CN107769927B - Method and device for operating intelligent key equipment in MacOSX system - Google Patents

Method and device for operating intelligent key equipment in MacOSX system Download PDF

Info

Publication number
CN107769927B
CN107769927B CN201710940478.6A CN201710940478A CN107769927B CN 107769927 B CN107769927 B CN 107769927B CN 201710940478 A CN201710940478 A CN 201710940478A CN 107769927 B CN107769927 B CN 107769927B
Authority
CN
China
Prior art keywords
module
signature
access device
key
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710940478.6A
Other languages
Chinese (zh)
Other versions
CN107769927A (en
Inventor
陆舟
于华章
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Feitian Technologies Co Ltd filed Critical Feitian Technologies Co Ltd
Priority to CN201710940478.6A priority Critical patent/CN107769927B/en
Publication of CN107769927A publication Critical patent/CN107769927A/en
Application granted granted Critical
Publication of CN107769927B publication Critical patent/CN107769927B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for operating intelligent secret key equipment in a Mac OS X system, and relates to the field of computers. The method comprises the following steps: a security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds a corresponding access device according to the type of the intelligent key equipment, and if not, the security service daemon device continues to wait; when the read data interface is called, the access device reads and packages the certificate and the key information in the intelligent key equipment, and returns the packaged certificate and the packaged key information to the system; when the password checking interface is called, the access device receives a signature certificate and a password transmitted by the system and then verifies whether the password is correct, if so, the access device acquires and stores a signature key according to the signature certificate, otherwise, an error is reported; according to the technical scheme, the access device can be used on the Mac OS X system to enable the system to read the certificate in the intelligent key device, so that the user experience is improved, and the user operation is facilitated.

Description

Method and device for operating intelligent key equipment in MacOSX system
Technical Field
The present invention relates to the field of computers, and in particular, to a method and apparatus for operating a smart key device in a Mac OS X system.
Background
OS X is a proprietary operating system developed by apple for the Mac series of products. OS X is a pre-installed system for apple Mac series products, and is also a Unix-based operating system, comprising two main components: the core name is Darwin, the core name is based on FreeBSD source codes and Mach micro-core, the core is developed by apple and independent developers in a community cooperation mode, the purpose of conciseness is reflected everywhere, and super-strong performance and super-dazzling graphs are provided and the internet standard is supported.
The mutual identity authentication can be effectively completed by the client and the server through the bidirectional authentication, but in the prior art, the certificate of the intelligent key equipment cannot be read and used on a Mac OS X system, so that the bidirectional authentication cannot be performed between the client and the server, the operation of a user is limited, and the user experience is reduced.
Disclosure of Invention
The invention aims to solve the problems in the prior art and provides a method and a device for operating a smart key device in a Mac OS X system.
The technical scheme adopted by the invention is as follows:
in one aspect, the present invention provides a method of operating a smart key device in a Mac OS X system, comprising:
step S1: a security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds a corresponding access device according to the type of the intelligent key equipment, and if not, the security service daemon device continues to wait;
step S2: the access device waits for the system call interface, performs step S3 when the read data interface is called, performs step S4 when the password verification interface is called, and performs step S5 when the signature interface is called;
step S3: the access device reads and packages the certificate and the key information in the intelligent key device, returns the packaged certificate and the packaged key information to the system, and returns to the step S2;
step S4: the access device receives the signature certificate and the password transmitted by the system, verifies whether the password is correct, acquires and stores the signature key according to the signature certificate if the password is correct, and returns to the step S2, otherwise, reports an error;
step S5: the access device judges the current authority, if the current authority is not the user authority, the access device reports an error and returns to the step S2; if the user authority is the user authority, the access device executes pre-signing operation after receiving the signature data transmitted by the system, calls a signature key to sign the signature data, judges whether the signature is successful, returns a signature result to the system if the signature is successful, returns to the step S2, otherwise, reports an error, and returns to the step S2.
In another aspect, the present invention provides an apparatus for operating a smart key device in a Mac OS X system, comprising:
the monitoring module is used for monitoring whether the intelligent secret key equipment is inserted or not by a security service daemon device of the system;
the searching module is used for finding the corresponding access device by the security service daemon device according to the type of the intelligent secret key equipment when the monitoring module monitors that the intelligent secret key equipment is inserted;
the detection module is used for detecting the condition of a system calling interface;
the reading and packaging module is used for reading and packaging the certificate and the key information in the intelligent key device when the detection module detects that the reading data interface is called;
the first returning module is used for returning the certificate and the key information which are packaged by the reading and packaging module to the system and triggering the detection module;
the first receiving module is used for receiving a signature certificate and a password transmitted by the system when the detection module detects that the password verification interface is called;
the first judging module is used for judging whether the password received by the first receiving module is correct or not;
the first obtaining module is used for obtaining and storing the signature key according to the signature certificate received by the receiving module when the first judging module judges that the password is correct;
the error reporting module is used for reporting an error and triggering the detection module when the first judgment module judges that the password is wrong; the second judging module is also used for reporting an error and triggering the detection module when the second judging module judges that the current authority is the user authority; the third judging module is used for reporting an error and triggering the detection module when judging that the signature of the signature module fails;
the second judgment module is used for judging the current authority when the detection module detects that the signature interface is called;
the second receiving module is used for receiving the signature data transmitted by the system when the second judging module judges that the current authority is the user authority;
the pre-signing module is used for performing pre-signing operation on the signature data received by the second receiving module;
the signature module is used for calling a signature key to sign the signature data;
the third judging module is used for judging whether the signature of the signature module is successful or not;
and the second returning module is used for returning a signature result to the system and triggering the detection module when the third judging module judges that the signature of the signature module is successful.
The beneficial effects obtained by the invention are as follows: by adopting the technical method, the access device is utilized on the Mac OS X system, so that the system can read the certificate in the intelligent secret key equipment, and the bidirectional authentication can be carried out between the client and the server, thereby improving the user experience and facilitating the user operation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a diagram illustrating a method for operating a smart key device in a Mac OS X system according to a second embodiment of the present invention;
FIG. 2 is a block diagram of a method for operating a smart key device in a Mac OS X system according to a third embodiment of the present invention;
fig. 3 is a block diagram of an apparatus for operating a smart key device in a Mac OS X system according to a fourth embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The embodiment provides a method for operating a smart key device in a Mac OS X system, where an access device refers to token engineering, and the method includes:
step S1: a security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds a corresponding access device according to the type of the intelligent key equipment, and if not, the security service daemon device continues to wait;
specifically, step S1 is preceded by: registering and installing an access device in an operating system;
further, registering, installing and accessing the device in the operating system specifically includes: judging the system version, if the system version is lower than the preset version, directly copying the access device file into the system, and adding the user authority; and if the system version is not lower than the preset version, copying the files of the access device into the specified directory, and adding the user authority.
Further, before copying the access device file into the designated directory, the method further comprises: judging whether the appointed directory exists or not, and if so, directly adding user authority for the appointed directory; if not, a designated directory is created, the access device files are copied into the designated directory, and then user permissions are added to the designated directory.
Step S2: the access device waits for the system call interface, performs step S3 when the read data interface is called, performs step S4 when the password verification interface is called, and performs step S5 when the signature interface is called;
specifically, step S2 further includes: when the termination interface is called, the access device calls the termination function to terminate the access device, returning to step S2.
When the data encryption interface is called, the access device obtains the identification of the type of the intelligent key equipment, obtains the corresponding encryption function through the identification, calls the encryption function to encrypt the encrypted data after receiving the encryption algorithm and the encrypted data transmitted by the system, and returns to the step S2.
Step S3: the access device reads and packages the certificate and the key information in the intelligent key device, returns the packaged certificate and the packaged key information to the system, and returns to the step S2;
specifically, before executing step S3, the method further includes: the access device acquires the equipment identification of the intelligent secret key equipment, matches the acquired equipment identification with the preset equipment identification, and if the equipment identification is inconsistent with the preset equipment identification, the access device does not support the current intelligent secret key equipment and reports an error; if so, then the access device supports the current smart key device and proceeds to step S3.
Specifically, encapsulating the certificate and key information of the smart key device specifically includes:
step B1: initializing a standard relation model;
specifically, step B1 specifically includes: creating a standard relationship of certificates conforming to the format; a standard relationship for the keys is created.
More specifically, creating a standard relationship of the key specifically includes: creating a standard relation of a private key, and writing in attributes; and creating a standard relationship of the public key, writing the attribute, and returning the public key attribute relationship to the system.
Step B2: and packaging the certificate and the key information according to a standard relation model.
Specifically, step B2 specifically includes: and the access device respectively obtains the relations of the certificate, the public key and the private key from the standard relation model and then packages the certificates according to the standard format.
Step S4: after receiving the signature certificate and the password transmitted by the system, the access device verifies whether the password is correct, if so, the access device acquires and stores the signature key according to the signature certificate, sets the current authority of the access device as the user authority, and returns to the step S2, otherwise, sets the current authority of the access device as the non-user authority and reports an error;
step S5: the access device judges the current authority, if the current authority is not the user authority, the access device reports an error and returns to the step S2; if the user authority is the user authority, the access device executes pre-signing operation after receiving the signature data transmitted by the system, calls a signature key to sign the signature data, judges whether the signature is successful, returns a signature result to the system if the signature is successful, returns to the step S2, otherwise, reports an error, and returns to the step S2.
In step S5, a pre-signature operation is performed, which specifically includes: and the access device receives the signature algorithm transmitted by the system, converts the format of the signature algorithm and recombines the signature data.
Specifically, before the reorganizing the signature data, the method further includes: the header is determined according to a signature algorithm.
The reorganization of the signature data specifically comprises: and the access device adds a data header to the signature data and fills the signature data.
The format of the conversion signature algorithm specifically comprises: converting the character string format of the signature algorithm into a binary format.
Example two
The second embodiment provides a method for operating a smart key device in a Mac OS X system, where the access device refers to token engineering, as shown in fig. 1, including:
step 101: registering and installing the access device;
in this embodiment, the access device file has a specific installation directory in Mac OS X10.10 and the following versions, and the Mac OS X10.10 and the following versions of the installation directory are: System/Library/Security/token/, since Mac OS X10.11 and above, a protection mechanism of SIP (Session Initiation Protocol) is added, an operation/System directory is not allowed, and only the token can be installed in/Library/Security/token/, and an execution right is ensured.
Specifically, the installation method comprises the following steps: judging the System version by executing the installation script, and if the System version is lower than 10.11, directly copying the access device file to a System/Library/Security/token/, and adding user authority for the directory; if the system is 10.11 or more versions, judging whether the/Library/Security/token directory exists or not, and if so, directly adding user rights to the directory; if not, the directory is created and user rights are then added to the directory.
More specifically, in this embodiment, the instruction chmod 755 adds read-write execution permission to the owner of the/Library/Security/token, and the owner group user and other users only have read-write and execution permission, and then copies the access device file to be installed and registered to the/Library/Security/token directory.
Step 102: the security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds out a corresponding access device according to the type of the intelligent key equipment, and step 103 is executed; otherwise, continuing to wait, and returning to the step 102;
step 103: the access device waits for a system call interface, executes step 104 when a read data interface is called, executes step 108 when a password verification interface is called, executes step 110 when a signature interface is called, executes corresponding operation according to the instruction if other interfaces are called, and returns to step 103;
step 104: the access device executes initialization operation;
in this embodiment, the access device calls an initialization function to initialize itself.
Specifically, in this embodiment, the security service daemon device of the system is always in a monitoring state to monitor whether the smart key device is inserted. When the intelligent key device is inserted, a Driver in the intelligent key device is monitored by a security service daemon process, and the security service daemon process automatically traverses all the access devices in a specified access device installation directory.
Specifically, before starting and initializing the access device, the method further includes: the Mac OS X judges whether the intelligent secret key equipment is inserted, if so, the step 101 is executed, otherwise, a failure error code is returned;
step 105: the access device judges whether the access device supports the inserted intelligent key equipment, if so, the relevant information of the intelligent key equipment is obtained, step 106 is executed, otherwise, a failure error code is returned, and step 103 is returned;
in this embodiment, after the access device acquires the identifier of the current smart key device, the acquired device identifier is matched with the preset smart key device identifier, and if the device identifier is not consistent with the preset smart key device identifier, a failure error code is returned to the access device, and the access device exits; if the matching is consistent, a response of successful matching is returned to the access device, which indicates that the access device supports the inserted intelligent key equipment.
Specifically, the identification of the smart key device includes: OEMID, PID, VID, and the like. Wherein OEMID (original Equipment Manufacturer identification) is the original Equipment Manufacturer ID, PID (product ID) is the Manufacturer ID, and VID (Vendor ID) is the supplier ID.
Further, in this embodiment, after it is determined that the access apparatus supports the inserted smart key device, a slot list in the system is obtained, then information of a slot in which the current smart key device is located in the system is obtained, and after information of the current smart key device in the system is obtained, the obtained information of the smart key device is returned to the system;
more specifically, the smart key device information includes: the name of the smart key device.
In this embodiment, the access device loads the MDS resource file by calling the estabilish () function. The MDS resource file defines some relationships and corresponding mode information about the access device, including descriptions of some attributes of the access device, including the name of the access device, the identification of the system, and the like. With this mode information, the application can query its resource files through the system services (MDS) to select a service module appropriate for the current task.
Among them, the Security mechanism used by the Mac OS X system is a Common Data Security Architecture (CDSA), in which CSSM (Common Security Server Manager) is the core of the CDSA. The CSSM records the information of functions, services, authentication, positioning realization, and the like of each module through mds (module Directory services) services. Namely, the system locates the access device through the resource file information of the MDS, and further finds the inserted intelligent key equipment.
Step 106: the access device reads the certificate and the key information of the intelligent key equipment and judges whether the reading is successful, if so, step 107 is executed, otherwise, a failure error code is returned, and the step 103 is returned;
in this embodiment, the access device opens a session between the current smart key device and the slot in which it is currently located, saves the session handle, reads the certificate and key information for the smart key device, and saves the certificate and key information to the associated variables in the access device's engineering if the reading is successful.
Step 107: the access device encapsulates the certificate and key information, and returns to step 103;
in this embodiment, the data format is encapsulated into a data storage library (DL) format using a standard API of the DL format. The CSSM manages meta information of DL format, which describes the data retrieval and storage functions. The application may retrieve useful DL information via the MDS service to provide to the desired service. The DL service is responsible for acquiring and managing the creation and storage of metadata defined with respect to each application program, which acquires corresponding DL data using the CSSM _ DL _ GetDbNames () function.
In this embodiment, the package certificate and the key information specifically include:
step 107-1: initializing a standard relation model;
in this embodiment, initializing the standard relationship model specifically includes: calling a create Standard relationship function to create a Standard relationship which conforms to the SecKeychain layer requirement and relates to the CSSM _ DL _ DB _ RECORD _ X509_ CERTIFICATE CERTIFICATE format; and creating a standard relation of the key, and writing information such as relevant attributes, use cases and the like of the key.
More specifically, the standard relationship of the key is created, specifically: firstly, calling a createKeyRelations function to create a standard relationship of a private key, and writing in attributes; and then, calling a createKeyRelations function to create a standard relationship of the public key, writing the attribute into the standard relationship, and returning the attribute relationship of the public key.
Step 107-2: and packaging the certificate and the key information according to a standard relation model, and establishing association between the public key and the private key.
In this embodiment, in the standard relationship network created by the access device, the relationship examples of CSSM _ DL _ DB _ RECORD _ X509_ CERTIFICATE, CSSM _ DL _ DB _ RECORD _ prior _ KEY and CSSM _ DL _ DB _ RECORD _ PUBLIC _ KEY are respectively obtained, then the stored certificate and KEY object are initialized into a standard RECORD item mode, and are respectively added to the corresponding relationship examples, and a corresponding relationship between one data object and the corresponding RECORD item is established.
It should be noted that, if the object is a certificate object, a correspondence relationship between the certificate object and its CKA _ ID is also established. And traversing the public and private key objects matched with each certificate CKA _ ID, acquiring the relationship record item of the public and private key objects, and establishing an association record between the relationship record item and the relationship record item of the certificate.
In this embodiment, the access device calls the related function to obtain the relationship between the certificate, the public key, and the private key from the initialized standard relationship model, and then packages the certificate, the public key, and the private key according to the standard format.
Step 108: the access device receives the signature certificate transmitted by the system and the password input by the user, verifies whether the password is correct, if yes, executes step 109, otherwise returns a failure error code, and returns to step 103;
in this embodiment, the system provides a user interaction interface through a server agent mechanism for a user to input a password for verification, and after the user inputs the password, the system determines whether the password input by the user is consistent with a password pre-stored in the current intelligent key device, if so, the password verification is successful, and if not, the password verification is unsuccessful.
It should be noted that, when the access device determines that the password is correct, the current authority of the access device is set as the user authority; and when the access device judges that the password is correct, setting the current authority of the access device as the non-user authority, and reporting an error.
Step 109: the access device acquires and stores the signature key according to the signature certificate, and returns to step 103;
step 110: the access device judges the current authority, if the current authority is not the user authority, a failure error code is returned, and the step 103 is returned; if the user authority is the user authority, executing step 111;
step 111: the access device executes pre-signature operation after receiving the signature data transmitted by the system;
in this embodiment, the executing of the pre-signature operation specifically includes: the access device receives the signature algorithm transmitted by the system, converts the format of the signature algorithm and recombines the signature data.
Specifically, since the signature algorithms are diverse, each signature algorithm has a corresponding signature rule and format, and the signature algorithm selected by the system needs to be subjected to format conversion before signature.
Specifically, the string format of the incoming signature algorithm is converted to a binary format.
In general, the signature algorithm is: SHA1, MD5, and the like.
In the embodiment, the data header is determined according to the type of the signature algorithm, the length of the data header is added with the length of the incoming signature data to obtain a new incoming length, and then the data is filled according to the incoming filling pattern to obtain completely new signature data.
For example, the following is the header of sha1 as follows:
Figure BDA0001426853950000111
Figure BDA0001426853950000121
step 112: the access device calls the signing key to sign the incoming signing data, judges whether the signing is successful, returns the signing result and the certificate of the intelligent key equipment if the signing is successful, and returns to the step 103; otherwise, a failure error code is returned, and the step 103 is returned.
Specifically, in the present embodiment, a generic Signature function is called to perform a Signature operation.
In this embodiment, the signing operation is ended, and the signing result is returned to the client browser after the signing result is obtained.
In this embodiment, after the signing operation is finished, the access device returns the read certificate and the signature result to the client browser, and the browser sends the signature result and the certificate of the client to the server for verification.
In this embodiment, the other interfaces include: a termination interface, a data encryption interface, a data decryption interface, and the like.
Specifically, when the termination interface is called, the access device calls a termination function to terminate the access device, and the step 103 is returned to; when the data encryption interface is called, the access device calls an encryption function to encrypt the incoming data, and the step 103 is returned; when the data decryption interface is called, the access device calls a decryption function to decrypt the incoming data, and returns to step 103.
EXAMPLE III
The third embodiment provides a method for operating a smart key device in a Mac OS X system, where the access device refers to token engineering, as shown in fig. 2, including:
step 201: registering and installing the access device;
in this embodiment, the access device has a specific installation directory in Mac OS X10.10 and the following versions, and the Mac OS X10.10 and the following versions of the installation directory are: System/Library/Security/token/, since Mac OS X10.11 and above versions, a protection mechanism of SIP (Session Initiation Protocol) is added, an operation/System directory is not allowed, and only an access device can be installed in/Library/Security/token/, and is ensured to have an execution right.
Specifically, the installation method comprises the following steps: the user selects installation, the System version is judged by executing the installation script, if the System version is lower than 10.11, the access device file is directly copied to/System/Library/Security/token/, if the System version is 10.11 or more, whether the/Library/Security/token directory exists needs to be judged firstly, and if the System version is 10.11 or more, all user rights are directly added to the directory; if not, the directory is created and then all user permissions are added to the directory.
More specifically, in this embodiment, the instruction chmod 755 adds read/write execution permission to the owner of the/Library/Security/access device, and the owner group user and other users only have read and execute permission, and then copies the access device to be installed and registered to the/Library/Security/token directory.
Step 202: the security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds the corresponding access device according to the type of the intelligent key equipment, and executes step 203, otherwise, the security service daemon device continues to wait and returns to step 202;
specifically, in this embodiment, the security service daemon of the system is always in a monitoring state to monitor whether the smart key device is inserted. When the intelligent key device is inserted, the drive file in the intelligent key device can be monitored by the security service daemon device, and the security service daemon device automatically traverses all the access devices in the specified access device installation directory.
Step 203: the access device waits for a system call interface, executes step 204 when a read data interface is called, executes step 210 when a password verification interface is called, executes step 212 when a signature interface is called, executes corresponding operation according to the instruction if other interfaces are called, and returns to step 203;
step 204: the access device executes initialization operation;
in this embodiment, the access device calls an initialization function to initialize itself.
Step 205: the access device judges whether the access device supports the inserted intelligent key equipment, if so, the step 206 is executed, otherwise, a failure error code is returned, and the step 203 is returned;
in this embodiment, after the access apparatus acquires the identifier of the inserted smart key device, the access apparatus matches the acquired device identifier with a preset smart key device identifier, and if the device identifier is not consistent with the preset smart key device identifier, returns a response of failure in matching to the access apparatus, and exits; if so, a response of successful matching is returned to the access device, and step 203 is executed.
Specifically, the obtaining of the identifier of the smart key device obtained by the device identifier function includes: OEMID, PID, VID, and the like. Where OEMID is the original equipment manufacturer identity, PID (product ID) is the manufacturer ID, and VID (Vendor ID) is the supplier ID.
Step 206: acquiring related information of the intelligent key equipment;
further, in this embodiment, after it is determined that the access apparatus supports the inserted smart key device, a slot list in the system is obtained, then information of a slot in which the current smart key device is located in the system is obtained, and after information of the current smart key device in the system is obtained, the obtained information of the smart key device is returned to the system;
more specifically, the smart key device information includes: the name of the smart key device.
In this embodiment, the access device loads the MDS resource file by calling the estabilish () function. The MDS resource file defines some relationships and corresponding mode information about the access device, including descriptions of some attributes of the access device, including the name of the access device, the identification of the system, and the like. With this mode information, the application can query its resource files through the system services (MDS) to select a service module appropriate for the current task.
In this embodiment, the Security mechanism used by the Mac OS X system is CDSA (Common Data Security architecture), where the core of the CDSA is CSSM (Common Security Server Manager). The CSSM module records the function, service, authentication, positioning and other information of each module through MDS (Module Directory services) service. Namely, the system locates the access device through the resource file information served by the MDS system, and further finds the inserted intelligent key equipment.
Step 207: the access device reads the certificate and the key information of the intelligent key equipment, and judges whether the reading is successful, if so, step 208 is executed, otherwise, a failure error code is returned, and the step 203 is returned;
in this embodiment, the access apparatus opens a session between the slot in which the current smart key device is located and the current smart key device, saves a session handle, then starts a search for a token and a session object matching a template, obtains a handle of a data object in the device after the token and the session object matching the template are searched, and obtains one or more attribute values of the object, thereby reading the certificate and key information of the smart key device, and if the reading is successful, saves the certificate and key information into the relevant variables in the engineering of the access apparatus.
Step 208: initializing a standard relation model by the access device;
in this embodiment, the data format is encapsulated into a data storage library (DL) format using a standard API of the DL format. The CSSM manages meta information of DL format, which describes the data retrieval and storage functions. The application may retrieve useful DL information via the MDS to provide to the desired service. DL is responsible for acquiring and managing metadata creation and storage defined with respect to each application program, which acquires corresponding DL data using CSSM _ DL _ GetDb Names () function.
In this embodiment, initializing the standard relationship model specifically includes: the access device calls a standard relation creating function to create a standard relation which accords with the SecKeychain layer requirement and relates to the format of CSSM _ DL _ DB _ RECORD _ X509_ CERTIFICATE CERTIFICATE; and creating a standard relation of the key, and writing information such as relevant attributes, use cases and the like of the key.
More specifically, the standard relationship of the key is created, specifically: firstly, calling a function for creating a key relationship to create a standard relationship of a private key, and writing the standard relationship into an attribute; and then, calling a function for creating a key relationship to create a standard relationship of the public key, writing the attribute into the function, and returning the attribute relationship of the public key.
Step 209: the access device packages the certificate and the key information according to a standard relation model;
in this embodiment, in the standard relationship network created by the access device, the relationship examples of CSSM _ DL _ DB _ RECORD _ X509_ CERTIFICATE, CSSM _ DL _ DB _ RECORD _ prior _ KEY and CSSM _ DL _ DB _ RECORD _ PUBLIC _ KEY are respectively obtained, then the stored certificate and KEY object are initialized into a standard RECORD item mode, and are respectively added to the corresponding relationship examples, and a corresponding relationship between one data object and the corresponding RECORD item is established.
It should be noted that, if the object is a certificate object, a correspondence relationship between the certificate object and its CKA _ ID is also established. And traversing the public and private key objects matched with each certificate CKA _ ID, acquiring the relationship record item of the public and private key objects, and establishing an association record between the relationship record item and the relationship record item of the certificate.
In this embodiment, the access device calls the related function to obtain the relationships between the certificate, the public key, and the private key from the initialized basic model, and then packages the relationships according to the standard relationship model.
Step 210: if yes, executing step 211, otherwise, returning a failure error code, and returning to step 203;
in this embodiment, the system provides a user interaction interface through a server agent mechanism for a user to input a password for verification, and after the user inputs the password, the system determines whether the password input by the user is consistent with a password pre-stored in the current intelligent key device, if so, the password verification is successful, and if not, the password verification is unsuccessful.
It should be noted that, when the access device determines that the password is correct, the current authority of the access device is set as the user authority; and when the access device judges that the password is correct, setting the current authority of the access device as the non-user authority, and reporting an error.
Step 211: the access device obtains and stores the signature key according to the signature certificate, and returns to step 203;
specifically, after the password is verified successfully, the access device acquires and stores the signature key according to the signature certificate.
Step 212: the access device judges the current authority, if the current authority is not the user authority, a failure error code is returned, and the step 203 is returned; if the user authority is the user authority, executing step 213;
step 213: the access device executes pre-signature operation after receiving the signature data transmitted by the system;
the executing of the pre-signature operation specifically includes: converting the format of the transmitted signature algorithm, setting a data header and recombining signature data;
specifically, since the signature algorithms are diverse, each signature algorithm has a corresponding signature rule and format, and the signature algorithm selected by the system needs to be subjected to format conversion before signature.
Specifically, the string format of the incoming signature algorithm is converted to a binary format.
In general, the signature algorithm is: SHA1, MD5, and the like.
In the embodiment, the data header is determined according to the type of the signature algorithm, the length of the data header is added with the length of the incoming signature data to obtain a new incoming length, and then the data is filled according to the incoming filling pattern to obtain completely new signature data.
For example, the following is the header of sha1 as follows:
Figure BDA0001426853950000171
Figure BDA0001426853950000181
step 214: the access device calls the signature key to sign the incoming signature data, judges whether the signature is successful or not, if so, returns the signature result and the certificate of the intelligent key equipment, otherwise, returns a failure error code, and returns to the step 203;
it should be noted that, in this embodiment, the other instructions may include: a pull instruction, a data encryption instruction, a data decryption instruction, etc.
When the intelligent key equipment is pulled out, the access device receives a pull-out instruction which is an instruction sent by a system, and calls a termination function to terminate the process of bidirectional authentication; when the access device receives that the command sent by the system is a data encryption command, the access device calls an encryption function and encrypts the incoming data by using a corresponding encryption algorithm.
Example four
The fourth embodiment provides an apparatus for operating a smart key device in a Mac OS X system, where the access apparatus refers to token engineering, as shown in fig. 3, including:
a monitoring module 401, configured to monitor whether an intelligent key device is inserted into a security service daemon of the system;
a searching module 402, configured to find, when the monitoring module 401 monitors that the smart key device is inserted, the security service daemon device finds a corresponding access device according to the type of the smart key device;
a detection module 403, configured to detect a system call interface condition;
a read encapsulation module 404, configured to read and encapsulate the certificate and the key information in the smart key device when the detection module 403 detects that the read data interface is called;
a first returning module 405, configured to return the certificate and the key information encapsulated by the reading and encapsulating module 404 to the system, and trigger the detecting module 403;
a first receiving module 406, configured to receive a signature certificate and a password that are sent by the system when the detecting module 403 detects that the password verification interface is called;
a first determining module 407, configured to determine whether the password received by the first receiving module 406 is correct;
a first obtaining module 408, configured to, when the first determining module 407 determines that the password is correct, obtain and store a signature key according to the signature certificate received by the receiving module, and set the current authority of the access device as the user authority;
an error reporting module 409, configured to set the current permission of the access device as a non-user permission when the first determining module 407 determines that the password is an error, report the error, and trigger the detecting module 403; the second judging module 410 is further configured to report an error and trigger the detecting module 403 when the second judging module 410 judges that the current right is the non-user right; the third judging module 414 is further configured to report an error and trigger the detecting module 403 when the third judging module 414 judges that the signature of the signature module fails;
a second judging module 410, configured to judge the current permission when the detecting module 403 detects that the signature interface is called;
the second receiving module 411 is configured to receive signature data sent by the system when the second determining module 410 determines that the current right is the user right;
a pre-signing module 412, configured to perform a pre-signing operation on the signature data received by the second receiving module 411;
a signature module 413, configured to invoke a signature key to sign the signature data;
a third determining module 414, configured to determine whether the signature of the signature module 413 is successful;
and a second returning module 415, configured to, when the third determining module 414 determines that the signature of the signature module 413 is successful, return a signature result to the system, and trigger the detecting module 403.
Specifically, the apparatus further comprises: the fourth judging module, the copying module and the adding module;
the fourth judging module is used for judging the system version;
the copying module is used for copying the access device file to the specified directory when the fourth judging module judges that the system version is lower than the preset version;
the adding module is used for adding user permission; and the fourth judging module is used for directly adding the user permission when the system version is judged to be not lower than the preset version.
Specifically, the apparatus further comprises: a fifth judging module;
the fifth judging module is used for judging whether the specified directory exists or not;
the adding module is used for directly adding the user permission to the appointed directory when the fifth judging module judges that the appointed directory exists; the system is also used for adding user authority to the specified directory created by the creation module;
the creating module is used for creating the appointed directory when the fifth judging module judges that the appointed directory exists;
and the copying module is also used for copying the access device file into the specified directory created by the creating module.
The device still includes: a sixth judging module;
and the sixth judgment module is used for judging whether the self supports the inserted intelligent secret key equipment.
Specifically, the sixth determining module includes: an acquisition unit and a judgment unit;
the acquiring unit is used for acquiring the equipment identification of the intelligent secret key equipment;
the judging unit is used for judging whether the equipment identifier acquired by the acquiring unit is consistent with a preset equipment identifier or not;
the error reporting module 409 is further configured to, when the fifth determining module determines that the device identifier obtained by the obtaining unit is inconsistent with the preset device identifier, determine that the access device does not support the inserted smart key device, report an error, and trigger the detecting module 403;
the reading and packaging module 404 is further configured to read and package the certificate and the key information in the smart key device when the fifth determining module determines that the device identifier obtained by the obtaining unit is consistent with the preset device identifier;
further, the read encapsulation module 404 includes: initializing a sub-module and packaging the sub-module;
an initialization submodule, configured to initialize a standard relationship model when the detection module 403 detects that a read data interface is called;
and the packaging submodule is used for packaging the certificate and the key information according to a standard relation model.
Further, the initialization submodule includes: a first creating unit and a second creating unit;
a first creating unit configured to create a standard relationship of a certificate conforming to a format;
and the second creating unit is used for creating the standard relation of the key.
The package sub-module includes: an acquisition unit and a packaging unit;
the acquiring unit is used for respectively acquiring the relation among the certificate, the public key and the private key from the standard relation model;
and the packaging unit is used for packaging the information acquired by the acquisition unit according to a standard format.
Still further, the second creating unit includes: the system comprises a first creating subunit, a second creating subunit and a returning subunit;
the first creating subunit is used for creating a standard relationship of the private key and writing the attribute;
the second creating subunit creates a standard relationship of the public key and writes the attribute into the public key;
and the return subunit is used for returning the public key attribute relationship to the system.
Specifically, the pre-signature module 412 includes: a conversion submodule and a recombination submodule;
the second receiving module 411 is further configured to receive a signature algorithm sent by the system;
a conversion sub-module for converting the format of the signature algorithm received by the second receiving module 411;
more specifically, the conversion submodule is specifically configured to: converting the character string format of the signature algorithm into a binary format.
And the restructuring submodule is configured to restructure the signature data received by the second receiving module 411.
Preferably, the pre-signing module further comprises: determining a submodule;
and a determining submodule, configured to determine the data header according to the signature algorithm received by the second receiving module 411.
Specifically, the reassembly sub-module is specifically configured to add a data header to the signature data and fill the signature data.
Preferably, the apparatus further comprises:
and a termination module, configured to, when the detection module detects that the termination interface is called, call a termination function to terminate the access device, and trigger the detection module 403.
Preferably, the apparatus further comprises:
the second acquisition module is used for acquiring the type identifier of the intelligent key equipment when the detection module detects that the data encryption interface is called, and acquiring a corresponding encryption function through the identifier;
the third receiving module is used for receiving an encryption algorithm and encryption data transmitted by the system;
and the encryption module is configured to call an encryption function to perform encryption operation on the encrypted data, and trigger the detection module 403.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (24)

1. A method of operating a smart key device in a Mac OS X system, comprising:
step S1: a security service daemon device of the system monitors whether the intelligent key equipment is inserted, if so, the security service daemon device finds a corresponding access device according to the type of the intelligent key equipment, and if not, the security service daemon device continues to wait;
step S2: the access device waits for a system call interface, performs step S3 when the read data interface is called, performs step S4 when the password verification interface is called, and performs step S5 when the signature interface is called;
step S3: the access device reads and packages the certificate and the key information in the intelligent key device, returns the packaged certificate and the packaged key information to the system, and returns to the step S2;
step S4: the access device receives the signature certificate and the password transmitted by the system and then judges whether the password is correct, if yes, the access device acquires and stores the signature key according to the signature certificate, sets the current authority of the access device as the user authority, and returns to the step S2; otherwise, setting the current authority of the access device as the non-user authority, reporting an error, and returning to the step S2;
step S5: the access device judges the current authority, if the current authority is the non-user authority, the access device reports an error and returns to the step S2; if the user authority is the user authority, after the access device receives the signature data transmitted by the system, executing pre-signature operation, calling a signature key to sign the signature data, judging whether the signature is successful, if so, returning a signature result to the system, returning to the step S2, otherwise, reporting an error, and returning to the step S2;
the step S1 is preceded by: registering and installing an access device in an operating system;
the device for registering, installing and accessing the operating system specifically comprises: judging the system version, if the system version is higher than the preset version, copying the file of the access device into an appointed directory, and adding user permission; if the system version is lower than the preset version, directly adding user permission;
copying the file of the access device into a specified directory, wherein adding the user authority specifically comprises: judging whether the specified directory exists or not, and if so, directly adding user permission to the specified directory; if the user right does not exist in the designated directory, the designated directory is created, the files of the access device are copied into the designated directory, and the user right is added to the designated directory;
the adding of the user right to the specified directory specifically comprises: and adding read-write execution permission to the owner of the appointed directory through a preset instruction, and adding read-write and execution permission to the owner group user and other users.
2. The method according to claim 1, wherein the step S3 is preceded by: the access device determines whether it supports the inserted smart key device.
3. The method according to claim 2, wherein the access device determines whether it supports the inserted smart key device, specifically: the access device acquires the equipment identifier of the inserted intelligent key equipment, judges whether the acquired equipment identifier is consistent with the equipment identifier preset by the access device, if not, the access device does not support the inserted intelligent key equipment, reports an error and returns to the step S2; if so, the access device supports the inserted smart key device and proceeds to step S3.
4. The method according to claim 1, wherein said encapsulating the certificate and key information within the smart key device specifically comprises:
step B1: initializing a standard relation model;
step B2: and packaging the certificate and the key information according to the standard relation model.
5. The method according to claim 4, wherein the step B1 specifically comprises: creating a standard relationship of certificates conforming to the format; a standard relationship for the keys is created.
6. The method according to claim 5, wherein the creating a standard relationship of the key specifically comprises: creating a standard relation of a private key, and writing in attributes; and creating a standard relationship of the public key, writing the attribute, and returning the public key attribute relationship to the system.
7. The method according to claim 4, wherein the step B2 specifically comprises: and the access device respectively obtains the relations of the certificate, the public key and the private key from the standard relation model and then packages the relations according to a standard format.
8. The method according to claim 1, wherein the performing of the pre-signing operation in step S5 specifically includes: and the access device receives a signature algorithm transmitted by a system, converts the format of the signature algorithm and recombines the signature data.
9. The method of claim 8, wherein said re-assembling said signature data further comprises, prior to said re-assembling said signature data: determining a data header according to the signature algorithm;
the reconstructing the signature data specifically includes: and the access device adds a data header to the signature data and fills the signature data.
10. The method according to claim 8, wherein the converting the format of the signature algorithm is specifically: and converting the character string format of the signature algorithm into a binary format.
11. The method according to claim 1, wherein the step S2 further comprises: when the termination interface is called, the access device calls a termination function to terminate the access device, returning to step S2.
12. The method according to claim 1, wherein the step S2 further comprises: when the data encryption interface is called, the access device obtains the type identifier of the intelligent key device, obtains the corresponding encryption function through the identifier, and after receiving the encryption algorithm and the encryption data transmitted by the system, the access device calls the encryption function to encrypt the encryption data, and the step S2 is returned.
13. An apparatus for operating a smart key device in a Mac OS X system, comprising:
the monitoring module is used for monitoring whether the intelligent secret key equipment is inserted;
the searching module is used for searching a corresponding access device according to the type of the intelligent secret key equipment when the monitoring module monitors that the intelligent secret key equipment is inserted;
the detection module is used for detecting the condition of a system calling interface;
the reading and packaging module is used for reading and packaging the certificate and the key information in the intelligent key device when the detection module detects that the reading data interface is called;
the first returning module is used for returning the certificate and the key information packaged by the reading and packaging module to a system and triggering the detection module;
the first receiving module is used for receiving a signature certificate and a password transmitted by a system when the detection module detects that the password verification interface is called;
the first judging module is used for judging whether the password received by the first receiving module is correct or not;
the first obtaining module is used for obtaining and storing a signature key according to the signature certificate received by the receiving module when the first judging module judges that the password is correct, and setting the current authority of the access device as the user authority;
the error reporting module is used for setting the current authority of the access device as non-user authority when the first judging module judges that the password is wrong, reporting the error and triggering the detection module; the second judging module is also used for reporting an error and triggering the detection module when the second judging module judges that the current authority is the non-user authority; the third judging module is used for reporting an error and triggering the detection module when judging that the signature of the signature module fails;
the second judging module is used for judging the current authority when the detection module detects that the signature interface is called;
the second receiving module is used for receiving signature data transmitted by the system when the second judging module judges that the current authority is the user authority;
the pre-signing module is used for performing pre-signing operation on the signature data received by the second receiving module;
the signature module is used for calling a signature key to sign the signature data;
the third judging module is used for judging whether the signature of the signature module is successful or not;
the second returning module is used for returning a signature result to the system and triggering the detection module when the third judging module judges that the signature of the signature module is successful;
the fourth judging module is used for judging the system version;
the copying module is used for copying the access device file to the specified directory when the fourth judging module judges that the system version is higher than the preset version;
the adding module is used for adding user permission; the fourth judging module is used for directly adding the user permission when the system version is judged to be lower than the preset version;
the device further comprises: a fifth judging module;
the fifth judging module is used for judging whether the specified directory exists or not;
the adding module is used for directly adding user permission to the appointed directory when the fifth judging module judges that the appointed directory exists; the system is also used for adding user authority to the specified directory created by the creation module;
the creating module is used for creating the specified directory when the fifth judging module judges that the specified directory exists;
the copying module is further used for copying the access device file to the specified directory created by the creating module;
the adding module is used for adding a read-write execution permission for an owner of the specified directory through a preset instruction and adding read-write execution permission for the owner of the specified directory and other users when the user permission is added to the specified directory created by the creating module.
14. The apparatus of claim 13, further comprising: a sixth judging module;
and the sixth judging module is used for judging whether the self supports the inserted intelligent secret key equipment.
15. The apparatus of claim 14, wherein the sixth determining module comprises: an acquisition unit and a judgment unit;
the acquiring unit is used for acquiring the equipment identification of the intelligent secret key equipment;
the judging unit is used for judging whether the equipment identifier acquired by the acquiring unit is consistent with a preset equipment identifier or not;
the error reporting module is further configured to, when the determining unit determines that the device identifier acquired by the acquiring unit is inconsistent with a preset device identifier, trigger the detecting module when the access device does not support the inserted smart key device and reports an error;
and the reading and packaging module is further configured to read and package the certificate and the key information in the intelligent key device when the judging unit judges that the device identifier obtained by the obtaining unit is consistent with the preset device identifier.
16. The apparatus of claim 13, wherein the read encapsulation module comprises: initializing a sub-module and packaging the sub-module;
the initialization submodule is used for initializing a standard relation model when the detection module detects that the read data interface is called;
and the packaging submodule is used for packaging the certificate and the key information according to the standard relation model.
17. The apparatus of claim 16, wherein the initialization submodule comprises: a first creating unit and a second creating unit;
the first creating unit is used for creating a standard relation of a certificate conforming to a format when the detection module detects that the read data interface is called;
the second creating unit is used for creating the standard relation of the key.
18. The apparatus of claim 17, wherein the second creating unit comprises: the system comprises a first creating subunit, a second creating subunit and a returning subunit;
the first creating subunit is used for creating a standard relationship of a private key and writing in an attribute;
the second creating subunit creates a standard relationship of the public key and writes the attribute into the second creating subunit;
and the return subunit is used for returning the public key attribute relationship to the system.
19. The apparatus of claim 16, wherein the encapsulation submodule comprises: an acquisition unit and a packaging unit;
the acquiring unit is used for respectively acquiring the relation of the certificate, the public key and the private key from the standard relation model;
and the packaging unit is used for packaging the information acquired by the acquisition unit according to a standard format.
20. The apparatus of claim 13, wherein the pre-signature module comprises: a conversion submodule and a recombination submodule;
the second receiving module is further used for receiving a signature algorithm transmitted by the system;
the conversion submodule is used for converting the format of the signature algorithm received by the second receiving module;
and the restructuring submodule is used for restructuring the signature data received by the second receiving module.
21. The apparatus of claim 20, wherein the pre-signing module further comprises: determining a submodule;
the determining submodule is used for determining a data header according to the signature algorithm received by the second receiving module;
the restructuring submodule is specifically used for adding a data header to the signature data and filling the signature data.
22. The apparatus of claim 20, wherein the conversion submodule is specifically configured to: and converting the character string format of the signature algorithm into a binary format.
23. The apparatus of claim 13, further comprising:
and the termination module is used for calling a termination function to terminate the access device and triggering the detection module when the detection module detects that the termination interface is called.
24. The apparatus of claim 13, further comprising:
the second acquisition module is used for acquiring the type identifier of the intelligent key equipment when the detection module detects that the data encryption interface is called, and acquiring a corresponding encryption function through the identifier;
the third receiving module is used for receiving an encryption algorithm and encryption data transmitted by the system;
and the encryption module is used for calling the encryption function to carry out encryption operation on the encrypted data and triggering the detection module.
CN201710940478.6A 2017-09-30 2017-09-30 Method and device for operating intelligent key equipment in MacOSX system Active CN107769927B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710940478.6A CN107769927B (en) 2017-09-30 2017-09-30 Method and device for operating intelligent key equipment in MacOSX system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710940478.6A CN107769927B (en) 2017-09-30 2017-09-30 Method and device for operating intelligent key equipment in MacOSX system

Publications (2)

Publication Number Publication Date
CN107769927A CN107769927A (en) 2018-03-06
CN107769927B true CN107769927B (en) 2021-11-26

Family

ID=61267908

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710940478.6A Active CN107769927B (en) 2017-09-30 2017-09-30 Method and device for operating intelligent key equipment in MacOSX system

Country Status (1)

Country Link
CN (1) CN107769927B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5781723A (en) * 1996-06-03 1998-07-14 Microsoft Corporation System and method for self-identifying a portable information device to a computing unit
CN1805338A (en) * 2005-01-14 2006-07-19 中兴通讯股份有限公司 Cipher device and its user management method
US8959353B2 (en) * 2009-03-31 2015-02-17 Topaz Systems, Inc. Distributed system for multi-function secure verifiable signer authentication
CN101645124B (en) * 2009-09-03 2012-04-18 飞天诚信科技股份有限公司 Method for unlocking PIN code and intelligent secret key device
CN105117033B (en) * 2015-08-28 2018-03-23 小米科技有限责任公司 The connection method of external equipment and device
CN106250750B (en) * 2016-07-18 2019-08-16 深圳市文鼎创数据科技有限公司 USB device cut-in method and device based on MacOSX system
CN106161037B (en) * 2016-08-19 2019-05-10 北京小米移动软件有限公司 Digital signature method and device

Also Published As

Publication number Publication date
CN107769927A (en) 2018-03-06

Similar Documents

Publication Publication Date Title
TWI665575B (en) Authentication method, device and authentication client
JP5635978B2 (en) Authenticated database connection for applications without human intervention
US7748609B2 (en) System and method for browser based access to smart cards
US20140052993A1 (en) Information operating device, information output device, and information processing method
CN104506487B (en) The credible execution method of privacy policy under cloud environment
US9608966B2 (en) Information handling device, information output device, and recording medium
CN108270739B (en) Method and device for managing encryption information
WO2016127436A1 (en) Data uploading method, device and system
CN114650154B (en) Webpage authority behavior control method and device, computer equipment and storage medium
CN111460410A (en) Server login method, device and system and computer readable storage medium
CN110958239A (en) Method and device for verifying access request, storage medium and electronic device
CN107769927B (en) Method and device for operating intelligent key equipment in MacOSX system
CN113127850A (en) Browser password filling interaction control method and device
CN109088733B (en) Method and device for realizing application expansion of smart card
KR100453504B1 (en) Method and system for authenticating a software
CN117118598A (en) Data sharing method, electronic equipment and computer cluster
CN101917433B (en) Protection system for network remote registration and localized reappearing
US20220078176A1 (en) Method for connecting a computer application to a secure computer resource
JP2022020604A (en) Decentralized electronic contract certification platform
CN111680003B (en) File center system and file management method based on distribution
CN113742696B (en) User login method, device, equipment and medium based on distributed login component
CN111562916B (en) Method and device for sharing algorithm
US20230291577A1 (en) Apparatus and method for managing data certificates in an icn network
CN116186645A (en) Product authorized deployment method and device based on containerization
CN114189527A (en) Information synchronization method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant