CN102868521A - Method for enhancing secret key transmission of symmetrical secret key system - Google Patents


Info

Publication number
CN102868521A
Authority
CN
China
Prior art keywords
key
cipher machine
secret key
card
protective
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012103358457A
Other languages
Chinese (zh)
Other versions
CN102868521B (en)
Inventor
李元正
廖成军
帅军军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
Chengdu Westone Information Industry Inc

Abstract

The invention discloses a method for enhancing key transmission in a symmetric key system. The method comprises the following steps: (1) a key management system is connected over a network to a main cipher machine and to a target cipher machine; (2) the key management system calls the main cipher machine over the network to randomly generate a shared protective key; (3) the main cipher machine writes the protective key into a protective-key IC (integrated circuit) card using its own card reader; and (4) the key data in the protective-key IC card is imported into the target cipher machine, so that the main cipher machine and the target cipher machine share the protective key. The beneficial effect is that the key management system can issue all keys directly to the cipher machines, which guarantees the security of the key transmission process (import and export). The technique avoids the serious consequence of a decline in the overall security of the symmetric key system caused by leakage of the sensitive information in the IC card when the related operations are carried out through a local card reader, IC card and data line.

Description

A method for enhancing key transmission in a symmetric key system
Technical field
The present invention relates to the field of cryptographic technology for information security, and in particular to a method for enhancing key transmission in a symmetric key system.
Background art
Cryptography is the basic technology of information security, and keys are the foundation of the secure application of cryptography and a core element of information security. With the rapid, all-round development of China's information industry, key management systems based on the symmetric key system have also entered a period of full-scale construction, and the key transmission processes in such systems face increasingly strict security requirements.
Traditional key transmission usually imports keys into the cipher machine from an IC card, which completes the transfer of the key from the IC card to the cipher machine. In operation, the relevant information and required parameters, such as the IC card type and the IC card password, are entered and configured in the key management system; the key management system uses a card reader to read the sensitive data in the IC card, encapsulates it in the required format, and transmits it over the network to the cipher machine. The cipher machine receives the instruction, sensitive data and configuration parameters, parses and executes them, and returns the result to the key management system, completing the key transmission operation.
The key management system usually reads the sensitive data in the IC card locally with a card reader, and this process carries a security risk. Sensitive data read locally by the key management system is easily intercepted and leaked by backdoor programs such as Trojans and viruses, and may be tampered with. In addition, IC cards are physically small and easily lost while being handed over, which creates a security hazard for the managing department. An unauthorized person who attacks and analyzes a lost card to crack it can easily cause leakage of the sensitive data, with serious consequences.
Summary of the invention
The purpose of the invention is to provide a method for enhancing key transmission in a symmetric key system. The method performs key distribution operations directly on the cipher machines, resolves the security risks in the key transmission process described above, and improves the security of key transmission.
To achieve this purpose, the technical solution adopted by the invention is a method for enhancing key transmission in a symmetric key system, comprising the following steps:
(1) the key management system is connected over a network to the main cipher machine and to the target cipher machine;
(2) the key management system calls the main cipher machine over the network to randomly generate a shared protective key;
(3) the main cipher machine uses its own card reader to write the protective key into the protective-key IC card;
(4) the key data in the protective-key IC card is imported into the target cipher machine, so that the main cipher machine and the target cipher machine share the protective key;
(5) the main cipher machine is used to produce key authorization control IC card 1, and the target cipher machine produces key authorization control IC card 2;
(6) the key management system uses the protective key of the main cipher machine to encrypt the key data inside the main cipher machine that is to be distributed and exports it to the key management system; the key export process is subject to the control of key authorization control IC card 1;
(7) the key management system then imports the key obtained from the main cipher machine into the target cipher machine, and the target cipher machine decrypts the data with its own protective key; the key import process is subject to the control of key authorization control IC card 2.
Preferably, the interior of the main cipher machine and of the target cipher machine is divided into key zones.
Preferably, the interior of the main cipher machine and of the target cipher machine is each divided into three zones: zone A, zone B and zone C.
In summary, by adopting the above technical solution, the invention has the following beneficial effects:
1. Keys are transmitted point to point, and the key remains in ciphertext form throughout transmission;
2. Key plaintext never leaves the cipher machine; plaintext keys appear only inside the cipher machine;
3. Both parties to a key distribution must share the protective key, which strengthens the security of key import;
4. The keys stored inside the cipher machine are divided into zones, and keys in different zones have different protected-export capabilities, which strengthens the security of key export;
5. When the key management system issues keys to a cipher machine, a key authorization control IC card must be inserted in the cipher machine; this card performs the authorization control of the key import (distribution) operation and ensures that key import is completed within the scope of legitimate authorization;
6. The technique is simple, safe and efficient, and has an obvious inherent advantage in strengthening the security of the key transmission process.
Adopting the technical method of the invention not only thoroughly avoids, in practical use, the security risk of operating the IC card locally through a card reader, but also strengthens the security of the key transmission process and improves the overall security of the symmetric key system. At the same time, the key management system operates by calling the cipher machine, which avoids the security hazard of sensitive information leaking through IC card mismanagement, lowers the technical requirements on users in practice, reduces the user's actual investment in manpower and equipment, simplifies key distribution operations on cipher machines, and greatly improves the efficiency of user operation and maintenance.
Description of drawings
Examples of the present invention will be described by way of reference to the accompanying drawings, wherein:
Fig. 1 is a schematic diagram of the traditional key transmission mode;
Fig. 2 is a schematic diagram of the key transmission mode of the present invention.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by an alternative feature serving an equivalent or similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Fig. 1 shows the current traditional key transmission mode (IC card import into the cipher machine): the key management system reads the sensitive information in the IC card locally through a card reader and imports it over the network into the cipher machine for storage. This process applies no key protection, no key zone management and no sound authorization control mechanism, and therefore carries a considerable security hazard.
Fig. 2 is a schematic diagram of how the method of the invention strengthens key transmission security. The key management system and the cipher machine share a protective key; the key management system imports the protected key into the cipher machine over the network; the cipher machine decrypts the key data with its own protective key, obtains the real key data and stores it in the cipher machine, which strengthens the security of the key transmission process. The key import process is subject to strict permission control by the key authorization card, which guarantees the legitimacy of the key import operation.
The interior of the cipher machine is divided into key zones to implement zoned key management and to guarantee the security of the protected key export process. The cipher machine divides its key storage into zones by key index range (0-999), for example: zone A (0-300), zone B (301-600), zone C (601-999); the actual number of zones can be defined according to the application. The cipher machine imports or stores keys of different attributes into different key zones and, according to the usage rights defined for each zone, controls how the keys in that zone may be used (for example: import allowed and export allowed; import allowed and export forbidden; export allowed and import forbidden). The key zone mechanism thus provides security control over the scope of key transmission and guarantees the safe use of the keys inside the cipher machine. The different attributes here are user-defined; besides three zones, the division may also be into four zones, six zones, eight zones and so on.
In addition, the method of the invention dispenses with operating the IC card locally through a card reader, which avoids the security hazard of sensitive information leaking through IC card misoperation or mismanagement.
Each key step is described in detail as follows:
(1) the key management system is connected over a network to the main cipher machine and to the target cipher machine;
(2) the key management system calls the main cipher machine over the network to randomly generate a shared protective key;
(3) the main cipher machine uses its own card reader to write the protective key into the protective-key IC card;
(4) the key data in the protective-key IC card is imported into the target cipher machine, so that the main cipher machine and the target cipher machine share the protective key;
(5) the main cipher machine is used to produce key authorization control IC card 1, and the target cipher machine produces key authorization control IC card 2;
(6) the key management system uses the protective key of the main cipher machine to encrypt the key data inside the main cipher machine that is to be distributed and exports it to the key management system; the key export process is subject to the control of key authorization control IC card 1;
(7) the key management system then imports the key obtained from the main cipher machine into the target cipher machine, and the target cipher machine decrypts the data with its own protective key; the key import process is subject to the control of key authorization control IC card 2.
The key authorization control card is produced by the cipher machine and is responsible for the authorization control of key import into the cipher machine. When the key management system performs a key transmission operation on a cipher machine, the key authorization control card must be inserted into the cipher machine; the card performs the permission control of the key import operation, working with the key management system to complete key distribution and transmission between the cipher machines.
The interior of the main cipher machine and of the target cipher machine is each divided into three zones: zone A, zone B and zone C.
The present invention is not limited to the embodiment described above. The invention extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step, or any new combination of steps, disclosed.
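The seven steps and the key-zone rule above, as an added Python sketch (not code from the patent or its assignee). The patent names no algorithm, so the wrap uses a standard-library stand-in (HMAC-SHA256 counter-mode keystream with an HMAC tag); the class and function names, the blob layout, and which zone carries which permission are assumptions.

```python
import hashlib
import hmac
import secrets

# Index ranges are the patent's example; the permissions given to each
# zone are an assumption made for this sketch.
ZONES = {"A": (range(0, 301), {"import", "export"}),
         "B": (range(301, 601), {"import"}),
         "C": (range(601, 1000), {"export"})}

def zone_of(index):
    for name, (indexes, _) in ZONES.items():
        if index in indexes:
            return name
    raise ValueError("key index outside 0-999")

def _stream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, standard library only.
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

class CipherMachine:
    def __init__(self):
        self._pk = None                  # shared protective key
        self._keys = {}                  # index -> plaintext key, never returned
        self.auth_card_inserted = False  # key authorization control IC card

    def new_protective_key(self):        # steps (2)-(3): value models the IC card
        self._pk = secrets.token_bytes(32)
        return self._pk

    def load_protective_key(self, card):  # step (4)
        self._pk = card

    def store(self, index, key):
        zone_of(index)                   # rejects indexes outside 0-999
        self._keys[index] = key

    def _authorize(self, index, op):
        if not self.auth_card_inserted:
            raise PermissionError("authorization card not inserted")
        if op not in ZONES[zone_of(index)][1]:
            raise PermissionError(f"zone {zone_of(index)} forbids {op}")

    def _subkeys(self):                  # separate encryption and MAC keys
        return tuple(hmac.new(self._pk, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))

    def export_wrapped(self, index):     # step (6)
        self._authorize(index, "export")
        enc, mac = self._subkeys()
        nonce, key = secrets.token_bytes(16), self._keys[index]
        ct = bytes(a ^ b for a, b in zip(key, _stream(enc, nonce, len(key))))
        body = index.to_bytes(2, "big") + nonce + ct
        return body + hmac.new(mac, body, hashlib.sha256).digest()

    def import_wrapped(self, blob):      # step (7)
        enc, mac = self._subkeys()
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
            raise ValueError("wrapped key rejected: wrong protective key or tampering")
        index, nonce, ct = int.from_bytes(body[:2], "big"), body[2:18], body[18:]
        self._authorize(index, "import")
        self._keys[index] = bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))
        return index

def distribute(main, target, index):
    # The key management system only relays ciphertext between the machines.
    return target.import_wrapped(main.export_wrapped(index))
```

With this zone assignment, a key exported from zone C is refused on import by a target that uses the same zoning, which is the kind of scope restriction the zone mechanism is meant to enforce.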

Claims (3)

1. A method for enhancing key transmission in a symmetric key system, characterized in that it comprises the following steps:
(1) the key management system is connected over a network to the main cipher machine and to the target cipher machine;
(2) the key management system calls the main cipher machine over the network to randomly generate a shared protective key;
(3) the main cipher machine uses its own card reader to write the protective key into the protective-key IC card;
(4) the key data in the protective-key IC card is imported into the target cipher machine, so that the main cipher machine and the target cipher machine share the protective key;
(5) the main cipher machine is used to produce key authorization control IC card 1, and the target cipher machine produces key authorization control IC card 2;
(6) the key management system uses the protective key of the main cipher machine to encrypt the key data inside the main cipher machine that is to be distributed and exports it to the key management system; the key export process is subject to the control of key authorization control IC card 1;
(7) the key management system then imports the key obtained from the main cipher machine into the target cipher machine, and the target cipher machine decrypts the data with its own protective key; the key import process is subject to the control of key authorization control IC card 2.
2. The method for enhancing key transmission in a symmetric key system according to claim 1, characterized in that the interior of the main cipher machine and of the target cipher machine is divided into key zones.
3. The method for enhancing key transmission in a symmetric key system according to claim 1 or 2, characterized in that the interior of the main cipher machine and of the target cipher machine is each divided into three zones: zone A, zone B and zone C.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210335845.7A CN102868521B (en) 2012-09-12 2012-09-12 Method for enhancing secret key transmission of symmetrical secret key system

Publications (2)

Publication Number Publication Date
CN102868521A true CN102868521A (en) 2013-01-09
CN102868521B CN102868521B (en) 2015-03-04

Family

ID=47447128

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210335845.7A Active CN102868521B (en) 2012-09-12 2012-09-12 Method for enhancing secret key transmission of symmetrical secret key system

Country Status (1)

Country Link
CN (1) CN102868521B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 333, Yunhua Road, Chengdu hi tech Zone, China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan 610041

Patentee after: China Electronics Technology Network Security Technology Co.,Ltd.

Address before: 610041, No. 8, pioneering Road, hi tech Zone, Sichuan, Chengdu

Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.