CN103679036A - Internet-based implement method for building trust between mobile encryption devices - Google Patents
- Publication number: CN103679036A
- Application number: CN201310571157.5A
- Authority: CN (China)
- Prior art keywords: usb, mobile encrypted, encrypted equipment, trusted, trust
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- G06F21/445—Program or device authentication by mutual authentication, e.g. between devices or programs
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to an internet-based method for establishing trust between mobile encryption devices. An asymmetric key pair is generated on each USB mobile encryption device and stored in an internal non-volatile storage area; the private key cannot be exported, while the public key can. The USB mobile encryption device carries a liquid crystal display and several buttons, through which the user can view the MD5 value of the current device's public key, view the incoming MD5 value of the public key of a device awaiting trust and perform a "trust" or "distrust" operation, and view the MD5 values of the public keys of every trusted device stored in the current device. The advantages of the method are that a trust relationship can be established between any two hardware encryption devices, encrypted files can be shared between the user's clients, and a hacker is prevented both from attacking the process in which trust is established between the devices and from establishing a trust relationship with an encryption device that does not belong to the user.
Description
Technical field
The present invention relates to the technical field of establishing trust between mobile encryption devices, and in particular to an internet-based method for establishing trust between mobile encryption devices.
Background technology
In implementing an encrypted cloud disk, the user scenario and the problem to be solved are as follows: a user has several clients (PCs or mobile devices), and a hardware encryption device (in USB or TF card form) is inserted into each client. Each encryption device is in the uninitialized state when delivered to the user, who must complete its initialization. A file encrypted on any one of the user's clients must be decryptable on the user's other clients; if a trust relationship can be established between the hardware encryption devices, encrypted files can be shared between the clients. There are several ways to establish such a relationship; one of them is for the current encryption device to store the public key of the trusted encryption device internally. While the trust relationship between encryption devices is being established, malicious attacks by a hacker must be prevented, as must the establishment of a trust relationship with an encryption device that does not belong to the user.
Summary of the invention
The present invention addresses the shortcomings of the prior art described above by providing an internet-based method for establishing trust between mobile encryption devices.
The technical solution adopted by the invention is as follows. In this internet-based method for establishing trust between mobile encryption devices, an asymmetric key pair is generated on each USB mobile encryption device after the user's initialization operation and stored in an internal non-volatile storage area; the private key cannot be exported, while the public key can. The USB mobile encryption device is provided with an LCD screen and several buttons. By reading the LCD screen and operating the buttons, the user can view the MD5 value of the current device's public key; view the incoming MD5 value of the public key of a device awaiting trust and perform the "trust" and "distrust" operations; and view the MD5 values of the public keys of every trusted encryption device stored in the current device. The method comprises the following steps:
(1) Each USB mobile encryption device is in one of the following three states:
1. Uninitialized: the state on leaving the factory;
2. Untrusted: initialized by the user and holding an asymmetric key pair, but not yet trusted by any other USB mobile encryption device;
3. Trusted: another USB mobile encryption device has, with the user's confirmation, trusted this USB mobile encryption device;
(2) An untrusted USB mobile encryption device becomes a trusted one as soon as any one already-trusted USB mobile encryption device has performed the confirm-trust operation on it;
(3) When a USB mobile encryption device is used by a client for the first time and logs in to the cloud disk server, its "serial number" and "MD5 of the public key" are uploaded to the cloud disk server;
(4) The first USB mobile encryption device of a user to log in to the encrypted cloud disk through a client automatically becomes a trusted USB mobile encryption device;
(5) When each subsequent USB mobile encryption device logs in to the encrypted cloud disk through a client, it uploads its "serial number" and "MD5 of the public key" to the cloud disk server and waits for an already-trusted USB mobile encryption device to perform the confirm-trust operation on it; until that operation has been performed, the device cannot access any encrypted file on the cloud disk;
(6) After the user logs in to the encrypted cloud disk server with an already-trusted USB mobile encryption device, the encrypted cloud disk client obtains from the server the "list of encryption devices awaiting trust confirmation"; if the list is not empty, the user is prompted to perform the confirm-trust operation on each USB mobile encryption device in the list;
(7) The encrypted cloud disk client writes the public key of the USB mobile encryption device awaiting confirmation into the currently trusted USB mobile encryption device, and prompts the user to confirm the operation on the "LCD screen and button accessory" of that device;
(8) The LCD screen shows the MD5 value of the public key of the USB mobile encryption device awaiting trust confirmation;
(9) The user can insert the USB mobile encryption device awaiting confirmation into a USB port of a computer or into a USB charger, and view the MD5 value of its public key on its LCD screen with the buttons;
(10) If the two MD5 values are identical, the user can perform the confirm-trust operation with the LCD screen and buttons of the already-trusted USB mobile encryption device;
(11) When the user then logs in to the cloud disk server with the newly trusted USB mobile encryption device through the encrypted cloud disk client, the contents of the encrypted cloud disk can be accessed.
Further, the LCD screen and buttons are combined as a separate component connected to the USB mobile encryption device by a pluggable cable.
Further, the public key of another USB mobile encryption device accepted by the "trust" operation can be stored in the current USB mobile encryption device, or used for key delivery processing.
Further, a TF card encryption device is converted by a converter into a USB mobile encryption device capable of performing the confirm-trust operation, and then performs it.
The beneficial effect of the invention is that a trust relationship can be established between the hardware encryption devices, so that encrypted files can be shared between the clients, and that malicious attacks by a hacker during the establishment of trust between encryption devices, as well as the establishment of trust with an encryption device that does not belong to the user, are prevented.
Embodiment
The invention is further described below with reference to an embodiment:
In this internet-based method for establishing trust between mobile encryption devices, an asymmetric key pair is generated on each USB encryption device after the user's initialization operation and stored in an internal non-volatile storage area. The private key cannot be exported, while the public key can. An LCD screen and several buttons are attached to the USB encryption device; the LCD screen and buttons may be combined as a separate component connected to the USB encryption device by a pluggable cable. By reading the LCD screen and operating the buttons, the user can: view the MD5 value of the current device's public key; view the incoming MD5 value of the public key of a device awaiting trust and perform the "trust" or "distrust" operation (the public key of another device accepted by the "trust" operation can be stored in the current device, or used for key delivery processing); and view the MD5 values of the public keys of every trusted encryption device stored in the current device. A TF card encryption device can be converted by a dedicated converter into a USB encryption device capable of performing the confirm-trust operation, and then perform it.
(1) Each encryption device is in one of the following three states:
1. Uninitialized: the state on leaving the factory
2. Untrusted: initialized by the user and holding an asymmetric key pair, but not yet trusted by any other encryption device
3. Trusted: another encryption device has, with the user's confirmation, trusted this encryption device
(2) An untrusted encryption device becomes a trusted one as soon as any one already-trusted encryption device has performed the confirm-trust operation on it
(3) When an encryption device is used by a client for the first time and logs in to the cloud disk server, its "serial number" and "MD5 of the public key" are uploaded to the cloud disk server.
(4) The first encryption device of a user to log in to the encrypted cloud disk through a client automatically becomes a trusted encryption device.
(5) When each subsequent encryption device logs in to the encrypted cloud disk through a client, it uploads its "serial number" and "MD5 of the public key" to the cloud disk server and waits for an already-trusted encryption device to perform the confirm-trust operation on it. Until that operation has been performed, the device cannot access any encrypted file on the cloud disk.
(6) After the user logs in to the encrypted cloud disk server with an already-trusted encryption device, the encrypted cloud disk client software obtains from the server the "list of encryption devices awaiting trust confirmation"; if the list is not empty, the user is prompted to perform the confirm-trust operation on each encryption device in the list.
(7) The encrypted cloud disk client writes the public key of the encryption device awaiting confirmation into the currently trusted encryption device, and prompts the user to confirm the operation on the "LCD screen and button accessory" of that device.
(8) The LCD screen shows the MD5 value of the public key of the encryption device awaiting trust confirmation.
(9) The user can insert the encryption device awaiting confirmation into a USB port of a computer or into a USB charger, and view the MD5 value of its public key on its LCD screen with the buttons. This step can also be carried out by the user in advance and the value recorded in a reliable way.
(10) If the two MD5 values are identical, the user can perform the confirm-trust operation on the "LCD screen and button accessory" of the already-trusted encryption device.
(11) When the user then logs in to the cloud disk server with the newly trusted encryption device through the encrypted cloud disk client, the contents of the encrypted cloud disk can be accessed.
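The eleven steps above, and the identical sequence in the summary of the invention, as a runnable simulation. This is an added example and not code from the patent or its applicant: it models the three device states, the "serial number" + "MD5 of the public key" upload, the automatic trust of a user's first device, and the user's comparison of the MD5 shown on the already-trusted device against the MD5 shown on the candidate device's own LCD before pressing "trust". Everything concrete is constructed for the example: the toy discrete-log key parameters standing in for the patent's unspecified asymmetric algorithm, the in-memory server, the serial numbers, and the assumption that the server relays the candidate's public key to the client for step 7.

```python
import hashlib
import secrets
from enum import Enum
from typing import Dict, Optional, Tuple

# Toy discrete-log key parameters: an assumed stand-in for the patent's unspecified algorithm,
# far too small for real use (2**127 - 1 is prime).
TOY_P = 2**127 - 1
TOY_G = 3

class State(Enum):
    UNINITIALIZED = 1  # state when leaving the factory
    UNTRUSTED = 2      # key pair exists, but no other device trusts it yet
    TRUSTED = 3        # confirmed by the user on an already-trusted device

def md5_fingerprint(public_key: bytes) -> str:
    """MD5 of the exported public key: the value the patent shows on the LCD."""
    return hashlib.md5(public_key).hexdigest()

class EncryptionDevice:
    """One USB encryption device; the private key has no accessor, so it cannot be exported."""

    def __init__(self, serial: str) -> None:
        self.serial = serial                               # constructed serial number
        self.state = State.UNINITIALIZED
        self.__private_key: Optional[int] = None
        self.public_key: Optional[bytes] = None
        self.trusted_public_keys: Dict[str, bytes] = {}   # fingerprint -> key (step 10)
        self.pending_public_key: Optional[bytes] = None   # written in by the client (step 7)

    def initialize(self) -> None:
        """User initialization: generate the key pair in non-volatile storage."""
        if self.state is not State.UNINITIALIZED:
            raise RuntimeError("already initialized")
        self.__private_key = secrets.randbelow(TOY_P - 2) + 1
        self.public_key = pow(TOY_G, self.__private_key, TOY_P).to_bytes(16, "big")
        self.state = State.UNTRUSTED

    def lcd_own_fingerprint(self) -> str:
        return md5_fingerprint(self.public_key)          # step 9: MD5 shown on this device's LCD

    def receive_pending_public_key(self, key: bytes) -> str:
        self.pending_public_key = key                    # step 7: client writes the candidate's key
        return md5_fingerprint(key)                      # step 8: LCD shows its MD5

    def confirm_trust(self) -> str:
        """Step 10: the user presses 'trust'; the pending key is stored and its MD5 returned."""
        if self.state is not State.TRUSTED or self.pending_public_key is None:
            raise RuntimeError("only an already-trusted device with a pending key may confirm")
        fp = md5_fingerprint(self.pending_public_key)
        self.trusted_public_keys[fp] = self.pending_public_key
        self.pending_public_key = None
        return fp

class CloudDiskServer:
    """In-memory stand-in for the encrypted cloud disk server (constructed)."""

    def __init__(self) -> None:
        self.trusted: Dict[str, str] = {}                 # serial -> fingerprint
        self.pending: Dict[str, Tuple[str, bytes]] = {}  # serial -> (fingerprint, key relayed to client)

    def login(self, device: EncryptionDevice) -> bool:
        """Steps 3-5 and 11: upload serial + MD5(public key); return whether files may be accessed."""
        fp = device.lcd_own_fingerprint()
        if device.serial in self.trusted or not self.trusted:  # step 4: first device auto-trusted
            self.trusted[device.serial] = fp
            device.state = State.TRUSTED
            return True
        self.pending[device.serial] = (fp, device.public_key)
        return False                                           # step 5: no access until confirmed

def confirm_pending_device(server: CloudDiskServer, trusted_dev: EncryptionDevice,
                           candidate_serial: str, fingerprint_on_candidate_lcd: str) -> bool:
    """Steps 6-10 on the client: trust only if both LCDs show the same MD5."""
    _, relayed_key = server.pending[candidate_serial]
    shown = trusted_dev.receive_pending_public_key(relayed_key)
    if shown != fingerprint_on_candidate_lcd:
        trusted_dev.pending_public_key = None             # the user presses 'distrust'
        return False
    server.trusted[candidate_serial] = trusted_dev.confirm_trust()
    del server.pending[candidate_serial]
    return True

def run_scenario() -> dict:
    server = CloudDiskServer()
    dev_a, dev_b, dev_c = (EncryptionDevice(s) for s in ("SN-A", "SN-B", "SN-C"))
    for d in (dev_a, dev_b, dev_c):
        d.initialize()
    r = {"a_trusted_first": server.login(dev_a), "b_before_confirm": server.login(dev_b)}
    r["honest_confirm"] = confirm_pending_device(server, dev_a, "SN-B", dev_b.lcd_own_fingerprint())
    r["b_after_confirm"] = server.login(dev_b)                # step 11
    server.login(dev_c)                                       # C is now awaiting confirmation
    fp_c, _ = server.pending["SN-C"]
    server.pending["SN-C"] = (fp_c, secrets.token_bytes(16))  # a hostile party swaps the relayed key
    r["substituted_confirm"] = confirm_pending_device(server, dev_a, "SN-C", dev_c.lcd_own_fingerprint())
    r["trusted_serials"] = sorted(server.trusted)
    return r
```

The comparison in confirm_pending_device carries the scheme's security claim: the trusted device computes the fingerprint from the key it was actually handed, and the user checks it against what the candidate device displays on its own screen, so a key substituted on the server or in transit produces a mismatch and is refused, which is what the substituted-key branch of run_scenario exercises. MD5 is used because the patent specifies it; a design built today would display a SHA-256 fingerprint instead.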
Besides the embodiment described above, the invention may have other embodiments. All technical solutions formed by equivalent replacement or equivalent transformation fall within the scope of protection claimed by the invention.
Claims (4)
1. An internet-based method for establishing trust between mobile encryption devices, characterized in that: an asymmetric key pair is generated on each USB mobile encryption device after the user's initialization operation and stored in an internal non-volatile storage area, the private key cannot be exported, and the public key can be exported; the USB mobile encryption device is provided with an LCD screen and several buttons; by reading the LCD screen and operating the buttons, the user can view the MD5 value of the current device's public key, view the incoming MD5 value of the public key of a device awaiting trust and perform the "trust" and "distrust" operations, and view the MD5 values of the public keys of every trusted encryption device stored in the current device; the method comprises the following steps:
(1) Each USB mobile encryption device is in one of the following three states:
1. Uninitialized: the state on leaving the factory;
2. Untrusted: initialized by the user and holding an asymmetric key pair, but not yet trusted by any other USB mobile encryption device;
3. Trusted: another USB mobile encryption device has, with the user's confirmation, trusted this USB mobile encryption device;
(2) An untrusted USB mobile encryption device becomes a trusted one as soon as any one already-trusted USB mobile encryption device has performed the confirm-trust operation on it;
(3) When a USB mobile encryption device is used by a client for the first time and logs in to the cloud disk server, its "serial number" and "MD5 of the public key" are uploaded to the cloud disk server;
(4) The first USB mobile encryption device of a user to log in to the encrypted cloud disk through a client automatically becomes a trusted USB mobile encryption device;
(5) When each subsequent USB mobile encryption device logs in to the encrypted cloud disk through a client, it uploads its "serial number" and "MD5 of the public key" to the cloud disk server and waits for an already-trusted USB mobile encryption device to perform the confirm-trust operation on it; until that operation has been performed, the device cannot access any encrypted file on the cloud disk;
(6) After the user logs in to the encrypted cloud disk server with an already-trusted USB mobile encryption device, the encrypted cloud disk client obtains from the server the "list of encryption devices awaiting trust confirmation"; if the list is not empty, the user is prompted to perform the confirm-trust operation on each USB mobile encryption device in the list;
(7) The encrypted cloud disk client writes the public key of the USB mobile encryption device awaiting confirmation into the currently trusted USB mobile encryption device, and prompts the user to confirm the operation on the "LCD screen and button accessory" of that device;
(8) The LCD screen shows the MD5 value of the public key of the USB mobile encryption device awaiting trust confirmation;
(9) The user inserts the USB mobile encryption device awaiting confirmation into a USB port of a computer or into a USB charger, and views the MD5 value of its public key on its LCD screen with the buttons;
(10) If the two MD5 values are identical, the user performs the confirm-trust operation with the LCD screen and buttons of the already-trusted USB mobile encryption device;
(11) When the user then logs in to the cloud disk server with the newly trusted USB mobile encryption device through the encrypted cloud disk client, the contents of the encrypted cloud disk can be accessed.
2. The internet-based method for establishing trust between mobile encryption devices according to claim 1, characterized in that: the LCD screen and buttons are combined as a separate component connected to the USB mobile encryption device by a pluggable cable.
3. The internet-based method for establishing trust between mobile encryption devices according to claim 1, characterized in that: the public key of another USB mobile encryption device accepted by the "trust" operation can be stored in the current USB mobile encryption device, or used for key delivery processing.
4. The internet-based method for establishing trust between mobile encryption devices according to claim 1, characterized in that: a TF card encryption device is converted by a converter into a USB mobile encryption device capable of performing the confirm-trust operation, and then performs it.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310571157.5A CN103679036A (en) | 2013-11-13 | 2013-11-13 | Internet-based implement method for building trust between mobile encryption devices |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103679036A true CN103679036A (en) | 2014-03-26 |
Family
ID=50316546
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310571157.5A Pending CN103679036A (en) | 2013-11-13 | 2013-11-13 | Internet-based implement method for building trust between mobile encryption devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103679036A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1661959A (en) * | 2004-02-27 | 2005-08-31 | 微软公司 | Security associations for devices |
CN1294720C (en) * | 1999-10-27 | 2007-01-10 | 艾利森电话股份有限公司 | Method and arrangement in communication network |
CN101102180A (en) * | 2006-07-03 | 2008-01-09 | 联想(北京)有限公司 | Inter-system binding and platform integrity verification method based on hardware security unit |
US20090185685A1 (en) * | 2008-01-18 | 2009-07-23 | International Business Machines Corporation | Trust session management in host-based authentication |
CN101881997A (en) * | 2009-05-04 | 2010-11-10 | 同方股份有限公司 | Trusted safe mobile storage device |
- 2013-11-13: CN CN201310571157.5A patent/CN103679036A/en, status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3605989B1 (en) | Information sending method, information receiving method, apparatus, and system | |
US10469469B1 (en) | Device-based PIN authentication process to protect encrypted data | |
US10142107B2 (en) | Token binding using trust module protected keys | |
EP3289723B1 (en) | Encryption system, encryption key wallet and method | |
KR101894232B1 (en) | Method and apparatus for cloud-assisted cryptography | |
EP2639997B1 (en) | Method and system for secure access of a first computer to a second computer | |
US8984295B2 (en) | Secure access to electronic devices | |
CN109587101B (en) | Digital certificate management method, device and storage medium | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
EP3082123B1 (en) | File storage system, file storage apparatus, and user terminal | |
CN102638568A (en) | Cloud storage system and data management method thereof | |
CN109756329A (en) | Anti- quantum calculation shared key machinery of consultation and system based on private key pond | |
CN110708291B (en) | Data authorization access method, device, medium and electronic equipment in distributed network | |
CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
WO2023174038A1 (en) | Data transmission method and related device | |
CN115001841A (en) | Identity authentication method, identity authentication device and storage medium | |
WO2021098152A1 (en) | Blockchain-based data processing method, device, and computer apparatus | |
CN102999710A (en) | Method, equipment and system for safely sharing digital content | |
CN109510711B (en) | Network communication method, server, client and system | |
US9473471B2 (en) | Method, apparatus and system for performing proxy transformation | |
Shahzad | Safe haven in the cloud: Secure access controlled file encryption (safe) system | |
Pradeep et al. | Survey on the key management for securing the cloud | |
WO2020177109A1 (en) | Lot-drawing processing method, trusted chip, node, storage medium and electronic device | |
CN111181906A (en) | Data sharing method, device, equipment, system and storage medium | |
CN112400295B (en) | Managing central secret keys for multiple user devices associated with a single public key |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20140326 |