CN107017994A - A kind of data safety verifies device - Google Patents

A kind of data safety verifies device Download PDF

Info

Publication number
CN107017994A
CN107017994A CN201710245367.3A CN201710245367A CN107017994A CN 107017994 A CN107017994 A CN 107017994A CN 201710245367 A CN201710245367 A CN 201710245367A CN 107017994 A CN107017994 A CN 107017994A
Authority
CN
China
Prior art keywords
clock
key
data
public key
control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710245367.3A
Other languages
Chinese (zh)
Other versions
CN107017994B (en
Inventor
谢振东
苏浩伟
陈欢
温晓丽
袁勇
邹大毕
陈君
郭峰
宋秉麟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Yang Cheng Tong Co Ltd
Original Assignee
Guangzhou Yang Cheng Tong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Yang Cheng Tong Co Ltd filed Critical Guangzhou Yang Cheng Tong Co Ltd
Priority to CN201710245367.3A priority Critical patent/CN107017994B/en
Publication of CN107017994A publication Critical patent/CN107017994A/en
Application granted granted Critical
Publication of CN107017994B publication Critical patent/CN107017994B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0872Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)
  • Small-Scale Networks (AREA)

Abstract

Verified the invention discloses a kind of data safety includes being used for including control public key inside the data transmission interface of input and the output of external data, device outside device, device, and by the clock unit and timestamp key of outside control private key encryption;Described clock unit includes clock information and clock allowable error information, the control public key, timestamp key, clock and clock allowable error are using renewable mechanism, the data for needing to update are signed by outside control private key, and are updated by control public key verifications signature;Described external data carries out safety verification by timestamp key and clock unit, and the result is exported by data transmission interface.The device can be used for Mobile payment terminal, the Information Security with height.

Description

A kind of data safety verifies device
Technical field
The present invention relates to data security arts, specifically a kind of data safety checking device.
Background technology
With the development in epoch, level of informatization more and more higher, the safety for data it is also proposed higher requirement, special It is not in mobile terminal payment field.Mobile terminal needs very high data safety confidentiality, and its authentication secret needs to use Renewable mode can ensure to be attacked by malicious modification.Current checking device is all the pattern using black box, internal number According to non-readable and modification, application is relatively small.
The content of the invention
The present invention is directed to above-mentioned problem, it is proposed that a kind of data safety is verified to be included being used for outside device, device Include control public key inside the data transmission interface of input and the output of external data, device, and by outside control private key encryption Clock unit and timestamp key;Described clock unit includes clock information and clock allowable error information, the control Public key, timestamp key, clock and clock allowable error are using renewable mechanism, the number updated by outside control private key to needs It is updated according to being signed, and by control public key verifications signature;Described external data is by timestamp key and clock unit Safety verification is carried out, the result is exported by data transmission interface.
Further, the described update mode for controlling public key is:The new control public key of input and former control private key are to new The signature of control public key, it is new and old to control public key to be newly control public key after device controls authentication public key by the signature using original.
Further, described timestamp key updating mode is:Input unit controls public key to new timestamp key The signature of encryption data and control private key pair encryption data, it is private with control after device is using authentication public key is controlled by the signature Renewal time stamp key after key decryption.
Further, described clock update mode is:The new clock data of input and control private key are to new clock data Signature, device using control authentication public key by the signature after, update the old times clock be new clock.
Further, described clock allowable error update mode is:Clock allowable error is divided on clock allowable error Limit and clock allowable error lower limit, input the label of new clock allowable error information and control private key to new clock allowable error information Name, after device authentication is using authentication public key is controlled by the signature, refresh clock allowable error information.
Further, described checking data include external time, disperse series, dispersion factor, checking data and checking Value.
Further, described data safety authenticating step is:
S1, outside pass through data transmission interface input validation data;
S2, acquisition device clock unit clock information, obtain successfully progress next step S3, obtain failure and then redirect S9;
Whether S3, the external time of checking input are less than clock allowable error lower limit, and "No" carries out next step S4, and "Yes" is jumped Turn S9;
Whether S4, the external time of checking input are more than the clock allowable error upper limit, and "No" carries out next step S5, and "Yes" is jumped Turn S9;
S5, timestamp key are disperseed according to scattered sum of series dispersion factor, generation time stamp key;
S6, timestamp sub-key calculate MAC to checking data;
Whether S7, checking MAC are consistent with the validation value of input, and "Yes" carries out next step S8, and "No" redirects S9;
S8, it is proved to be successful, device output result redirects S1 circulations to outside;
S9, authentication failed, device output result redirect S1 circulations to outside.
The method have the advantages that:
1st, onboard clock unit and clock update mechanism are passed through, it is to avoid the risk that clock is maliciously altered, when improving system The uniformity and accuracy of clock, reduce the difficulty of the system integration;
2nd, clock unit, key storage and key computing are all built in black box, improve the security of data verification;
3rd, timestamp key use device key pair and control key are loaded and updated to realizing, improve timestamp key hair The security of cloth;
4th, timestamp key uses symmetric key, and reduction is verified the performance requirement of method, apparatus;
5th, timestamp key supports Multistage dispersion, is adapted to multistage key code system, can control the application of data authentication;
6th, it is provided with time allowable error and allows adjustable, the applicability of raising system.
Brief description of the drawings
Fig. 1 is the structured flowchart of the embodiment of the present invention;
Fig. 2 is the data verification flow chart of the embodiment of the present invention;
Fig. 3 is the MAC computational methods figures of the embodiment of the present invention.
Embodiment
Embodiments of the invention are described in detail below in conjunction with accompanying drawing.
As shown in figure 1, a kind of data safety checking device, the device designs for black box, data are included outside the device and are passed Defeated interface, inside includes clock unit, control public key and timestamp key, and described clock unit includes clock information and clock Allowable error information.
After device is initialized, device internal pair production unsymmetrical key pair, control private key is passed by data transmission interface Defeated to retain control public key inside device to outside, control private key can be updated to internal data.Further, described control The update mode of public key processed is:The new control public key of input and former control private key are to the signature of new control public key, and device uses former It is new and old to control public key to be new control public key after authentication public key is controlled by the signature;Described timestamp key updating mode For:Input unit controls public key to the encryption data of new timestamp key and controls the signature of private key pair encryption data, and device makes After authentication public key is controlled by the signature, key is stabbed with renewal time after control private key decryption;Described clock update mode For:The new clock data of input and control private key are to the signature of new clock data, and device, which is used, controls authentication public key to pass through the label After name, it is new clock to update old times clock;Described clock allowable error update mode is:Clock allowable error is divided into clock permission The error upper limit and clock allowable error lower limit, input new clock allowable error information and control private key is believed new clock allowable error The signature of breath, after device authentication is using authentication public key is controlled by the signature, refresh clock allowable error information.
As shown in Fig. 2 external data is inputted by data transmission interface, external data includes external time, disperse series, Dispersion factor, checking data and validation value, export after device checking and are proved to be successful or authentication failed, idiographic flow is as follows:
S1, outside pass through data transmission interface input validation data;
S2, acquisition device clock unit clock information, obtain successfully progress next step S3, obtain failure and then redirect S9;
Whether S3, the external time of checking input are less than clock allowable error lower limit, and "No" carries out next step S4, and "Yes" is jumped Turn S9;
Whether S4, the external time of checking input are more than the clock allowable error upper limit, and "No" carries out next step S5, and "Yes" is jumped Turn S9;
S5, timestamp key are disperseed according to scattered sum of series dispersion factor, generation time stamp key;
S6, timestamp sub-key calculate MAC to checking data;
Whether S7, checking MAC are consistent with the validation value of input, and "Yes" carries out next step S8, and "No" redirects S9;
S8, it is proved to be successful, device output result redirects S1 circulations to outside;
S9, authentication failed, device output result redirect S1 circulations to outside.
In a preferred embodiment, timestamp key use 16 bytes 3DES keys, timestamp sub-key by original when Between stamp key 8 byte disperse series and calculate what is obtained after 3des plus 8 byte dispersion factor inverted values.MAC calculation procedures are as follows:
1st, it is initial value to take 8 16 system numbers 00,00,00,00,00,00,00,00;
2nd, the checking data for calculating MAC will be needed to be divided into the data block that 8 bytes are unit, marked as D1, D2..Dn.Finally Data block Dn be probably 1-8 byte;
If the 3, last data block length is 8, behind plus 16 system numbers 80,00,00,00,00,00,00,00; If last data block length is equal to 7, behind plus 16 system numbers 80;If last data block is less than 7, behind 16 system numbers 80 are added, 16 system numbers 00 of addition are repeated, until reaching 8 bytes;
4th, checking data are encrypted using corresponding secret key, calculating process is as shown in figure 3, by the initial value and D of 8 bytes1Number XOR is carried out according to block and obtains 8 byte datas, recycles 16 byte key left-half DES (being all 8 bytes) to 8 byte numbers According to being encrypted;The obtained byte data of encryption 8 and D2Data block carries out XOR, obtains new 8 byte data, recycles 16 8 new byte datas are encrypted byte key left-half DES;By that analogy until with DnData block XOR, most 8 byte datas obtained eventually are with 16 byte left-half des encryptions;8 byte datas after encryption are with 16 byte right half part DES What (being all 8 bytes) was decrypted arrives ciphertext data (8 byte);16 byte key left-half DES are recycled to ciphertext data It is encrypted, obtains the encryption data of 8 bytes, takes preceding four bytes of encryption data as a result;Resulting result will be with Validation value compares, and unanimously then represents to be proved to be successful, otherwise authentication failed.
The foregoing is only a preferred embodiment of the present invention, but protection scope of the present invention be not limited thereto, Any modifications, equivalent substitutions and improvements made within the spirit and principles of the invention etc., should be included in the present invention's Within protection domain.

Claims (7)

1. a kind of data safety verifies device, it is characterised in that include the input and output for external data outside device Include control public key inside data transmission interface, device, and by the clock unit and timestamp key of outside control private key encryption; Described clock unit include clock information and clock allowable error information, the control public key, timestamp key, clock and when Clock allowable error is signed using renewable mechanism by outside control private key to the data for needing to update, and by control public key Checking signature is updated;Described external data carries out safety verification by timestamp key and clock unit, the result by Data transmission interface is exported.
2. a kind of data safety checking device according to claim 1, it is characterised in that the renewal of described control public key Mode is:The new control public key of input and former control private key use former control authentication public key to the signature of new control public key, device It is new and old to control public key to be new control public key after the signature.
3. a kind of data safety checking device according to claim 1, it is characterised in that described timestamp key updating Mode is:Input unit controls public key to the signature of the encryption data of new timestamp key and control private key pair encryption data, dress After putting using authentication public key is controlled by the signature, key is stabbed with renewal time after control private key decryption.
4. a kind of data safety checking device according to claim 1, it is characterised in that described clock update mode For:The new clock data of input and control private key are to the signature of new clock data, and device, which is used, controls authentication public key to pass through the label After name, it is new clock to update old times clock.
5. a kind of data safety checking device according to claim 1, it is characterised in that described clock allowable error is more New paragon is:Clock allowable error is divided into the clock allowable error upper limit and clock allowable error lower limit, and inputting new clock allows to miss Poor information and control private key are to the signature of new clock allowable error information, and device authentication, which is used, controls authentication public key to pass through the signature Afterwards, refresh clock allowable error information.
6. a kind of data safety checking device according to claim 1, it is characterised in that described external data includes outer Portion's time, disperse series, dispersion factor, checking data and validation value.
7. a kind of data safety checking device according to claim 1 or 6, it is characterised in that described data safety is recognized Demonstrate,proving step is:
S1, outside pass through data transmission interface incoming external data;
S2, acquisition device clock unit clock information, obtain successfully progress next step S3, obtain failure and then redirect S9;
Whether S3, the external time of checking input are less than clock allowable error lower limit, and "No" carries out next step S4, and "Yes" is redirected S9;
Whether S4, the external time of checking input are more than the clock allowable error upper limit, and "No" carries out next step S5, and "Yes" is redirected S9;
S5, timestamp key are disperseed according to scattered sum of series dispersion factor, generation time stamp key;
S6, timestamp sub-key calculate MAC to checking data;
Whether S7, checking MAC are consistent with the validation value of input, and "Yes" carries out next step S8, and "No" redirects S9;
S8, it is proved to be successful, device output result redirects S1 circulations to outside;
S9, authentication failed, device output result redirect S1 circulations to outside.
CN201710245367.3A 2017-04-14 2017-04-14 Data security verification device Active CN107017994B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710245367.3A CN107017994B (en) 2017-04-14 2017-04-14 Data security verification device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710245367.3A CN107017994B (en) 2017-04-14 2017-04-14 Data security verification device

Publications (2)

Publication Number Publication Date
CN107017994A true CN107017994A (en) 2017-08-04
CN107017994B CN107017994B (en) 2020-05-05

Family

ID=59448269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710245367.3A Active CN107017994B (en) 2017-04-14 2017-04-14 Data security verification device

Country Status (1)

Country Link
CN (1) CN107017994B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7581093B2 (en) * 2003-12-22 2009-08-25 Nortel Networks Limited Hitless manual cryptographic key refresh in secure packet networks
CN102325320A (en) * 2011-09-14 2012-01-18 北京握奇数据系统有限公司 A kind of wireless security communication means and system
CN102651747A (en) * 2012-05-24 2012-08-29 电子科技大学 Forward secure digital signature method on basis of unbelievable updating environment
CN102882858A (en) * 2012-09-13 2013-01-16 江苏乐买到网络科技有限公司 External data transmission method for cloud computing system
CN103974248A (en) * 2013-01-24 2014-08-06 中国移动通信集团公司 Terminal security protection method, device and system in ability open system
US20150089238A1 (en) * 2013-09-20 2015-03-26 Insyde Software Corp. System and method for verifying changes to uefi authenticated variables
CN104517257A (en) * 2013-09-26 2015-04-15 上海中移通信技术工程有限公司 Method for manufacturing and verifying anti-counterfeiting digital certificate

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7581093B2 (en) * 2003-12-22 2009-08-25 Nortel Networks Limited Hitless manual cryptographic key refresh in secure packet networks
CN102325320A (en) * 2011-09-14 2012-01-18 北京握奇数据系统有限公司 A kind of wireless security communication means and system
CN102651747A (en) * 2012-05-24 2012-08-29 电子科技大学 Forward secure digital signature method on basis of unbelievable updating environment
CN102882858A (en) * 2012-09-13 2013-01-16 江苏乐买到网络科技有限公司 External data transmission method for cloud computing system
CN103974248A (en) * 2013-01-24 2014-08-06 中国移动通信集团公司 Terminal security protection method, device and system in ability open system
US20150089238A1 (en) * 2013-09-20 2015-03-26 Insyde Software Corp. System and method for verifying changes to uefi authenticated variables
CN104517257A (en) * 2013-09-26 2015-04-15 上海中移通信技术工程有限公司 Method for manufacturing and verifying anti-counterfeiting digital certificate

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张科伟,唐晓波,: ""带有时间戳的安全电子交易协议"", 《计算机应用研究》 *

Also Published As

Publication number Publication date
CN107017994B (en) 2020-05-05

Similar Documents

Publication Publication Date Title
CN105812570B (en) Terminal firmware update method and device
US20180082050A1 (en) Method and a system for secure login to a computer, computer network, and computer website using biometrics and a mobile computing wireless electronic communication device
JP5180678B2 (en) IC card, IC card system and method thereof
US9479329B2 (en) Motor vehicle control unit having a cryptographic device
CN105162797B (en) A kind of mutual authentication method based on video monitoring system
CN108494551A (en) Processing method, system, computer equipment and storage medium based on collaboration key
CN106067205B (en) A kind of gate inhibition's method for authenticating and device
CN101251883B (en) Method for performing safety controllable remote upgrade for software protecting device
CN106357400A (en) Method and system for establishing channel between TBOX terminal and TSP platform
CN106572106A (en) Method of transmitting message between TBOX terminal and TSP platform
CN108471352A (en) Processing method, system, computer equipment based on distributed private key and storage medium
CN105612728B (en) The safe data channel authentication of implicit shared key
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
CN107453880A (en) A kind of cloud secure storage method of data and system
CN104751538A (en) Implementation method for opening access controller, and access control system
CN102868526A (en) Method and system for protecting smart card or universal serial bus (USB) key
CN106506149A (en) Key generation method and system between a kind of TBOX terminals and TSP platforms
CN110351272A (en) A kind of general anti-quantum two-way authentication cryptographic key negotiation method (LAKA)
CN109218025A (en) Method, safety device and security system
CN105307164B (en) A kind of authentication method of wearable device
CN106953731A (en) The authentication method and system of a kind of terminal management person
CN105933117A (en) Data encryption and decryption device and method based on TPM (Trusted Platform Module) key security storage
CN107342865B (en) SM 4-based authentication encryption algorithm
CN105915345A (en) Realization method for authorized production and reform in home gateway device production testing
KR20190112959A (en) Operating method for machine learning model using encrypted data and apparatus based on machine learning model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant