |
| CN101599835B (en) | Signature equipment and method for executing operating instructions thereof | |
| CN108551443B (en) | Application login method and device, terminal equipment and storage medium | |
| US11736296B2 (en) | Biometric verification process using certification token | |
| KR101802682B1 (en) | Systems and methods for linking devices to user accounts | |
| JP6620168B2 (en) | Dynamic encryption method, terminal, and server | |
| US11882509B2 (en) | Virtual key binding method and system | |
| CN102045367B (en) | Registration method and authentication server of real-name authentication | |
| CN106487762B (en) | user identity recognition method, identity recognition application client and server | |
| US7028184B2 (en) | Technique for digitally notarizing a collection of data streams | |
| US20170300920A1 (en) | Method Of And Apparatus For Authenticating Fingerprint, Smart Terminal And Computer Storage Medium | |
| US20050240712A1 (en) | Remote USB security system and method | |
| CN1889419B (en) | Method and apparatus for realizing encrypting | |
| US9900148B1 (en) | System and method for encryption | |
| CN111971674A (en) | Cryptographic currency wallet and cryptographic currency account management | |
| CN101820346A (en) | Secure digital signature method | |
| US20230368194A1 (en) | Encryption method and decryption method for payment key, payment authentication method, and terminal device | |
| CN101540677B (en) | Method, apparatus and system for signiture | |
| CN108537532B (en) | Resource transfer method, device and system based on near field communication and electronic equipment | |
| CN103679975A (en) | Paying method and system for mobile terminal | |
| EP3410332B1 (en) | A system and method for transferring data to an authentication device | |
| CN115865360A (en) | Continuous electronic signature method and system of credible identity token based on security component | |
| CN106910059B (en) | Off-line payment method for visible light and bar code bidirectional public key system authentication | |
| CN102474498B (en) | Authentication method for user identification equipment | |
| CN1889420B (en) | Method for realizing encrypting |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| IP01 | Partial invalidation of patent right |
Commission number: 4W107440 Conclusion of examination: Claims 1-7 and 9-14 of patent right 200910089302. X are declared invalid, and the patent right shall continue to be valid on the basis of claims 8 and 15. Decision date of declaring invalidation: 20181130 Decision number of declaring invalidation: 38007 Denomination of invention: Signature device and its operation instruction execution method Granted publication date: 20111228 Patentee: Beijing Jianshi Chengxin Technologies Co.,Ltd. |
|
| IP01 | Partial invalidation of patent right |