CN107017994A - Data security verification device - Google Patents
Data security verification device
- Publication number
- CN107017994A
- Authority
- CN
- China
- Prior art keywords
- clock
- key
- data
- public key
- control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0872—Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention discloses a data security verification device. The exterior of the device includes a data transmission interface for the input and output of external data; the interior of the device includes a control public key, and a clock unit and a timestamp key encrypted by an external control private key. The clock unit includes clock information and clock allowable error information. The control public key, timestamp key, clock and clock allowable error use an updatable mechanism: the data to be updated is signed with the external control private key, and the update is performed after the signature is verified with the control public key. The external data undergoes security verification using the timestamp key and the clock unit, and the verification result is output through the data transmission interface. The device can be used in mobile payment terminals and has a high level of information security.
Description
Technical field
The present invention relates to the field of data security, and specifically to a data security verification device.
Background art
As information technology becomes ever more widespread, higher requirements are placed on data security, especially in the field of mobile terminal payment. A mobile terminal requires a very high level of data security and confidentiality, and its verification key needs to be updatable while still being protected against malicious modification. Current verification devices all use a black-box model in which internal data cannot be read or modified, so their range of application is relatively small.
Summary of the invention
To address the above problems, the present invention proposes a data security verification device. The exterior of the device includes a data transmission interface for the input and output of external data; the interior of the device includes a control public key, and a clock unit and a timestamp key encrypted by the external control private key. The clock unit includes clock information and clock allowable error information. The control public key, timestamp key, clock and clock allowable error use an updatable mechanism: the data to be updated is signed with the external control private key, and the update is performed after the signature is verified with the control public key. The external data undergoes security verification using the timestamp key and the clock unit, and the verification result is output through the data transmission interface.
Further, the control public key is updated as follows: the new control public key and the original control private key's signature over the new control public key are input; after the device verifies the signature with the original control public key, it replaces the old control public key with the new control public key.
Further, the timestamp key is updated as follows: the encrypted data of the new timestamp key, produced with the device control public key, and the control private key's signature over the encrypted data are input; after the device verifies the signature with the control public key, it decrypts with the control private key and then updates the timestamp key.
Further, the clock is updated as follows: the new clock data and the control private key's signature over the new clock data are input; after the device verifies the signature with the control public key, it replaces the old clock with the new clock.
Further, the clock allowable error is updated as follows: the clock allowable error is divided into a clock allowable error upper limit and a clock allowable error lower limit; the new clock allowable error information and the control private key's signature over the new clock allowable error information are input; after the device verifies the signature with the control public key, it updates the clock allowable error information.
Further, the verification data includes the external time, dispersion level, dispersion factor, verification data and verification value.
Further, the data security verification steps are:
S1. The outside inputs the verification data through the data transmission interface;
S2. Obtain the clock information of the device's clock unit; on success proceed to S3, on failure jump to S9;
S3. Check whether the input external time is less than the clock allowable error lower limit; if "no" proceed to S4, if "yes" jump to S9;
S4. Check whether the input external time is greater than the clock allowable error upper limit; if "no" proceed to S5, if "yes" jump to S9;
S5. The timestamp key is dispersed according to the dispersion level and dispersion factor, generating the timestamp sub-key;
S6. The timestamp sub-key is used to calculate the MAC over the verification data;
S7. Check whether the MAC is consistent with the input verification value; if "yes" proceed to S8, if "no" jump to S9;
S8. Verification succeeds; the device outputs the result to the outside and jumps back to S1 to loop;
S9. Verification fails; the device outputs the result to the outside and jumps back to S1 to loop.
The beneficial effects of the present invention are:
1. The built-in clock unit and clock update mechanism avoid the risk of the clock being maliciously altered, improve the consistency and accuracy of the system clock, and reduce the difficulty of system integration;
2. The clock unit, key storage and key operations are all built into the black box, improving the security of data verification;
3. The timestamp key is loaded and updated using the device key pair and the control key pair, improving the security of timestamp key distribution;
4. The timestamp key is a symmetric key, which lowers the performance requirements on the verified party's device;
5. The timestamp key supports multi-level dispersion, which suits multi-level key hierarchies and makes it possible to control where data authentication is applied;
6. The time allowable error is configurable and adjustable, improving the applicability of the system.
Brief description of the drawings
Fig. 1 is a structural block diagram of an embodiment of the present invention;
Fig. 2 is the data verification flow chart of an embodiment of the present invention;
Fig. 3 is a diagram of the MAC calculation method of an embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, a data security verification device is designed as a black box. The exterior of the device includes a data transmission interface; the interior includes a clock unit, a control public key and a timestamp key. The clock unit includes clock information and clock allowable error information.
After the device is initialized, it generates an asymmetric key pair internally; the control private key is transmitted to the outside through the data transmission interface, the control public key is retained inside the device, and the control private key can be used to update the internal data. Further, the control public key is updated as follows: the new control public key and the original control private key's signature over the new control public key are input; after the device verifies the signature with the original control public key, it replaces the old control public key with the new control public key. The timestamp key is updated as follows: the encrypted data of the new timestamp key, produced with the device control public key, and the control private key's signature over the encrypted data are input; after the device verifies the signature with the control public key, it decrypts with the control private key and then updates the timestamp key. The clock is updated as follows: the new clock data and the control private key's signature over the new clock data are input; after the device verifies the signature with the control public key, it replaces the old clock with the new clock. The clock allowable error is updated as follows: the clock allowable error is divided into a clock allowable error upper limit and a clock allowable error lower limit; the new clock allowable error information and the control private key's signature over the new clock allowable error information are input; after the device verifies the signature with the control public key, it updates the clock allowable error information.
As shown in Fig. 2, external data is input through the data transmission interface. The external data includes the external time, dispersion level, dispersion factor, verification data and verification value. After verification, the device outputs verification success or verification failure. The specific flow is as follows:
S1. The outside inputs the verification data through the data transmission interface;
S2. Obtain the clock information of the device's clock unit; on success proceed to S3, on failure jump to S9;
S3. Check whether the input external time is less than the clock allowable error lower limit; if "no" proceed to S4, if "yes" jump to S9;
S4. Check whether the input external time is greater than the clock allowable error upper limit; if "no" proceed to S5, if "yes" jump to S9;
S5. The timestamp key is dispersed according to the dispersion level and dispersion factor, generating the timestamp sub-key;
S6. The timestamp sub-key is used to calculate the MAC over the verification data;
S7. Check whether the MAC is consistent with the input verification value; if "yes" proceed to S8, if "no" jump to S9;
S8. Verification succeeds; the device outputs the result to the outside and jumps back to S1 to loop;
S9. Verification fails; the device outputs the result to the outside and jumps back to S1 to loop.
In a preferred embodiment, the timestamp key is a 16-byte 3DES key, and the timestamp sub-key is obtained by a 3DES calculation with the original timestamp key over the 8-byte dispersion level plus the inverted value of the 8-byte dispersion factor. The MAC calculation steps are as follows:
1. Take the 8 hexadecimal bytes 00, 00, 00, 00, 00, 00, 00, 00 as the initial value;
2. Divide the verification data over which the MAC is to be calculated into data blocks of 8 bytes each, labelled D1, D2, ..., Dn. The last data block Dn may be 1 to 8 bytes long;
3. If the last data block is 8 bytes long, append the hexadecimal bytes 80, 00, 00, 00, 00, 00, 00, 00 after it; if the last data block is 7 bytes long, append the hexadecimal byte 80; if the last data block is shorter than 7 bytes, append the hexadecimal byte 80 and then repeatedly append the hexadecimal byte 00 until it reaches 8 bytes;
4. Encrypt the verification data with the corresponding key; the calculation is shown in Fig. 3. XOR the 8-byte initial value with data block D1 to obtain 8 bytes of data, then encrypt those 8 bytes with DES using the left half of the 16-byte key (8 bytes). XOR the resulting 8 encrypted bytes with data block D2 to obtain a new 8 bytes of data, and encrypt the new 8 bytes with DES using the left half of the 16-byte key. Continue in the same way until data block Dn has been XORed in and the final 8 bytes of data have been DES-encrypted with the left half of the 16-byte key. Decrypt the encrypted 8 bytes with DES using the right half of the 16-byte key (8 bytes) to obtain the decrypted data (8 bytes); then encrypt the decrypted data with DES using the left half of the 16-byte key to obtain 8 bytes of encrypted data, and take the first four bytes of the encrypted data as the result. The result is compared with the verification value: if they are consistent, verification succeeds; otherwise verification fails.
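The verification flow S1 to S9 and the MAC calculation described above, as an added Go example that is not code from the patent. All type and function names are hypothetical; the sub-key derivation (one 8-byte factor per level, left half from 3DES of the factor, right half from 3DES of its bitwise inverse) and the reading of the error limits as tolerances in seconds around the device clock are assumptions, because the page does not specify either precisely.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"fmt"
)

// Pad is MAC step 3: append 0x80, then 0x00 up to a multiple of 8 bytes.
func Pad(data []byte) []byte {
	out := append(append([]byte{}, data...), 0x80)
	return append(out, make([]byte, (8-len(out)%8)%8)...)
}

// MAC is steps 1, 2 and 4: DES-CBC under the left key half from a zero initial
// value, then DES-decrypt (right half), DES-encrypt (left half), keep 4 bytes.
func MAC(key [16]byte, data []byte) []byte {
	left, _ := des.NewCipher(key[:8]) // cannot fail: each half is 8 bytes
	right, _ := des.NewCipher(key[8:])
	var x [8]byte
	for p := Pad(data); len(p) > 0; p = p[8:] {
		for i := range x {
			x[i] ^= p[i]
		}
		left.Encrypt(x[:], x[:])
	}
	right.Decrypt(x[:], x[:])
	left.Encrypt(x[:], x[:])
	return x[:4]
}

// Disperse derives the timestamp sub-key (S5). ASSUMPTION, not stated on the
// page: one 8-byte factor per level; each level sets the left half to
// 3DES(key, factor) and the right half to 3DES(key, NOT factor).
func Disperse(master [16]byte, levels int, factors []byte) ([16]byte, bool) {
	key := master
	if len(factors)%8 != 0 || len(factors)/8 != levels {
		return key, false
	}
	for i := 0; i < levels; i++ {
		// crypto/des wants 24 bytes: expand two-key 3DES K1|K2 to K1|K2|K1.
		c, _ := des.NewTripleDESCipher(append(append([]byte{}, key[:]...), key[:8]...))
		inv := make([]byte, 8)
		for j, b := range factors[8*i : 8*i+8] {
			inv[j] = ^b
		}
		c.Encrypt(key[:8], factors[8*i:8*i+8])
		c.Encrypt(key[8:], inv)
	}
	return key, true
}

// Device and Request use hypothetical field names.
type Device struct {
	ClockOK             bool  // false models a failed clock read (S2)
	Clock, Lower, Upper int64 // Unix seconds; tolerance below/above Clock
	TimestampKey        [16]byte
}

type Request struct {
	ExternalTime         int64
	Levels               int
	Factors, Data, Value []byte
}

// Verify follows S2 to S9. ASSUMPTION: the limits are tolerances around Clock.
func Verify(d Device, r Request) bool {
	if !d.ClockOK || r.ExternalTime < d.Clock-d.Lower || r.ExternalTime > d.Clock+d.Upper {
		return false // S2, S3, S4 -> S9
	}
	sub, ok := Disperse(d.TimestampKey, r.Levels, r.Factors) // S5
	return ok && subtle.ConstantTimeCompare(MAC(sub, r.Data), r.Value) == 1 // S6, S7
}

func main() {
	// Constructed sample values, not taken from the patent.
	dev := Device{ClockOK: true, Clock: 1492128000, Lower: 30, Upper: 30, TimestampKey: [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}}
	req := Request{ExternalTime: 1492128010, Levels: 1, Factors: []byte("TERM0001"), Data: []byte("amount=100")}
	sub, _ := Disperse(dev.TimestampKey, req.Levels, req.Factors)
	req.Value = MAC(sub, req.Data)
	ok := Verify(dev, req)
	req.ExternalTime += 3600
	fmt.Println("in window:", ok, "| outside window:", Verify(dev, req))
}
```

The MAC here covers only the verification data, as on the page; the time-window check limits replay only if the external time is itself part of that data.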
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (7)
1. A data security verification device, characterized in that the exterior of the device includes a data transmission interface for the input and output of external data, and the interior of the device includes a control public key, and a clock unit and a timestamp key encrypted by an external control private key; the clock unit includes clock information and clock allowable error information; the control public key, timestamp key, clock and clock allowable error use an updatable mechanism, in which the data to be updated is signed with the external control private key and the update is performed after the signature is verified with the control public key; the external data undergoes security verification using the timestamp key and the clock unit, and the verification result is output through the data transmission interface.
2. The data security verification device according to claim 1, characterized in that the control public key is updated as follows: the new control public key and the original control private key's signature over the new control public key are input; after the device verifies the signature with the original control public key, it replaces the old control public key with the new control public key.
3. The data security verification device according to claim 1, characterized in that the timestamp key is updated as follows: the encrypted data of the new timestamp key, produced with the device control public key, and the control private key's signature over the encrypted data are input; after the device verifies the signature with the control public key, it decrypts with the control private key and then updates the timestamp key.
4. The data security verification device according to claim 1, characterized in that the clock is updated as follows: the new clock data and the control private key's signature over the new clock data are input; after the device verifies the signature with the control public key, it replaces the old clock with the new clock.
5. The data security verification device according to claim 1, characterized in that the clock allowable error is updated as follows: the clock allowable error is divided into a clock allowable error upper limit and a clock allowable error lower limit; the new clock allowable error information and the control private key's signature over the new clock allowable error information are input; after the device verifies the signature with the control public key, it updates the clock allowable error information.
6. The data security verification device according to claim 1, characterized in that the external data includes the external time, dispersion level, dispersion factor, verification data and verification value.
7. The data security verification device according to claim 1 or 6, characterized in that the data security authentication steps are:
S1. The outside inputs the external data through the data transmission interface;
S2. Obtain the clock information of the device's clock unit; on success proceed to S3, on failure jump to S9;
S3. Check whether the input external time is less than the clock allowable error lower limit; if "no" proceed to S4, if "yes" jump to S9;
S4. Check whether the input external time is greater than the clock allowable error upper limit; if "no" proceed to S5, if "yes" jump to S9;
S5. The timestamp key is dispersed according to the dispersion level and dispersion factor, generating the timestamp sub-key;
S6. The timestamp sub-key is used to calculate the MAC over the verification data;
S7. Check whether the MAC is consistent with the input verification value; if "yes" proceed to S8, if "no" jump to S9;
S8. Verification succeeds; the device outputs the result to the outside and jumps back to S1 to loop;
S9. Verification fails; the device outputs the result to the outside and jumps back to S1 to loop.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710245367.3A CN107017994B (en) | 2017-04-14 | 2017-04-14 | Data security verification device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710245367.3A CN107017994B (en) | 2017-04-14 | 2017-04-14 | Data security verification device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107017994A (en) | 2017-08-04 |
CN107017994B (en) | 2020-05-05 |
Family
ID=59448269
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710245367.3A Active CN107017994B (en) | 2017-04-14 | 2017-04-14 | Data security verification device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107017994B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7581093B2 (en) * | 2003-12-22 | 2009-08-25 | Nortel Networks Limited | Hitless manual cryptographic key refresh in secure packet networks |
CN102325320A (en) * | 2011-09-14 | 2012-01-18 | 北京握奇数据系统有限公司 | A kind of wireless security communication means and system |
CN102651747A (en) * | 2012-05-24 | 2012-08-29 | 电子科技大学 | Forward secure digital signature method on basis of unbelievable updating environment |
CN102882858A (en) * | 2012-09-13 | 2013-01-16 | 江苏乐买到网络科技有限公司 | External data transmission method for cloud computing system |
CN103974248A (en) * | 2013-01-24 | 2014-08-06 | 中国移动通信集团公司 | Terminal security protection method, device and system in ability open system |
US20150089238A1 (en) * | 2013-09-20 | 2015-03-26 | Insyde Software Corp. | System and method for verifying changes to uefi authenticated variables |
CN104517257A (en) * | 2013-09-26 | 2015-04-15 | 上海中移通信技术工程有限公司 | Method for manufacturing and verifying anti-counterfeiting digital certificate |
Non-Patent Citations (1)
Title |
---|
Zhang Kewei, Tang Xiaobo: "Secure electronic transaction protocol with timestamps", Application Research of Computers (《计算机应用研究》) * |
Also Published As
Publication number | Publication date |
---|---|
CN107017994B (en) | 2020-05-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||