CN108880791A - Cryptographic key protection method, terminal and computer readable storage medium - Google Patents

Cryptographic key protection method, terminal and computer readable storage medium Download PDF

Info

Publication number
CN108880791A
CN108880791A CN201810537651.2A CN201810537651A CN108880791A CN 108880791 A CN108880791 A CN 108880791A CN 201810537651 A CN201810537651 A CN 201810537651A CN 108880791 A CN108880791 A CN 108880791A
Authority
CN
China
Prior art keywords
key
safety chip
private key
stored
unsymmetrical
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810537651.2A
Other languages
Chinese (zh)
Inventor
张育明
潘海清
陈鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZHAOSHANG BANK CO Ltd
China Merchants Bank Co Ltd
Original Assignee
ZHAOSHANG BANK CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZHAOSHANG BANK CO Ltd filed Critical ZHAOSHANG BANK CO Ltd
Priority to CN201810537651.2A priority Critical patent/CN108880791A/en
Publication of CN108880791A publication Critical patent/CN108880791A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of cryptographic key protection methods, are applied to terminal, and the terminal includes equipped with safety chip, this method:When receiving unsymmetrical key generation instruction, unsymmetrical key is generated in safety chip according to preset unsymmetrical key generating algorithm, the unsymmetrical key includes private key;The master key being pre-stored in the safety chip is obtained, the private key is encrypted by the master key and preset Encryption Algorithm, obtains private key ciphertext;The private key ciphertext is stored in the safety chip.The invention also discloses a kind of terminals and a kind of computer readable storage medium.The present invention can be improved the safety that private key is locally stored.

Description

Cryptographic key protection method, terminal and computer readable storage medium
Technical field
The present invention relates to field of information security technology more particularly to cryptographic key protection methods, terminal and computer-readable storage Medium.
Background technique
Digital cash is a kind of sabstitute money of electronic form, can be used for true exchange of goods and service.? In digital cash network, the assets of user refer to that the legal digital cash of user, the transaction needs of legal digital cash are held The private key signature of person, therefore safeguarding of assets is equivalent to the safeguard protection of participant's private key, i.e. the storage safety and visit of protection private key It pays one's respects complete, guarantees that only holder can make signature transaction of private key.
In the prior art, according to private key for user whether trustship, private key memory module can be divided into pipe of boarding at the nursery, part trustship and It is locally stored three kinds.In being locally stored in mode for private key, generally by the user key stored in clear of generation in the piece of terminal Or chip external memory, and it is protected by corresponding security software, however security software there is also by malicious attack can Can, once security software is broken, criminal can will get easily the private key of user, to bring assets to damage to user It goes wrong danger.Thus, the safety that mode is locally stored in existing private key need to be improved.
Summary of the invention
It is a primary object of the present invention to propose a kind of cryptographic key protection method, terminal and computer readable storage medium, purport In the safety that raising private key is locally stored.
To achieve the above object, the present invention provides a kind of cryptographic key protection method, and the cryptographic key protection method is applied to terminal, The terminal is equipped with safety chip, and described method includes following steps:
When receiving unsymmetrical key generation instruction, according to preset unsymmetrical key generating algorithm in safety chip Unsymmetrical key is generated, the unsymmetrical key includes private key;
The master key being pre-stored in the safety chip is obtained, the master key and preset Encryption Algorithm pair are passed through The private key is encrypted, and private key ciphertext is obtained;
The private key ciphertext is stored in the safety chip.
Preferably, described when receiving unsymmetrical key generation instruction, according to preset unsymmetrical key generating algorithm Before the step of generating unsymmetrical key in safety chip, further include:
When receiving master key generation instruction, master key of the random number as the safety chip is generated;
The master key is stored in the safety chip.
Preferably, the unsymmetrical key further includes public key, described that the private key ciphertext is stored in the safety chip In step after, further include:
When receiving the service message by the public key encryption, it is close to read the master being pre-stored in the safety chip Key;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
By, by the service message of the public key encryption, it is bright to obtain corresponding service message described in the private key plaintext decryption Text.
Preferably, described when receiving the service message by the public key encryption, reading is pre-stored in the safety The step of master key in chip includes:
When receiving the service message by the public key encryption, master key read requests are issued to the safety chip, So that the safety chip exports the prompt information for prompting user's input validation information;
The check information for receiving user's input, judges whether the check information is identical as preset check information;
If so, reading the master key pre-saved in the safety chip.
Preferably, the check information is biological characteristic or access password.
Preferably, after the step that the private key ciphertext is stored in the safety chip, further include:
When receiving service message signature command, obtain service message to be signed, and read be pre-stored in it is described Master key in safety chip;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
Abstract is calculated to the service message to be signed, and by the private key in plain text to the message digest being calculated It signs, the service message after being signed.
Preferably, the preset unsymmetrical key generating algorithm is RSA cryptographic algorithms.
Preferably, the preset Encryption Algorithm is Advanced Encryption Standard AES encryption algorithm or DES Cipher Encryption Algorithm.
In addition, to achieve the above object, the present invention also provides a kind of terminal, the terminal includes:Safety chip, storage Device, processor and it is stored in the key protector that can be run on the memory and on the processor, the key is protected The step of shield program realizes cryptographic key protection method as described above when being executed by the processor.
In addition, to achieve the above object, it is described computer-readable the present invention also provides a kind of computer readable storage medium Key protector is stored on storage medium, the key protector realizes key as described above when being executed by processor The step of guard method.
The present invention is when receiving unsymmetrical key generation instruction, according to preset unsymmetrical key generating algorithm in safety Unsymmetrical key is generated in chip, the unsymmetrical key includes private key;Obtain the master being pre-stored in the safety chip Key encrypts the private key by the master key and preset Encryption Algorithm, obtains private key ciphertext;By the private key Ciphertext is stored in the safety chip.The present invention utilizes safety chip by the way that private key for user to be stored in safety chip Master key private key is encrypted, the read-write protection to private key is enhanced, to improve the safety that private key is locally stored.
Detailed description of the invention
Fig. 1 is the terminal structure schematic diagram for the hardware running environment that the embodiment of the present invention is related to;
Fig. 2 is the flow diagram of cryptographic key protection method first embodiment of the present invention;
Fig. 3 is the flow diagram of cryptographic key protection method second embodiment of the present invention;
Fig. 4 is the refinement step schematic diagram of step S40 in Fig. 3;
Fig. 5 is the flow diagram of cryptographic key protection method 3rd embodiment of the present invention.
The embodiments will be further described with reference to the accompanying drawings for the realization, the function and the advantages of the object of the present invention.
Specific embodiment
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not intended to limit the present invention.
The primary solutions of the embodiment of the present invention are:When receiving unsymmetrical key generation instruction, according to preset Unsymmetrical key generating algorithm generates unsymmetrical key in safety chip, and the unsymmetrical key includes private key;It obtains preparatory The master key being stored in the safety chip adds the private key by the master key and preset Encryption Algorithm It is close, obtain private key ciphertext;The private key ciphertext is stored in the safety chip.
In the prior art, according to private key for user whether trustship, private key memory module can be divided into pipe of boarding at the nursery, part trustship and It is locally stored three kinds.In being locally stored in mode for private key, generally by the user key stored in clear of generation in the piece of terminal Or chip external memory, and it is protected by corresponding security software, however security software there is also by malicious attack can Can, once security software is broken, criminal can will get easily the private key of user, to bring assets to damage to user It goes wrong danger.
The present invention carries out private key by the way that private key for user to be stored in safety chip, and using the master key of safety chip Encryption, enhances the read-write protection to private key, to improve the safety that private key is locally stored.
As shown in Figure 1, Fig. 1 is the terminal structure schematic diagram for the hardware running environment that the embodiment of the present invention is related to.
The terminal of that embodiment of the invention can be directly integrated on terminal mainboard equipped with safety chip, the safety chip, It can be equipped in other small memory devices (such as Ukey), connection is established by the USB interface and terminal of small memory device. Wherein, terminal can be PC, and being also possible to smart phone, tablet computer, wearable device, portable computer etc. has display function The packaged type terminal device of energy.
As shown in Figure 1, the terminal may include:Processor 1001, such as CPU, network interface 1004, user interface 1003, memory 1005, communication bus 1002.Wherein, communication bus 1002 is for realizing the connection communication between these components. User interface 1003 may include display screen (Display), input unit such as keyboard (Keyboard), optional user interface 1003 can also include standard wireline interface and wireless interface.Network interface 1004 optionally may include that the wired of standard connects Mouth, wireless interface (such as WI-FI interface).Memory 1005 can be high speed RAM memory, be also possible to stable memory (non-volatile memory), such as magnetic disk storage.Memory 1005 optionally can also be independently of aforementioned processor 1001 storage device.
Preferably, terminal can also include camera, RF (Radio Frequency, radio frequency) circuit, sensor, audio Circuit, WiFi module etc..Wherein, sensor such as optical sensor, motion sensor and other sensors.Specifically, light Sensor may include ambient light sensor and proximity sensor, wherein ambient light sensor can according to the light and shade of ambient light come The brightness of display screen is adjusted, proximity sensor can close display screen and/or backlight when mobile terminal is moved in one's ear.As One kind of motion sensor, gravity accelerometer can detect the size of (generally three axis) acceleration in all directions, quiet Size and the direction that can detect that gravity when only, the application that can be used to identify mobile terminal posture are (such as horizontal/vertical screen switching, related Game, magnetometer pose calibrating), Vibration identification correlation function (such as pedometer, tap) etc.;Certainly, mobile terminal can also match The other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor are set, details are not described herein.
It will be understood by those skilled in the art that the restriction of the not structure paired terminal of terminal structure shown in Fig. 1, can wrap It includes than illustrating more or fewer components, perhaps combines certain components or different component layouts.
As shown in Figure 1, as may include that operating system, network are logical in a kind of memory 1005 of computer storage medium Believe module, Subscriber Interface Module SIM and key protector.
In terminal shown in Fig. 1, network interface 1004 is mainly used for connecting background server, carries out with background server Data communication;User interface 1003 is mainly used for connecting client (user terminal), carries out data communication with client;And processor 1001 can be used for calling the key protector stored in memory 1005, and execute following operation:
When receiving unsymmetrical key generation instruction, according to preset unsymmetrical key generating algorithm in safety chip Unsymmetrical key is generated, the unsymmetrical key includes private key;
The master key being pre-stored in the safety chip is obtained, the master key and preset Encryption Algorithm pair are passed through The private key is encrypted, and private key ciphertext is obtained;
The private key ciphertext is stored in the safety chip.
Further, processor 1001 can call the key protector stored in memory 1005, also execute following Operation:
When receiving master key generation instruction, master key of the random number as the safety chip is generated;
The master key is stored in the safety chip.
Further, the unsymmetrical key further includes public key, and processor 1001 can call to be stored in memory 1005 Key protector, also execute following operation:
When receiving the service message by the public key encryption, it is close to read the master being pre-stored in the safety chip Key;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
By, by the service message of the public key encryption, it is bright to obtain corresponding service message described in the private key plaintext decryption Text.
Further, processor 1001 can call the key protector stored in memory 1005, also execute following Operation:
When receiving the service message by the public key encryption, master key read requests are issued to the safety chip, So that the safety chip exports the prompt information for prompting user's input validation information;
The check information for receiving user's input, judges whether the check information is identical as preset check information;
If so, reading the master key pre-saved in the safety chip.
Further, the check information is biological characteristic or access password.
Further, processor 1001 can call the key protector stored in memory 1005, also execute following Operation:
When receiving service message signature command, obtain service message to be signed, and read be pre-stored in it is described Master key in safety chip;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
Abstract is calculated to the service message to be signed, and by the private key in plain text to the message digest being calculated It signs, the service message after being signed.
Further, the preset unsymmetrical key generating algorithm is RSA cryptographic algorithms.
Further, the preset Encryption Algorithm is Advanced Encryption Standard AES encryption algorithm or data encryption standards Des encryption algorithm.
The specific embodiment of terminal of the present invention and each specific embodiment of following cryptographic key protection methods are essentially identical, herein not It repeats.
Based on above-mentioned hardware configuration, each embodiment of cryptographic key protection method of the present invention is proposed.
It is the flow diagram of cryptographic key protection method first embodiment of the present invention referring to Fig. 2, Fig. 2.The present embodiment key is protected Maintaining method is applied to terminal, the terminal equipped with safety chip, the method includes:
Step S10 is pacifying when receiving unsymmetrical key generation instruction according to preset unsymmetrical key generating algorithm Unsymmetrical key is generated in full chip, the unsymmetrical key includes private key;
The present embodiment safety chip can by the digital assets such as bank trade participant provide, when use safety chip When, user can read and write access by the safety chip processing modules implement of terminal built-in to safety chip.In the safe core In the production process of piece, initialization process can be carried out, that is, generates a master key and is stored in safety chip and store list accordingly In member;Certainly, the master key of safety chip can also receive generation when master key generates instruction in terminal, at this point, step S10 It before may include step:
When receiving master key generation instruction, master key of the random number as the safety chip is generated;By the master Key is stored in the safety chip.
Wherein, master key generates instruction and can be triggered by user by the display interface of terminal, can also be in safety chip Automatic trigger when being first used.In addition, being a random number due to the master key of safety chip and being generated in safety chip, protected It deposits, therefore can guarantee the corresponding unique master key of a safety chip, and master key is not easy to be stolen.
To realize being locally stored for key, when user uses safety chip, oneself can be generated in safety chip Unsymmetrical key, the unsymmetrical key include public key and private key.Specifically, user can be triggered non-by the display interface of terminal Symmetric key generation instruction is generated when terminal, which receives unsymmetrical key, generates instruction according to preset unsymmetrical key Algorithm generates unsymmetrical key in safety chip.Wherein, unsymmetrical key generating algorithm can carry out flexible setting in advance, In one embodiment, the unsymmetrical key generating algorithm is that (one kind is made in e-business RSA cryptographic algorithms extensively at present Rivest, shamir, adelman), the prior art can refer to using the concrete mode that RSA cryptographic algorithms generate unsymmetrical key, this Place does not repeat.
Step S20 obtains the master key that is pre-stored in the safety chip, by the master key and it is preset plus Close algorithm encrypts the private key, obtains private key ciphertext;
After safety chip generates unsymmetrical key, the master key being pre-stored in safety chip is further obtained, and The private key of generation is encrypted by the master key and preset Encryption Algorithm, to obtain private key ciphertext.Wherein, preset to add Close algorithm can be AES (Advanced Encryption Standard, Advanced Encryption Standard) Encryption Algorithm or data encryption Standard DES (Data Encryption Standard, data encryption standards) Encryption Algorithm, naturally it is also possible to be calculated for other encryptions Method, when specific implementation, can flexible settings.
The private key ciphertext is stored in the safety chip by step S30.
After encryption obtains private key ciphertext, i.e., the private key ciphertext is stored in the corresponding storage unit of safety chip, from And realize being locally stored for private key.Signature and the decryption that the private key being locally stored carries out business transaction can be used in subsequent user Deng operation, which includes but is not limited to that the same trade contracts, transfers accounts, remitting money, clearing and quick payment etc..
It should be noted that the present embodiment since user generates in local security chip and save private key, is worked as and is used When family carries out the operation such as trading signature or decryption using private key, there is complete non-repudiation.
In the present embodiment, it when receiving unsymmetrical key generation instruction, is generated and is calculated according to preset unsymmetrical key Method generates unsymmetrical key in safety chip, and the unsymmetrical key includes private key;Acquisition is pre-stored in the safe core Master key in piece encrypts the private key by the master key and preset Encryption Algorithm, obtains private key ciphertext;It will The private key ciphertext is stored in the safety chip.The present embodiment is by the way that private key for user to be stored in safety chip, and benefit Private key is encrypted with the master key of safety chip, enhances the read-write protection to private key, is locally deposited to improve private key The safety of storage.
It further, is the flow diagram of cryptographic key protection method second embodiment of the present invention referring to Fig. 3, Fig. 3.Based on upper Embodiment shown in Fig. 2 is stated, the unsymmetrical key further includes public key, after step S30, can also include:
Step S40, when receiving the service message by the public key encryption, reading is pre-stored in the safety chip In master key;
Step S50 is decrypted the private key ciphertext by the master key, obtains private in the safety chip Key is in plain text;
Step S60, by, by the service message of the public key encryption, obtaining corresponding industry described in the private key plaintext decryption Message be engaged in plain text.
In the present embodiment, when terminal carries out business transaction using safety chip, if terminal is received by client public key The service message of encryption then reads the master key being pre-stored in safety chip first, and in safety chip, passes through the master The private key ciphertext that key pair saves is decrypted, to obtain private key in plain text, in specific decipherment algorithm and above-mentioned first embodiment Used Encryption Algorithm is corresponding, for example, if using AES encryption algorithm for encryption private key before, it is corresponding at this time to use AES encryption Algorithm decrypted private key, it is corresponding at this time to use des encryption algorithm decrypted private key if using des encryption algorithm for encryption private key before; After obtaining private key plaintext, by the private key plaintext decryption by the service message of public key encryption, corresponding business report can be obtained Civilized text.Even if illegal user obtains the service message of encryption as a result, also due to it can not be decrypted without private key, thus It ensure that the safety of service message transmission.
It further, is the refinement step schematic diagram of step S40 in Fig. 3 referring to Fig. 4, Fig. 4.Above-mentioned steps S40 can be into One step includes:
Step S41 issues master key to the safety chip and reads when receiving the service message by the public key encryption Request is taken, so that the safety chip exports the prompt information for prompting user's input validation information;
Step S42, receive user input check information, judge the check information whether with preset check information phase Together;
If so, thening follow the steps S43, the master key pre-saved in the safety chip is read.
In the present embodiment, when terminal receives the service message by the public key encryption, to obtain the private being locally stored Key issues master key read requests to safety chip first to decrypt the service message, so that safety chip output is for prompting The prompt information of user's input validation information, terminal receive user input check information, and judge the check information whether with Preset check information is identical, and if they are the same, then verification passes through, and it is close can to read the master pre-saved in safety chip at this time Key.Wherein, check information can be biological characteristic (such as fingerprint, vocal print, iris) or access password (such as access password), and user It can according to need and default check information is modified at any time.
By the above-mentioned means, ensure that only user can just get master key, and finally obtained by the master key To private key, to enhance the safety that local private key uses.
It further, is the flow diagram of cryptographic key protection method 3rd embodiment of the present invention referring to Fig. 5, Fig. 5.Based on upper The embodiment for stating Fig. 2 can also include after step S30:
Step S70 obtains service message to be signed, and read and protect in advance when receiving service message encrypted instruction There are the master keys in the safety chip;
Step S80 is decrypted the private key ciphertext by the master key, obtains private in the safety chip Key is in plain text;
Step S90 calculates abstract to the service message to be signed, and by the private key in plain text to being calculated Message digest is signed, the service message after being signed.
In the present embodiment, it when terminal carries out business transaction using safety chip, is triggered if terminal is received by user Service message signature command, then obtain service message to be signed first, and read and be pre-stored in the safety chip Master key be decrypted then in safety chip by private key ciphertext of the master key to preservation, it is bright to obtain private key Text, specific decipherment algorithm is corresponding with Encryption Algorithm employed in above-mentioned first embodiment, for example, if being added before using AES Close algorithm for encryption private key, then it is corresponding at this time to use AES encryption algorithm decrypted private key, if private using des encryption algorithm for encryption before Key, then it is corresponding at this time to use des encryption algorithm decrypted private key;After obtaining private key plaintext, first to service message to be signed Abstract is calculated, for example operation can be carried out to service message to be signed by hash algorithm, to obtain message digest, then, It is signed in plain text to the message digest being calculated by private key, thus the service message after being signed, and then should Service message after signature is sent to other service nodes of digital cash network.Hereby it is achieved that being signed to service message Name, the service message sent after signed can regard the behavior that user can not deny as.
In the above process, the specific steps for reading the master key being pre-stored in safety chip can refer to the present invention second Specific steps described in embodiment, do not repeat herein.
The present invention also provides a kind of computer readable storage mediums.
Key protector is stored on computer readable storage medium of the present invention, the key protector is by processor The step of cryptographic key protection method as described above is realized when execution.
Wherein, the key protector run on the processor, which is performed realized method, can refer to the present invention The each embodiment of cryptographic key protection method, details are not described herein again.
It should be noted that, in this document, the terms "include", "comprise" or its any other variant are intended to non-row His property includes, so that the process, method, article or the system that include a series of elements not only include those elements, and And further include other elements that are not explicitly listed, or further include for this process, method, article or system institute it is intrinsic Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including being somebody's turn to do There is also other identical elements in the process, method of element, article or system.
The serial number of the above embodiments of the invention is only for description, does not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can be understood that above-described embodiment side Method can be realized by means of software and necessary general hardware platform, naturally it is also possible to by hardware, but in many cases The former is more preferably embodiment.Based on this understanding, technical solution of the present invention substantially in other words does the prior art The part contributed out can be embodied in the form of software products, which is stored in one as described above In storage medium (such as ROM/RAM, magnetic disk, CD), including some instructions are used so that terminal device (it can be mobile phone, Computer, server, air conditioner or network equipment etc.) execute method described in each embodiment of the present invention.
The above is only a preferred embodiment of the present invention, is not intended to limit the scope of the invention, all to utilize this hair Equivalent structure or equivalent flow shift made by bright specification and accompanying drawing content is applied directly or indirectly in other relevant skills Art field, is included within the scope of the present invention.

Claims (10)

1. a kind of cryptographic key protection method, which is characterized in that the cryptographic key protection method is applied to terminal, and the terminal is equipped with peace Full chip, described method includes following steps:
When receiving unsymmetrical key generation instruction, generated in safety chip according to preset unsymmetrical key generating algorithm Unsymmetrical key, the unsymmetrical key include private key;
The master key being pre-stored in the safety chip is obtained, by the master key and preset Encryption Algorithm to described Private key is encrypted, and private key ciphertext is obtained;
The private key ciphertext is stored in the safety chip.
2. cryptographic key protection method as described in claim 1, which is characterized in that the unsymmetrical key that ought receive generates instruction When, before the step of generating unsymmetrical key in safety chip according to preset unsymmetrical key generating algorithm, further include:
When receiving master key generation instruction, master key of the random number as the safety chip is generated;
The master key is stored in the safety chip.
3. cryptographic key protection method as described in claim 1, which is characterized in that the unsymmetrical key further includes public key, described After the step that the private key ciphertext is stored in the safety chip, further include:
When receiving the service message by the public key encryption, the master key being pre-stored in the safety chip is read;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
By, by the service message of the public key encryption, obtaining corresponding service message in plain text described in the private key plaintext decryption.
4. cryptographic key protection method as claimed in claim 3, which is characterized in that described to receive by the industry of the public key encryption Be engaged in message when, read be pre-stored in the safety chip master key the step of include:
When receiving the service message by the public key encryption, master key read requests are issued to the safety chip, so that The safety chip exports the prompt information for prompting user's input validation information;
The check information for receiving user's input, judges whether the check information is identical as preset check information;
If so, reading the master key pre-saved in the safety chip.
5. cryptographic key protection method as claimed in claim 4, which is characterized in that the check information is biological characteristic or access mouth It enables.
6. cryptographic key protection method as described in claim 1, which is characterized in that described that the private key ciphertext is stored in the peace After step in full chip, further include:
When receiving service message signature command, service message to be signed is obtained, and read and be pre-stored in the safety Master key in chip;
In the safety chip, the private key ciphertext is decrypted by the master key, obtains private key in plain text;
Abstract is calculated to the service message to be signed, and the message digest being calculated is carried out in plain text by the private key Signature, the service message after being signed.
7. such as cryptographic key protection method described in any one of claims 1 to 6, which is characterized in that described preset asymmetric close Key generating algorithm is RSA cryptographic algorithms.
8. cryptographic key protection method as claimed in claim 7, which is characterized in that the preset Encryption Algorithm is superencipherment mark Quasi- AES encryption algorithm or DES Cipher Encryption Algorithm.
9. a kind of terminal, which is characterized in that the terminal includes:Safety chip, memory, processor and it is stored in the storage It is real when the key protector is executed by the processor on device and the key protector that can run on the processor Now such as the step of cryptographic key protection method described in any item of the claim 1 to 8.
10. a kind of computer readable storage medium, which is characterized in that be stored with key guarantor on the computer readable storage medium Program is protected, such as cryptographic key protection described in any item of the claim 1 to 8 is realized when the key protector is executed by processor The step of method.
CN201810537651.2A 2018-05-30 2018-05-30 Cryptographic key protection method, terminal and computer readable storage medium Pending CN108880791A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810537651.2A CN108880791A (en) 2018-05-30 2018-05-30 Cryptographic key protection method, terminal and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810537651.2A CN108880791A (en) 2018-05-30 2018-05-30 Cryptographic key protection method, terminal and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN108880791A true CN108880791A (en) 2018-11-23

Family

ID=64335595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810537651.2A Pending CN108880791A (en) 2018-05-30 2018-05-30 Cryptographic key protection method, terminal and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN108880791A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109768862A (en) * 2019-03-12 2019-05-17 北京深思数盾科技股份有限公司 A kind of key management method, key call method and cipher machine
CN109981665A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 Resource provider method and device, resource access method and device and system
CN109995532A (en) * 2019-04-11 2019-07-09 晏福平 A kind of online management method and system of terminal master key
CN110287736A (en) * 2019-06-28 2019-09-27 李璐昆 A kind of safety mobile terminal system based on safety chip
CN111901312A (en) * 2020-07-10 2020-11-06 山东云海国创云计算装备产业创新中心有限公司 Method, system, equipment and readable storage medium for network access control
CN112149176A (en) * 2020-07-01 2020-12-29 南京中新赛克科技有限责任公司 Key access system and method based on EEPROM
CN112446782A (en) * 2020-11-26 2021-03-05 中电金融设备系统(深圳)有限公司 Method for downloading initial key, computer equipment and storage medium
CN112989370A (en) * 2021-02-09 2021-06-18 腾讯科技(深圳)有限公司 Secret key filling method, system, device, equipment and storage medium
CN113179240A (en) * 2020-09-28 2021-07-27 深圳华智融科技股份有限公司 Key protection method, device, equipment and storage medium
CN114124364A (en) * 2020-08-27 2022-03-01 国民技术股份有限公司 Key security processing method, device, equipment and computer readable storage medium
CN114244505A (en) * 2021-12-09 2022-03-25 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip
WO2022126980A1 (en) * 2020-12-15 2022-06-23 平安科技(深圳)有限公司 Data transmission method and apparatus, terminal, and storage medium
CN115442803A (en) * 2022-09-01 2022-12-06 中国联合网络通信集团有限公司 Information using method, device, equipment and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447407A (en) * 2015-11-11 2016-03-30 中国建设银行股份有限公司 Off-line data encryption method and decryption method and corresponding apparatus and system
CN106301774A (en) * 2015-05-29 2017-01-04 联芯科技有限公司 Safety chip, its encryption key generate method and encryption method
CN107302436A (en) * 2017-07-28 2017-10-27 北京迪曼森科技有限公司 A kind of USB interface id password key
CN107332671A (en) * 2017-08-15 2017-11-07 鼎讯网络安全技术有限公司 A kind of safety mobile terminal system and method for secure transactions based on safety chip
CN107453862A (en) * 2017-05-15 2017-12-08 杭州复杂美科技有限公司 Private key generation storage and the scheme used

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106301774A (en) * 2015-05-29 2017-01-04 联芯科技有限公司 Safety chip, its encryption key generate method and encryption method
CN105447407A (en) * 2015-11-11 2016-03-30 中国建设银行股份有限公司 Off-line data encryption method and decryption method and corresponding apparatus and system
CN107453862A (en) * 2017-05-15 2017-12-08 杭州复杂美科技有限公司 Private key generation storage and the scheme used
CN107302436A (en) * 2017-07-28 2017-10-27 北京迪曼森科技有限公司 A kind of USB interface id password key
CN107332671A (en) * 2017-08-15 2017-11-07 鼎讯网络安全技术有限公司 A kind of safety mobile terminal system and method for secure transactions based on safety chip

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109768862B (en) * 2019-03-12 2019-11-22 北京深思数盾科技股份有限公司 A kind of key management method, key call method and cipher machine
CN109768862A (en) * 2019-03-12 2019-05-17 北京深思数盾科技股份有限公司 A kind of key management method, key call method and cipher machine
CN109981665A (en) * 2019-04-01 2019-07-05 北京纬百科技有限公司 Resource provider method and device, resource access method and device and system
CN109981665B (en) * 2019-04-01 2020-05-26 北京纬百科技有限公司 Resource providing method and device, and resource access method, device and system
CN109995532A (en) * 2019-04-11 2019-07-09 晏福平 A kind of online management method and system of terminal master key
CN110287736A (en) * 2019-06-28 2019-09-27 李璐昆 A kind of safety mobile terminal system based on safety chip
CN112149176A (en) * 2020-07-01 2020-12-29 南京中新赛克科技有限责任公司 Key access system and method based on EEPROM
CN111901312A (en) * 2020-07-10 2020-11-06 山东云海国创云计算装备产业创新中心有限公司 Method, system, equipment and readable storage medium for network access control
CN114124364A (en) * 2020-08-27 2022-03-01 国民技术股份有限公司 Key security processing method, device, equipment and computer readable storage medium
CN114124364B (en) * 2020-08-27 2024-05-24 国民技术股份有限公司 Key security processing method, device, equipment and computer readable storage medium
CN113179240A (en) * 2020-09-28 2021-07-27 深圳华智融科技股份有限公司 Key protection method, device, equipment and storage medium
CN112446782A (en) * 2020-11-26 2021-03-05 中电金融设备系统(深圳)有限公司 Method for downloading initial key, computer equipment and storage medium
CN112446782B (en) * 2020-11-26 2024-07-26 中电金融设备系统(深圳)有限公司 Method for downloading initial key, computer equipment and storage medium
WO2022126980A1 (en) * 2020-12-15 2022-06-23 平安科技(深圳)有限公司 Data transmission method and apparatus, terminal, and storage medium
CN112989370B (en) * 2021-02-09 2023-06-30 腾讯科技(深圳)有限公司 Key filling method, system, device, equipment and storage medium
CN112989370A (en) * 2021-02-09 2021-06-18 腾讯科技(深圳)有限公司 Secret key filling method, system, device, equipment and storage medium
CN114244505A (en) * 2021-12-09 2022-03-25 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip
CN114244505B (en) * 2021-12-09 2024-02-20 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip
CN115442803A (en) * 2022-09-01 2022-12-06 中国联合网络通信集团有限公司 Information using method, device, equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN108880791A (en) Cryptographic key protection method, terminal and computer readable storage medium
US11238139B2 (en) Methods for securely storing sensitive data on mobile device
US10491379B2 (en) System, device, and method of secure entry and handling of passwords
US12067553B2 (en) Methods for locating an antenna within an electronic device
EP3241335B1 (en) Method and apparatus for securing a mobile application
JP6374119B2 (en) Security protocol for integrated near field communication infrastructure
US8656455B1 (en) Managing data loss prevention policies
WO2016115889A1 (en) Method and system for controlling encryption of information and analyzing information as well as terminal
KR20030057565A (en) Anti-spoofing password protection
JP2008269610A (en) Protecting sensitive data intended for remote application
JP2011513839A (en) System and method for conducting wireless money transactions
TW201248409A (en) Security architecture for using host memory in the design of a secure element
US10395232B2 (en) Methods for enabling mobile payments
EP2182457A1 (en) Dynamic PIN verification for insecure environment
JP2011165102A (en) Biometrics authentication system and portable terminal
CN110999254A (en) Securely performing cryptographic operations
WO2016184087A1 (en) Method and system for transmitting information inter-device, source terminal and storage medium
TWM569453U (en) Digital data processing system
TWI672653B (en) Digital data encryption method, digital data decryption method and digital data processing system
JP2024516833A (en) Systems and methods for intertwined authentication of biosensors and biosensor outputs - Patents.com

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181123

RJ01 Rejection of invention patent application after publication