CN110166236A - Cipher key processing method, device and system and electronic equipment - Google Patents

Info

Publication number: CN110166236A
Authority: CN (China)
Prior art keywords: key, memory module, module, components, key components
Legal status: Granted
Application number: CN201910470792.1A
Other languages: Chinese (zh)
Other versions: CN110166236B (en)
Inventors: 赵波, 林峰, 姜晓新
Current Assignee: BEIJING ZHONGJINGUOXIN TECHNOLOGY Co Ltd
Original Assignee: BEIJING ZHONGJINGUOXIN TECHNOLOGY Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The present invention provides a key processing method: when the crypto module receives an operation instruction sent by a user, it triggers the security chip to perform an operation on a preset first key component and second key component to obtain a key-encrypting key, and uses the key-encrypting key to execute the operation type corresponding to the operation instruction. Because the user key is operated on with the key-encrypting key and saved in ciphertext form, the risk that a leaked user key can be used directly is reduced. In the key processing system corresponding to the method, a protective coating keeps the security chip and the conductive unit in the crypto module from being damaged. By applying the method provided by the present invention and the corresponding key processing system, the user keys stored in the crypto module are protected, the risk that a leaked user key can be used directly is reduced, and the robustness and stability of the security system are improved.

Description

Cipher key processing method, device and system and electronic equipment
Technical field
The present invention relates to the field of information security technology, and in particular to a key processing method, device and system, and electronic equipment.
Background art
With the rapid development of the Internet and the continuous advance of informatization, the digital industry is developing rapidly in China and around the world, and all sectors of society increasingly use the Internet to transmit information, exchange data, negotiate transactions, and so on. The Internet is a double-edged sword: while it brings great convenience to our lives, the data and information transmitted over it are constantly exposed to the risk of being stolen or modified by criminals, so people attach increasing importance to the confidentiality and security of transmitted data and information.
To prevent transmitted information and data from being modified or stolen by criminals, users of an encryption system usually encrypt the data and information to be transmitted with a key stored in the security chip of the crypto module and transmit it as ciphertext; after receiving the ciphertext, the recipient decrypts it with the corresponding key stored in the security chip, which reduces the likelihood of data leakage and the risk of data theft. The user key is the core of data transmission, yet it is usually stored in the security chip of the encryption system in plaintext. The crypto module is the core of the entire encryption system: once a criminal cracks the security chip and obtains the user key stored in it, the user's data is leaked and the stability and robustness of the entire encryption system are directly undermined.
Summary of the invention
In view of this, embodiments of the present invention provide a key processing method that processes the keys stored in the security chip so that user keys are stored encrypted, which reduces the probability of user key leakage and improves the stability and robustness of the entire encryption system.
The present invention also provides a key processing device to ensure that the above method can be implemented and applied in practice.
To achieve the above object, embodiments of the present invention provide the following technical solutions:
A key processing method, applied to a security chip, comprising:
when the crypto module receives an operation instruction sent by a user, obtaining a first key component and a second key component preset in the security chip, and performing an operation on the first key component and the second key component according to a preset algorithm to generate a key-encrypting key;
obtaining the operation information in the operation instruction, and determining the operation type corresponding to the operation instruction according to the operation information;
if the operation type corresponding to the operation instruction is an encryption operation, determining the first user key in the operation instruction, encrypting the first user key with the key-encrypting key to generate a first key ciphertext, and inputting the first key ciphertext into the crypto module to be saved;
if the operation type corresponding to the operation instruction is a decryption operation, determining the second key ciphertext in the crypto module that corresponds to the operation instruction, decrypting the second key ciphertext with the key-encrypting key to obtain the second user key in the second key ciphertext, and outputting the second user key to the crypto module.
In the above method, optionally, the process of setting the first key component and the second key component comprises:
when the crypto module is initialized, receiving a key generation instruction sent by the crypto module, and generating a key-encrypting key using a preset generation algorithm;
performing an operation on the key-encrypting key using a preset function to generate three key components, and saving the three key components respectively to a pre-established external memory module and to the first memory module and the second memory module in the security chip; wherein the key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the external memory module is the third key component.
In the above method, optionally, the method further comprises:
when the security chip restarts after a power-down, judging whether the key component saved in the first memory module exists;
when the key component in the first memory module does not exist, determining whether the key component in the external memory module needs to be obtained;
when the key component in the external memory module needs to be obtained, triggering the crypto module to communicate with the external memory module to obtain the key component saved in the external memory module;
saving the key component obtained from the external memory module to the first memory module as the new first key component.
In the above method, optionally, saving the three key components respectively to the pre-established external memory module and to the first memory module and the second memory module in the security chip comprises:
randomly selecting two of the three key components, sending the two selected key components to the security chip, and triggering the security chip to save the two key components, in random order, to the first memory module and the second memory module respectively;
sending the remaining key component to the pre-established external memory module, and triggering the external memory module to save the received key component.
A key processing device, comprising:
an operation unit, configured to, when the crypto module receives an operation instruction sent by a user, obtain the first key component and the second key component preset in the security chip, and perform an operation on the first key component and the second key component according to a preset algorithm to generate a key-encrypting key;
an acquiring unit, configured to obtain the operation information in the operation instruction and determine the operation type corresponding to the operation instruction according to the operation information;
an encryption unit, configured to, if the operation type corresponding to the operation instruction is an encryption operation, determine the first user key in the operation instruction, encrypt the first user key with the key-encrypting key to generate a first key ciphertext, and input the first key ciphertext into the crypto module to be saved;
a decryption unit, configured to, if the operation type corresponding to the operation instruction is a decryption operation, determine the second key ciphertext in the crypto module that corresponds to the operation instruction, decrypt the second key ciphertext with the key-encrypting key to obtain the second user key in the second key ciphertext, and output the second user key to the crypto module.
The above device, optionally, further comprises:
a generation unit, configured to, when the crypto module is initialized, receive the key generation instruction sent by the crypto module and generate a key-encrypting key using a preset generation algorithm;
a first storage unit, configured to perform an operation on the key-encrypting key using a preset function to generate three key components, and save the three key components respectively to the pre-established external memory module and to the first memory module and the second memory module in the security chip; wherein the key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the external memory module is the third key component.
The above device, optionally, further comprises:
a judging unit, configured to, when the security chip restarts after a power-down, judge whether the key component saved in the first memory module exists;
a determination unit, configured to, when the key component in the first memory module does not exist, determine whether the key component in the external memory module needs to be obtained;
a communication unit, configured to, when the key component in the external memory module needs to be obtained, trigger the crypto module to communicate with the external memory module to obtain the key component saved in the external memory module;
a second storage unit, configured to save the key component obtained from the external memory module to the first memory module as the new first key component.
In the above device, optionally, the first storage unit comprises:
a first saving subunit, configured to randomly select two of the three key components, send the two selected key components to the security chip, and trigger the security chip to save the two key components, in random order, to the first memory module and the second memory module respectively;
a second saving subunit, configured to send the remaining key component to the pre-established external memory module and trigger the external memory module to save the received key component.
A key processing system, comprising:
a crypto module and an external memory module;
the crypto module comprises: a security chip, a power supply switching circuit, a protective coating and a conductive unit;
the security chip is configured to execute the key processing method described above;
the power supply switching circuit is configured to switch the security chip's power supply to the external power supply when the main power supply fails, so as to guarantee normal power supply to the security chip;
the conductive unit is configured to connect the security chip to the power supply;
the protective coating is configured to protect the conductive unit and the security chip; when the protective coating is damaged, the conductive unit is damaged, the security chip is then in a power-down state, and the key component stored in the first memory module of the security chip is lost.
An electronic device, characterized by comprising a memory and one or more instructions, wherein the one or more instructions are stored in the memory and are configured to be executed by one or more processors to perform the key processing method described above.
Compared with the prior art, the present invention has the following advantages:
The present invention provides a key processing method: when the crypto module receives an operation instruction sent by a user, the first key component and the second key component preset in the security chip are obtained and operated on according to a preset algorithm to generate a key-encrypting key; the operation information in the operation instruction is obtained, and the operation type corresponding to the operation instruction is determined according to the operation information. If the operation type is an encryption operation, the first user key in the operation instruction is determined and encrypted with the key-encrypting key to obtain a first key ciphertext, which is saved. If the operation type is a decryption operation, the second key ciphertext corresponding to the decryption operation is obtained and decrypted with the key-encrypting key to obtain the second user key in the second key ciphertext, and the second user key is output to the crypto module. By applying the method provided by the present invention, the user key is processed and saved in ciphertext form, which reduces the risk that a stolen user key can be used directly and improves the robustness and stability of the security system.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart of a key processing method provided by the present invention;
Fig. 2 is another flowchart of a key processing method provided by the present invention;
Fig. 3 is a structural diagram of a key processing device provided by the present invention;
Fig. 4 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In this application, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The present invention can be applied in numerous general-purpose or special-purpose computing device environments or configurations, for example: personal computers, server computers, multiprocessor devices, distributed computing environments including any of the above devices or equipment, and so on.
An embodiment of the present invention provides a key processing method that can be applied in the crypto module of a computer or server security system; the executing entity can be the security chip of the crypto module in the security system. By applying this method, the user key is processed differently under different execution conditions. The flowchart of the method is shown in Fig. 1, and the method specifically includes:
S101: when the crypto module receives an operation instruction sent by a user, obtain the first key component and the second key component preset in the security chip, and perform an operation on the first key component and the second key component according to a preset algorithm to generate a key-encrypting key.
In the method provided by the embodiment of the present invention, when the crypto module is in its normal working state, that is, the crypto module can provide external services such as encryption, decryption, signing and signature verification, and the crypto module has not been damaged, then on receiving an operation instruction sent by a user, the crypto module triggers its security chip to obtain the first key component and the second key component preset in the security chip and to operate on them according to a preset algorithm to obtain the key-encrypting key.
S102: obtain the operation information in the operation instruction, and determine the operation type corresponding to the operation instruction according to the operation information.
In the method provided by the embodiment of the present invention, the operation instruction is parsed to obtain a parsing result that includes the operation information in the operation instruction; the operation type corresponding to the operation instruction is determined according to the operation information, and the corresponding operation is executed.
S103: if the operation type corresponding to the operation instruction is an encryption operation, determine the first user key in the operation instruction, encrypt the first user key with the key-encrypting key to generate a first key ciphertext, and input the first key ciphertext into the crypto module to be saved.
In the method provided by the embodiment of the present invention, when the operation type is an encryption operation, the first user key contained in the operation instruction is obtained and encrypted with the key-encrypting key to generate a first key ciphertext, which is input into the crypto module to be saved. It should be noted that when the first user key is encrypted and the first key ciphertext is generated, the generated first key ciphertext carries an identification number associated with the first user key; the identification number can be the unique identity number of the first user key. For example, if the identity number of the first user key is A, the generated first key ciphertext carries identification number A, indicating that the first key ciphertext corresponds to the first user key.
S104: if the operation type corresponding to the operation instruction is a decryption operation, determine the second key ciphertext in the crypto module that corresponds to the operation instruction, decrypt the second key ciphertext with the key-encrypting key to obtain the second user key in the second key ciphertext, and output the second user key to the crypto module.
In the method provided by the embodiment of the present invention, when the operation type is a decryption operation, the operation instruction is parsed to obtain the identification number of the key ciphertext contained in it, and the key ciphertext in the crypto module that corresponds to the identification number is determined. For example, if the identification number of the key ciphertext contained in the operation instruction is B, and identification number B is associated with the identification number of the second user key, then the key ciphertext carrying identification number B is looked up in the ciphertext memory module in which the crypto module stores key ciphertexts; the key ciphertext carrying identification number B is the ciphertext of the second user key. The second user key ciphertext is decrypted with the key-encrypting key to obtain the second user key, and the second user key is output to the crypto module to be used for encrypting or decrypting communication data.
In the method provided by the embodiment of the present invention, the user key is encrypted with the key-encrypting key and saved as ciphertext, or the ciphertext corresponding to the user key is operated on with the key-encrypting key to obtain the user key. Applying this method reduces the risk that a leaked user key can be used directly and improves the stability and robustness of the encryption system.
In the method provided by the embodiment of the present invention, the key-encrypting key is obtained by operating on the first key component and the second key component in the security chip. The flowchart of the method for setting the first key component and the second key component is shown in Fig. 2 and is described in detail below:
S201: when the crypto module is initialized, receive the key generation instruction sent by the crypto module, and generate a key-encrypting key using a preset generation algorithm.
In the method provided by the embodiment of the present invention, after the crypto module leaves the factory, the manufacturer initializes it: the crypto module generates a key generation instruction and sends it to the security chip in the crypto module. After receiving the key generation instruction, the security chip generates a key-encrypting key according to the preset generation algorithm; the key-encrypting key can be a string of random numbers, and the preset generation algorithm can be any random number generation algorithm.
S202: perform an operation on the key-encrypting key using a preset function to generate three key components, and save the three key components respectively to the pre-established external memory module and to the first memory module and the second memory module in the security chip; wherein the key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the external memory module is the third key component.
In the method provided by the embodiment of the present invention, after the key-encrypting key is generated, a preset function is used to operate on it to generate three key components. It should be noted that the preset function can be based on the Lagrange interpolation formula; the specific generation process can follow the detailed procedure below:
Assume the key-encrypting key is denoted by S; the key-encrypting key can be a 16-byte random number. (t-1) elements a_i (i = 1, 2, ..., t-1) are randomly selected in the finite field GF(p) to form a polynomial of degree (t-1), where p is a large prime with p > 2^L, L is the bit length of S, and each a_i can be a 32-byte random number. The key-encrypting key is S = f(0) = a0. n key components S_r are generated, where r = 1, 2, ..., n; each S_r, together with p, is then securely sent to the corresponding memory module to be saved. Taking the (2,3) threshold as an example, the key components are generated as follows:
Key component: S1 = f(1) = (a0 + a1*1) mod p;
Key component: S2 = f(2) = (a0 + a1*2) mod p;
Key component: S3 = f(3) = (a0 + a1*3) mod p;
It should be noted that after the threshold technique is applied to the key-encrypting key to generate three key components, two of the three key components are randomly selected and are stored, in random order, in the first memory module and the second memory module of the security chip respectively; the remaining key component is sent to the pre-established external memory module, which is triggered to save the received key component. The key component stored in the first memory module of the security chip is the first key component, the one stored in the second memory module of the security chip is the second key component, and the one stored in the external memory module is the third key component.
In the method provided by the embodiment of the present invention, when the crypto module receives an operation instruction sent by a user, the two key components stored in the security chip, namely the first key component and the second key component, are obtained and operated on to generate the key-encrypting key. To illustrate how the key-encrypting key is generated, the specific calculation process is given here:
Given any t key components S_r (r = 1, 2, ..., t) and p, the key-encrypting key S can be recovered using the Lagrange interpolation polynomial formula. Taking the key components f(2) and f(3) of the (2,3) threshold and p as an example:
S = f(0) = (f(2) * L1(x) + f(3) * L2(x)) mod p;
With the calculation process listed above, the key-encrypting key can be calculated from the first key component and the second key component. It should be noted that in the present invention two key components are used to generate the key-encrypting key; in practical applications, generation of the key-encrypting key is not limited to using only two key components, and three key components can also be used.
In the method provided by the embodiment of the present invention, when the crypto module is damaged or loses power, the key component stored in the first memory module of the security chip is lost. After the crypto module is powered on and restarted, the key-encrypting key is needed to restore the crypto module to its normal working state; because the key component stored in the first memory module of the security chip has been lost, the key-encrypting key cannot be generated and the module cannot work normally. At this point, the key component stored in the external memory module needs to be imported into the security chip of the crypto module: the key component obtained from the external memory module is saved to the first memory module of the security chip as the new first key component, and the new first key component and the second key component can then be used to generate the key-encrypting key so that the crypto module can work normally. This reduces the risk of the crypto module losing user keys and reduces the user's loss.
It should be noted that when the security chip restarts after a power-down, it is judged whether the key component saved in the first memory module exists. When it does not exist, it is determined whether the user needs to obtain the key component in the external memory module. When the user confirms that the key component in the external memory module needs to be obtained, the crypto module is connected to the external memory module through an interface for communication; the crypto module is triggered to obtain, through the interface, the key component saved in the external memory module, and the obtained key component is saved to the first memory module of the security chip as the new first key component. When the user confirms that the crypto module does not need to obtain a new key component, the crypto module does not connect to or communicate with the external memory module.
It should be noted that, in the method provided by the embodiment of the present invention, when the crypto module is powered on and restarted after being damaged or losing power and receives an operation instruction sent by a user, it is judged whether the key component saved in the first memory module of the security chip in the crypto module exists; if it does not exist, it is confirmed whether the key component in the external memory module needs to be obtained; when it does, the crypto module is connected to the external memory module through the interface for communication, to obtain the key component stored in the external memory module.
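The (2,3) threshold split, the two-component recovery and the power-down restore described above, as an added Python example that is not part of the patent. The prime `P`, the `SecurityChip` class and all function names are assumptions made for illustration; the key and its components are generated inside the example.

```python
import secrets

# Assumption: the page only requires a large prime p > 2^L (L = bit length of S).
# 2**255 - 19 is a known prime and exceeds 2**128 for a 16-byte key-encrypting key.
P = 2**255 - 19
KEK_LEN = 16


def split_kek(kek, n=3, t=2, p=P):
    """Return n key components (r, f(r) mod p); any t of them recover kek."""
    a0 = int.from_bytes(kek, "big")          # S = f(0) = a0
    if not (2 <= t <= n < p) or a0 >= p:
        raise ValueError("bad threshold parameters or key too large for p")
    coeffs = [a0] + [secrets.randbelow(p) for _ in range(t - 1)]
    components = []
    for r in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation of f(r) mod p
            y = (y * r + c) % p
        components.append((r, y))            # the index r must be kept with S_r
    return components


def recover_kek(components, p=P, length=KEK_LEN):
    """Lagrange interpolation at x = 0 over GF(p)."""
    xs = [x for x, _ in components]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate key component index")
    s = 0
    for xj, yj in components:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        s = (s + yj * num * pow(den, -1, p)) % p
    if s >= 1 << (8 * length):
        raise ValueError("components do not reconstruct a valid key")
    return s.to_bytes(length, "big")


class SecurityChip:
    """Hypothetical model of the chip's two memory modules."""

    def __init__(self):
        self.first = None    # lost on power-down or when the coating is breached
        self.second = None   # survives power-down

    def provision(self):
        """Generate the KEK, split it, keep two components, return the third."""
        components = split_kek(secrets.token_bytes(KEK_LEN))
        secrets.SystemRandom().shuffle(components)   # random choice and placement
        self.first, self.second, external = components
        return external                              # goes to the external memory module

    def power_down(self):
        self.first = None

    def restore(self, external_component):
        self.first = external_component              # becomes the new first key component

    def derive_kek(self):
        if self.first is None:
            raise RuntimeError("first key component missing; import the external component")
        return recover_kek([self.first, self.second])


def power_cycle_demo():
    """Return (kek unchanged after restore, chip refused to derive while one component short)."""
    chip = SecurityChip()
    external = chip.provision()
    before = chip.derive_kek()
    chip.power_down()
    try:
        chip.derive_kek()
        locked = False
    except RuntimeError:
        locked = True
    chip.restore(external)
    return chip.derive_kek() == before, locked
```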
It should be noted that, corresponding to the above method, an embodiment of the invention also provides a key handling system to support the implementation of the cipher key processing method. The specific composition of the key handling system is as follows:
The key handling system includes a crypto module and an outer memory module;
The crypto module includes: a safety chip, a power supply switch circuit, a protective coating and a conductive unit;
The safety chip is used, when an operational order sent by the user is received, to obtain the preset first key component and the preset second key component, to perform an operation on the first key component and the second key component according to a preset algorithm to obtain the key-encrypting key, and to execute the operation corresponding to the operational order using the key-encrypting key. The setting process of the preset first key component and second key component includes: the safety chip receives a generation instruction, which triggers the safety chip to generate a key-encrypting key according to a preset generating algorithm and to perform an operation on the key-encrypting key using a preset function, generating three key components; the three key components are saved respectively into the pre-established outer memory module and into the first memory module and the second memory module in the safety chip. The key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the outer memory module is the third key component;
The power supply switch circuit is used to switch the safety chip's power supply to an external power supply when the main power source loses power, so as to guarantee normal power supply to the safety chip;
The conductive unit is used to connect the safety chip to the power supply;
It should be noted that the conductive unit includes a fixed conductive unit and a non-fixed conductive unit. The fixed conductive unit is arranged on the circuit board of the crypto module and is in an open-circuit state, with a small gap at the break of about 1-2 mm. The non-fixed conductive unit is a conductor, including but not limited to a conductive adhesive sheet, that is placed over the break so that the circuit is connected;
The protective coating is used to protect the conductive unit and the safety chip. When the protective coating is destroyed, the conductive unit is destroyed, the safety chip enters a power-down state, and the key component stored in the first memory module of the safety chip is lost;
It should be noted that the protective coating covers the conductive unit and the safety chip so as to fix the position of the conductive unit and ensure the connection between the safety chip and the power supply. The protective coating can also cover the crypto module, preventing the crypto module, the safety chip and the conductive unit from coming into direct contact with the external environment. The protective coating can be a colloid that can be fixedly attached to the crypto module and can hold the non-fixed part of the conductive unit in place; the protective coating includes but is not limited to non-transparent AB glue. It should be noted that when the protective coating is destroyed, it takes the non-fixed conductive unit up with it, the conductive unit becomes an open circuit, and the safety chip enters a power-down state.
The outer memory module is used to store a key component. When the key component saved in the first memory module of the safety chip is lost and a new key component needs to be imported, the outer memory module is connected to the crypto module through an interface and inputs the key component it holds to the crypto module; the crypto module saves the received key component into the first memory module of the safety chip as the new first key component. The outer memory module can be kept at the manufacturer of the crypto module;
It should be noted that when the key component saved in the first memory module of the safety chip is lost again, the crypto module can again be connected to the outer memory module through the interface, the key component saved in the outer memory module is obtained again and stored in the first memory module of the safety chip again, and the saved key component once more serves as the new first key component.
An example is given here for illustration. Assume that when the crypto module is initialized, key components need to be configured for it. The crypto module sends a key generation instruction to the safety chip; the safety chip applies the set generating algorithm to generate a key-encrypting key and applies a threshold technique to perform an operation on the key-encrypting key, generating three different, equal-portion key components, which may be a, b and c. Two key components are selected at random from the three; the two selected key components may be a and b, and they are sent to the safety chip. The safety chip saves the two key components at random into the first memory module and the second memory module respectively: the key component stored in the first memory module may be a, and the key component stored in the second memory module may be b. The remaining key component is imported into the outer memory module through the interface and saved there; that is, the key component stored in the outer memory module is c;
It should be noted that the first memory module may be the RAM module in the safety chip, and the second memory module may be the FLASH module in the safety chip. The key component stored in the first memory module is the first key component, the key component stored in the second memory module is the second key component, and the key component stored in the outer memory module is the third key component;
When the crypto module is in the normal operating state and receives the user's operational order, the safety chip is triggered to perform an operation on the two saved key components a and b, generating the key-encrypting key, and to use the key-encrypting key to execute the operation of the action type corresponding to the operational order. If the crypto module is destroyed for the first time, the key component a stored in the first memory module of the safety chip is lost. The crypto module can then be connected to the outer memory module through the interface, obtain the key component c saved in the outer memory module, and save the key component c into the first memory module of the safety chip as the new first key component. The new first key component is now c, and the safety chip can generate the key-encrypting key by performing an operation on the saved key component c and key component b;
If the crypto module is destroyed again or loses power, the key component c saved in the first memory module of the safety chip will be lost. The crypto module can then be connected to the outer memory module again through the interface, obtain again the key component c saved in the outer memory module, and store the key component c in the first memory module of the safety chip again, once more as the new first key component.
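The a/b/c lifecycle above, together with the restart check described earlier, as an added Python sketch that is not part of the patent. It assumes the "threshold technique" is a 2-of-3 Shamir split over a prime field (the patent does not name the scheme); the prime, the class names and the function names are hypothetical.

```python
import secrets

# Constructed parameter: a Mersenne prime comfortably larger than a 256-bit KEK.
P = 2**521 - 1
KEK_LEN = 32


def split_2_of_3(kek: bytes):
    """Threshold-2 Shamir split: f(x) = kek + r*x mod P, components at x = 1, 2, 3."""
    secret = int.from_bytes(kek, "big")
    r = secrets.randbelow(P - 1) + 1  # non-zero slope, so the three components differ
    return [(x, (secret + r * x) % P) for x in (1, 2, 3)]


def combine(comp_1, comp_2) -> bytes:
    """Rebuild the KEK from any two distinct components (Lagrange interpolation at 0)."""
    (x1, y1), (x2, y2) = comp_1, comp_2
    if x1 == x2:
        raise ValueError("two copies of one component cannot rebuild the KEK")
    inv = pow((x2 - x1) % P, -1, P)
    return ((y1 * x2 - y2 * x1) * inv % P).to_bytes(KEK_LEN, "big")


class OuterMemory:
    """Hypothetical stand-in for the outer memory module holding the third component."""

    def __init__(self, component):
        self.component = component

    def read(self):
        return self.component


class SafetyChip:
    """Hypothetical model: first memory module = RAM (volatile), second = FLASH."""

    def __init__(self):
        self.ram = None
        self.flash = None

    def provision(self, first, second):
        self.ram, self.flash = first, second

    def power_loss(self):
        """Coating destroyed or supply cut: the RAM component is gone, FLASH survives."""
        self.ram = None

    def restart(self, outer, user_confirms: bool) -> bool:
        """Restart check: import from outer memory only if RAM is empty and the user agrees."""
        if self.ram is not None:
            return True
        if not user_confirms:
            return False  # no connection to the outer memory module is made
        self.ram = outer.read()  # becomes the new first key component
        return True

    def kek(self) -> bytes:
        if self.ram is None or self.flash is None:
            raise RuntimeError("a key component is missing: KEK cannot be generated")
        return combine(self.ram, self.flash)


def run_lifecycle():
    """Walk the a/b/c example: provision, tamper, recover with c, tamper again."""
    kek = secrets.token_bytes(KEK_LEN)
    comps = split_2_of_3(kek)
    secrets.SystemRandom().shuffle(comps)  # which two go to the chip is random
    a, b, c = comps
    chip, outer = SafetyChip(), OuterMemory(c)
    chip.provision(first=a, second=b)
    result = {"normal": chip.kek() == kek}

    chip.power_loss()  # component a is lost for good
    result["declined"] = chip.restart(outer, user_confirms=False)
    try:
        chip.kek()
        result["blocked"] = False
    except RuntimeError:
        result["blocked"] = True

    result["imported"] = chip.restart(outer, user_confirms=True)
    result["first_recovery"] = chip.kek() == kek  # now built from c and b
    result["ram_equals_outer"] = chip.ram == c

    chip.power_loss()  # c is lost from RAM but still held in outer memory
    chip.restart(outer, user_confirms=True)
    result["second_recovery"] = chip.kek() == kek
    return result


if __name__ == "__main__":
    print(run_lifecycle())
```

After the first recovery the RAM component and the outer memory component are the same value c, so every later recovery depends on that one outer copy together with the FLASH component b.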
In the method provided by this embodiment of the invention, the safety chip generates the key-encrypting key from the two saved key components, encrypts the user's key with the key-encrypting key to generate the corresponding ciphertext, and outputs the ciphertext to the crypto module to be saved. This improves the confidentiality of the user key and reduces the possibility of the user key being used directly after it has been obtained. When one of the components in the safety chip is lost, the key component saved in the outer memory module can be obtained so that the key-encrypting key can be generated again. This avoids the situation in which the key-encrypting key cannot be generated after one of the key components is lost, avoids loss to the user, and improves the robustness and stability of the encryption system.
Corresponding to Fig. 1, an embodiment of the invention also provides a key handling device for the specific implementation of the method in Fig. 1. The key handling device provided by this embodiment can be applied to the encryption module of a computer or the encryption device of a server. Its structural schematic diagram is shown in Fig. 3, and it specifically includes:
Arithmetic element 301, used, when the crypto module receives the operational order sent by the user, to obtain the first key component and the second key component preset in the safety chip and to perform an operation on the first key component and the second key component according to a preset algorithm, generating the key-encrypting key;
Acquiring unit 302, used to obtain the operation information in the operational order and to determine the action type corresponding to the operational order according to the operation information;
Encryption unit 303, used, if the action type corresponding to the operational order is an encryption operation, to determine the first user key in the operational order, to encrypt the first user key using the key-encrypting key to generate a first key ciphertext, and to input the first key ciphertext to the crypto module to be saved;
Decryption unit 304, used, if the action type corresponding to the operational order is a decryption operation, to determine the second key ciphertext in the crypto module that corresponds to the operational order, to decrypt the second key ciphertext using the key-encrypting key to obtain the second user key in the second key ciphertext, and to output the second user key to the crypto module.
In the device provided by this embodiment of the invention, when the crypto module receives the operational order sent by the user, the first key component and the second key component preset in the safety chip are obtained, and an operation is performed on the first key component and the second key component according to a preset algorithm to generate the key-encrypting key. The operation information in the operational order is obtained, and the action type corresponding to the operational order is determined according to the operation information. If the action type is an encryption operation, the first user key in the operational order is determined and encrypted using the key-encrypting key to obtain a first key ciphertext, and the first key ciphertext is saved. If the action type is a decryption operation, the second key ciphertext corresponding to the decryption operation is obtained and decrypted using the key-encrypting key to obtain the second user key in the second key ciphertext, and the second user key is output to the crypto module. By using the method provided by the invention, the user key is processed and saved in the form of ciphertext, which reduces the risk of the user key being used directly after it is stolen and improves the robustness and stability of the secrecy system.
In the embodiment provided by the invention, based on the foregoing scheme, the device further includes:
Generation unit, used, when the crypto module is initialized, to receive the key generation instruction sent by the crypto module and to generate the key-encrypting key using a preset generating algorithm;
First storage unit, used to perform an operation on the key-encrypting key using a preset function, generating three key components, and to save the three key components respectively into the pre-established outer memory module and into the first memory module and the second memory module in the safety chip. The key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the outer memory module is the third key component.
In the embodiment provided by the invention, based on the foregoing scheme, the device further includes:
Judging unit, used, when the safety chip restarts after a power loss, to judge whether the key component saved in the first memory module exists;
Determination unit, used, when the key component in the first memory module does not exist, to determine whether the key component in the external module needs to be obtained;
Communication unit, used, when the key component in the external module needs to be obtained, to trigger the crypto module to communicate with the outer memory module so as to obtain the key component saved in the outer memory module;
Second storage unit, used to save the key component obtained from the outer memory module into the first memory module as the new first key component.
In the embodiment provided by the invention, based on the foregoing scheme, the first storage unit includes:
First saving subunit, used to randomly select two of the three key components, to send the two selected key components to the safety chip, and to trigger the safety chip to save the two key components at random into the first memory module and the second memory module respectively;
Second saving subunit, used to send the remaining key component to the pre-established outer memory module and to trigger the outer memory module to save the received key component.
An embodiment of the invention also provides an electronic device whose structural schematic diagram is shown in Fig. 4. It specifically includes a memory 402 and one or more instructions 401, wherein the one or more instructions 401 are stored in the memory 402 and are configured to be executed by one or more processors 403 to perform the following operations:
When the crypto module receives the operational order sent by the user, the first key component and the second key component preset in the safety chip are obtained, and an operation is performed on the first key component and the second key component according to a preset algorithm to generate the key-encrypting key;
The operation information in the operational order is obtained, and the action type corresponding to the operational order is determined according to the operation information;
If the action type corresponding to the operational order is an encryption operation, the first user key in the operational order is determined and encrypted using the key-encrypting key to generate a first key ciphertext, and the first key ciphertext is input to the crypto module to be saved;
If the action type corresponding to the operational order is a decryption operation, the second key ciphertext in the crypto module that corresponds to the operational order is determined and decrypted using the key-encrypting key to obtain the second user key in the second key ciphertext, and the second user key is output to the crypto module.
All the embodiments in this specification are described in a progressive manner; for the same or similar parts, the embodiments may refer to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively simply because they are substantially similar to the method embodiment; for the related parts, refer to the description of the method embodiment. The system embodiments described above are only schematic: the units described as separate parts may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
Professionals will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each specific application, but such an implementation should not be considered beyond the scope of the invention.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A cipher key processing method, characterized in that the method is applied to a safety chip and comprises:
when a crypto module receives an operational order sent by a user, obtaining the first key component and the second key component preset in the safety chip, and performing an operation on the first key component and the second key component according to a preset algorithm to generate a key-encrypting key;
obtaining the operation information in the operational order, and determining the action type corresponding to the operational order according to the operation information;
if the action type corresponding to the operational order is an encryption operation, determining the first user key in the operational order, encrypting the first user key using the key-encrypting key to generate a first key ciphertext, and inputting the first key ciphertext to the crypto module to be saved;
if the action type corresponding to the operational order is a decryption operation, determining the second key ciphertext in the crypto module that corresponds to the operational order, decrypting the second key ciphertext using the key-encrypting key to obtain the second user key in the second key ciphertext, and outputting the second user key to the crypto module.
2. The method according to claim 1, characterized in that the setting process of the first key component and the second key component comprises:
when the crypto module is initialized, receiving the key generation instruction sent by the crypto module, and generating a key-encrypting key using a preset generating algorithm;
performing an operation on the key-encrypting key using a preset function to generate three key components, and saving the three key components respectively into the pre-established outer memory module and into the first memory module and the second memory module in the safety chip; wherein the key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the outer memory module is the third key component.
3. The method according to claim 2, characterized by further comprising:
when the safety chip restarts after a power loss, judging whether the key component saved in the first memory module exists;
when the key component in the first memory module does not exist, determining whether the key component in the external module needs to be obtained;
when the key component in the external module needs to be obtained, triggering the crypto module to communicate with the outer memory module so as to obtain the key component saved in the outer memory module;
saving the key component obtained from the outer memory module into the first memory module as the new first key component.
4. The method according to claim 2, characterized in that saving the three key components respectively into the pre-established outer memory module and into the first memory module and the second memory module in the safety chip comprises:
randomly selecting two of the three key components, sending the two selected key components to the safety chip, and triggering the safety chip to save the two key components at random into the first memory module and the second memory module respectively;
sending the remaining key component to the pre-established outer memory module, and triggering the outer memory module to save the received key component.
5. A key handling device, characterized by comprising:
an arithmetic element, used, when a crypto module receives an operational order sent by a user, to obtain the first key component and the second key component preset in the safety chip and to perform an operation on the first key component and the second key component according to a preset algorithm, generating a key-encrypting key;
an acquiring unit, used to obtain the operation information in the operational order and to determine the action type corresponding to the operational order according to the operation information;
an encryption unit, used, if the action type corresponding to the operational order is an encryption operation, to determine the first user key in the operational order, to encrypt the first user key using the key-encrypting key to generate a first key ciphertext, and to input the first key ciphertext to the crypto module to be saved;
a decryption unit, used, if the action type corresponding to the operational order is a decryption operation, to determine the second key ciphertext in the crypto module that corresponds to the operational order, to decrypt the second key ciphertext using the key-encrypting key to obtain the second user key in the second key ciphertext, and to output the second user key to the crypto module.
6. The device according to claim 5, characterized by further comprising:
a generation unit, used, when the crypto module is initialized, to receive the key generation instruction sent by the crypto module and to generate a key-encrypting key using a preset generating algorithm;
a first storage unit, used to perform an operation on the key-encrypting key using a preset function, generating three key components, and to save the three key components respectively into the pre-established outer memory module and into the first memory module and the second memory module in the safety chip; wherein the key component saved to the first memory module is the first key component, the key component saved to the second memory module is the second key component, and the key component saved to the outer memory module is the third key component.
7. The device according to claim 6, characterized by further comprising:
a judging unit, used, when the safety chip restarts after a power loss, to judge whether the key component saved in the first memory module exists;
a determination unit, used, when the key component in the first memory module does not exist, to determine whether the key component in the external module needs to be obtained;
a communication unit, used, when the key component in the external module needs to be obtained, to trigger the crypto module to communicate with the outer memory module so as to obtain the key component saved in the outer memory module;
a second storage unit, used to save the key component obtained from the outer memory module into the first memory module as the new first key component.
8. The device according to claim 6, characterized in that the first storage unit comprises:
a first saving subunit, used to randomly select two of the three key components, to send the two selected key components to the safety chip, and to trigger the safety chip to save the two key components at random into the first memory module and the second memory module respectively;
a second saving subunit, used to send the remaining key component to the pre-established outer memory module and to trigger the outer memory module to save the received key component.
9. A key handling system, characterized by comprising:
a crypto module and an outer memory module;
the crypto module includes: a safety chip, a power supply switch circuit, a protective coating and a conductive unit;
the safety chip is used to perform the cipher key processing method according to any one of claims 1 to 4;
the power supply switch circuit is used to switch the safety chip's power supply to an external power supply when the main power source loses power, so as to guarantee normal power supply to the safety chip;
the conductive unit is used to connect the safety chip to the power supply;
the protective coating is used to protect the conductive unit and the safety chip; when the protective coating is destroyed, the conductive unit is destroyed, the safety chip enters a power-down state, and the key component stored in the first memory module of the safety chip is lost.
10. An electronic device, characterized by comprising a memory and one or more instructions, wherein the one or more instructions are stored in the memory and are configured to be executed by one or more processors to perform the cipher key processing method according to any one of claims 1 to 4.
CN201910470792.1A 2019-05-31 2019-05-31 Key processing method, device and system and electronic equipment Active CN110166236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910470792.1A CN110166236B (en) 2019-05-31 2019-05-31 Key processing method, device and system and electronic equipment

Publications (2)

Publication Number Publication Date
CN110166236A true CN110166236A (en) 2019-08-23
CN110166236B CN110166236B (en) 2022-01-18

Family

ID=67630863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910470792.1A Active CN110166236B (en) 2019-05-31 2019-05-31 Key processing method, device and system and electronic equipment

Country Status (1)

Country Link
CN (1) CN110166236B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant