Summary of the invention
Based on this, the purpose of the present invention is to provide a kind of cipher machine, which can verify that whether its whereabouts really may be used
Letter.
In order to achieve the above objectives, the embodiment of the present invention uses following technical scheme:
A kind of cipher machine, including password mainboard, the signature memory module being connect with the password mainboard, the signature
Memory module storage whereabouts verifying private key signs to the whereabouts that user service information is digitally signed, the customer service
Information includes the purposes of cipher machine, and the password mainboard receives user instructions, and the whereabouts is signed and is referred to the user
The sender of order sends.
According to scheme present invention as described above, the signature memory module storage whereabouts verifying private key is to customer service
The whereabouts signature that information is digitally signed, the user service information includes the purposes of cipher machine, and password mainboard connects
User instruction is received, the whereabouts that signature memory module is stored is read according to the user instruction and is signed, and the whereabouts is signed
It is sent to the sender of the user instruction, the sender of the user instruction can sign to the whereabouts after receiving whereabouts signature
The user service information after signature verification is verified, verifying are carried out using with the matched whereabouts verification public key of whereabouts verifying private key
User service information afterwards includes the purposes of cipher machine, and the user service information after user service information and verifying is carried out pair
Than if the inconsistent whereabouts signature for illustrating the cipher machine has been tampered, the whereabouts of cipher machine is insincere;Illustrate password if consistent
The whereabouts of machine is credible.Therefore the solution of the present invention is able to verify that whether the whereabouts of cipher machine is genuine and believable.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right
The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and
It is not used in the restriction present invention.
Fig. 1 shows the structural schematic diagram of cipher machine of the invention, as shown in Figure 1, the cipher machine in the present embodiment includes:
Password mainboard 110, the signature memory module 120 connecting with the password mainboard 110, the signature memory module 120 are deposited
Storage whereabouts verifying private key signs to the whereabouts that user service information is digitally signed, and the user service information includes close
The purposes of ink recorder, the password mainboard receive user instructions, and the whereabouts is signed the sender to the user instruction
It sends.
In the particular embodiment, whereabouts verifying private key and whereabouts verification public key are different two groups of characters, by with
Family generates and keeping, the user service information can be indicated by English character.Password mainboard 110 has cryptographic service net
Three mouth, management service network interface, management service serial ports external interactive interfaces, password mainboard 110 be able to carry out information encryption and
Decryption, externally provides cryptographic service by cryptographic service network interface.
In the present embodiment, password mainboard 110 is received user instructions, and reads signature memory module according to the user instruction
The 120 whereabouts signatures stored, and the whereabouts is signed, certificate server is sent to by management service network interface, the authentication service
Device carries out the user service information after signature verification is verified, certification to the whereabouts signature received using whereabouts verification public key
Server memory contains user service information, and certificate server carries out the user service information after user service information and verifying
Comparison illustrates that the whereabouts verification public key use when signature verification and whereabouts verifying private key are if result is consistent
Match, and whereabouts signature, without passing through any modification, the purposes information of cipher machine is genuine and believable at this time;If result
Inconsistent, then whereabouts verification public key used by illustrating and whereabouts verifying private key mismatch or whereabouts signature are
It is tampered, the purposes information of cipher machine is incredible at this time, therefore the solution of the present invention is able to verify that the whereabouts of cipher machine is
It is no genuine and believable.
In another embodiment, the user service information further includes the use unit for having cipher machine, using whereabouts
Verifying private key is digitally signed to the purposes for including cipher machine and using the user service information of unit to obtain the whereabouts
Signature.At this point, the user service information after user service information and verifying is carried out consistency comparison by certificate server, it may be verified that
Whether whether the whereabouts of the cipher machine is genuine and believable and usurped by other unit.
In another embodiment, the user service information further includes the sequence number for having cipher machine, the whereabouts label
Name is digitally signed to obtain by whereabouts verifying private key to user service information, and the user service information includes cipher machine
Purposes and cipher machine sequence number or include the purposes of cipher machine, cipher machine the sequence number using unit and cipher machine.
Since the sequence number of cipher machine has just been set when leaving the factory, change is invalid, and the sequence of obtained whereabouts signature and cipher machine
It number is mutually matched, therefore can prevent the whereabouts of cipher machine from signing and be tampered and forge.
Fig. 2 shows the structural schematic diagram of the cipher machine in another embodiment, it is different from embodiment shown in FIG. 1 it
It is in further including the factory secret storage module being connect with the password mainboard, cryptographic algorithm module, be able to verify that password
Whether the source of machine is true and reliable.
As shown in Fig. 2, the cipher machine in the present embodiment includes: password mainboard 210, connect with password mainboard 210
Signature memory module 220, factory secret storage module 230, cryptographic algorithm module 240;The storage of signature memory module 220 is gone
It signs to verifying private key to the whereabouts that user service information is digitally signed, the user service information includes cipher machine
Purposes, the factory secret storage module 230 stores cipher machine producer and dispatches from the factory private key;
The password mainboard 210 receives user instructions, and the whereabouts is signed the sender to the user instruction
It sends;
The password mainboard 210 receives the encrypted cipher text using cipher machine producer factory public key encryption, controls described close
Code algoritic module 240 is decrypted the encrypted cipher text to obtain decrypted plaintext using cipher machine producer factory private key, and
The decrypted plaintext is sent to the sender of the encrypted cipher text.
In the particular embodiment, factory secret storage module 230 can be realized using readable not writeable memory, be prevented
Only its cipher machine producer stored factory private key is modified, such as using ROM (Read Only Memory, read-only memory) etc.
Memory is realized, factory private key can also be stored in factory secret storage module 230 using underground instruction by cipher machine producer
In.Cipher machine producer factory private key is written to factory secret storage module 230 when cipher machine dispatches from the factory in cipher machine producer, described to add
Ciphertext with factory private key matched cipher machine producer of cipher machine producer factory public key by encrypt to a certain data
It arrives, which can be the character string with certain length being randomly generated.The cipher machine producer factory private key is fixed value,
In cipher machine factory by cipher machine factory settings, cannot change.Password mainboard 210 has cryptographic service network interface, management clothes
Business three network interface, management service serial ports external interactive interfaces, cipher machine producer pass through management service serial ports when cipher machine dispatches from the factory
Cipher machine producer factory private key is written in factory secret storage module 230 into cipher machine;Gone out receiving using cipher machine producer
The encrypted cipher text of factory's public key encryption and by the decrypted plaintext to the sender of the encrypted cipher text send when, using management service
Network interface carries out.Password mainboard 210 is able to carry out information encryption and decryption, externally provides password clothes by cryptographic service network interface
Business.
According to the scheme of the present embodiment as described above, the signature memory module 220 store whereabouts verifying private key to
The whereabouts signature that family business information is digitally signed, the user service information includes the purposes of cipher machine, cipher machine
Mainboard 210 receives user instructions, and reads the whereabouts that signature memory module 220 is stored according to the user instruction and signs, and will
The whereabouts is signed to be sent to the sender of the user instruction, and the sender of the user instruction can after receiving whereabouts signature
The user after signature verification is verified is carried out using with whereabouts verifying private key matched whereabouts verification public key to whereabouts signature
Business information, the user service information after verifying include the purposes of cipher machine, by the user after user service information and verifying
Business information compares, if the inconsistent whereabouts signature for illustrating the cipher machine has been tampered, the whereabouts of cipher machine is insincere;If
It is consistent then illustrate that the whereabouts of cipher machine is credible.The encryption that password mainboard 210 receives cipher machine producer factory public key encryption is close
Wen Hou reads the cipher machine producer factory private key of storage from factory secret storage module 230, then controls cryptographic algorithm module
240 are decrypted the encrypted cipher text using cipher machine producer factory private key, obtain decrypted plaintext.At this point, by encrypted cipher text
Corresponding data before encrypting are compared with decrypted plaintext, since the factory private key of cipher machine is matched with its source, work as decryption
When inconsistent with data before encrypting in plain text, illustrate to be tampered from the cipher machine producer factory private key in cipher machine, cipher machine
Source it is insincere;Illustrate that the source of cipher machine is credible if consistent.Therefore the scheme of the present embodiment can not only verify password
Whether the whereabouts of machine is genuine and believable, and whether the source that can verify cipher machine is genuine and believable.
The embodiments described above only express several embodiments of the present invention, and the description thereof is more specific and detailed, but simultaneously
Limitations on the scope of the patent of the present invention therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art
For, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to guarantor of the invention
Protect range.Therefore, the scope of protection of the patent of the invention shall be subject to the appended claims.