CN103929306A - Intelligent secret key device and information management method of intelligent secret key device - Google Patents

Publication number: CN103929306A
Application number: CN201410132192.1A
Authority: CN (China)
Legal status: Granted; active (granted publication CN103929306B)
Other languages: Chinese (zh)
Inventor: 李东声
Original and current assignee: Tendyron Technology Co Ltd
Prior art keywords: intelligent cipher, cipher key, user, key equipment, user data
Classification: Storage Device Security

Abstract

The invention provides an intelligent key device and an information management method for the intelligent key device. The intelligent key device comprises a first storage module, a second storage module, a transceiver module, an access control module and a security chip. The first storage module stores the private key and digital certificate of the intelligent key device; the second storage module stores user data; the transceiver module receives an operation instruction input by the user and user data to be stored; the access control module verifies the identity of the user, grants the user write permission to the second storage module after the user passes authentication, and writes the user data to be stored into the second storage module; and the security chip generates and verifies digital signatures and performs encryption and decryption. With this intelligent key device the user does not need to enter a login account and password manually when logging in, which is a great convenience, and for a user with many accounts the memorization burden is greatly reduced.

Description

Intelligent key device and information management method for an intelligent key device
Technical field
The present invention relates to the field of network information security, and in particular to an intelligent key device and an information management method for an intelligent key device.
Background technology
Password technology is one of the most common security and secrecy measures in current network information systems; for example, a user must first set up a login account and password before logging in to online banking, a third-party payment platform, or any of the many shopping and social websites. With the rapid development of the networked information era, users' online activity keeps increasing. At present, USB Key technology solves the problem of authenticating a user's identity. A USB Key is a hardware device with a USB interface and a built-in single-chip microcomputer or smart card chip; it has a certain amount of storage space in which the user's private key and digital certificate can be stored, and the public key algorithm built into the USB Key is used to authenticate the user. USB Key technology therefore solves the difficult problem of user authentication in network security and is widely used in payment fields such as online banking and third-party payment platforms.
In the course of realizing the present invention, the inventor found that the prior art has at least the following problem: although a USB Key is highly secure and protects the user's private key and digital certificate, the user still has to enter the login account and password manually when using the USB Key to log in to online banking or a third-party payment platform, which is inconvenient and gives a poor user experience.
Furthermore, many users who hold accounts at several banks, third-party payment platforms, shopping or social websites choose the same or similar combinations as login account and password for ease of memory. Although this is convenient to remember, it is also dangerous: once the login account and password of one account are cracked, the security of the other accounts is directly threatened, which poses a serious hidden danger to the protection of user information. If instead the user sets a different login account and password for each account, security is better, but the user must accurately remember the login account and password of every account, which inevitably increases the memorization burden.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, a first object of the present invention is to propose an intelligent key device that lets the user log in to online banking or a third-party payment platform without manually entering a login account and password, reducing the user's memorization burden and improving the user experience.
A second object of the present invention is to propose an information management method for an intelligent key device.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes an intelligent key device comprising: a first storage module for storing the private key and digital certificate of the intelligent key device; a second storage module for storing user data; a transceiver module for receiving an operation instruction input by the user and user data to be stored; an access control module for authenticating the user, granting the user write permission to the second storage module after the user passes authentication, and writing the user data to be stored into the second storage module; and a security chip for generating and verifying digital signatures and for encryption and decryption.
In one embodiment of the invention, the access control module authenticates the user according to the personal identification number (PIN code) of the intelligent key device.
In one embodiment of the invention, the intelligent key device further comprises an activation module. The activation module receives an activation code that the user inputs on the intelligent key device, verifies the activation code, and activates the access control module after verification succeeds; or it receives an activation request sent by the user through a client together with the activation code the user inputs through the client, verifies the activation code, and activates the access control module after verification succeeds.
In one embodiment of the invention, the intelligent key device further comprises an enabling module, which receives an enable instruction input by the user and enables the access control module according to that instruction.
In one embodiment of the invention, the transceiver module receives the operation instruction and the user data to be stored through an operation interface and control buttons provided by the intelligent key device; or the transceiver module receives the operation instruction and the user data to be stored from an external device through a communication interface.
In one embodiment of the invention, the transceiver module receives a verification request and a random number that the user sends to the intelligent key device through a client; the security chip encrypts the random number with the private key of the intelligent key device; and, according to the verification request, the transceiver module sends the digital certificate of the intelligent key device and the encrypted random number to the client. The client verifies the digital certificate of the intelligent key device against a root certificate, decrypts the encrypted random number with the public key of the intelligent key device, and verifies the decrypted random number.
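The device verification exchange just described, as an added Go example (not the patent's own code). "Encrypting the random number with the private key" is realised as an RSA signature over the random number and the client's "decryption with the public key" as signature verification; the root CA, the device certificate and the challenge value are constructed here by Provision() and main().

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyDevice stands in for the intelligent key device; its first storage module
// holds the device private key and the device certificate (DER encoded).
type KeyDevice struct {
	priv    *rsa.PrivateKey
	certDER []byte
}

// Respond is the device side of the exchange: the security chip "encrypts the
// random number with the private key", i.e. signs it, and the transceiver
// returns the device certificate together with that signature.
func (d *KeyDevice) Respond(randomNumber []byte) (certDER, sig []byte, err error) {
	digest := sha256.Sum256(randomNumber)
	sig, err = rsa.SignPKCS1v15(rand.Reader, d.priv, crypto.SHA256, digest[:])
	return d.certDER, sig, err
}

// VerifyDevice is the client side: the device certificate must chain to the
// trusted root certificate, and the random number must verify under the key
// that certificate carries. Both checks must pass before the device is trusted.
func VerifyDevice(rootDER, randomNumber, certDER, sig []byte) error {
	root, err1 := x509.ParseCertificate(rootDER)
	devCert, err2 := x509.ParseCertificate(certDER)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed certificate: %v %v", err1, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := devCert.Verify(opts); err != nil {
		return fmt.Errorf("device certificate not issued under trusted root: %w", err)
	}
	// CheckSignature hashes the random number with SHA-256 and verifies the
	// PKCS#1 v1.5 signature with the certified RSA public key.
	if err := devCert.CheckSignature(x509.SHA256WithRSA, randomNumber, sig); err != nil {
		return fmt.Errorf("random number was not signed by the certified device key: %w", err)
	}
	return nil
}

// certTemplate builds a short-lived certificate template; ca marks the root.
func certTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		c.IsCA, c.BasicConstraintsValid, c.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return c
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Provision creates a constructed root CA and a device certificate issued by it
// (the manufacturer's personalisation step, not part of the exchange).
func Provision() (rootDER []byte, dev *KeyDevice) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	rootTmpl := certTemplate(1, "Constructed Root CA", true)
	rootDER, err = x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	must(err)
	rootCert, err := x509.ParseCertificate(rootDER)
	must(err)
	devKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	devTmpl := certTemplate(2, "Constructed intelligent key device", false)
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, rootCert, &devKey.PublicKey, rootKey)
	must(err)
	return rootDER, &KeyDevice{priv: devKey, certDER: devDER}
}

func main() {
	rootDER, dev := Provision()
	challenge := []byte("constructed client random number")
	certDER, sig, _ := dev.Respond(challenge)
	fmt.Println("device verified:", VerifyDevice(rootDER, challenge, certDER, sig) == nil)
}
```

A response replayed against a different random number, or a certificate issued under a root the client does not trust, fails VerifyDevice.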
In one embodiment of the invention, the transceiver module receives a user data ciphertext sent by the client, and the security chip decrypts the user data ciphertext with the private key of the intelligent key device to obtain the user data to be stored, where the client generates the user data ciphertext by encrypting the user data to be stored with the public key of the intelligent key device. Alternatively, the transceiver module receives a session key ciphertext and a user data ciphertext sent by the client; the security chip decrypts the session key ciphertext with the private key of the intelligent key device to obtain the session key, and decrypts the user data ciphertext with the session key to obtain the user data to be stored, where the client randomly generates the session key, encrypts it with the public key of the intelligent key device to produce the session key ciphertext, and encrypts the user data to be stored with the session key to produce the user data ciphertext.
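The second variant (session key plus user data ciphertext), as an added Go example that is not the patent's own code. The choice of RSA-OAEP for wrapping the session key, AES-256-GCM for the user data, the OAEP label and the sample account string are assumptions of this example; the page only fixes the two-layer structure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedUserData is what the client sends to the device: the session key wrapped
// under the device public key (RSA-OAEP) and the user data encrypted under the
// session key (AES-256-GCM, so modification in transit is detected).
type SealedUserData struct {
	SessionKeyCT []byte // session key ciphertext
	Nonce        []byte // GCM nonce, sent alongside the user data ciphertext
	UserDataCT   []byte // user data ciphertext (includes the GCM tag)
}

// oaepLabel binds the wrapped key to this purpose; a constructed value.
var oaepLabel = []byte("intelligent-key-device-session-key")

// NewDeviceKey generates the device key pair held in the first storage module.
func NewDeviceKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SealForDevice is the client side: generate a random session key, wrap it for
// the device, and encrypt the user data (e.g. "account:password") under it.
func SealForDevice(devPub *rsa.PublicKey, userData []byte) (*SealedUserData, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	keyCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedUserData{
		SessionKeyCT: keyCT,
		Nonce:        nonce,
		UserDataCT:   gcm.Seal(nil, nonce, userData, nil),
	}, nil
}

// OpenOnDevice is the security chip's side: recover the session key with the
// device private key, then decrypt and authenticate the user data before the
// access control module writes it into the second storage module.
func OpenOnDevice(devPriv *rsa.PrivateKey, s *SealedUserData) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, devPriv, s.SessionKeyCT, oaepLabel)
	if err != nil {
		return nil, errors.New("session key ciphertext was not produced for this device")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	userData, err := gcm.Open(nil, s.Nonce, s.UserDataCT, nil)
	if err != nil {
		return nil, errors.New("user data ciphertext failed authentication; refusing to store it")
	}
	return userData, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	devKey := NewDeviceKey()
	sealed, err := SealForDevice(&devKey.PublicKey, []byte("alice@example-bank:S3cret!Pass"))
	if err != nil {
		panic(err)
	}
	userData, err := OpenOnDevice(devKey, sealed)
	fmt.Printf("device recovered %q (err=%v)\n", userData, err)
	sealed.UserDataCT[0] ^= 0x01 // simulate modification in transit
	_, err = OpenOnDevice(devKey, sealed)
	fmt.Println("tampered ciphertext:", err)
}
```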
In one embodiment of the invention, the intelligent key device further comprises a display module. After the transceiver module receives the user data to be stored input by the user, the display module displays the operation instruction and the user data to be stored, and the access control module writes the user data to be stored into the second storage module only after the transceiver module receives the user's confirmation instruction for the displayed user data.
The intelligent key device of the embodiments of the present invention exploits the fact that an intelligent key device can itself store data and is highly secure: a new functional module is added to the device, the user is authenticated whenever this module is to be used, and once the user passes authentication the new module provides storage and management of the user's personal information. The user therefore no longer has to enter a login account and password manually when using the intelligent key device to log in to online banking or a third-party payment platform. This protects the security of the user's login accounts and passwords while being very convenient, and especially for users with many accounts, keeping accounts and passwords in the intelligent key device greatly reduces the memorization burden and improves the user experience.
In one embodiment of the present invention, the transceiver module further receives a dynamic password generation request sent by the client; the access control module further obtains the user data stored in the second storage module of the intelligent key device; the display module further displays that user data, which comprises accounts and their corresponding passwords; and the security chip further obtains the user data chosen by the user and generates a dynamic password from it, the dynamic password being used for authentication when the user logs in at the client with the chosen user data.
Specifically, the security chip uses the user data chosen by the user as a seed key and computes the dynamic password from the seed key and factor information, where the factor information comprises a time factor and/or an event factor. The user data comprises numeric information and non-numeric information that can be converted into numeric information, the non-numeric information comprising one or more of letters, operators and punctuation marks.
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also use that stored user data to generate dynamic passwords.
In one embodiment of the present invention, the transceiver module further receives a password output request sent by the client; according to the password output request, the display module displays an item list corresponding to the user data pre-stored in the intelligent key device, the user data comprising account information and corresponding passwords; the intelligent key device further comprises a determination module for determining the account information selected by the user in the item list and determining a first password according to the selected account information, the first password being the password used for login authentication; and the transceiver module further sends the first password to the client so that the client can input it.
Specifically, the determination module obtains, from the stored information, the password corresponding to the account information selected by the user, and either takes that password as the first password or encrypts it to obtain the first password. Alternatively, the determination module obtains from the stored information one or more of the account information selected by the user and the information corresponding to it, computes a dynamic password from the obtained information using a dynamic password algorithm, and takes that dynamic password as the first password.
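The dynamic password derivation (seed key plus time or event factor) and the determination module's choice between the stored password and a dynamic password, as one added Go example that is not the patent's own code. The page does not name an algorithm; this example uses the HMAC-SHA1 construction and dynamic truncation of RFC 4226 with a 30 s time step, treats the bytes of "account:password" as the numeric seed, and leaves out the "encrypted stored password" variant; the Account type, the store contents and the mode names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Account is one entry of the second storage module: account information and
// its corresponding password.
type Account struct {
	Name     string
	Password string
}

// SeedKey converts the chosen user data into the seed the dynamic password is
// computed from. The page says letters, operators and punctuation are converted
// into numeric information; here that conversion is simply the UTF-8 bytes of
// "account:password", an assumption of this example.
func SeedKey(a Account) []byte {
	return []byte(a.Name + ":" + a.Password)
}

// TimeFactor is the time factor: the number of whole steps since the Unix epoch
// (30 s steps as in RFC 6238; the step length is an assumption).
func TimeFactor(t time.Time, step time.Duration) uint64 {
	return uint64(t.Unix() / int64(step/time.Second))
}

// DynamicPassword computes the dynamic password from the seed key and one moving
// factor (a TimeFactor or an event counter) using HMAC-SHA1 and the dynamic
// truncation of RFC 4226; digits is the length of the decimal password.
func DynamicPassword(seed []byte, factor uint64, digits int) (string, error) {
	if digits < 6 || digits > 9 {
		return "", errors.New("digits must be between 6 and 9")
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], factor)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks 4 bytes
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod), nil
}

// Mode selects how the determination module derives the "first password" for
// the account the user picked from the item list.
type Mode int

const (
	StoredPassword Mode = iota // hand back the stored password itself
	Dynamic                    // compute a dynamic password from the stored data
)

// FirstPassword is the determination module: look up the account the user
// selected in the item list and produce the password the client will input.
func FirstPassword(store []Account, selected string, mode Mode, factor uint64) (string, error) {
	for _, a := range store {
		if a.Name != selected {
			continue
		}
		switch mode {
		case StoredPassword:
			return a.Password, nil
		case Dynamic:
			return DynamicPassword(SeedKey(a), factor, 6)
		}
		return "", errors.New("unknown mode")
	}
	return "", errors.New("no such account in the item list")
}

func main() {
	// Constructed contents of the second storage module.
	store := []Account{{"alice@bank", "S3cret!"}, {"alice@shop", "p@ss+word"}}
	pw, _ := FirstPassword(store, "alice@bank", StoredPassword, 0)
	fmt.Println("stored password:", pw)
	otp, _ := FirstPassword(store, "alice@shop", Dynamic, TimeFactor(time.Now(), 30*time.Second))
	fmt.Println("dynamic password:", otp)
}
```

With the RFC 4226 test secret "12345678901234567890" as seed, factor 0 yields 755224 and factor 1 yields 287082, so the construction can be checked against the published vectors.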
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also securely read user data such as accounts and passwords out of the device and use it to log in at the client.
In one embodiment of the present invention, the access control module further obtains data to be backed up from the second storage module of the intelligent key device, and the transceiver module further sends the data to be backed up to a target intelligent key device. The target intelligent key device receives the data to be backed up, displays it for the user to confirm, and saves it after receiving the user's confirmation instruction.
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also back up the user data it holds to another intelligent key device, preventing the loss of the user's passwords if the intelligent key device is lost.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes an information management method for an intelligent key device, comprising: receiving an operation instruction input by the user and user data to be stored; authenticating the user and, after the user passes authentication, granting the user write permission to the intelligent key device; and writing the user data to be stored into the intelligent key device.
In one embodiment of the invention, authenticating the user specifically comprises authenticating the user according to the personal identification number (PIN code) of the intelligent key device.
In one embodiment of the invention, before receiving the operation instruction input by the user and the user data to be stored, the method further comprises receiving an activation code that the user inputs on the intelligent key device, verifying the activation code, and activating the information storage function of the intelligent key device after verification succeeds; or receiving an activation request sent by the user through a client together with the activation code the user inputs through the client, verifying the activation code, and activating the information storage function of the intelligent key device after verification succeeds, where the information storage function is the function that writes the user data to be stored into the intelligent key device.
In one embodiment of the invention, before receiving the operation instruction input by the user and the user data to be stored, the method further comprises receiving an enable instruction input by the user and enabling the information storage function of the intelligent key device according to that instruction.
In one embodiment of the invention, receiving the operation instruction input by the user and the user data to be stored specifically comprises receiving them through an operation interface and control buttons provided by the intelligent key device, or receiving them from an external device through a communication interface.
In one embodiment of the invention, before writing the user data to be stored into the intelligent key device, the method further comprises receiving a verification request and a random number that the user sends to the intelligent key device through a client, encrypting the random number with the private key of the intelligent key device, and, according to the verification request, sending the digital certificate of the intelligent key device and the encrypted random number to the client; the client verifies the digital certificate of the intelligent key device against a root certificate, decrypts the encrypted random number with the public key of the intelligent key device, and verifies the decrypted random number.
In one embodiment of the invention, receiving the operation instruction input by the user and the user data to be stored specifically comprises receiving a user data ciphertext sent by the client and decrypting it with the private key of the intelligent key device to obtain the user data to be stored, where the client generates the user data ciphertext by encrypting the user data to be stored with the public key of the intelligent key device; or receiving a session key ciphertext and a user data ciphertext sent by the client, decrypting the session key ciphertext with the private key of the intelligent key device to obtain the session key, and decrypting the user data ciphertext with the session key to obtain the user data to be stored, where the client randomly generates the session key, encrypts it with the public key of the intelligent key device to produce the session key ciphertext, and encrypts the user data to be stored with the session key to produce the user data ciphertext.
In one embodiment of the invention, before writing the user data to be stored into the intelligent key device, the method further comprises displaying the user data to be stored, and writing the user data to be stored into the intelligent key device specifically comprises writing it only after receiving the user's confirmation instruction for the displayed user data.
The information management method of the embodiments of the present invention exploits the fact that an intelligent key device can itself store data and is highly secure: a new functional module is added to the device, the user is authenticated whenever this module is to be used, and once the user passes authentication the new module provides storage and management of the user's personal information. The user therefore no longer has to enter a login account and password manually when using the intelligent key device to log in to online banking or a third-party payment platform. This protects the security of the user's login accounts and passwords while being very convenient, and especially for users with many accounts, keeping accounts and passwords in the intelligent key device greatly reduces the memorization burden and improves the user experience.
In one embodiment of the present invention, after writing the user data to be stored into the intelligent key device, the method further comprises: the intelligent key device receives a dynamic password generation request sent by the client; the intelligent key device obtains the user data stored in its second storage module; the intelligent key device displays that user data on its display screen, the user data comprising accounts and corresponding passwords; and the intelligent key device obtains the user data chosen by the user and generates a dynamic password from it, the dynamic password being used for authentication when the user logs in at the client with the chosen user data.
Specifically, obtaining the user data chosen by the user and generating a dynamic password from it comprises: using the user data chosen by the user as a seed key and computing the dynamic password from the seed key and factor information, where the factor information comprises a time factor and/or an event factor, the user data comprises numeric information and non-numeric information that can be converted into numeric information, and the non-numeric information comprises one or more of letters, operators and punctuation marks.
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also use that stored user data to generate dynamic passwords.
In one embodiment of the present invention, after writing the user data to be stored into the intelligent key device, the method further comprises: the intelligent key device receives a password output request sent by the client; according to the password output request, the intelligent key device displays an item list corresponding to the user data pre-stored in the device, the user data comprising account information and corresponding passwords; the intelligent key device determines the account information selected by the user in the item list and determines a first password according to the selected account information, the first password being the password used for login authentication; and the intelligent key device sends the first password to the client so that the client can input it.
Specifically, determining the account information selected by the user in the item list and determining the first password according to it comprises: obtaining, from the stored information, the password corresponding to the account information selected by the user, and either taking that password as the first password or encrypting it to obtain the first password; or obtaining from the stored information one or more of the account information selected by the user and the information corresponding to it, computing a dynamic password from the obtained information using a dynamic password algorithm, and taking that dynamic password as the first password.
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also securely read user data such as accounts and passwords out of the device and use it to log in at the client.
In one embodiment of the present invention, the method further comprises: the intelligent key device obtains data to be backed up from its storage module; the intelligent key device sends the data to be backed up to a target intelligent key device; the target intelligent key device receives the data to be backed up, displays it for the user to confirm, and saves it after receiving the user's confirmation instruction.
Thus, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent key device, the intelligent key device of the embodiments of the present invention can also back up the user data it holds to another intelligent key device, preventing the loss of the user's passwords if the intelligent key device is lost.
Additional aspects and advantages of the present invention are given in part in the following description, will in part become apparent from the following description, or may be learned through practice of the present invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic structural diagram of an intelligent key device according to one embodiment of the invention;
Fig. 2 is a schematic structural diagram of an intelligent key device according to a specific embodiment of the invention;
Fig. 3 is a flow chart of enabling the access control module according to one embodiment of the invention;
Fig. 4 is a schematic structural diagram of an intelligent key device according to another specific embodiment of the invention;
Fig. 5 is a workflow diagram of an intelligent key device according to one embodiment of the invention;
Fig. 6 is a workflow diagram of an intelligent key device according to another embodiment of the invention;
Fig. 7 is a flow chart of an information management method for an intelligent key device according to one embodiment of the invention;
Fig. 8 is a flow chart of an information management method for an intelligent key device according to a specific embodiment of the invention; and
Fig. 9 is a flow chart of an information management method for an intelligent key device according to another specific embodiment of the invention.
Embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which the same or similar reference numerals denote the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the present invention, and are not to be construed as limiting it.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly indicating the number of technical features referred to. Thus a feature qualified by "first" or "second" may explicitly or implicitly include one or more such features. In the description of the invention, "a plurality of" means two or more unless expressly and specifically limited otherwise.
Any process or method described in a flow chart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as will be understood by those skilled in the art to which the embodiments of the present invention pertain.
Fig. 1 is a schematic structural diagram of the intelligent cipher key device of one embodiment of the invention.
As shown in Fig. 1, the intelligent cipher key device comprises a first storage module 100, a second storage module 200, a transceiver module 300, an access control module 400 and a security chip 500.
Specifically, the first storage module 100 stores the private key and the digital certificate of the intelligent cipher key device. In an embodiment of the invention, the intelligent cipher key device may be a USB Key, an audio Key, a Bluetooth Key or the like, where a USB Key transfers data to and from the client over a USB interface, an audio Key transfers data to and from the client by way of audio tone codes, and a Bluetooth Key transfers data to and from the client over a Bluetooth connection.
The second storage module 200 stores user data. Specifically, the user data may comprise the login account and password with which the user logs in to online banking or to a third-party payment platform when transacting or paying over the network. The user data may also be the user's bank card number and password, or private data such as the login accounts and passwords of websites the user commonly uses.
The transceiver module 300 receives the operation instruction input by the user and the user data to be stored. Specifically, the operation instruction input by the user may be an instruction to add new user data to the second storage module 200, or an instruction to edit, modify or delete user data already stored in the second storage module 200.
In an embodiment of the invention, the transceiver module 300 can receive the operation instruction and the user data to be stored through the operation interface and control buttons provided by the intelligent cipher key device. Specifically, the user can input the operation instruction and the user data to be stored to the transceiver module 300 through a keyboard (for example, a physical keyboard or a virtual keyboard) provided by the intelligent cipher key device.
It should be understood that, in addition to the above, the intelligent cipher key device can provide the user with other ways of inputting the operation instruction and the user data to be stored to the transceiver module 300. In an embodiment of the invention, the transceiver module 300 can also receive the operation instruction and the user data to be stored from an external device through a communication interface. Specifically, the user can connect the intelligent cipher key device to a client on which a corresponding management application is installed, input the operation instruction and the user data to be stored in the operation interface of the management application through a mouse, keyboard, touch screen or similar device, and the client then sends the operation instruction and the user data to be stored to the transceiver module 300 through its communication interface. In an embodiment of the invention, the client may be a personal computer (PC), a notebook computer, a tablet computer or the like.
The access control module 400 authenticates the user's identity and, after the user passes authentication, grants the user write permission for the second storage module 200 and writes the user data to be stored, as input by the user, into the second storage module 200.
In an embodiment of the invention, the access control module 400 authenticates the user according to the personal identification number (PIN code) of the intelligent cipher key device. Specifically, after the transceiver module 300 receives the operation instruction and the user data to be stored input by the user, the access control module 400 can prompt the user to input the password of the intelligent cipher key device, i.e. its PIN code. After the user inputs the PIN code, the access control module 400 verifies the user's identity against the PIN code input. For example, the access control module 400 can provide the user with two different ways of inputting the PIN code:
(1) The user can input the PIN code through the keyboard (physical or virtual) provided by the intelligent cipher key device. Specifically, the access control module 400 prompts the user to input the PIN code, receives the PIN code input by the user through the keyboard or similar device of the intelligent cipher key device, and then judges whether the PIN code input by the user matches the PIN code pre-stored in the intelligent cipher key device; if they match, the user passes authentication.
(2) The user can connect the intelligent cipher key device to a client, input the PIN code through the client's keyboard, touch screen or similar device, and the client sends the PIN code to the access control module 400 through its communication interface for verification. Specifically, after the intelligent cipher key device is connected to the client, the access control module 400 sends the client a verification request to authenticate the user's identity; the user inputs the PIN code through the client's keyboard, touch screen or similar device, and the client sends the PIN code input by the user to the access control module 400. The access control module 400 judges whether the received PIN code matches the PIN code pre-stored in the intelligent cipher key device; if they match, the user passes authentication.
Furthermore, while the access control module 400 authenticates the user's identity according to the received PIN code, the client should also verify the intelligent cipher key device, so as to ensure that the intelligent cipher key device receiving the data sent by the client is itself legitimate.
In an embodiment of the invention, the transceiver module 300 receives, through the client, a verification request for the intelligent cipher key device and a random number sent by the user; the security chip 500 encrypts the random number with the private key of the intelligent cipher key device; and the transceiver module 300, in response to the verification request, sends the digital certificate of the intelligent cipher key device and the encrypted random number to the client. The client verifies the digital certificate of the intelligent cipher key device against a root certificate, decrypts the encrypted random number with the public key of the intelligent cipher key device, and verifies the decrypted random number. Specifically, the client can generate a random number and store it in its cache, and then send the random number together with a request to read the digital certificate of the intelligent cipher key device to the transceiver module 300 of the intelligent cipher key device. After receiving the random number, the transceiver module 300 stores it in the cache of the intelligent cipher key device; the security chip 500 encrypts the random number with the private key of the intelligent cipher key device; and the transceiver module 300 then sends the encrypted random number together with the digital certificate of the intelligent cipher key device to the client. After receiving the digital certificate of the intelligent cipher key device and the encrypted random number, the client verifies the digital certificate against the root certificate held in the client.
That is, the client can use the root certificate to verify the legitimacy of the digital certificate used for electronic signature. The root certificate is the public key certificate of the certificate authority (CA); the digital certificate of the intelligent cipher key device comprises the user's information, the user's public key and the CA's signature over the information in the certificate. To verify the authenticity of the digital certificate of the intelligent cipher key device (that is, to verify whether the CA's signature over the information in the certificate is valid), the public key of the CA is required. When verifying the digital certificate of the intelligent cipher key device, the client can read the user information and the user's public key in the digital certificate using the CA root certificate stored inside the client, thereby verifying the legitimacy of the digital certificate of the intelligent cipher key device.
If the client passes the verification of the digital certificate of the intelligent cipher key device, the client also decrypts the encrypted random number with the public key of the intelligent cipher key device and compares the result with the random number in its cache, thereby further verifying the intelligent cipher key device.
In an embodiment of the invention, the access control module 400 also locks the intelligent cipher key device after the number of erroneous user inputs exceeds a preset number. Specifically, if the user inputs the PIN code of the intelligent cipher key device incorrectly, the access control module 400 counts the number of erroneous inputs. When the number of erroneous inputs exceeds the preset number, that is, when the number of the user's erroneous inputs exceeds a predetermined threshold, for example 5, the access control module 400 locks the intelligent cipher key device, which further ensures the security of the intelligent cipher key device.
In an embodiment of the invention, after the user passes authentication, the access control module 400 grants the user write permission for the second storage module 200 and writes the user data to be stored, as input by the user, into the second storage module 200. That is, after obtaining write permission for the second storage module 200, the user can input new user data into the second storage module 200 or modify the user data already stored in it. Specifically, when inputting new user data, the user can select a preset item on the intelligent cipher key device or manually input a user-defined item. In other words, the user data stored in the second storage module 200 falls into two classes. The first is preset items, which the user can select directly, for example bank card number, online banking login name, password, web address, name and so on; a plurality of sub-items can also be preset under each item, for example Bank of China, Industrial and Commercial Bank of China, Agricultural Bank of China and so on under bank card number. The second is blank entries for user-defined input: when the user needs to store user data, a new entry can be created, and this entry can comprise a plurality of items, for example the type of bank card, account, password and so on.
It should be understood that, when the user inputs new user data into the second storage module 200 or modifies the user data already stored in it, the input or modification can be performed through the keyboard (physical or virtual) provided by the intelligent cipher key device; or it can be performed through a client connected to the intelligent cipher key device, using the management application installed on the client with a keyboard, touch screen or similar device, after which the client sends the user data to be stored to the transceiver module 300 through its communication interface.
In an embodiment of the invention, data transfer between the client and the intelligent cipher key device can use ciphertext transmission, with the transmitted data encrypted and decrypted using keys held inside the intelligent cipher key device. Specifically, the client can encrypt the user data to be stored, as input by the user, with the public key of the intelligent cipher key device to obtain a user data ciphertext and send this user data ciphertext to the transceiver module 300. The security chip 500 can decrypt the user data ciphertext with the private key of the intelligent cipher key device, thereby obtaining the user data input by the user.
In addition, the client and the intelligent cipher key device can also transfer data using a negotiated session key. Specifically, the client can generate a random number and use it as a session key, encrypt the session key with the public key of the intelligent cipher key device to obtain a session key ciphertext, encrypt the user data to be stored, as input by the user, with the session key to obtain a user data ciphertext, and then send the session key ciphertext and the user data ciphertext together to the transceiver module 300. The security chip 500 can decrypt the session key ciphertext with the private key of the intelligent cipher key device to obtain the session key, and decrypt the user data ciphertext with the session key, thereby obtaining the user data input by the user.
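The two transport variants above, as an added Go example that is not part of the patent: the direct variant encrypts the user data under the device public key with RSA-OAEP, and the session-key variant wraps a random AES-256 key under the device public key and encrypts the user data with AES-GCM under that key. The cipher choices, the function names and the sample entry are assumptions, since the patent names no specific algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the client sends to the transceiver module 300 in the
// session-key variant: the session key wrapped under the device public key
// plus the user data encrypted under that session key.
type Envelope struct {
	SessionKeyCiphertext []byte // RSA-OAEP(devicePub, sessionKey)
	Nonce                []byte // AES-GCM nonce, sent in the clear
	UserDataCiphertext   []byte // AES-GCM(sessionKey, userData)
}

// NewDeviceKey stands in for the private key kept in the first storage module
// 100; the client only ever receives the public half.
func NewDeviceKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientEncryptDirect is the first variant: the user data itself is encrypted
// under the device public key. RSA-OAEP/SHA-256 with a 2048-bit key carries at
// most 190 bytes, so this suits only short items such as a single password.
func ClientEncryptDirect(devicePub *rsa.PublicKey, userData []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, userData, nil)
}

// DeviceDecryptDirect is the security chip 500 side of the first variant.
func DeviceDecryptDirect(devicePriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, ct, nil)
}

// ClientEncrypt is the second variant: a fresh random session key is wrapped
// under the device public key and the user data is encrypted under it.
func ClientEncrypt(devicePub *rsa.PublicKey, userData []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // the random number used as session key
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, userData, nil)}, nil
}

// DeviceDecrypt is the security chip 500 side of the second variant: unwrap the
// session key with the device private key, then decrypt the user data. The GCM
// tag check also rejects a ciphertext altered between client and device.
func DeviceDecrypt(devicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.SessionKeyCiphertext, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.UserDataCiphertext, nil)
	if err != nil {
		return nil, errors.New("user data ciphertext rejected")
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, _ := NewDeviceKey()
	// Constructed sample entry (not real account data).
	env, _ := ClientEncrypt(&priv.PublicKey, []byte("bank=ICBC;card=6222000000000000;pwd=Example#123"))
	got, err := DeviceDecrypt(priv, env)
	fmt.Printf("device recovered %q (err=%v)\n", got, err)
}
```

Because the session-key variant uses an authenticated cipher, the security chip refuses a tampered envelope outright instead of decrypting it into garbage.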
The security chip 500 generates and verifies digital signatures and performs encryption and decryption.
The intelligent cipher key device of the embodiment of the invention makes use of the fact that the intelligent cipher key device can itself store data and has high security: a new functional module is added to the intelligent cipher key device, the user is authenticated whenever the user needs to use this functional module, and after the user passes authentication the new functional module provides the user with storage and management of personal information. As a result, the user does not need to manually input a login account and password when using the intelligent cipher key device to log in to online banking or a third-party payment platform; this protects the security of the user's login account and password while also bringing great convenience to the user. In particular, for a user with a plurality of accounts, keeping the accounts and passwords in the intelligent cipher key device greatly reduces the burden of memorising them and improves the user experience.
Fig. 2 is a schematic structural diagram of the intelligent cipher key device of a specific embodiment of the invention.
As shown in Fig. 2, the intelligent cipher key device comprises a first storage module 100, a second storage module 200, a transceiver module 300, an access control module 400, a security chip 500, an activation control module 600 and an enabling module 700.
Unlike the embodiment described above, the intelligent cipher key device of this embodiment also comprises an activation control module 600 and an enabling module 700. The activation control module 600 receives an activation code input by the user on the intelligent cipher key device, verifies the activation code and, after the activation code is verified, activates the access control module 400; or it receives an activation request sent by the user through the client and an activation code input by the user through the client, verifies the activation code and, after the activation code is verified, activates the access control module 400. Specifically, the user can set, through the activation control module 600, whether the access control module 400 is activated. In other words, the user can set, through the activation control module 600, whether the intelligent cipher key device has the information storage function; only after the user has activated the access control module 400 through the activation control module 600 does the intelligent cipher key device have the function of storing information. Furthermore, the user can activate the access control module 400 in the following two ways:
(1) In an embodiment of the invention, the activation control module 600 receives the activation code input by the user on the intelligent cipher key device, verifies it and, after verification, activates the access control module 400. Specifically, the user can input the activation code directly to the activation control module 600 through the keyboard (physical or virtual) provided by the intelligent cipher key device.
(2) In an embodiment of the invention, the activation control module 600 receives the activation request sent by the user through the client and the activation code input by the user through the client, verifies the activation code and, after verification, activates the access control module 400. Specifically, as shown in Fig. 3, the user can connect the intelligent cipher key device to an interface of the client; the management application installed on the client provides a function option for activating the access control module 400, and the user can send an activation request to the activation control module 600 through the management application using a mouse, keyboard or similar device. After receiving the activation request, the activation control module 600 sends the client's management application an instruction to input the activation code; the user then inputs the activation code through the client's keyboard, touch screen or similar device, and the client sends the activation code to the activation control module 600 through its communication interface. The activation control module 600 verifies the received activation code and, after verification, activates the access control module 400.
In addition, the enabling module 700 receives an enable instruction input by the user and enables the access control module 400 according to the enable instruction. Specifically, after the user has activated the access control module 400 through the activation control module 600, if the user needs to store the user data to be stored in the second storage module 200, the user also needs to enable the access control module 400 through the enabling module 700. In other words, once the intelligent cipher key device has the information storage function, the user must also perform an enable operation in order to use it. That is, the enable operation turns on the storage function on the basis that the intelligent cipher key device already has the information storage function.
Furthermore, when the intelligent cipher key device is configured at the factory, its information storage function can be set to one of two states: directly available, or optional. If the information storage function of the intelligent cipher key device is set to directly available, the intelligent cipher key device is configured to have the information storage function, so there is no need to activate the access control module 400 through the activation control module 600, and the access control module 400 is enabled directly through the enabling module 700. If the information storage function is set to optional, the user chooses whether the intelligent cipher key device has the information storage function; in that case the user must first activate the access control module 400 through the activation control module 600 and then enable the access control module 400 through the enabling module 700.
With the intelligent cipher key device of this embodiment, the newly added functional module of the intelligent cipher key device can be enabled directly or enabled at the user's option, and when the user chooses to enable it, the newly added functional module is first activated by means of an activation code. The user can thus control the newly added functional module of the intelligent cipher key device according to his or her own needs, which further improves the user experience.
Fig. 4 is a schematic structural diagram of the intelligent cipher key device of another specific embodiment of the invention.
As shown in Fig. 4, the intelligent cipher key device comprises a first storage module 100, a second storage module 200, a transceiver module 300, an access control module 400, a security chip 500, an activation control module 600, an enabling module 700 and a display module 800.
Unlike the embodiments described above, the intelligent cipher key device of this embodiment also comprises a display module 800, which displays the user data to be stored after the transceiver module 300 has received the operation instruction and the user data to be stored input by the user. After the transceiver module 300 receives the user's confirmation instruction for the displayed user data to be stored, the user data to be stored is written into the second storage module 200. Specifically, the intelligent cipher key device can have a display screen, and the display module 800 can show on this screen the information received by the intelligent cipher key device, such as the user data to be stored input by the user. The user can then check the information shown on the display screen and, if the user data to be stored is correct, confirm it by pressing the "confirm key" provided on the intelligent cipher key device, which sends a confirmation instruction to the transceiver module 300, whereupon the access control module 400 writes the user data input by the user into the second storage module 200.
By showing the information received by the intelligent cipher key device to the user for confirmation, the intelligent cipher key device of this embodiment can avoid the risk of the data being maliciously tampered with in transit from the client to the intelligent cipher key device, further improving the security of the intelligent cipher key device and the user experience.
The workflow of the intelligent cipher key device of the embodiment of the invention is described in detail below with reference to Fig. 5 and Fig. 6. According to one embodiment of the invention, this workflow can be divided into the case where the user operates directly on the intelligent cipher key device and the case where the user operates the intelligent cipher key device from a client through the management application installed on the client.
According to one embodiment of the invention, as shown in Fig. 5, when the user operates directly on the intelligent cipher key device, the intelligent cipher key device judges whether it has been activated when the user uses it, and if it has been activated, prompts the user to input the PIN code of the intelligent cipher key device. After the user inputs the PIN code through the keyboard provided by the intelligent cipher key device, the intelligent cipher key device authenticates the user's identity by verifying the received PIN code. If the user's identity is authenticated, the user can input the user data to be stored through the keyboard provided by the intelligent cipher key device, and the intelligent cipher key device shows the user data on its display screen. If the user confirms that the displayed user data is correct, the user presses the "confirm key" provided on the intelligent cipher key device to store the user data in the intelligent cipher key device.
According to one embodiment of the invention, as shown in Fig. 6, when the user operates the intelligent cipher key device from a client through the management application installed on the client, the user sends a request to enable the storage function of the intelligent cipher key device through the client when using the intelligent cipher key device. The intelligent cipher key device judges whether it has been activated and, if so, responds to the client with a signal that the intelligent cipher key device has been activated. After receiving this signal, the client generates a random number, stores it in its cache, and sends the random number together with a request to read the digital certificate of the intelligent cipher key device to the intelligent cipher key device. After receiving the client's request, the intelligent cipher key device sends the client a password verification request for the intelligent cipher key device. The client prompts the user to input the PIN code of the intelligent cipher key device and sends the PIN code to the intelligent cipher key device. The intelligent cipher key device verifies whether the PIN code is correct and, if verification passes, sends its digital certificate to the client. The client verifies whether the intelligent cipher key device is legitimate and, if verification passes, prompts the user to input the user data to be stored, encrypts this user data, and sends the encrypted user data ciphertext to the intelligent cipher key device. The intelligent cipher key device decrypts the user data ciphertext with its private key and shows the decrypted user data on its display screen. If the user confirms that the displayed user data is correct, the user presses the "confirm key" provided on the intelligent cipher key device to store the user data in the intelligent cipher key device.
In the manner illustrated in the above embodiments, the user can securely store user data such as login accounts and passwords in the intelligent cipher key device. To crack the user's password, someone else would first have to obtain the physical intelligent cipher key device and then also obtain its PIN code; moreover, the intelligent cipher key device itself has a protection function and locks automatically when the number of incorrect PIN code inputs exceeds the maximum, which ensures the security of the user's user data.
By way of example, in one embodiment of the invention, the transceiver module 300 also receives a dynamic password generation request sent by the client; the access control module 400 also obtains the user data stored in the second storage module 200 of the intelligent cipher key device; the display module 800 also displays the user data, where the user data comprises accounts and corresponding passwords; and the security chip 500 also obtains the user data selected by the user and generates a dynamic password according to the user data selected by the user, where the dynamic password is used for authentication when the user logs in to the client with the selected user data.
The security chip 500 specifically uses the user data selected by the user as a seed key and calculates the dynamic password from the seed key and factor information, where the factor information comprises a time factor and/or an event factor, the user data comprises numeric information and non-numeric information that can be converted into numeric information, and the non-numeric information comprises one or more of letters, operators and punctuation marks.
In this embodiment the factor information comprises a time factor and/or an event factor. The time factor is related to time: a dynamic password with a preset number of digits is produced for every preset time period. The event factor is related to a triggering event: a dynamic password is produced according to the triggering event. For example, an intelligent cipher key device such as a USB Key supports time-based or event-based OTP functions.
The above user data may comprise account information, passwords, mailbox information, website information, user-defined information and so on. This information generally comprises Chinese characters, letters, digits and symbols, of which only digits can be used as the seed key. Therefore what serves as the seed key is the numeric information in the user data together with the non-numeric information that can be converted into numeric information, where the non-numeric information can include but is not limited to one or more of English letters, operators and punctuation marks. For example, the English letters, punctuation marks and operators in the user data selected by the user can be converted into digits using the ASCII (American Standard Code for Information Interchange) code table and used as the seed key; or the password in the user data selected by the user can be used as the seed key, and if the password contains non-numeric information, it is converted into digits using the ASCII code table before being used as the seed key. Of course, the non-numeric information in the whole of the user data can also be converted into digits when the user data is stored, and the result saved in storage for use when a dynamic password is subsequently generated.
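The seed conversion and the time- and event-factor passwords described above, as an added Go example that is not the patent's own code. The mapping of non-numeric ASCII characters to their decimal ASCII codes follows the text; the HMAC-SHA256 construction with dynamic truncation, the rejection of non-ASCII characters, the 30 s period and all function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SeedFromUserData turns a selected user-data string into the numeric seed key
// of the text: digits stay as they are, every other ASCII character (letter,
// operator, punctuation) becomes its decimal ASCII code. Characters outside
// ASCII, such as Chinese text, have no ASCII code and are rejected here; the
// patent lists only ASCII classes as convertible, so the rejection is an assumption.
func SeedFromUserData(userData string) (string, error) {
	var sb strings.Builder
	for i, r := range userData {
		switch {
		case r >= '0' && r <= '9':
			sb.WriteRune(r)
		case r < 128:
			sb.WriteString(strconv.Itoa(int(r)))
		default:
			return "", fmt.Errorf("character %q at byte %d has no ASCII code", r, i)
		}
	}
	if sb.Len() == 0 {
		return "", fmt.Errorf("no seed material in user data")
	}
	return sb.String(), nil
}

// TimeFactor is the time factor: whole periods elapsed since the Unix epoch, so
// the password changes once per period (a 30 s period is the assumed default).
func TimeFactor(t time.Time, period time.Duration) uint64 {
	return uint64(t.Unix() / int64(period/time.Second))
}

// DynamicPassword derives a zero-padded numeric password (1 to 9 digits) from the
// seed key and a factor value, either a time factor or an event counter.
// HMAC-SHA256 with HOTP-style dynamic truncation is an assumed construction;
// the patent does not name the algorithm.
func DynamicPassword(seed string, factor uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], factor)
	mac := hmac.New(sha256.New, []byte(seed))
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// EventCounter models the event factor: each triggering event (for example a
// button press on the key) advances the counter and yields a fresh password.
type EventCounter struct {
	Seed  string
	Count uint64
}

// Next advances the counter and returns the password for the new count.
func (e *EventCounter) Next(digits int) string {
	e.Count++
	return DynamicPassword(e.Seed, e.Count, digits)
}

func main() {
	// Constructed sample: an online-banking password chosen from the stored user data.
	seed, err := SeedFromUserData("Pa$$w0rd!")
	if err != nil {
		panic(err)
	}
	fmt.Println("seed key:", seed)
	fmt.Println("time-based:", DynamicPassword(seed, TimeFactor(time.Now(), 30*time.Second), 6))
	ev := &EventCounter{Seed: seed}
	fmt.Println("event-based:", ev.Next(6), ev.Next(6))
}
```

The back end that authenticates the dynamic password must hold the same seed and the same factor, so the seed conversion has to be identical on both sides.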
It can be seen that after user data such as user accounts and passwords has been stored in the second storage module 200 of the intelligent cipher key device, the intelligent cipher key device of the embodiment of the invention can also use the stored user data to generate dynamic passwords.
By way of example, in one embodiment of the invention, the transceiver module 300 also receives a password output request sent by the client; the display module 800 also displays, according to the password output request, an item list corresponding to the user data pre-stored in the intelligent cipher key device, where the user data comprises account information and corresponding passwords; the intelligent cipher key device also comprises a determination module for determining the account information selected by the user in the item list and determining a first password according to the account information selected by the user, where the first password is a password for login authentication; and the transceiver module 300 also sends the first password to the client so that the client inputs the first password.
Specifically, the determination module, according to the account information selected by the user, obtains the password corresponding to that account information and either takes the obtained password as the first password or encrypts the obtained password to obtain the first password; or the determination module, according to the account information selected by the user, obtains from the stored information one or more of the account information selected by the user and the information corresponding to that account information, calculates a dynamic password over the obtained information using a dynamic password calculation algorithm, and takes the dynamic password as the first password.
For example, after the client obtains the first password, it can input the first password at the password input position; for instance, when the user is using online banking, the client can input the first password into the password input field. The client can then use the input first password for login authentication: for example, at authentication time the client sends the first password from the password input field to the bank back end, which performs login authentication and allows or refuses the user's login. Specifically, if the first password is plaintext, the back end authenticates it directly; if the first password is ciphertext, the back end decrypts it to obtain the plaintext password and then authenticates; if the first password is a dynamic password, the back end calculates a dynamic password over the information stored at the back end using the same dynamic password algorithm as the intelligent cipher key device and compares the result with the first password to authenticate.
It can be seen that after user data such as user accounts and passwords has been stored in the second storage module 200 of the intelligent cipher key device, the intelligent cipher key device of the embodiment of the invention can also read user data such as accounts and passwords securely from the intelligent cipher key device and use this user data to log in at the client.
Exemplarily, in one embodiment of the present invention, the access control module 400 is further configured to obtain data to be backed up from the second storage module 200 of the intelligent cipher key equipment, and the transceiver module 300 is further configured to send the data to be backed up to a target intelligent cipher key equipment. The target intelligent cipher key equipment receives the data to be backed up, displays it for the user to confirm, and saves it after receiving the user's confirmation instruction.
In a specific application, when the user data in one intelligent cipher key equipment A is imported into another intelligent cipher key equipment B, user authentication by the intelligent cipher key equipment and device authentication between the two intelligent cipher key equipments can be added before the backup operation is performed, in order to guarantee the security of the data to be backed up. Specifically:
First, the user authentication is implemented as follows: the first intelligent cipher key equipment performs a first authentication of the user by means of a personal identification number (PIN code); after the user passes the first authentication, the first intelligent cipher key equipment sends an enable-backup request to the second intelligent cipher key equipment; the second intelligent cipher key equipment performs a second authentication of the user by PIN code; and after the user passes the second authentication, the second intelligent cipher key equipment sends a verification-passed message to the first intelligent cipher key equipment.
Second, the device authentication between the intelligent cipher key equipments is implemented as follows: the first intelligent cipher key equipment generates a random number and sends the random number together with its own digital certificate to the second intelligent cipher key equipment; the second intelligent cipher key equipment verifies the digital certificate of the first intelligent cipher key equipment against the root certificate, signs the random number to generate a signature value, and sends its own digital certificate and the signature value to the first intelligent cipher key equipment; the first intelligent cipher key equipment verifies the digital certificate of the second intelligent cipher key equipment against the root certificate, and verifies the signature value using the digital certificate of the second intelligent cipher key equipment.
Finally, after the certificate verification and the signature verification succeed, the data to be backed up is obtained from the preset storage module of the first intelligent cipher key equipment, and the first intelligent cipher key equipment sends the data to be backed up stored in it to the second intelligent cipher key equipment.
Further, when sending the data to be backed up to the second intelligent cipher key equipment, the first intelligent cipher key equipment can also encrypt the data to be backed up, so as to further guarantee the security of the data during the backup process. The encryption of the data to be backed up is implemented as follows:
The first intelligent cipher key equipment generates a session key and encrypts the data to be backed up with the session key to generate a ciphertext; encrypts the session key with the public key in the digital certificate of the second intelligent cipher key equipment to generate a digital envelope; generates a message digest from the data to be backed up and signs the message digest with the private key of the first intelligent cipher key equipment to generate a digital signature; and packs the ciphertext, the digital envelope and the digital signature and sends them to the second intelligent cipher key equipment; or
The first intelligent cipher key equipment splits the data to be backed up into a plurality of sub-data, encrypts each of the sub-data with the public key in the digital certificate of the second intelligent cipher key equipment, and sends the encrypted sub-data to the second intelligent cipher key equipment.
It can be seen that, once user data such as user accounts and passwords has been stored in the second storage module 200 of the intelligent cipher key equipment, the intelligent cipher key equipment of the embodiment of the present invention can also securely back up the user data it holds to another intelligent cipher key equipment, so that the loss of the intelligent cipher key equipment does not cause the user's passwords to be lost.
In order to realize the above embodiments, the present invention also proposes an information management method for an intelligent cipher key equipment.
Fig. 7 is a flow chart of the information management method of an intelligent cipher key equipment according to an embodiment of the present invention.
As shown in Fig. 7, the information management method of the intelligent cipher key equipment comprises:
S101: receiving an operation instruction input by the user and user data to be stored.
In an embodiment of the present invention, the intelligent cipher key equipment may be a USB Key, an audio Key, a Bluetooth Key, etc., where the USB Key transfers data with the client through a USB interface, the audio Key transfers data with the client by means of audio codes, and the Bluetooth Key transfers data with the client through a Bluetooth connection.
Specifically, the operation instruction input by the user may be an instruction to add new user data to the intelligent cipher key equipment, or an instruction to edit, modify or delete user data already stored in the intelligent cipher key equipment. The user data to be stored may include the login account and password with which the user logs in to online banking or a third-party payment platform when transacting or paying online through a bank or a third-party payment platform. In addition, the user data to be stored may also be the user's bank card number and password, or the login account and password of a website the user uses daily, etc.
In an embodiment of the present invention, the intelligent cipher key equipment can receive the operation instruction and the user data to be stored through an operation interface and control buttons provided by the intelligent cipher key equipment. Specifically, the user can input the operation instruction and the user data to be stored into the intelligent cipher key equipment through a keyboard provided by the intelligent cipher key equipment (for example, a physical keyboard or a virtual keyboard).
It should be understood that, besides the above manner, the intelligent cipher key equipment can provide the user with other ways of inputting the operation instruction and the user data to be stored. In an embodiment of the present invention, the intelligent cipher key equipment can also receive the operation instruction and the user data to be stored from an external device through a communication interface. Specifically, the user can connect the intelligent cipher key equipment to a client on which a corresponding management application is installed, input the operation instruction and the user data to be stored in the operation interface of the management application through devices such as a mouse, keyboard or touch screen, and then send them to the intelligent cipher key equipment through the communication interface of the client. In an embodiment of the present invention, the client may be a personal computer (PC), a notebook computer, a tablet computer, etc.
S102: performing identity authentication of the user, and after the user passes the identity authentication, opening the write permission of the intelligent cipher key equipment to the user.
In an embodiment of the present invention, the intelligent cipher key equipment authenticates the user's identity according to the personal identification number (PIN code) of the intelligent cipher key equipment. Specifically, after receiving the operation instruction input by the user and the user data to be stored, the intelligent cipher key equipment may prompt the user to input the password of the intelligent cipher key equipment, that is, its PIN code. After the user inputs the PIN code, the intelligent cipher key equipment verifies the user's identity according to the PIN code input by the user. For example, the intelligent cipher key equipment can provide the user with two different ways of inputting the PIN code:
(1) The user can input the PIN code through the keyboard (physical or virtual) provided by the intelligent cipher key equipment. Specifically, the intelligent cipher key equipment prompts the user to input the PIN code, receives the PIN code input by the user through devices such as the keyboard of the intelligent cipher key equipment, and then judges whether the input PIN code is consistent with the PIN code pre-stored in the intelligent cipher key equipment; if so, the user passes the identity authentication.
(2) The user can connect the intelligent cipher key equipment to a client, input the PIN code through devices such as the keyboard or touch screen of the client, and send the PIN code to the intelligent cipher key equipment for verification through the communication interface of the client. Specifically, after the intelligent cipher key equipment is connected to the client, it sends the client a verification request to verify the user's identity; the user inputs the PIN code through the keyboard, touch screen or similar device of the client, and the client sends the input PIN code to the intelligent cipher key equipment. The intelligent cipher key equipment judges whether the received PIN code is consistent with the PIN code pre-stored in it; if so, the user passes the identity authentication.
Furthermore, while the intelligent cipher key equipment authenticates the user's identity according to the received PIN code, the client should also verify the intelligent cipher key equipment, so as to guarantee that the intelligent cipher key equipment receiving the data sent by the client is legitimate.
In an embodiment of the present invention, the intelligent cipher key equipment receives a verification request for the intelligent cipher key equipment and a random number, sent by the user through the client; it encrypts the random number with its private key and, according to the verification request, sends its digital certificate and the encrypted random number to the client. The client verifies the digital certificate of the intelligent cipher key equipment against the root certificate, decrypts the encrypted random number with the public key of the intelligent cipher key equipment, and verifies the decrypted random number. Specifically, the client generates a random number, stores it in its cache, and sends the random number to the intelligent cipher key equipment together with a request to read the digital certificate of the intelligent cipher key equipment. After receiving the random number, the intelligent cipher key equipment stores it in its cache, encrypts it with its private key, and sends the encrypted random number and its digital certificate to the client together. After receiving the digital certificate and the encrypted random number, the client verifies the digital certificate against the root certificate held by the client.
That is, the client uses the root certificate to verify the legitimacy of the digital certificate used for electronic signatures. The root certificate is the public key certificate of the certificate authority (CA); the digital certificate of the intelligent cipher key equipment contains the user's information, the user's public key, and the CA's signature over the information in the certificate. Verifying the authenticity of the digital certificate of the intelligent cipher key equipment (that is, verifying whether the CA's signature over the information in the certificate is valid) requires the public key of the CA. When verifying the digital certificate of the intelligent cipher key equipment, the client reads the user information and the user's public key in the digital certificate by means of the CA root certificate held inside the client, and thereby verifies the legitimacy of the digital certificate.
If the client passes the verification of the digital certificate of the intelligent cipher key equipment, it also decrypts the encrypted random number with the public key of the intelligent cipher key equipment and compares the result with the random number in the client's cache, thereby further verifying the intelligent cipher key equipment.
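The device-to-device authentication described earlier (random number out, certificate and signature value back, both checked against the root certificate) and the client-side check of the device described just above follow the same pattern. The following is an added example in Go, not code from the patent or from Tendyron, built on Go's standard library with a toy root CA. The patent names no algorithms, so X.509 certificates with ECDSA P-256 over SHA-256 are assumptions, and the step the text describes as encrypting the random number with the private key and decrypting it with the public key is realized here as a signature over the random number, which is how that operation is expressed in current libraries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed serial-number counter for the toy CA

// Party holds a private key and a certificate issued under the root: a key device, or the client.
type Party struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newParty generates a P-256 key pair and certifies it; parent == nil yields the self-signed root CA.
func newParty(name string, parent *Party, isCA bool) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	parentCert, issuer := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		parentCert, issuer = parent.Cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, issuer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Party{key: key, Cert: cert}, err
}

// verifyChain is the "verify the digital certificate according to the root certificate" step.
func verifyChain(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// Respond runs on the prover (second device): check the verifier's certificate, sign the random number.
func (p *Party) Respond(nonce []byte, peerCert, root *x509.Certificate) (*x509.Certificate, []byte, error) {
	if err := verifyChain(peerCert, root); err != nil {
		return nil, nil, fmt.Errorf("peer certificate rejected: %w", err)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest(nonce))
	return p.Cert, sig, err
}

// Check runs on the verifier: certificate against the root, then signature with the certified key.
func Check(nonce []byte, proverCert *x509.Certificate, sig []byte, root *x509.Certificate) error {
	if err := verifyChain(proverCert, root); err != nil {
		return fmt.Errorf("peer certificate rejected: %w", err)
	}
	pub, ok := proverCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T in certificate", proverCert.PublicKey)
	}
	if !ecdsa.VerifyASN1(pub, digest(nonce), sig) {
		return fmt.Errorf("signature value over the random number does not verify")
	}
	return nil
}

// authenticate is the whole exchange seen from the verifier (first device, or the client); nil = accepted.
func authenticate(verifier, prover *Party, root *x509.Certificate) error {
	nonce := make([]byte, 32) // the fresh random number
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	proverCert, sig, err := prover.Respond(nonce, verifier.Cert, root)
	if err != nil {
		return err
	}
	return Check(nonce, proverCert, sig, root)
}
```

With `root, _ := newParty("root-ca", nil, true)` and two devices created as `newParty("key-device-A", root, false)` and `newParty("key-device-B", root, false)`, `authenticate(a, b, root.Cert)` returns nil; a device whose certificate was issued under a different root, or a signature computed over a different random number, is rejected. The random number is drawn fresh per exchange, which is what stops a recorded signature value from being replayed.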
In an embodiment of the present invention, the intelligent cipher key equipment is further configured to lock itself when the number of erroneous user inputs is greater than a preset number. Specifically, if the user inputs a wrong PIN code, the intelligent cipher key equipment counts the number of erroneous inputs. When the number of erroneous inputs exceeds the preset number, i.e. when it surpasses the predetermined threshold, for example 5 times, the intelligent cipher key equipment locks itself, which further guarantees its security.
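As an added example (not the patent's or Tendyron's code), the device-side PIN check with the failure counter and lock threshold described above, in Go. The patent states only that wrong entries are counted and that the device locks when the count is greater than the preset number; the salted SHA-256 storage of the PIN, reading "greater than 5" literally (the fifth error does not lock, the sixth does), and raising the counter before the comparison are design choices made here.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// presetLimit is the threshold from the description: the device locks once the
// number of wrong PIN entries is greater than this value.
const presetLimit = 5

var (
	ErrLocked   = errors.New("intelligent cipher key device is locked")
	ErrWrongPIN = errors.New("wrong PIN code")
)

// PINGuard models the device side of PIN verification: the pre-stored PIN is kept
// as a salted hash, wrong entries are counted, and write permission on the second
// storage module is granted only after a successful check.
type PINGuard struct {
	salt     [16]byte
	pinHash  [32]byte
	failures int
	locked   bool
	writable bool
}

// NewPINGuard stores the PIN set by the user; the salt is supplied by the caller.
func NewPINGuard(pin string, salt [16]byte) *PINGuard {
	g := &PINGuard{salt: salt}
	g.pinHash = g.hash(pin)
	return g
}

func (g *PINGuard) hash(pin string) [32]byte {
	h := sha256.New()
	h.Write(g.salt[:])
	h.Write([]byte(pin))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Verify checks one PIN entry. The failure counter is raised before the comparison
// (in firmware that write goes to non-volatile memory first, so an attempt cut short
// still counts) and is cleared only when the PIN matches.
func (g *PINGuard) Verify(entered string) error {
	if g.locked {
		return ErrLocked
	}
	g.failures++
	got := g.hash(entered)
	if subtle.ConstantTimeCompare(got[:], g.pinHash[:]) == 1 {
		g.failures = 0
		g.writable = true
		return nil
	}
	if g.failures > presetLimit {
		g.locked = true
		g.writable = false
		return ErrLocked
	}
	return ErrWrongPIN
}

// Writable reports whether the user currently holds write permission.
func (g *PINGuard) Writable() bool { return g.writable && !g.locked }

// Locked reports whether the device has locked itself.
func (g *PINGuard) Locked() bool { return g.locked }

func main() {
	var salt [16]byte
	copy(salt[:], "constructed-salt") // constructed value
	g := NewPINGuard("246810", salt)  // constructed PIN
	for i := 1; i <= presetLimit+1; i++ {
		fmt.Println("wrong entry", i, "->", g.Verify("000000"))
	}
	fmt.Println("correct PIN after lock ->", g.Verify("246810"), "writable:", g.Writable())
}
```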
S103: writing the user data to be stored into the intelligent cipher key equipment.
Specifically, after obtaining the write permission of the intelligent cipher key equipment, the user can input new user data into the intelligent cipher key equipment or modify user data already stored in it. For example, when inputting new user data, the user can select a preset item in the intelligent cipher key equipment, or manually input a custom item. In other words, the user data stored by the intelligent cipher key equipment falls into two classes. One class is preset items that the user can select directly, for example bank card number, online banking login name, password, website address, name, etc.; a plurality of subordinate items can also be preset under each item, for example Bank of China, Industrial and Commercial Bank of China, Agricultural Bank of China, etc. under bank card number. The other class is blank entries for user-defined input: when the user needs to store user data, a new entry can be created, and the entry can comprise a plurality of items, for example the kind of bank card, account, password, etc.
It should be understood that, when inputting new user data into the intelligent cipher key equipment or modifying user data already stored in it, the user can perform the input or modification through the keyboard (physical or virtual) provided by the intelligent cipher key equipment; or the user can perform the input or modification through a client connected to the intelligent cipher key equipment, using the management application installed on the client and devices such as a keyboard or touch screen, after which the client sends the user's data to be stored to the intelligent cipher key equipment through its communication interface.
In an embodiment of the present invention, when the client and the intelligent cipher key equipment transfer data, the data can be transmitted as ciphertext, encrypted and decrypted with keys held in the memory of the intelligent cipher key equipment. Specifically, the client can encrypt the user data to be stored input by the user with the public key of the intelligent cipher key equipment to obtain a user data ciphertext and send this ciphertext to the intelligent cipher key equipment; the intelligent cipher key equipment decrypts the user data ciphertext with its private key to obtain the user data input by the user.
In addition, the client and the intelligent cipher key equipment can also transfer data using a negotiated session key. Specifically, the client generates a random number and uses it as the session key, encrypts the session key with the public key of the intelligent cipher key equipment to obtain a session key ciphertext, encrypts the user data to be stored input by the user with the session key to obtain a user data ciphertext, and sends the session key ciphertext and the user data ciphertext to the intelligent cipher key equipment together. The intelligent cipher key equipment decrypts the session key ciphertext with its private key to obtain the session key, and decrypts the user data ciphertext with the session key to obtain the user data input by the user.
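The session-key scheme just described and the digital-envelope backup between two devices described earlier (session key, data encrypted under it, session key encrypted with the receiver's public key, message digest signed with the sender's private key) share one structure. The following is an added Go example, not code from the patent or from Tendyron, using standard-library primitives only; AES-256-GCM for the session key, RSA-OAEP for the envelope, RSA-PSS for the signature and 2048-bit keys are assumptions, since the text names no algorithms. The signature is the step the device-to-device variant adds; in the client-to-device variant the client does not sign.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the packed message the sending device transmits.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM: nonce || ciphertext || tag, under the session key
	WrappedKey []byte // the session key encrypted to the receiver's public key (RSA-OAEP)
	Signature  []byte // RSA-PSS over SHA-256(data) with the sender's private key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender: fresh session key, data encrypted under it, key wrapped for the receiver, digest signed.
func Seal(data []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: gcm.Seal(nonce, nonce, data, nil)}
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, sessionKey, nil); err != nil {
		return nil, err
	}
	digest := sha256.Sum256(data)
	env.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	return env, err
}

// Open is the receiver: unwrap the session key, decrypt, verify the sender's signature over the digest.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(env.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := env.Ciphertext[:gcm.NonceSize()], env.Ciphertext[gcm.NonceSize():]
	data, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt backup data: %w", err)
	}
	digest := sha256.Sum256(data)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature does not verify: %w", err)
	}
	return data, nil
}

// roundTrip runs the protocol between a first (sending) and second (target) device with
// fresh 2048-bit keys; it reports whether the data came back intact and whether a wrong
// receiver key and a tampered ciphertext were rejected.
func roundTrip(data []byte) (restored, wrongKeyRejected, tamperRejected bool, err error) {
	first, _ := rsa.GenerateKey(rand.Reader, 2048) // key generation from crypto/rand does not fail in practice
	second, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := Seal(data, first, &second.PublicKey)
	if err != nil {
		return
	}
	out, err := Open(env, second, &first.PublicKey)
	if err != nil {
		return
	}
	restored = string(out) == string(data)
	_, e := Open(env, first, &first.PublicKey) // the first device's own key cannot unwrap the envelope
	wrongKeyRejected = e != nil
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // one flipped bit in the ciphertext
	_, e = Open(env, second, &first.PublicKey)
	tamperRejected = e != nil
	return
}
```

Calling `roundTrip([]byte("constructed backup record"))` returns `true, true, true, nil`. The order inside `Open` matters: the GCM tag rejects a modified ciphertext before any plaintext is handed on, and the signature check afterwards ties the recovered plaintext to the sender's private key, which is what the digital envelope alone does not give.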
The information management method of the intelligent cipher key equipment of the embodiment of the present invention makes use of the fact that the intelligent cipher key equipment can itself store data and offers high security: a new functional module is added to the intelligent cipher key equipment, the user's identity is authenticated when the user needs to use this module, and after the user passes the identity authentication the new module provides the user with storage and management of personal information. As a result, the user does not need to manually input a login account and password when using the intelligent cipher key equipment to log in to online banking or a third-party payment platform; the security of the user's login account and password is protected while great convenience is brought to the user. Especially for a user with a plurality of accounts, keeping accounts and passwords in the intelligent cipher key equipment greatly reduces the burden of memorizing them and improves the user experience.
Fig. 8 is a flow chart of the information management method of an intelligent cipher key equipment according to a specific embodiment of the present invention.
As shown in Fig. 8, the information management method of the intelligent cipher key equipment comprises:
S201: receiving an activation code input by the user, performing activation verification on the activation code, and activating the information storage function of the intelligent cipher key equipment after the activation verification passes.
In an embodiment of the present invention, the activation code input by the user on the intelligent cipher key equipment is received, activation verification is performed on it, and the information storage function of the intelligent cipher key equipment is activated after the verification passes; or an activation request sent by the user through a client and an activation code input by the user through the client are received, activation verification is performed on the activation code, and the information storage function of the intelligent cipher key equipment is activated after the verification passes. Specifically, the user can set whether the information storage function of the intelligent cipher key equipment is activated. In other words, the user can set whether the intelligent cipher key equipment has the function of storing information, and only after the user activates the information storage function does the intelligent cipher key equipment possess the function of storing information. Furthermore, the user can activate the storage function of the intelligent cipher key equipment in the following two ways:
(1) In an embodiment of the present invention, the intelligent cipher key equipment receives the activation code input by the user on the intelligent cipher key equipment, performs activation verification on it, and activates its information storage function after the verification passes, where the information storage function is used to write the user data to be stored into the intelligent cipher key equipment. Specifically, the user can input the activation code directly into the intelligent cipher key equipment through the keyboard (physical or virtual) it provides;
(2) In an embodiment of the present invention, the intelligent cipher key equipment receives an activation request sent by the user through a client and an activation code input by the user through the client, performs activation verification on the activation code, and activates its information storage function after the verification passes. Specifically, as shown in Fig. 3, the user can connect the intelligent cipher key equipment to an interface of the client; the management application installed on the client provides a function option for activating the information storage function of the intelligent cipher key equipment, and the user can send an activation request to the intelligent cipher key equipment through the management application using a mouse, keyboard or similar device. After receiving the activation request, the intelligent cipher key equipment sends the management application of the client an instruction to input the activation code; the user then inputs the activation code through the keyboard, touch screen or similar device of the client, and the client sends the activation code to the intelligent cipher key equipment through its communication interface. The intelligent cipher key equipment verifies the received activation code and, after the verification passes, activates its information storage function.
S202: receiving an enable instruction input by the user, and enabling the information storage function of the intelligent cipher key equipment according to the enable instruction.
Specifically, after the user has activated the information storage function of the intelligent cipher key equipment, the user also needs to enable the information storage function if the user data to be stored input by the user is to be saved in the intelligent cipher key equipment. In other words, once the intelligent cipher key equipment possesses the function of storing information, the user still has to enable this information storage function before using it. That is, the enable operation builds on the intelligent cipher key equipment already possessing the storage function and is used to switch that function on.
Furthermore, when the intelligent cipher key equipment is configured at the factory, its information storage function can be set to one of two states: directly available or optional. If the information storage function is set to directly available, the intelligent cipher key equipment is thereby set to possess the storage function, so no activation of the information storage function is needed and it can be enabled directly. If the information storage function is set to optional, it is up to the user to set whether the intelligent cipher key equipment possesses the storage function, so the user must first activate the information storage function and then enable it.
S203: receiving an operation instruction input by the user and user data to be stored.
S204: performing identity authentication of the user, and after the user passes the identity authentication, opening the write permission of the intelligent cipher key equipment to the user.
S205: writing the user data to be stored into the intelligent cipher key equipment.
In the information management method of the intelligent cipher key equipment of the embodiment of the present invention, the newly added functional module of the intelligent cipher key equipment is either enabled directly or enabled at the user's choice; when the user chooses to enable the newly added functional module, it is first activated by means of an activation code. The user can thus control the newly added functional module of the intelligent cipher key equipment according to his or her own needs, which further improves the user experience.
Fig. 9 is a flow chart of the information management method of an intelligent cipher key equipment according to another specific embodiment of the present invention.
As shown in Fig. 9, the information management method of the intelligent cipher key equipment comprises:
S301: receiving an activation code input by the user, performing activation verification on the activation code, and activating the information storage function of the intelligent cipher key equipment after the activation verification passes.
S302: receiving an enable instruction input by the user, and enabling the information storage function of the intelligent cipher key equipment according to the enable instruction.
S303: receiving an operation instruction input by the user and user data to be stored.
S304: performing identity authentication of the user, and after the user passes the identity authentication, opening the write permission of the intelligent cipher key equipment to the user.
S305: displaying the user data to be stored.
In an embodiment of the present invention, writing the user data to be stored into the intelligent cipher key equipment specifically comprises: after receiving the user's confirmation instruction for the displayed user data to be stored, writing the user data to be stored into the intelligent cipher key equipment. Specifically, the intelligent cipher key equipment can have a display screen on which it shows information such as the received user data to be stored. The user can then confirm the information shown on the display screen: if the user data to be stored is correct, the user presses the "confirm key" provided on the intelligent cipher key equipment to send a confirmation instruction to the intelligent cipher key equipment, whereupon the user data input by the user is written into the intelligent cipher key equipment.
S306: writing the user data to be stored into the intelligent cipher key equipment.
In the information management method of the intelligent cipher key equipment of the embodiment of the present invention, the information received by the intelligent cipher key equipment is displayed to the user for confirmation, which avoids the risk of the data being maliciously tampered with on its way from the client to the intelligent cipher key equipment, further improves the security of the intelligent cipher key equipment, and improves the user experience.
In one embodiment of the present invention, after the user data to be stored is written into the intelligent cipher key equipment, the method further comprises: the intelligent cipher key equipment receives a dynamic password generation request sent by the client; the intelligent cipher key equipment obtains the user data stored in its second storage module; the intelligent cipher key equipment displays the user data on its display screen, where the user data comprises accounts and corresponding passwords; the intelligent cipher key equipment obtains the user data chosen by the user and generates a dynamic password according to the chosen user data, where the dynamic password is used for the user's authentication when logging in at the client with the chosen user data.
The intelligent cipher key equipment obtaining the user data chosen by the user and generating a dynamic password according to it comprises: using the user data chosen by the user as a seed key, and calculating the dynamic password according to the seed key and factor information, where the factor information comprises a time factor and/or an event factor, the user data comprises numeric information and non-numeric information that can be converted into numeric information, and the non-numeric information comprises one or more of letters, operators and punctuation marks.
In this embodiment, the factor information comprises a time factor and/or an event factor. The time factor is related to time: a dynamic password of a preset number of digits is produced every preset time period. The event factor is related to a triggering event: a dynamic password is produced according to the triggering event. For example, an intelligent cipher key equipment such as a USB Key may support time-based or event-based OTP functions.
The above user data may comprise account information, passwords, mailbox information, website information, user-defined information, etc. Such information generally comprises Chinese characters, letters, numerals and symbols, of which only numerals can serve as the seed key. Therefore, the seed key is formed from the numeric information in the user data and the non-numeric information that can be converted into numeric information, where the non-numeric information may include but is not limited to one or more of English letters, operators and punctuation marks. For example, the English letters, punctuation marks and operators in the user data chosen by the user can be converted into numerals through the ASCII (American Standard Code for Information Interchange) code table and used as the seed key; or the password in the user data chosen by the user is used as the seed key, and if the password contains non-numeric information, that information is converted into numerals through the ASCII code table before use as the seed key. Of course, the non-numeric parts of the whole user data can also be converted into numerals at the time the user data is stored, and saved in storage for use in the subsequent generation of dynamic passwords.
It can be seen that, once user data such as user accounts and passwords has been stored in the second storage module of the intelligent cipher key equipment, the intelligent cipher key equipment of the embodiment of the present invention can also use this stored user data to generate dynamic passwords.
In one embodiment of the present invention, after the user data to be stored is written into the intelligent cipher key equipment, the method further comprises: the intelligent cipher key equipment receives a password output request sent by the client; according to the password output request, the intelligent cipher key equipment displays an item list corresponding to the user data pre-stored in the intelligent cipher key equipment, where the user data comprises account information and corresponding passwords; the intelligent cipher key equipment determines the account information selected by the user in the item list and determines a first password according to the selected account information, where the first password is the password used for login authentication; and the intelligent cipher key equipment sends the first password to the client so that the client inputs the first password.
Determining the account information selected by the user in the item list and determining the first password according to the selected account information comprises: obtaining, according to the account information selected by the user, the password corresponding to the selected account information from the stored information, and either taking the obtained password as the first password or encrypting the obtained password to obtain the first password; or obtaining, according to the account information selected by the user, one or more of the selected account information and the information corresponding to it from the stored information, calculating a dynamic password from the obtained information with a dynamic password algorithm, and taking the dynamic password as the first password.
For example, once the client has obtained the first password, it can enter it at the password input position; for instance, when the user uses online banking, the client fills the first password into the password input field. The client then uses the entered first password for login authentication: for example, the client sends the first password from the password input position to the bank back end, which performs the login authentication and allows or refuses the user's login. Specifically, if the first password is plaintext, the back end authenticates it directly; if the first password is ciphertext, the back end decrypts it to obtain the plaintext password and then authenticates; if the first password is a dynamic password, the back end applies the same dynamic password algorithm as the intelligent cipher key equipment to the information stored on the back end and compares the result with the first password in order to authenticate.
Visible, the intelligent cipher key equipment of the embodiment of the present invention, after in the second storage device at intelligent cipher key equipment by storage of subscriber data such as user account, passwords, that can also realize from intelligent cipher key equipment safety reads the user data such as account, password, and uses this user data to carry out the login of client.
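The dynamic-password path described above (and detailed in claim 7: the selected user data as seed key, a time and/or event factor) as an added example that is not part of the patent, written in Go with the standard library only. The patent does not fix the algorithm; this example uses the HOTP construction of RFC 4226 with the RFC 6238 time step as the time factor, derives the seed from the UTF-8 bytes of "account:password", uses six digits and gives the back end a one-step verification window, all of which are this example's assumptions. It also makes explicit what the text implies: the back end recomputes over "the information stored on the back end", so it must hold the same seed, which means the stored password has to be available to it in recoverable form rather than as a salted hash.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// AccountEntry is one item of the kind the second storage module holds:
// account information plus its password. The values used below are constructed.
type AccountEntry struct {
	Account  string
	Password string
}

// seedKey derives the HMAC key from the selected user data. The patent only says the
// selected user data (digits, letters, operators, punctuation) serves as the seed key;
// using the UTF-8 bytes of "account:password" is this example's assumption.
func seedKey(e AccountEntry) []byte { return []byte(e.Account + ":" + e.Password) }

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian factor, dynamic truncation,
// reduced to the requested number of decimal digits.
func hotp(key []byte, factor uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], factor)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TimeFactor is the RFC 6238 time step (the "time factor"); an event factor would be the
// device's own monotonically increasing counter passed in its place.
func TimeFactor(t time.Time, step time.Duration) uint64 { return uint64(t.Unix() / int64(step/time.Second)) }

// DynamicPassword is what the device returns as the first password when the user
// selects an account and the dynamic-password path is used.
func DynamicPassword(e AccountEntry, factor uint64) string { return hotp(seedKey(e), factor, 6) }

// BackEndVerify is the server side described in the text: recompute with the same
// algorithm over the information the back end stores and compare. A one-step window
// either side tolerates clock drift; the comparison is constant-time.
func BackEndVerify(e AccountEntry, candidate string, factor uint64) bool {
	for _, f := range []uint64{factor - 1, factor, factor + 1} {
		if hmac.Equal([]byte(hotp(seedKey(e), f, 6)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	entry := AccountEntry{Account: "user@example.com", Password: "p@ss+w0rd!"} // constructed
	now := TimeFactor(time.Now(), 30*time.Second)
	otp := DynamicPassword(entry, now)
	fmt.Println("dynamic password:", otp)
	fmt.Println("accepted now:", BackEndVerify(entry, otp, now), "accepted five steps later:", BackEndVerify(entry, otp, now+5))
}
```

The hotp function reproduces the RFC 4226 test vectors for the key "12345678901234567890" (755224 at counter 0, 287082 at counter 1), so the device and back-end sides can be checked independently of each other.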
In one embodiment of the present invention, the method further comprises: the intelligent secret key device obtains data to be backed up from its storage module; the intelligent secret key device sends the data to be backed up to a target intelligent secret key device; the target intelligent secret key device receives the data to be backed up, displays it for the user to confirm, and, after receiving the user's confirmation instruction, saves the data to be backed up.
In a concrete application, when the user data in one intelligent secret key device A is imported into another intelligent secret key device B (the first and second intelligent secret key devices below), user authentication by the devices and device authentication between the devices can be added before the backup operation is executed, in order to ensure the security of the data to be backed up. Specifically:
First, user authentication is implemented as follows: the first intelligent secret key device performs a first authentication of the user with the personal identification number (PIN); after the user passes the first authentication, the first device sends an enable-backup request to the second intelligent secret key device; the second device performs a second authentication of the user with the PIN; and after the user passes the second authentication, the second device sends a verification-passed message to the first device.
Second, device authentication between the intelligent secret key devices is implemented as follows: the first device generates a random number and sends the random number and its digital certificate to the second device; the second device verifies the first device's digital certificate against the root certificate, signs the random number to produce a signature value, and sends its own digital certificate and the signature value to the first device; the first device verifies the second device's digital certificate against the root certificate and verifies the signature value using the second device's digital certificate.
Finally, after certificate verification and signature verification succeed, the data to be backed up is obtained from the preset storage module of the first device, and the first device sends the data to be backed up stored in it to the second device.
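The three-step pre-backup procedure above, as an added example that is not part of the patent (Go, standard library only). The vendor root, the device certificates, the PIN handling and the use of RSA-PSS over SHA-256 for the signature on the random number are this example's assumptions; the patent fixes none of them. Two points the text leaves implicit are made explicit in the code: the random number must be fresh for every run, or a recorded signature value can be replayed, and as described only the second device proves possession of its private key, while the first device is checked by its certificate alone, so the exchange authenticates the second device to the first and not the reverse.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models one intelligent secret key device: the user's PIN (kept in the clear here; a
// real token keeps it inside the security chip behind a retry counter), its private key and
// its digital certificate issued under the vendor root.
type Device struct{ pin string; priv *rsa.PrivateKey; cert *x509.Certificate }

// VerifyPIN is the user authentication each device performs (constant-time compare).
func (d *Device) VerifyPIN(pin string) bool { return subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) == 1 }

// Respond is the second device's step: verify the first device's certificate against the root,
// then sign the random number. RSA-PSS over SHA-256 is the sound form of "signing the random number".
func (d *Device) Respond(nonce []byte, peer *x509.Certificate, roots *x509.CertPool) ([]byte, error) {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, h[:], nil)
}

// Check is the first device's final step: verify the second device's certificate against the
// root, then verify the signature over the random number with the public key in that certificate.
func Check(nonce, sig []byte, peer *x509.Certificate, roots *x509.CertPool) error {
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	pub, ok := peer.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("peer certificate does not carry an RSA key")
	}
	h := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// RunBackupAuth is the whole procedure from the text: PIN check on the first device, enable-backup
// request and PIN check on the second, then the certificate and random-number exchange. Only the
// second device proves possession of its key; the first is checked by certificate alone.
func RunBackupAuth(first, second *Device, pin string, roots *x509.CertPool) error {
	if !first.VerifyPIN(pin) || !second.VerifyPIN(pin) {
		return fmt.Errorf("PIN verification failed")
	}
	nonce := make([]byte, 32) // fresh per run, so a recorded signature value cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := second.Respond(nonce, first.cert, roots)
	if err != nil {
		return err
	}
	return Check(nonce, sig, second.cert, roots)
}

// newCert generates a key pair and a certificate for it signed by parent; with parent == nil it
// is the self-signed vendor root. Fixture code for the example: it panics on error.
func newCert(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// NewRoot and NewDevice build the constructed fixture: a vendor root and devices issued under it.
func NewRoot() (*x509.Certificate, *rsa.PrivateKey, *x509.CertPool) {
	cert, key := newCert("Vendor Root", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, key, pool
}

func NewDevice(cn, pin string, root *x509.Certificate, rootKey *rsa.PrivateKey) *Device {
	cert, key := newCert(cn, root, rootKey)
	return &Device{pin: pin, priv: key, cert: cert}
}

func main() {
	root, rootKey, pool := NewRoot()
	a, b := NewDevice("device A", "123456", root, rootKey), NewDevice("device B", "123456", root, rootKey)
	fmt.Println("correct PIN:", RunBackupAuth(a, b, "123456", pool), "| wrong PIN:", RunBackupAuth(a, b, "000000", pool))
}
```

A device certified under a different root fails in either role: as responder its certificate is rejected in Check, as challenger its certificate is rejected in Respond before anything is signed.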
Further, when the first intelligent secret key device sends the data to be backed up to the second intelligent secret key device, it can also encrypt the data to be backed up, to further ensure the security of the data during the backup process. The data to be backed up is encrypted as follows:
The first device generates a session key and encrypts the data to be backed up with the session key to produce a ciphertext; encrypts the session key with the public key in the second device's digital certificate to produce a digital envelope; generates a message digest of the data to be backed up and signs the digest with the first device's private key to produce a digital signature; and the first device packs the ciphertext, the digital envelope and the digital signature and sends them to the second device; or
The first device splits the data to be backed up into a plurality of sub-data items, encrypts each sub-data item separately with the public key in the second device's digital certificate, and sends the encrypted sub-data items to the second device.
It can be seen that, after user data such as user accounts and passwords has been stored in the second storage module of the intelligent secret key device, the device of this embodiment can also back up the user data it holds into another intelligent secret key device, which prevents the user's passwords from being lost when an intelligent secret key device is lost.
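The digital-envelope variant above, as an added example that is not part of the patent (Go, standard library only; the devices' certificates are assumed to have been verified already, so the example works with the key pairs directly). AES-256-GCM for the session-key encryption, RSA-OAEP for the envelope and RSA-PSS for the signature are this example's choices. One deliberate deviation, stated plainly: the text signs a digest of the data to be backed up, which lets anyone holding the envelope and the sender's public key test guesses of the plaintext against the signature offline, and for a backup of account passwords that is an oracle worth avoiding; the example therefore signs the nonce, ciphertext and wrapped key instead, which still authenticates the sender and binds the parts of the envelope together without exposing a hash of the plaintext. For the split variant, note that RSA-OAEP with SHA-256 under a 2048-bit key accepts at most 190 bytes per operation, and that encrypting pieces separately gives neither sender authentication nor any binding of their order or number.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the packed message the first device sends: the AES-256-GCM ciphertext of the
// backup, the session key wrapped for the second device (the "digital envelope") and the
// first device's signature.
type Envelope struct{ Nonce, Ciphertext, WrappedKey, Signature []byte }

// newKey is fixture code for the example: a fresh 2048-bit device key pair.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// transcript is what the signature covers: nonce, ciphertext and wrapped key, so no part can
// be swapped for another envelope's, and the signature reveals nothing about the plaintext.
func transcript(e *Envelope) []byte {
	h := sha256.New()
	for _, p := range [][]byte{e.Nonce, e.Ciphertext, e.WrappedKey} {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Seal performs the first device's steps: generate a session key, encrypt the backup under it,
// wrap the key with RSA-OAEP under the second device's public key, sign with RSA-PSS.
func Seal(backup []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 session key || 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: buf[32:], Ciphertext: gcm.Seal(nil, buf[32:], backup, nil)}
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, buf[:32], nil); err != nil {
		return nil, err
	}
	e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, transcript(e), nil)
	return e, err
}

// Open performs the second device's steps in the safe order: signature first, so nothing from
// an unknown sender reaches the private-key operation, then unwrap, then authenticated decrypt.
func Open(e *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, transcript(e), e.Signature, nil); err != nil {
		return nil, fmt.Errorf("envelope not signed by the expected device: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // the GCM tag check rejects any modification
}

func main() {
	first, second := newKey(), newKey()
	backup := []byte(`[{"account":"user@example.com","password":"p@ss+w0rd!"}]`) // constructed sample
	env, err := Seal(backup, first, &second.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, second, &first.PublicKey)
	fmt.Printf("restored %s (err=%v)\n", got, err)
	env.Ciphertext[0] ^= 1 // modification in transit
	_, err = Open(env, second, &first.PublicKey)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Open rejects an envelope signed by any key other than the expected sender's, an envelope wrapped for a different recipient, and any modification of the packed parts.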
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), and so on.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic references to these terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in one or more embodiments or examples. In addition, where no conflict arises, those skilled in the art may combine the features of the different embodiments or examples described in this specification.
Although embodiments of the present invention have been illustrated and described above, it will be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (20)

1. An intelligent secret key device, characterized in that it comprises:
a first storage module, for storing a private key and a digital certificate of the intelligent secret key device;
a second storage module, for storing user data;
a transceiver module, for receiving an operation instruction input by a user and user data to be stored;
an access control module, for authenticating the user according to a personal identification number (PIN) of the intelligent secret key device and, after the user passes authentication, opening write permission on the second storage module to the user;
a display module, for displaying the user data to be stored after the transceiver module has received the operation instruction and the user data to be stored input by the user; and
the access control module being further configured to write the user data to be stored into the second storage module after the transceiver module receives the user's confirmation instruction for the displayed user data to be stored; and
a security chip, for generating and verifying digital signatures and for encryption and decryption.
2. The intelligent secret key device according to claim 1, characterized in that it further comprises:
an activation control module, for receiving an activation code input by the user on the intelligent secret key device, performing activation verification on the activation code and activating the access control module after the activation verification passes; or for receiving an activation request sent by the user through a client together with an activation code input by the user through the client, performing activation verification on the activation code and activating the access control module after the activation verification passes; and
an enabling module, for receiving an enable instruction input by the user and enabling the access control module according to the enable instruction.
3. The intelligent secret key device according to claim 1, characterized in that the transceiver module receives the operation instruction and the user data to be stored through an operation interface and control keys provided by the intelligent secret key device; or
the transceiver module receives, through a communication interface, the operation instruction and the user data to be stored sent by an external device.
4. The intelligent secret key device according to claim 1, characterized in that the transceiver module receives a verification request for the intelligent secret key device and a random number sent by the user through a client; the security chip encrypts the random number with the private key of the intelligent secret key device; and the transceiver module, according to the verification request, sends the digital certificate of the intelligent secret key device and the encrypted random number to the client; wherein the client verifies the digital certificate of the intelligent secret key device against a root certificate, decrypts the encrypted random number with the public key of the intelligent secret key device, and verifies the decrypted random number.
5. The intelligent secret key device according to claim 1, characterized in that the transceiver module receives a user data ciphertext sent by a client, and the security chip decrypts the user data ciphertext with the private key of the intelligent secret key device to obtain the user data to be stored, wherein the client encrypts the user data to be stored with the public key of the intelligent secret key device to generate the user data ciphertext; or
the transceiver module receives a session key ciphertext and a user data ciphertext sent by a client; the security chip decrypts the session key ciphertext with the private key of the intelligent secret key device to obtain a session key, and decrypts the user data ciphertext with the session key to obtain the user data to be stored; wherein the client randomly generates the session key, encrypts the session key with the public key of the intelligent secret key device to generate the session key ciphertext, and encrypts the user data to be stored with the session key to generate the user data ciphertext.
6. The intelligent secret key device according to any one of claims 1 to 5, characterized in that:
the transceiver module is further configured to receive a dynamic password generation request sent by a client;
the access control module is further configured to obtain the user data stored in the second storage module of the intelligent secret key device;
the display module is further configured to display the user data, wherein the user data comprises accounts and corresponding passwords; and
the security chip is further configured to obtain the user data selected by the user and to generate a dynamic password according to the selected user data, wherein the dynamic password is used for authentication when the user logs in at the client with the selected user data.
7. The intelligent secret key device according to claim 6, characterized in that the security chip is specifically configured to use the user data selected by the user as a seed key and to compute the dynamic password from the seed key and factor information, wherein the factor information comprises a time factor and/or an event factor, the user data comprises numeric information and non-numeric information convertible into numeric information, and the non-numeric information comprises one or more of letters, operators and punctuation marks.
8. The intelligent secret key device according to any one of claims 1 to 5, characterized in that:
the transceiver module is further configured to receive a password output request sent by a client;
the display module is further configured to display, according to the password output request, an item list corresponding to user data pre-stored in the intelligent secret key device, wherein the user data comprises account information and corresponding passwords;
the intelligent secret key device further comprises a determination module, for determining the account information the user selects in the item list and determining a first password according to the selected account information, wherein the first password is the password used for login authentication; and
the transceiver module is further configured to send the first password to the client so that the client inputs the first password.
9. The intelligent secret key device according to claim 8, characterized in that the determination module is specifically configured to obtain, from the stored information, the password corresponding to the account information selected by the user, and to take the obtained password as the first password or to encrypt the obtained password to obtain the first password;
or,
the determination module is specifically configured to obtain, from the stored information, one or more of the account information selected by the user and the information corresponding to that account information, to compute a dynamic password from the obtained information with a dynamic password algorithm, and to take the dynamic password as the first password.
10. The intelligent secret key device according to any one of claims 1 to 5, characterized in that:
the access control module is further configured to obtain data to be backed up from the second storage module of the intelligent secret key device; and
the transceiver module is further configured to send the data to be backed up to a target intelligent secret key device; wherein the target intelligent secret key device receives the data to be backed up, displays it for the user to confirm, and saves the data to be backed up after receiving the user's confirmation instruction.
11. An information management method for an intelligent secret key device, characterized in that it comprises:
receiving an operation instruction input by a user and user data to be stored;
authenticating the user according to a personal identification number (PIN) of the intelligent secret key device and, after the user passes authentication, opening write permission on the intelligent secret key device to the user;
displaying the user data to be stored; and
after receiving the user's confirmation instruction for the displayed user data to be stored, writing the user data to be stored into the intelligent secret key device.
12. The information management method for an intelligent secret key device according to claim 11, characterized in that, before receiving the operation instruction input by the user and the user data to be stored, it further comprises:
receiving an activation code input by the user on the intelligent secret key device, performing activation verification on the activation code, and activating the information storage function of the intelligent secret key device after the activation verification passes; or receiving an activation request sent by the user through a client together with an activation code input by the user through the client, performing activation verification on the activation code, and activating the information storage function of the intelligent secret key device after the activation verification passes; wherein the information storage function is used to write the user data to be stored into the intelligent secret key device; and
receiving an enable instruction input by the user, and enabling the information storage function of the intelligent secret key device according to the enable instruction.
13. The information management method for an intelligent secret key device according to claim 11, characterized in that receiving the operation instruction input by the user and the user data to be stored specifically comprises:
receiving the operation instruction and the user data to be stored through an operation interface and control keys provided by the intelligent secret key device; or
receiving, through a communication interface, the operation instruction and the user data to be stored sent by an external device.
14. The information management method for an intelligent secret key device according to claim 11, characterized in that, before writing the user data to be stored into the intelligent secret key device, it further comprises:
receiving a verification request for the intelligent secret key device and a random number sent by the user through a client, encrypting the random number with the private key of the intelligent secret key device, and, according to the verification request, sending the digital certificate of the intelligent secret key device and the encrypted random number to the client; and
the client verifying the digital certificate of the intelligent secret key device against a root certificate, decrypting the encrypted random number with the public key of the intelligent secret key device, and verifying the decrypted random number.
15. The information management method for an intelligent secret key device according to claim 11, characterized in that receiving the operation instruction input by the user and the user data to be stored specifically comprises:
receiving a user data ciphertext sent by a client, and decrypting the user data ciphertext with the private key of the intelligent secret key device to obtain the user data to be stored, wherein the client encrypts the user data to be stored with the public key of the intelligent secret key device to generate the user data ciphertext; or
receiving a session key ciphertext and a user data ciphertext sent by a client, decrypting the session key ciphertext with the private key of the intelligent secret key device to obtain a session key, and decrypting the user data ciphertext with the session key to obtain the user data to be stored, wherein the client randomly generates the session key, encrypts the session key with the public key of the intelligent secret key device to generate the session key ciphertext, and encrypts the user data to be stored with the session key to generate the user data ciphertext.
16. The information management method for an intelligent secret key device according to any one of claims 11 to 15, characterized in that, after the user data to be stored is written into the intelligent secret key device, it further comprises:
the intelligent secret key device receiving a dynamic password generation request sent by a client;
the intelligent secret key device obtaining the user data stored in its second storage module;
the intelligent secret key device displaying the user data on its display screen, wherein the user data comprises accounts and corresponding passwords; and
the intelligent secret key device obtaining the user data selected by the user and generating a dynamic password according to the selected user data, wherein the dynamic password is used for authentication when the user logs in at the client with the selected user data.
17. The method according to claim 16, characterized in that obtaining the user data selected by the user and generating the dynamic password according to the selected user data comprises:
using the user data selected by the user as a seed key and computing the dynamic password from the seed key and factor information, wherein the factor information comprises a time factor and/or an event factor, the user data comprises numeric information and non-numeric information convertible into numeric information, and the non-numeric information comprises one or more of letters, operators and punctuation marks.
18. The method according to any one of claims 11 to 15, characterized in that, after the user data to be stored is written into the intelligent secret key device, it further comprises:
the intelligent secret key device receiving a password output request sent by a client;
the intelligent secret key device displaying, according to the password output request, an item list corresponding to user data pre-stored in the intelligent secret key device, wherein the user data comprises account information and corresponding passwords;
the intelligent secret key device determining the account information the user selects in the item list and determining a first password according to the selected account information, wherein the first password is the password used for login authentication; and
the intelligent secret key device sending the first password to the client so that the client inputs the first password.
19. The method according to claim 18, characterized in that determining the account information selected by the user in the item list and determining the first password according to the selected account information comprises:
obtaining, from the stored information, the password corresponding to the account information selected by the user, and taking the obtained password as the first password or encrypting the obtained password to obtain the first password; or,
obtaining, from the stored information, one or more of the account information selected by the user and the information corresponding to that account information, computing a dynamic password from the obtained information with a dynamic password algorithm, and taking the dynamic password as the first password.
20. The method according to any one of claims 11 to 15, characterized in that it further comprises:
the intelligent secret key device obtaining data to be backed up from the storage module of the intelligent secret key device; and
the intelligent secret key device sending the data to be backed up to a target intelligent secret key device; wherein the target intelligent secret key device receives the data to be backed up, displays it for the user to confirm, and saves the data to be backed up after receiving the user's confirmation instruction.
CN201410132192.1A 2014-04-02 2014-04-02 Intelligent secret key device and information management method of intelligent secret key device Active CN103929306B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410132192.1A CN103929306B (en) 2014-04-02 2014-04-02 Intelligent secret key device and information management method of intelligent secret key device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410132192.1A CN103929306B (en) 2014-04-02 2014-04-02 Intelligent secret key device and information management method of intelligent secret key device

Publications (2)

Publication Number Publication Date
CN103929306A true CN103929306A (en) 2014-07-16
CN103929306B CN103929306B (en) 2016-04-06

Family

ID=51147391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410132192.1A Active CN103929306B (en) 2014-04-02 2014-04-02 Intelligent secret key device and information management method of intelligent secret key device

Country Status (1)

Country Link
CN (1) CN103929306B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486085A (en) * 2014-12-24 2015-04-01 北京深思数盾科技有限公司 System and method for managing intelligent key device
CN104636926A (en) * 2015-03-09 2015-05-20 苏州海博智能系统有限公司 Wearing equipment
WO2015149582A1 (en) * 2014-04-02 2015-10-08 天地融科技股份有限公司 Password input method, intelligent secret key device and client apparatus
CN106789848A (en) * 2015-11-23 2017-05-31 阿里巴巴集团控股有限公司 User key storage method and server
CN107248969A (en) * 2016-06-13 2017-10-13 苏州海博智能系统有限公司 Communication processing system and method for a secure encryption device
CN107729775A (en) * 2014-07-17 2018-02-23 天地融科技股份有限公司 Method and device for realizing switching between intelligent secret key device modes
CN108092764A (en) * 2017-11-02 2018-05-29 捷开通讯(深圳)有限公司 Password management method, device and apparatus with storage function
CN108154364A (en) * 2016-12-06 2018-06-12 上海方付通商务服务有限公司 Wearable device and payment system and method for payment with the wearable device
CN109922042A (en) * 2019-01-21 2019-06-21 北京邮电大学 Method and system for managing sub-keys of lost equipment
CN110290113A (en) * 2019-06-03 2019-09-27 深圳巴克云网络科技有限公司 Device identification building method, device and computer readable storage medium based on PoW algorithm
CN110298939A (en) * 2018-03-22 2019-10-01 施耐德电器工业公司 Method for locking the function of an electrical device and electrical device for implementing said method
CN110581829A (en) * 2018-06-08 2019-12-17 中国移动通信集团有限公司 Communication method and device
CN110661623A (en) * 2018-06-29 2020-01-07 高级计算发展中心(C-Dac),班加罗尔 Method and system for authenticating a user using a Personal Authentication Device (PAD)
CN110704827A (en) * 2019-09-27 2020-01-17 深圳市元征科技股份有限公司 Authority management method and related device
CN111800377A (en) * 2020-05-20 2020-10-20 中国电力科学研究院有限公司 Mobile terminal identity authentication system based on safe multi-party calculation
CN112003697A (en) * 2020-08-25 2020-11-27 成都卫士通信息产业股份有限公司 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN112491843A (en) * 2020-11-17 2021-03-12 苏州浪潮智能科技有限公司 Database multiple authentication method, system, terminal and storage medium
CN112560007A (en) * 2015-05-08 2021-03-26 松下电器(美国)知识产权公司 Authentication method, authentication system and controller

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101697537A (en) * 2009-10-20 2010-04-21 宇龙计算机通信科技(深圳)有限公司 Access method for internet, system and mobile terminal
CN101741843A (en) * 2009-12-10 2010-06-16 北京握奇数据系统有限公司 Method, device and system for realizing user authentication by utilizing public key infrastructure
CN203278851U (en) * 2013-03-06 2013-11-06 上海阳扬电子科技有限公司 Authenticated encryption device with wireless communication function

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015149582A1 (en) * 2014-04-02 2015-10-08 天地融科技股份有限公司 Password input method, intelligent secret key device and client apparatus
CN107729775A (en) * 2014-07-17 2018-02-23 天地融科技股份有限公司 Method and device for realizing switching between intelligent secret key device modes
CN107729775B (en) * 2014-07-17 2020-04-10 天地融科技股份有限公司 Method and device for realizing switching between intelligent secret key equipment modes
CN104486085A (en) * 2014-12-24 2015-04-01 北京深思数盾科技有限公司 System and method for managing intelligent key device
CN104636926A (en) * 2015-03-09 2015-05-20 苏州海博智能系统有限公司 Wearing equipment
CN112560007A (en) * 2015-05-08 2021-03-26 松下电器(美国)知识产权公司 Authentication method, authentication system and controller
CN106789848A (en) * 2015-11-23 2017-05-31 阿里巴巴集团控股有限公司 User key storage method and server
WO2017088677A1 (en) * 2015-11-23 2017-06-01 阿里巴巴集团控股有限公司 User key storage method and server
CN107248969A (en) * 2016-06-13 2017-10-13 苏州海博智能系统有限公司 Safe encryption device Communication processing system and method
CN108154364A (en) * 2016-12-06 2018-06-12 上海方付通商务服务有限公司 Wearable device and payment system and method for payment with the wearable device
CN108092764A (en) * 2017-11-02 2018-05-29 捷开通讯(深圳)有限公司 Password management method, device, and apparatus with storage function
CN110298939B (en) * 2018-03-22 2023-03-10 施耐德电器工业公司 Method for locking the function of an electrical device and electrical device for implementing said method
CN110298939A (en) * 2018-03-22 2019-10-01 施耐德电器工业公司 Method for locking the function of an electrical device and electrical device for implementing said method
CN110581829A (en) * 2018-06-08 2019-12-17 中国移动通信集团有限公司 Communication method and device
CN110661623A (en) * 2018-06-29 2020-01-07 高级计算发展中心(C-Dac),班加罗尔 Method and system for authenticating a user using a Personal Authentication Device (PAD)
CN109922042B (en) * 2019-01-21 2020-07-03 北京邮电大学 Method and system for managing sub-keys of lost equipment
CN109922042A (en) * 2019-01-21 2019-06-21 北京邮电大学 Method and system for managing sub-keys of lost equipment
CN110290113A (en) * 2019-06-03 2019-09-27 深圳巴克云网络科技有限公司 Device identification building method, device and computer readable storage medium based on PoW algorithm
CN110290113B (en) * 2019-06-03 2023-09-01 深圳巴克云网络科技有限公司 PoW algorithm-based device identification construction method and device and computer-readable storage medium
CN110704827A (en) * 2019-09-27 2020-01-17 深圳市元征科技股份有限公司 Authority management method and related device
CN110704827B (en) * 2019-09-27 2023-05-05 深圳市元征科技股份有限公司 Authority management method and related device
CN111800377A (en) * 2020-05-20 2020-10-20 中国电力科学研究院有限公司 Mobile terminal identity authentication system based on safe multi-party calculation
CN111800377B (en) * 2020-05-20 2023-03-24 中国电力科学研究院有限公司 Mobile terminal identity authentication system based on safe multi-party calculation
CN112003697A (en) * 2020-08-25 2020-11-27 成都卫士通信息产业股份有限公司 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN112003697B (en) * 2020-08-25 2023-09-29 成都卫士通信息产业股份有限公司 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN112491843A (en) * 2020-11-17 2021-03-12 苏州浪潮智能科技有限公司 Database multiple authentication method, system, terminal and storage medium

Also Published As

Publication number Publication date
CN103929306B (en) 2016-04-06

Similar Documents

Publication Publication Date Title
CN103929306B (en) Intelligent secret key device and information management method of intelligent secret key device
CN105608577B (en) Method for realizing non-repudiation, payment management server and user terminal thereof
CN103929307A (en) Password input method, intelligent secret key device and client device
US10523441B2 (en) Authentication of access request of a device and protecting confidential information
US11258591B2 (en) Cryptographic key management based on identity information
US11557164B2 (en) Contactless card personal identification system
US10848304B2 (en) Public-private key pair protected password manager
CN103905188A (en) Method for generating dynamic password through intelligent secret key device, and intelligent secret key device
KR101070727B1 (en) System and method for performing user authentication using coordinate region and password
TWI739778B (en) The login mechanism of the operating system
TW201544983A (en) Data communication method and system, client terminal and server
US11251941B2 (en) Managing cryptographic keys based on identity information
CN101785238A (en) User authentication system and method
US20220052985A1 (en) System, method, and computer-accessible medium for hiding messages sent to third parties
AU2020394624A1 (en) Secure password generation and management using NFC and contactless smart cards
CA3216450A1 (en) Systems and techniques to utilize an active link in a uniform resource locator to perform a money exchange
CN114631109A (en) System and method for cross-coupling risk analysis and one-time passwords
KR101498974B1 (en) Security management server, system, and method using biometric information
Zaky et al. Multi-factor authentication
US11968202B2 (en) Secure authentication in adverse environments
WO2018079708A2 (en) Transmission/reception system, transmission device, reception device, method, and computer program
AU2023285934A1 (en) Secure password generation and management using NFC and contactless smart cards

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant