CN103414564A - Secrete key card, secrete key device and method for protecting private key - Google Patents

Secrete key card, secrete key device and method for protecting private key Download PDF

Info

Publication number
CN103414564A
CN103414564A CN2013103412738A CN201310341273A CN103414564A CN 103414564 A CN103414564 A CN 103414564A CN 2013103412738 A CN2013103412738 A CN 2013103412738A CN 201310341273 A CN201310341273 A CN 201310341273A CN 103414564 A CN103414564 A CN 103414564A
Authority
CN
China
Prior art keywords
key
encryption
card
key card
serial ports
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2013103412738A
Other languages
Chinese (zh)
Inventor
周海涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Westone Information Industry Inc filed Critical Chengdu Westone Information Industry Inc
Priority to CN2013103412738A priority Critical patent/CN103414564A/en
Publication of CN103414564A publication Critical patent/CN103414564A/en
Pending legal-status Critical Current

Links

Abstract

The invention discloses a secrete key card, a secrete key device and a method for protecting a private key. The secrete key card comprises a power source and a safety chip, a safe storage area used for storing the private key is arranged in the safety chip, a safety code module is integrated in the safety chip, the safety code module is provided with a true random number generator, and the secrete key card is further provided with at least one serial port. The code device of the secrete key card is used, the code device comprises a mainboard which is provided with a serial port, the serial port of the mainboard is connected with the serial port of the secrete key card, the secrete key card is controlled to generate a male key/ female key pair and conduct encryption/decryption, and the private key is stored in the safe storage area. The secrete key card, the secrete key device and the method for protecting the private key enables the fact that the private key is stolen by logging in the device and a system illegally or by stealing a nonvolatile storage to be impossible. The code device can operate the secrete key card to carry out orders conveniently through the serial ports, and the overall safety of the code device is improved.

Description

A kind of method of key card, key devices and protection private key thereof
Technical field
The present invention is applicable to cryptographic communication system, is specifically related to a kind of method of key card, encryption device and protection private key thereof.
Background technology
PKI(Public Key Infrastructure) namely " PKIX " technology is the core of information security technology, is also key and the basic technology of ecommerce.The basic technology of PKI comprises encryption, digital signature, data integrity mechanism, digital envelope, dual digital signature etc.
Digital signature technology based on public-key cryptosystem is by the encrypted private key of summary info with the sender, sends the recipient to together with original text, and the recipient only has with sender's PKI could decipher encrypted summary info.
Digital envelope is a public-key cryptosystem application in practice, is to guarantee to only have the specific receiver of regulation could read the content of communicating by letter by encryption technology.In digital envelope, information sender adopts symmetric key to carry out encrypted content information, then this symmetric key is encrypted to (this part claims digital envelope) afterwards with recipient's public-key cryptography, by it and the information after encrypting send to together the recipient, the recipient first opens digital envelope with corresponding private cipher key, obtain symmetric key, then use symmetric key to untie enciphered message.
If the user has lost the key for data decryption, data can't be decrypted, and this will cause legal loss of data.For avoiding this situation, the PKI application system provides the mechanism of backup and recovery key to guarantee the safety of PKI; And be the uniqueness of guaranteeing signature private key, it is not backed up.
The private key of general encryption device is stored in nonvolatile memory, there is no safeguard measure, has the risk of illegally being stolen.If nonvolatile memory is stolen private key by unauthorized theft or by illegal logging device system, the safety of information will be had a strong impact on.If while using digital signature technology, sender's private key is stolen, the stealer can palm off the information sender transmission and have destructive signing messages, and the recipient can think that information is from transmit leg by mistake, and sender's non repudiation is by destroyed; If while using digital envelope, private key is stolen, the stealer can use this private key to open digital envelope, obtains symmetric key, then uses symmetric key to untie enciphered message.
Summary of the invention
For addressing the above problem, the invention provides a kind of method of key card, encryption device and protection private key thereof.
A kind of key card, comprise power supply, safety chip, in described safety chip, be provided be used to storing the secure storage areas of private key, integrated security password module in described safety chip, described security password module is provided with real random number generator, and described key card also is provided with at least one serial ports.Described safety chip model is AC3192.
Use the encryption device of the above key card, comprise the mainboard that machine is provided with serial ports, the serial ports of described mainboard is connected with the serial ports of key card.
The method of above-mentioned encryption device protection private key comprises following steps:
Step 1: the encryption device mainboard sends command information by serial ports to key card;
Step 2: key card judgement command type, and make respective reaction:
If the generation cipher key command, carry out step 3.1~4.1, for:
Step 3.1: key card generates public/private keys pair;
Step 4.1: private key deposits secure storage areas in, and PKI turns back to the encryption device mainboard by serial ports, carries out and finishes;
If the enciphering/deciphering order, the step 3.2 of carrying out~4.2 are:
Step 3.2: key card calls respective algorithms and private key carries out the enciphering/deciphering processing;
Step 4.2: key card returns to the data message after enciphering/deciphering by serial ports, carries out and finishes.
Key card of the present invention is secure storage areas of special division on safety chip, private key produces and deposits in secure storage areas by the key card hardware module, makes and wants that to steal private key be all impossible by stealing nonvolatile memory or illegal logging device system.And because safety chip self contains battery, even the power down private key can not lost yet.Adopt the encryption device of this key card can operate very easily the key card fill order by serial ports, improved the fail safe of encryption device integral body.
The accompanying drawing explanation
Fig. 1 is key card hardware module and encryption device mainboard connection diagram;
Fig. 2 protects the method flow diagram of private key for the encryption device that uses key card.
Embodiment
The present invention is described in further detail below in conjunction with accompanying drawing.
Below to the structure of key card and be elaborated with the annexation of encryption device.
Described key card contains safety chip, and model is AC3192.Integrated security password module in described safety chip, and in safety chip, be designed with secure storage areas.
Described security password module can generate public and private key.This module contains the real random number generator in physical noise source, and can realize the SM2 algorithm, so just can in the key card hardware module, generate public/private keys to and the enciphering/deciphering that carries out data.
The private key information that described secure storage areas generates for the storage security crypto module.And do not allow private key information to be removed, because safety chip self has battery, even if the key card power down can not lost private key information yet.
Described key card also designs a serial ports, and miscellaneous equipment (as the encryption device of the present embodiment) can carry out exchanges data by this serial ports and key card hardware module.
The described encryption device that contains this key card is: key card is built in encryption device, and be connected with the encryption device mainboard by serial ports, be that the command information of key card reception or the PKI that key card sends or encryption and decryption data information all will be by this serial ports transmitting-receivings.
Below in conjunction with Fig. 2, protect the workflow of private key to describe to the encryption device that uses above-mentioned use key card.
S1: the encryption device mainboard sends command information by serial ports to key card;
S2: key card determines whether to generate cipher key command, and makes corresponding reflection.
If for generating cipher key command, subsequent step is:
S3: key card generates public/private keys pair.
Be specially: the security password module is by calling related algorithm and, in conjunction with the real random number generator of physics noise source, generating public/private keys pair.
S4: private key deposits secure storage areas in, and PKI turns back to the encryption device mainboard by serial ports.
If for generating cipher key command, subsequent step is not:
S3: key card determines whether the enciphering/deciphering order.
As be encrypted command, subsequent step is
S4: key card generates public/private keys pair, and private key deposits secure storage areas in, and PKI returns to encryption device by serial ports;
S5: encryption device, by PKI encapsulation Generate Certificate request, is signed and issued device certificate and is sent it to the opposite end encryption device by certificate center (CA);
S6: encryption device sends encrypted command toward key card, and key card calls respective algorithms and private key is encrypted (signature) processing, and the data message that finally will encrypt after (signature) sends to encryption device by serial ports;
S7: encryption device will be encrypted (signature) data message and send to opposite equip.
As be decryption command, subsequent step is
S4: key card calls respective algorithms and private key is decrypted processing.
S5: the data message after key card will be deciphered returns to the encryption device mainboard by serial ports.
If receiving, cipher card judgement institute orders neither neither the generation cipher key command neither the enciphering/deciphering order, key card will be ignored this command information.
Key card data enciphering/deciphering carries out in the security password module.
Adopt the present invention, only need in existing encryption device, add a cipher card, cost is low, and volume is little, and adopts cipher card of the present invention, encryption device can ensure to greatest extent the fail safe of private key.
Key card of the present invention is secure storage areas of special division on safety chip, private key produces and deposits in secure storage areas by the key card hardware module, makes and wants that to steal private key be all impossible by stealing nonvolatile memory or illegal logging device system.And because safety chip self contains battery, even the power down private key can not lost yet.Adopt the encryption device of this key card can operate very easily the key card fill order by serial ports, improved the fail safe of encryption device integral body.
Key card of the present invention is not only applicable to encryption device, also is adapted to other and need uses private key to carry out the equipment of encryption and decryption, as vpn equipment, firewall box, UTM equipment etc., has the safety means of cryptographic function.
Above are only preferred embodiment of the present invention, not in order to limit the present invention, all any modifications of doing within the spirit and principles in the present invention, be equal to and replace and improvement etc., within all should being included in protection scope of the present invention.

Claims (9)

1. key card, it is characterized in that, comprise power supply, safety chip, in described safety chip, be provided be used to storing the secure storage areas of private key, integrated security password module in described safety chip, described security password module is provided with real random number generator, and described key card also is provided with at least one serial ports.
2. a kind of key card as claimed in claim 1, is characterized in that, described safety chip model is AC3192.
3. use the encryption device of key card as claimed in claim 1, comprise the mainboard that is provided with serial ports, it is characterized in that, the serial ports of described mainboard is connected with the serial ports of key card.
4. the method for encryption device protection private key as claimed in claim 3, is characterized in that, comprises following steps:
Step 1: the encryption device mainboard sends command information by serial ports to key card;
Step 2: key card judgement command type, and make respective reaction:
If the generation cipher key command, carry out step 3.1~4.1, for:
Step 3.1: key card generates public/private keys pair;
Step 4.1: private key deposits secure storage areas in, and PKI turns back to the encryption device mainboard by serial ports, carries out and finishes;
If the enciphering/deciphering order, carry out step 3.2~4.2, for:
Step 3.2: key card calls respective algorithms and private key carries out the enciphering/deciphering processing;
Step 4.2: key card returns to the data message after enciphering/deciphering by serial ports, carries out and finishes.
5. the method for encryption device as claimed in claim 4 protection private key, is characterized in that, the security password module is by calling related algorithm and, in conjunction with the real random number generator of physics noise source, generating public/private keys pair.
6. the method for as described as claim 4 or 5 encryption device protection private key, is characterized in that, command type is if encrypted command, and step 3.2~4.2 are specially the following step:
S1: key card generates public/private keys pair, and private key deposits secure storage areas in, and PKI returns to encryption device by serial ports;
S2: encryption device, by PKI encapsulation Generate Certificate request, is signed and issued device certificate and is sent it to the opposite end encryption device by certificate center;
S3: encryption device sends encrypted command toward key card, and key card calls the private key that generates in respective algorithms and step 1 and is encrypted, and the data message after finally encrypting sends to the encryption device mainboard by serial ports;
S4: encryption device sends to opposite equip. by ciphered data information.
7. the method for encryption device as claimed in claim 4 protection private key, is characterized in that, orders neither the generation cipher key command neither the enciphering/deciphering order if the cipher card judgement receives, and key card will be ignored this command information.
8. the method for encryption device protection private key as claimed in claim 4, is characterized in that, key card data enciphering/deciphering carries out in the security password module.
9. the method for encryption device as claimed in claim 4 protection private key, is characterized in that, when needs use public-key while carrying out the certificate request operation, external equipment can take out the processing that PKI carries out next step by serial ports.
CN2013103412738A 2013-08-07 2013-08-07 Secrete key card, secrete key device and method for protecting private key Pending CN103414564A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2013103412738A CN103414564A (en) 2013-08-07 2013-08-07 Secrete key card, secrete key device and method for protecting private key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2013103412738A CN103414564A (en) 2013-08-07 2013-08-07 Secrete key card, secrete key device and method for protecting private key

Publications (1)

Publication Number Publication Date
CN103414564A true CN103414564A (en) 2013-11-27

Family

ID=49607550

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2013103412738A Pending CN103414564A (en) 2013-08-07 2013-08-07 Secrete key card, secrete key device and method for protecting private key

Country Status (1)

Country Link
CN (1) CN103414564A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954139A (en) * 2015-06-19 2015-09-30 南方电网科学研究院有限责任公司 Cipher machine
CN107070657A (en) * 2016-01-21 2017-08-18 三星电子株式会社 Safety chip and application processor and its operating method
CN108805537A (en) * 2018-05-21 2018-11-13 郑州云海信息技术有限公司 It is a kind of using TPM as the method and system of bit coin client stochastic source
US10154037B2 (en) 2017-03-22 2018-12-11 Oracle International Corporation Techniques for implementing a data storage device as a security device for managing access to resources

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832403A (en) * 2006-04-24 2006-09-13 北京易恒信认证科技有限公司 CPK credibility authorization system
CN101110113A (en) * 2007-08-10 2008-01-23 魏恺言 Multi-use safety device for computing electronic payment code and its generating method
US7325121B2 (en) * 2003-09-12 2008-01-29 Broadcom Corporation System and method of utilizing off-chip memory
CN102648475A (en) * 2009-09-18 2012-08-22 韩国建设交通技术评价院 Key card for compatible transportation card and operating method of key card for transportation card
CN102968854A (en) * 2012-11-29 2013-03-13 长城信息产业股份有限公司 Uncovered data self-destruction device for safety payment terminal and method
CN202854866U (en) * 2012-09-24 2013-04-03 河北联合大学 NFC secret key card with USB interface

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7325121B2 (en) * 2003-09-12 2008-01-29 Broadcom Corporation System and method of utilizing off-chip memory
CN1832403A (en) * 2006-04-24 2006-09-13 北京易恒信认证科技有限公司 CPK credibility authorization system
CN101110113A (en) * 2007-08-10 2008-01-23 魏恺言 Multi-use safety device for computing electronic payment code and its generating method
CN102648475A (en) * 2009-09-18 2012-08-22 韩国建设交通技术评价院 Key card for compatible transportation card and operating method of key card for transportation card
CN202854866U (en) * 2012-09-24 2013-04-03 河北联合大学 NFC secret key card with USB interface
CN102968854A (en) * 2012-11-29 2013-03-13 长城信息产业股份有限公司 Uncovered data self-destruction device for safety payment terminal and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
徐敏: "抗物理攻击安全芯片关键技术研究", 《万方学位论文》, 31 July 2013 (2013-07-31) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954139A (en) * 2015-06-19 2015-09-30 南方电网科学研究院有限责任公司 Cipher machine
CN104954139B (en) * 2015-06-19 2019-02-15 南方电网科学研究院有限责任公司 Cipher machine
CN107070657A (en) * 2016-01-21 2017-08-18 三星电子株式会社 Safety chip and application processor and its operating method
US10154037B2 (en) 2017-03-22 2018-12-11 Oracle International Corporation Techniques for implementing a data storage device as a security device for managing access to resources
US10462142B2 (en) 2017-03-22 2019-10-29 Oracle International Corporation Techniques for implementing a data storage device as a security device for managing access to resources
CN108805537A (en) * 2018-05-21 2018-11-13 郑州云海信息技术有限公司 It is a kind of using TPM as the method and system of bit coin client stochastic source

Similar Documents

Publication Publication Date Title
KR101725847B1 (en) Master key encryption functions for transmitter-receiver pairing as a countermeasure to thwart key recovery attacks
CN103618607B (en) A kind of Security Data Transmission and key exchange method
US20130251152A1 (en) Key transport protocol
US10439811B2 (en) Method for securing a private key on a mobile device
CN105323070B (en) A kind of safety E-mail implementation method based on digital envelope
CN104253694A (en) Encrypting method for network data transmission
CN102394749B (en) Line protection method, system, information safety equipment and application equipment for data transmission
CN101800738B (en) Realization system and method for safely visiting and storing intranet data by mobile equipment
CN102082790B (en) Method and device for encryption/decryption of digital signature
US9166793B2 (en) Efficient authentication for mobile and pervasive computing
CN103678174A (en) Data safety method, storage device and data safety system
CN102833246A (en) Social video information security method and system
CN105656621A (en) Safety management method for cryptographic device
CN109543434B (en) Block chain information encryption method, decryption method, storage method and device
CN103414564A (en) Secrete key card, secrete key device and method for protecting private key
CN107896147B (en) Method and system for negotiating temporary session key based on national cryptographic algorithm
CN101001142A (en) Encipher-decipher method based on iterative random number generator
CN1607511B (en) Data protection method and system
CN104268447A (en) Encryption method of embedded software
CN102056156B (en) Computer Data Security is downloaded to the method and system of mobile terminal
KR20200037847A (en) NFC tag authentication to remote servers with applications to protect supply chain asset management
CN102811124B (en) Based on the system Authentication method of two card trigram technology
KR101793528B1 (en) Certificateless public key encryption system and receiving terminal
CN101964039B (en) Encryption protection method and system of copyright object
CN101296077A (en) Identity authentication system based on bus type topological structure

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20131127

RJ01 Rejection of invention patent application after publication