CN105117658B - Password security management method and device based on fingerprint authentication - Google Patents
- Publication number: CN105117658B (application number CN201510449242.3)
- Authority
- CN
- China
- Prior art keywords
- key
- user
- management equipment
- module
- password management
- Prior art date
- Legal status: Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
Abstract
The present invention relates to a password security management method and device based on fingerprint authentication. The device comprises a central processing module, a fingerprint acquisition module, a Bluetooth module and an encryption and secure storage module; the central processing module is connected to the fingerprint acquisition module, the Bluetooth module and the encryption and secure storage module respectively. The invention uses the user's fingerprint in key generation to protect private data, so that the fingerprint not only serves for identity authentication but also for encrypting the data; a key generated from a fingerprint resists brute-force password attacks better than a key derived from a password. The invention also uses a user identifier in key generation, with the user and the device participating jointly in producing the key, which substantially raises security: nobody other than the user can decrypt the protected data, not even the manufacturer, unless the user personally supplies the user identifier and fingerprint.
Description
Technical field
The invention belongs to the field of Internet information security, and in particular relates to a password security management method and device based on fingerprint authentication.
Background technique
Existing password management methods are mainly of two types: cloud backup storage and local browser caching. In the cloud backup storage type, the user name and password are backed up to a server as the user enters them, and on later use a product plug-in fills in the user name and password automatically. In the local browser caching type, when the user enters a password and user name the browser asks whether to cache the password; if the user agrees, the browser stores the password in a local temporary file, and a browser plug-in fills it in automatically when the user next needs it.
The problem with the cloud backup storage type is that the user's private data are handed to the cloud backup server, where they can easily leak from inside the cloud provider and are also easily stolen by attackers. The problem with the local browser caching type is that the password is stored in a local temporary file without any encryption, so its security cannot be guaranteed at all.
Chinese utility model application CN201220033844.2, entitled "a fingerprint password management system based on cloud computing", discloses a fingerprint password management system. Its data are stored in a storage module on a cloud server and are easily stolen by attackers, and the fingerprint password protection method it provides is comparatively simple and not very secure.
Summary of the invention
To address the above problems of the prior art, the present invention proposes a password security management method and device based on fingerprint authentication. The user's passwords are stored encrypted inside a password management device, which effectively prevents them from being stolen by attackers or leaked by the manufacturer of the password manager.
To achieve this goal, the present invention adopts the following technical scheme.
A password security management method based on fingerprint authentication, implemented by a password management device, comprises the following steps:
Step 1: the user submits a new password; if this is the user's first use, the user provides a self-chosen identifier UI;
Step 2: the application (APP) side derives from the user identifier UI a value UN that can take part in cryptographic operations, and passes UN to the password management device;
Step 3: key K3 is computed with key derivation algorithm 2;
Step 4: a fingerprint F1 is chosen and a fingerprint template FP1 is generated;
Step 5: the fingerprint template FP1 is encrypted with key K3 to obtain the encrypted fingerprint template FP2;
Step 6: with the user and the password management device participating jointly, key K1 is computed with key derivation algorithm 1;
Step 7: the password record D is encrypted with key K1 to obtain ciphertext D1;
Step 8: ciphertext D1 is encrypted with the built-in key K2 to obtain D2; D2 is stored inside the password management device, and an export/backup interface is provided.
Further, UN is derived from UI as:
UN = PBKDF2(UI, count)
where count is chosen so that the computation takes on the order of one second on the target processor; this slows down exhaustive search and so protects UN from being guessed. PBKDF2 is a standard cryptographic algorithm whose inputs are a character string and a work-factor parameter; its output UN is one-way, that is, UI cannot be recovered from UN, and the output can be used as a key.
Further, key K3 is computed with key derivation algorithm 2 as:
K3 = HASH(UN, Salt, K4)
where HASH is the standard cryptographic hash function SHA1. Salt is a random number in one-to-one correspondence with the UI and F1 described above, intended to prevent an attacker from mounting a rainbow-table attack. K4 is a fixed key inside the password management device: as long as the attacker does not obtain K4, K3 cannot be obtained even if all the other data are known.
Further, key K1 is computed with key derivation algorithm 1 as:
K1 = HASH(UN, FP1, Salt, K4)
where HASH is the standard cryptographic hash function SHA1, Salt is a random number in one-to-one correspondence with the UI and F1 described above, and K4 is a fixed key inside the password management device.
A password management device for implementing the above method comprises a central processing module, a fingerprint acquisition module, a Bluetooth module, and an encryption and secure storage module. The central processing module is connected to the fingerprint acquisition module, the Bluetooth module and the encryption and secure storage module respectively.
Further, the central processing module is the control and computation centre of the password management device; it performs the fingerprint signal processing and coordinates the work of the other modules.
Further, the fingerprint acquisition module captures the user's fingerprint with a capacitive fingerprint sensor and sends the captured fingerprint image to the central processing module.
Further, the Bluetooth module uses a Bluetooth 4.0 chip and carries the data transfer between the password management device and external devices.
Further, the encryption and secure storage module uses a storage-type security chip whose storage region is hardware-encrypted; under the control of the central processing module it stores the user's account and password table and performs the encryption and decryption operations.
Compared with the prior art, the invention has the following advantages:
(1) The invention uses the user's fingerprint in key generation to protect private data, so that the fingerprint not only serves for identity authentication but also for encrypting the data. A key generated from a fingerprint resists brute-force password attacks better than a key derived from a password.
(2) The invention uses the user identifier UI in key generation, so that nobody other than the user can decrypt the protected data, not even the manufacturer, unless the user personally supplies the user identifier and fingerprint.
(3) The password management device of the invention uses a storage-type security chip for encrypted storage, which improves the security of password management; for communication it uses Bluetooth 4.0, which supports mobile Internet access and offers very long standby time; the fingerprint acquisition module uses a capacitive touch sensor, which compared with an optical sensor tolerates moist fingers and can recognise live fingerprints.
Detailed description of the invention
Fig. 1 is a block diagram of the password management device of the present invention.
Specific embodiment
The present invention is further described below with reference to the drawing and an embodiment.
A password security management method based on fingerprint authentication comprises the following steps:
Step 1: the user submits a new password record D, D = {password, user name, URL}; in practice this may be, for example, the user name and password of a mailbox.
Step 2: if this is the user's first use, the user provides a self-chosen identifier UI.
Step 3: the application (APP) side derives UN from the user identifier UI and passes it to the password management device. UN is derived from UI as:
UN = PBKDF2(UI, count)
where count is chosen so that the computation takes on the order of one second even on a low-performance processor, which slows down exhaustive search and so prevents an attacker from guessing UN. PBKDF2 is a standard cryptographic algorithm whose inputs are a character string and a work-factor parameter; its output can be used as a key.
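Choosing count as the text prescribes, as an added example in Python that is not part of the patent: it measures one PBKDF2 derivation on the machine it runs on, scales the iteration count to a target time, and estimates what that count costs an attacker who tries every candidate UI. Assumptions, marked in the code: PBKDF2-HMAC-SHA256 with a fixed application label as the PBKDF2 salt (the patent's PBKDF2(UI, count) names none), a 32-byte output, linear scaling of cost with count, and an attacker speed-up factor supplied by the caller; the function names and default values are the example's own.

```python
"""Calibrating the PBKDF2 work factor `count` for UN = PBKDF2(UI, count).
Added example, not from the patent; open points are marked ASSUMPTION."""
import hashlib
import time

PBKDF2_LABEL = b"password-manager-UN"  # ASSUMPTION: stands in for the salt argument the formula omits


def derive_un(ui: str, count: int) -> bytes:
    """UN = PBKDF2(UI, count) with PBKDF2-HMAC-SHA256 and a 32-byte output (ASSUMPTION)."""
    return hashlib.pbkdf2_hmac("sha256", ui.encode("utf-8"), PBKDF2_LABEL, count, dklen=32)


def seconds_per_derivation(count: int, ui: str = "calibration-ui") -> float:
    """Wall-clock time of one derivation on this machine."""
    start = time.perf_counter()
    derive_un(ui, count)
    return time.perf_counter() - start


def calibrate_count(target_seconds: float = 1.0, floor: int = 100_000) -> int:
    """Grow count until one derivation is well above timer noise, then scale it
    linearly to the target time. `floor` keeps a fast test machine from
    choosing a count that would be trivial for an attacker (ASSUMPTION: cost
    scales linearly with count, which holds for PBKDF2)."""
    count = 10_000
    elapsed = seconds_per_derivation(count)
    while elapsed < target_seconds / 16:
        count *= 2
        elapsed = seconds_per_derivation(count)
    return max(int(count * target_seconds / elapsed), floor)


def exhaustive_search_seconds(count: int, candidate_space: int, measured_count: int,
                              measured_seconds: float, attacker_speedup: float = 1000.0) -> float:
    """Expected time for an attacker to try half of `candidate_space` identifiers
    at the chosen count, given one measurement on the device and an assumed
    speed-up of the attacker's hardware over the device (ASSUMPTION)."""
    per_iteration = measured_seconds / measured_count / attacker_speedup
    return candidate_space / 2 * count * per_iteration


def plan(target_seconds: float = 1.0, candidate_space: int = 2 ** 40) -> dict:
    """Pick a count for this machine and report the attacker cost it implies."""
    sample_count = 10_000
    sample_seconds = seconds_per_derivation(sample_count)
    count = calibrate_count(target_seconds)
    return {"count": count,
            "attack_seconds": exhaustive_search_seconds(count, candidate_space,
                                                        sample_count, sample_seconds)}
```

The floor matters because a development machine is many times faster than the low-performance processor the text has in mind, and the patent's requirement is about one second on that device. The estimate also shows the limit of count: it multiplies the attacker's cost per guess but does not replace entropy in UI, so a short, guessable identifier stays guessable whatever count is chosen.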
The following steps are performed inside the password management device:
Step 4: key K3 is obtained with key derivation algorithm 2. This step generates a new key and can be expressed as:
K3 = HASH(UN, Salt, K4)
where HASH is the standard cryptographic hash function SHA1. UN comes from the user identifier UI, which the user enters; the purpose of UN is to prevent the device manufacturer from knowing the key in advance and so being able to decrypt user data at will. K4 is a fixed key inside the password management device and protects against the manufacturer side: as long as an attacker has not broken into the chip in the device and obtained K4, K3 cannot be obtained even with all the other data. Salt is a random number in one-to-one correspondence with UI and F1, and is used to prevent an attacker from mounting a rainbow-table attack. F1 is the fingerprint chosen in step 5; step 4 and step 5 can be executed in parallel.
The method of generating key K3 thus involves three elements, the UN derived from the user's UI, the random number Salt and the fixed key K4, which greatly increases confidentiality.
Step 5: a fingerprint F1 is chosen and a fingerprint template FP1 is generated.
Step 6: FP1 is encrypted with K3 to obtain FP2.
Step 7: key K1 is obtained with key derivation algorithm 1. This method involves the user and the password management device jointly, combining the four elements UN, FP1, Salt and K4, so confidentiality is strengthened further. K1 is generated as:
K1 = HASH(UN, FP1, Salt, K4)
where HASH is the standard cryptographic hash function SHA1.
Step 8: the password record D is encrypted with K1 to obtain ciphertext D1. This is the first encryption layer of the data: the original data are encrypted with the key K1 produced from the user's fingerprint F1 and user identifier UI.
Step 9: D1 is encrypted with the built-in key K2 to obtain D2. This is the second encryption layer. The purpose of the two layers is two-layer protection: the user performs the first layer of encryption and the device manufacturer the second. The benefit is that even an attacker who has stolen the user's fingerprint and identifier UI still cannot decrypt the exported data without the key held in the device.
Step 10: protection is complete. D2 is stored inside the password management device, and an export/backup interface is provided; a backup must export {FP2, D2, Salt} together. Feeding these three elements back into the password management device restores all of the user's passwords.
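The whole procedure of steps 1 to 10 as described in the summary and the embodiment, including the backup set {FP2, D2, Salt} and the restore path, as an added example in Python; this is not the patent's code, and the patent names no implementation. Assumptions, marked ASSUMPTION in the comments: HASH(a, b, ...) is taken as the named hash over a length-prefixed concatenation of its arguments (the patent names SHA1 but does not say how the arguments are joined, so the hash name is a parameter and sha256 can be passed instead); PBKDF2 in the standard library requires a salt that the formula PBKDF2(UI, count) does not mention, so a fixed application label is used for it; the symmetric cipher for FP2, D1 and D2 is not named in the patent, and the example uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so that it runs on the standard library alone, where a product would use AES-GCM from a vetted library; the fingerprint template is a constructed byte string and the template match is a constant-time byte comparison standing in for the central module's feature matching. The class name, function names and sample record are the example's own.

```python
"""Steps 1 to 10 of the embodiment: UN, K3, FP2, K1, D1, D2 and the backup set
{FP2, D2, Salt}, plus the restore path. Added example, not the patent's code;
points the patent leaves open are marked ASSUMPTION in the comments."""
import hashlib
import hmac
import json
import os
import struct

PBKDF2_LABEL = b"password-manager-UN"  # ASSUMPTION: PBKDF2 needs a salt; PBKDF2(UI, count) names none


def derive_un(ui: str, count: int) -> bytes:
    """APP side: UN = PBKDF2(UI, count), a 32-byte one-way value derived from the identifier."""
    return hashlib.pbkdf2_hmac("sha256", ui.encode("utf-8"), PBKDF2_LABEL, count, dklen=32)


def hash_kdf(*parts: bytes, hash_name: str = "sha1") -> bytes:
    """HASH(x1, x2, ...) of key derivation algorithms 1 and 2 (the patent names SHA1).
    ASSUMPTION: every argument is length-prefixed before hashing, so that
    (UN, Salt, K4) and (UN, FP1, Salt, K4) cannot be confused by re-splitting."""
    h = hashlib.new(hash_name)
    for part in parts:
        h.update(struct.pack(">I", len(part)) + part)
    return h.digest()


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys from one derived key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. ASSUMPTION: the patent does not name the
    cipher; this stand-in keeps the example on the standard library."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || HMAC-SHA256 tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PasswordManagementDevice:
    """Holds the fixed device keys K2 (built-in second-layer key) and K4
    (key-derivation secret); in the real device they live in the secure chip."""

    def __init__(self, k2: bytes, k4: bytes, hash_name: str = "sha1"):
        self.k2, self.k4, self.hash_name = k2, k4, hash_name

    def protect(self, un: bytes, fp1: bytes, record: dict) -> dict:
        """Steps 4 to 10: returns the backup set {FP2, D2, Salt}."""
        salt = os.urandom(16)                                             # one Salt per (UI, F1)
        k3 = hash_kdf(un, salt, self.k4, hash_name=self.hash_name)        # algorithm 2
        fp2 = encrypt(k3, fp1)                                            # step 6
        k1 = hash_kdf(un, fp1, salt, self.k4, hash_name=self.hash_name)   # algorithm 1
        d = json.dumps(record, sort_keys=True).encode("utf-8")            # D = {password, user name, URL}
        d1 = encrypt(k1, d)                                               # layer 1: user's key
        d2 = encrypt(self.k2, d1)                                         # layer 2: device's built-in key
        return {"FP2": fp2, "D2": d2, "Salt": salt}

    def recover(self, un: bytes, live_fp: bytes, backup: dict) -> dict:
        """Restore from {FP2, D2, Salt}; the live scan must match the stored template."""
        salt = backup["Salt"]
        k3 = hash_kdf(un, salt, self.k4, hash_name=self.hash_name)
        fp1 = decrypt(k3, backup["FP2"])              # fails if UI (hence UN) or K4 is wrong
        # ASSUMPTION: exact comparison stands in for the central module's feature matching
        if not hmac.compare_digest(fp1, live_fp):
            raise PermissionError("fingerprint does not match the enrolled template")
        k1 = hash_kdf(un, fp1, salt, self.k4, hash_name=self.hash_name)
        d1 = decrypt(self.k2, backup["D2"])           # fails without the device's K2
        return json.loads(decrypt(k1, d1).decode("utf-8"))


# Constructed sample inputs, not taken from the patent
SAMPLE_RECORD = {"password": "hunter2", "user name": "alice@example.com",
                 "URL": "https://mail.example.com"}
SAMPLE_FP1 = hashlib.sha256(b"constructed fingerprint template F1").digest()


def demo(ui: str = "alice-self-chosen-id", count: int = 20_000) -> dict:
    """Enrol one record on a fresh device and read it back through the backup set."""
    device = PasswordManagementDevice(k2=os.urandom(32), k4=os.urandom(32))
    un = derive_un(ui, count)
    backup = device.protect(un, SAMPLE_FP1, SAMPLE_RECORD)
    return device.recover(un, SAMPLE_FP1, backup)
```

Two points the code makes explicit: K1 is derived from the stored template FP1, recovered through K3, not from the live scan, which is why FP2 has to travel with D2 and Salt in the backup set and why the live scan is only compared against it; and the three failure modes the description claims each fail closed here, since a wrong UI or a different device (other K4) makes FP2 fail to authenticate, a non-matching fingerprint is rejected before any record is decrypted, and a backup carried to a device without the original K2 cannot be opened. The hash_name parameter exists so that a deployment can use sha256 in place of the SHA1 the patent names.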
A password management device for implementing the above method comprises a central processing module, a fingerprint acquisition module, a Bluetooth module, and an encryption and secure storage module. The central processing module is connected to the fingerprint acquisition module, the Bluetooth module and the encryption and secure storage module respectively. In particular:
The central processing module is the control and computation centre of the password management device; it performs the fingerprint signal data processing and coordinates the work of the other modules. The fingerprint signal data processing mainly consists of converting the analogue fingerprint image signal into a digital signal, followed by image enhancement, binarisation, thinning and optimisation, and feature extraction, and finally fingerprint feature matching.
The fingerprint acquisition module captures the user's fingerprint and sends the captured fingerprint image to the central processing module. It uses a capacitive fingerprint sensor, and the image is transferred between the sensor and the central processor over an SPI interface. Compared with an optical fingerprint sensor, a capacitive fingerprint sensor tolerates moist fingers and can recognise live fingerprints.
The Bluetooth module carries the data transfer between the password management device and external systems such as mobile phones and computers. For example, when the user wants to log in to a website from an application on a mobile phone or PC, the user places a finger on the fingerprint acquisition module; after the fingerprint matches successfully, the central processing module reads and decrypts the corresponding account and password and returns them over the Bluetooth module to the application on the phone or PC. The Bluetooth module uses a Bluetooth 4.0 chip, supports mobile Internet access, and offers very long standby time.
The encryption and secure storage module stores the user's account and password table under the control of the central processing module and performs the encryption and decryption operations. The secure storage module and the central processing module exchange data over a serial link. All data stored on this module have been through the security processing of the method described above. The module uses a storage-type security chip such as the ST23ZL48, whose storage region is itself hardware-encrypted: typically the flash, ROM and RAM regions are protected by hardware wrapping with a built-in fixed key, memory bus scrambling, bus encryption and a strong symmetric cipher. Suppliers of such chips include ST, Infineon and Nationz Technologies.
The present invention is not limited to the above embodiment; any improvement or change to the above embodiment that is obvious to a person skilled in the art falls within the scope of protection of the inventive concept and the appended claims.
Claims (5)
1. A password security management method based on fingerprint authentication, implemented by a password management device, characterised in that it comprises the following steps:
Step 1: the user submits a new password; if this is the user's first use, the user provides a self-chosen identifier UI;
Step 2: the application (APP) side derives from the user identifier UI a value UN that can take part in cryptographic operations, and passes UN to the password management device;
Step 3: key K3 is computed with key derivation algorithm 2, expressed as:
K3 = HASH(UN, Salt, K4)
where HASH is the standard cryptographic hash function SHA1; Salt is a random number in one-to-one correspondence with the UI and F1, used to prevent an attacker from mounting a rainbow-table attack; K4 is a fixed key inside the password management device, and as long as the attacker does not obtain K4, K3 cannot be obtained even with all the other data;
Step 4: a fingerprint F1 is chosen and a fingerprint template FP1 is generated;
Step 5: the fingerprint template FP1 is encrypted with key K3 to obtain the encrypted fingerprint template FP2;
Step 6: with the user and the password management device participating jointly, key K1 is computed with key derivation algorithm 1, expressed as:
K1 = HASH(UN, FP1, Salt, K4)
where HASH is the standard cryptographic hash function SHA1; Salt is a random number in one-to-one correspondence with the UI and F1; K4 is a fixed key inside the password management device;
Step 7: the password record D is encrypted with key K1 to obtain ciphertext D1;
Step 8: ciphertext D1 is encrypted with the built-in key K2 to obtain D2; D2 is stored inside the password management device, and an export/backup interface is provided;
wherein the derivation of UN from UI in step 2 is expressed as:
UN = PBKDF2(UI, count)
where count is chosen so that the computation takes on the order of one second on the target processor, so as to slow down exhaustive search and prevent UN from being guessed; PBKDF2 is a standard cryptographic algorithm whose inputs are a character string and a work-factor parameter; its output UN is one-way, that is, UI cannot be recovered from UN, and the output can be used as a key.
2. A password management device for implementing the method of claim 1, characterised in that the password management device comprises a central processing module, a fingerprint acquisition module, a Bluetooth module, and an encryption and secure storage module; the central processing module is connected to the fingerprint acquisition module, the Bluetooth module and the encryption and secure storage module respectively;
wherein the central processing module is the control and computation centre of the password management device, performs the fingerprint signal data processing and coordinates the work of the other modules.
3. The password management device of claim 2, characterised in that the fingerprint acquisition module captures the user's fingerprint with a capacitive fingerprint sensor and sends the captured fingerprint image to the central processing module.
4. The password management device of claim 2, characterised in that the Bluetooth module uses a Bluetooth 4.0 chip and carries the data transfer between the password management device and external devices.
5. The password management device of any one of claims 2 to 4, characterised in that the encryption and secure storage module uses a storage-type security chip whose storage region is hardware-encrypted, and under the control of the central processing module stores the user's account and password table and performs the encryption and decryption operations.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510449242.3A CN105117658B (en) | 2015-07-28 | 2015-07-28 | Password security management method and device based on fingerprint authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105117658A CN105117658A (en) | 2015-12-02 |
CN105117658B true CN105117658B (en) | 2018-11-30 |
Family
ID=54665642
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510449242.3A Active CN105117658B (en) | Password security management method and device based on fingerprint authentication | 2015-07-28 | 2015-07-28 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105117658B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106127013A (en) * | 2016-08-26 | 2016-11-16 | 广东欧珀移动通信有限公司 | Encryption and decryption method, device and mobile terminal |
CN106548054A (en) * | 2016-10-13 | 2017-03-29 | 北京握奇智能科技有限公司 | Driver-free PIN management method and device for PC and mobile terminals |
CN108334789B (en) * | 2018-01-16 | 2020-09-01 | 维沃移动通信有限公司 | Data transmission method and terminal |
CN108494775B (en) * | 2018-03-26 | 2020-12-15 | 四川长虹电器股份有限公司 | Method for preventing network attack by using legal data or tampering legal data |
CN111064559B (en) * | 2018-10-17 | 2023-09-29 | 中兴通讯股份有限公司 | Key protection method and device |
CN109981285B (en) * | 2019-03-11 | 2020-10-09 | 北京纬百科技有限公司 | Password protection method, password verification method and system |
CN112866996A (en) * | 2020-12-30 | 2021-05-28 | 广东电网有限责任公司 | Electricity card and electric power data transmission system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101282222A (en) * | 2008-05-28 | 2008-10-08 | 胡祥义 | Digital signature method based on CSK |
CN101674299A (en) * | 2009-10-16 | 2010-03-17 | 西安电子科技大学 | Method for generating key based on amalgamation of multiple features in encryption area |
CN102761410A (en) * | 2011-04-25 | 2012-10-31 | 中国移动通信集团安徽有限公司 | Charging call bill collection and processing method and device |
CN103490901A (en) * | 2013-09-30 | 2014-01-01 | 广东南方信息安全产业基地有限公司 | Key generation and distribution method based on a combined key system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8925075B2 (en) * | 2011-11-07 | 2014-12-30 | Parallels IP Holdings GmbH | Method for protecting data used in cloud computing with homomorphic encryption |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105117658B (en) | Password security management method and device based on fingerprint authentication | |
CN100464549C (en) | Method for implementing a secure data storage service | |
US7805615B2 (en) | Asymmetric cryptography with user authentication | |
CN105960775B (en) | Method and apparatus for migrating keys | |
CN105429761B (en) | Key generation method and device | |
CN106953724A (en) | Dynamically encrypting fingerprint sensor and method of dynamically encrypting fingerprint data | |
CN104702604B (en) | Mutual authentication method based on simple logic encryption and timestamp | |
CN203746071U (en) | Security computer based on encrypted hard disk | |
CN103455744B (en) | Data security protection method and system based on vein recognition | |
CN103561034A (en) | Secure file sharing system | |
CN103281194B (en) | Secure lightweight RFID ownership transfer method based on bilinear pairings | |
CN104361267A (en) | Software authorization and protection device and method based on asymmetric cryptographic algorithm | |
CN104915584A (en) | Intelligent mobile terminal random encryption and decryption system based on fingerprint characteristics | |
US10027639B2 (en) | IC chip performing access control based on encrypted ID | |
CN107683582A (en) | Authentication stylus device | |
TW202036343A (en) | Key management method, security chip, service server and information system | |
CN105450419A (en) | Method, device and system | |
CN102255727B (en) | Improved attack-resistant smart card authentication method based on a user-defined algorithm environment | |
TWI476629B (en) | Data security and security systems and methods | |
CN109087102A (en) | Transaction protection robot system based on blockchain | |
CN109961542A (en) | Access control device, verification device, verification system and verification method | |
CN111628864A (en) | Method for secure key recovery using a SIM card | |
US11463251B2 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
CN202711243U (en) | Encrypted removable storage device based on fingerprint authentication | |
CN110492992A (en) | Data encryption and transmission method based on radio-frequency identification | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220106 Address after: 314500 02, No. 4, South Zaoqiang street, No. 1, Nanmen Gongnong Road, Chongfu Town, Tongxiang City, Jiaxing City, Zhejiang Province Patentee after: Jiaxing Zhixu Information Technology Co.,Ltd. Address before: 2b-2258, building 2, dongbeiwangzhongguancun Software Park, Haidian District, Beijing 100094 Patentee before: BEIJING HOUYI TECHNOLOGY Co.,Ltd. |