CN110166236A - Cipher key processing method, device and system and electronic equipment - Google Patents
Cipher key processing method, device and system and electronic equipment Download PDFInfo
- Publication number
- CN110166236A CN110166236A CN201910470792.1A CN201910470792A CN110166236A CN 110166236 A CN110166236 A CN 110166236A CN 201910470792 A CN201910470792 A CN 201910470792A CN 110166236 A CN110166236 A CN 110166236A
- Authority
- CN
- China
- Prior art keywords
- key
- memory module
- module
- components
- key components
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a kind of cipher key processing method: when crypto module receives the operational order of user's transmission, it triggers the safety chip and carries out operation using preset first key component and the second key components, obtain key-encrypting key, and action type corresponding with the operational order is executed using key-encrypting key, by being operated using key-encrypting key to user key, user key is saved in the form of ciphertext, reduces the risk being used directly after user key leakage;Key handling system corresponding with cipher key processing method provided by the invention avoids safety chip and conductive unit in the crypto module from being destroyed by the protective coating in the key handling system.By applying method provided by the invention and the corresponding key handling system of the method, the user key being stored in crypto module is protected, the risk being used directly after user key leakage is reduced, improves the robustness and stability of secrecy system.
Description
Technical field
The present invention relates to field of information security technology, in particular to a kind of cipher key processing method, device and system and electronics
Equipment.
Background technique
With the rapid development of the internet and the continuous improvement of the information degree, digitlization industry is in China or even full generation
Boundary is all rapidly developing, and all trades and professions in society gradually carry out transmitting, swap date and the negotiation of information by internet
Trade etc..Internet be double-edged sword, while bringing great convenience for our life, the data of the Internet transmission and
The information moment is faced with by the security risk that criminal steals and modifies, therefore people are for the data and information of transmission
Confidentiality and safety are increasingly valued.
To avoid information and the data of transmission from by criminal being modified and stolen, user in encryption system usually using saving
The key pair transmission in the safety chip of crypto module data and information carry out it is encrypted after passed in the form of ciphertext
It is defeated, it is reused after user receives ciphertext and is stored in corresponding key pair ciphertext in safety chip and is decrypted, to drop
A possibility that low leaking data and criminal steal the risk of data.User key is the core that data are transmitted,
And user key is usually stored in the safety chip of encryption system in the form of plaintext, crypto module is entire encryption system
Core, criminal once crack to obtain the user key being stored in safety chip, will cause the leaking data of user,
Directly destroy the stability and robustness of entire encryption system.
Summary of the invention
It, can be to being stored in the safety chip in view of this, the embodiment of the present invention provides a kind of cipher key processing method
Key handled, realize the probability for reducing user key leakage to the encrypting storing of user key, improve entire encryption
The stability and robustness of system.
The present invention also provides a kind of key handling devices, to guarantee the reality and application of the above method in practice.
To achieve the above object, the embodiment of the present invention provides the following technical solutions:
A kind of cipher key processing method is applied to safety chip, comprising:
When crypto module receives the operational order of user's transmission, it is close to obtain first be preset in the safety chip
Key component and the second key components transport the first key component and second key components according to preset algorithm
It calculates, generates key-encrypting key;
The operation information in the operational order is obtained, determines the corresponding behaviour of the operational order according to the operation information
Make type;
If the corresponding action type of the operational order is cryptographic operation, the first user in the operational order is determined
Key, and first user key is encrypted using the key-encrypting key, first key ciphertext is generated, it will be described
First key ciphertext inputs the crypto module and is saved;
If the corresponding action type of the operational order is decryption oprerations, determine in the crypto module with the operation
Corresponding second key ciphertext is instructed, and the second key ciphertext is decrypted using the key-encrypting key, is obtained
Second user key in the second key ciphertext, and the second user key is exported to the crypto module.
Above-mentioned method, optionally, the setting up procedure of the first key component and the second key components, comprising:
When crypto module initialization, receives the key that the crypto module is sent and generate instruction, utilization is preset
Generating algorithm generates key-encrypting key;
Operation is carried out to the key-encrypting key using preset function, generates three key components, and by described three
A key components save the first memory module and into the outer memory module and the safety chip pre-established respectively
In two memory modules;Wherein, saving to the key components of first memory module is first key component, is saved to described the
The key components of two memory modules are the second key components, and saving to the key components of the outer memory module is third key
Component.
Above-mentioned method, optionally, further includes:
After the safety chip power down, when restarting, the key saved into first memory module point is judged
Amount whether there is;
In the absence of the key components in first memory module, it is determined whether need to obtain in the external module
Key components;
When needing to obtain the key components in the external module, the crypto module and the external storage mould are triggered
Block is communicated, to obtain the key components saved in the outer memory module;
The key components saved in the outer memory module that will acquire are saved into first memory module, as
New first key component.
Above-mentioned method, it is optionally, described to save three key components to the external storage pre-established respectively
In the first memory module and the second memory module in module and the safety chip, comprising:
Two key components in three key components are randomly selected, and described two key components of selection are sent out
It send to the safety chip, triggering the safety chip, random save to described first stores respectively by described two key components
In module and the second memory module;
Remaining key components are sent in the outer memory module pre-established, the outer memory module is triggered and protects
Deposit the key components received.
A kind of key handling device, comprising:
Arithmetic element, when for receiving the operational order of user's transmission when crypto module, acquisition is preset in the safety
First key component and the second key components in chip, by the first key component and second key components according to pre-
If algorithm carry out operation, generate key-encrypting key;
Acquiring unit determines the behaviour according to the operation information for obtaining the operation information in the operational order
Make to instruct corresponding action type;
Encryption unit determines that the operation refers to if be cryptographic operation for the corresponding action type of the operational order
The first user key in order, and first user key is encrypted using the key-encrypting key, generate first
The first key ciphertext is inputted the crypto module and saved by key ciphertext;
Decryption unit determines the password mould if be decryption oprerations for the corresponding action type of the operational order
The second key ciphertext corresponding with the operational order in block, and using the key-encrypting key to the second key ciphertext
It is decrypted, obtains the second user key in the second key ciphertext, and use to crypto module output described second
Family key.
Above-mentioned device, optionally, further includes:
Generation unit refers to for when crypto module initialization, receiving the key generation that the crypto module is sent
It enables, with preset generating algorithm, generates key-encrypting key;
First storage unit, for carrying out operation to the key-encrypting key using preset function, generation three is close
Key component, and three key components are saved respectively into the outer memory module and the safety chip pre-established
In first memory module and the second memory module;Wherein, saving to the key components of first memory module is first key
Component, saving to the key components of second memory module is the second key components, is saved to the outer memory module
Key components are third key components.
Above-mentioned device, optionally, further includes:
Judging unit when restarting, is judged to save to described first and stores mould for when the safety chip power down after
Key components in block whether there is;
Determination unit, in the absence of the key components in first memory module, it is determined whether need to obtain
Key in the external module;
Communication unit, for when needing to obtain the key components in the external module, trigger the crypto module with
The outer memory module is communicated, to obtain the key components saved in the outer memory module;
Second storage unit, the key components saved in the outer memory module for will acquire are saved to described
In one memory module, as new first key component.
Above-mentioned device, optionally, first storage unit, comprising:
First saving subunit for randomly selecting two key components in three key components, and will be chosen
Described two key components be sent to the safety chip, trigger the safety chip by described two key components respectively with
Machine is saved into first memory module and the second memory module;
Second saving subunit is touched for remaining key components to be sent in the outer memory module pre-established
It sends out outer memory module described and saves the key components received.
A kind of key handling system, comprising:
Crypto module and outer memory module;
The crypto module includes: safety chip, power supply switch circuit, protective coating and conductive unit;
The safety chip is for executing cipher key processing method as described above;
The power supply switch circuit, for selecting power supply to switch to when main power source power down for the safety chip
External power supply, to guarantee the normal power supply to the safety chip;
The conductive unit, for the safety chip to be connected to power supply;
The protective coating, for protecting the conductive unit and the safety chip, when the protective coating is destroyed
When, the conductive unit is destroyed, then the safety chip is in power-down state, and first be stored in the safety chip is deposited
The key components for storing up module are lost.
A kind of electronic equipment, which is characterized in that including memory and one or more than one instruction, wherein one
A perhaps more than one instruction is stored in memory and is configured to execute institute as above by one or more than one processor
The cipher key processing method stated.
Compared with prior art, the present invention includes the following advantages:
The present invention provides a kind of cipher key processing methods: when crypto module receives the operational order of user's transmission, obtaining
The first key component and the second key components being preset in the safety chip are taken, by the first key component and described
Two key components carry out operation according to preset algorithm, generate key-encrypting key, obtain the operation letter in the operational order
Breath, determines the corresponding action type of the operational order according to the operation information, if action type is cryptographic operation, determines
The first user key in the operational order carries out at encryption first user key using the key-encrypting key
Reason, obtains first key ciphertext, the first key ciphertext is saved;If action type be decryption oprerations, obtain with
The corresponding second key ciphertext of the decryption oprerations, solves the second key ciphertext using the key-encrypting key
It is close, the second user key in the second key ciphertext is obtained, and export the second user key to the crypto module.
By applying method provided by the invention, user key is handled, the user key is protected in the form of ciphertext
It deposits, reduces the risk directly used after user key is stolen, improve the robustness and stability of secrecy system.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The embodiment of invention for those of ordinary skill in the art without creative efforts, can also basis
The attached drawing of offer obtains other attached drawings.
Fig. 1 is a kind of method flow diagram of cipher key processing method provided by the invention;
Fig. 2 is a kind of another method flow chart of cipher key processing method provided by the invention;
Fig. 3 is a kind of structure drawing of device of key handling device provided by the invention;
Fig. 4 is the structural schematic diagram of a kind of electronic equipment provided by the invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other
Embodiment shall fall within the protection scope of the present invention.
In this application, the terms "include", "comprise" or any other variant thereof is intended to cover non-exclusive inclusion,
So that the process, method, article or equipment for including a series of elements not only includes those elements, but also including not having
The other element being expressly recited, or further include for elements inherent to such a process, method, article, or device.Do not having
There is the element limited in the case where more limiting by sentence "including a ...", it is not excluded that in the mistake including the element
There is also other identical elements in journey, method, article or equipment.
Present invention could apply in numerous general or special purpose computing device environment or configurations.Such as: personal computer,
Server computer, multi-processor device, the distributed computing including any of the above devices or devices are around environment etc..
The embodiment of the invention provides a kind of cipher key processing method, this method can be applied to computer or server secrecy
In the crypto module of system, executing subject can be the safety chip of crypto module in secrecy system, by applying this method,
Different operation processings, the method flow diagram of the method such as Fig. 1 are carried out to the user key for different executive conditions
It is shown, it specifically includes:
S101, when crypto module receive user transmission operational order when, acquisition be preset in the safety chip
First key component and the second key components, by the first key component and second key components according to preset algorithm
Operation is carried out, key-encrypting key is generated.
It is when the crypto module is in normal working condition, i.e., described close in method provided in an embodiment of the present invention
Code module can externally provide the encryption and decryption signature operation such as sign test, and when the crypto module is not destroyed, the password mould
When block receives the operational order of user's transmission, the safety chip acquisition triggered in the crypto module is set in advance in the peace
First key component and the second key components in full chip, and by the first key component and the second key components according to pre-
If algorithm carry out operation, obtain key-encrypting key.
Operation information in S102, the acquisition operational order, determines the operational order pair according to the operation information
The action type answered.
In method provided in an embodiment of the present invention, the operational order is parsed, obtains parsing result, the parsing
As a result include the operation information in the operational order, operation corresponding with the operational order is determined according to the operation information
Type, and execute corresponding operation.
If S103, the corresponding action type of the operational order are cryptographic operation, the in the operational order is determined
One user key, and first user key is encrypted using the key-encrypting key, first key ciphertext is generated,
The first key ciphertext is inputted the crypto module to save.
In method provided in an embodiment of the present invention, when the action type is cryptographic operation, then obtains the operation and refer to
The first user key for including in order carries out cryptographic operation to first user key using key-encrypting key, generates the
The first key ciphertext is inputted the crypto module and saved by one key ciphertext;It should be noted that described first
User key is encrypted, and when the first key ciphertext of generation, is carried and first user in the first key ciphertext of generation
The associated identification number of key, the identification number can be the unique identity number of first user key;Such as first
The identity number of user key is A, then identification number A is carried in the first key ciphertext generated, close to characterize described first
Key ciphertext is corresponding with first user key.
If S104, the corresponding action type of the operational order be decryption oprerations, determine in the crypto module with institute
The corresponding second key ciphertext of operational order is stated, and the second key ciphertext is solved using the key-encrypting key
It is close, the second user key in the second key ciphertext is obtained, and export the second user key to the crypto module.
In method provided in an embodiment of the present invention, when the action type is decryption oprerations, by referring to the operation
Order is parsed, and the identification number of key ciphertext for including in the operational order is obtained, and is determined according to the identification number described close
Key ciphertext corresponding with the identification number in code module;Such as the identification number for the key ciphertext in the operational order including is
B, the identification number B are associated with the identification number of second user key;It is stored in the crypto module according to the identification number B
The key ciphertext for carrying identification number B is searched in the ciphertext memory module of key ciphertext, the key ciphertext for carrying identification number B is second
The ciphertext of user key;Operation is decrypted to the second user key ciphertext using the key-encrypting key, obtains
Two user keys, and the second user key is exported to the crypto module, for the data of communication to be encrypted or are solved
Close operation.
In method provided in an embodiment of the present invention, by the key-encrypting key in application this method to the user key
It is saved in a manner of ciphertext after being encrypted, or by applying key-encrypting key to described corresponding with user key
Ciphertext carry out operation and obtain user key, by applying this method, reduce user key and reveal the risk that is directly applied,
Improve the stability and robustness of encryption system.
In method provided in an embodiment of the present invention, the key-encrypting key passes through using the first key in safety chip
Component and the second key components carry out operation and obtain, the side of the first key component and the second key components setting method
Method flow chart is as described in Figure 2, and details are provided below:
S201, when crypto module initialization, receive the key that the crypto module is sent and generate instruction, with pre-
If generating algorithm, generate key-encrypting key.
In method provided in an embodiment of the present invention, after crypto module factory, production firm carries out crypto module
Initialization, the crypto module generates key and generates instruction, and the key is generated the peace that instruction is sent in crypto module
Full chip;After the safety chip receives the key generation instruction, according to pre-set generating algorithm, key is generated
Encryption key, the key-encrypting key can be a string of random numbers, and the pre-set generating algorithm can be any one
Kind Generating Random Number.
S202, operation is carried out to the key-encrypting key using preset function, generates three key components, and by institute
It states three key components and saves the first memory module into the outer memory module and the safety chip pre-established respectively
In the second memory module;Wherein, saving to the key components of first memory module is first key component, is saved to institute
The key components for stating the second memory module are the second key components, and saving to the key components of the outer memory module is third
Key components.
In method provided in an embodiment of the present invention, after generating key-encrypting key, using preset function to described
Key-encrypting key carries out operation, generates three key components;It should be noted that the preset function can be and be based on
Lagrange interpolation formula, specific generating process can refer to following detailed processes:
Assuming that key-encrypting key is indicated with S, the key-encrypting key can be 16 byte random numbers, in finite field gf
(p) (t-1) a element a is arbitrarily selected ini(i=1,2 ..., t-1) constitutes (t-1) rank multinomialWherein, p is a Big prime and p > 2L, and wherein L is the bit length of S, aiIt can
Think 32 byte random numbers, key-encrypting key S=f (0)=a0, generate n key componentsWherein, r=1,2 ..., n;Then SrWith being sent to for p safety
Corresponding memory module is saved;By taking (2,3) thresholding as an example, key components generating process is as follows:
Key components: S1=f (1)=(a0+a1*1)mod p;
Key components: S2=f (2)=(a0+a1*2)mod p;
Key components: S3=f (3)=(a0+a1*3)mod p;
It should be noted that after generating 3 key components to the key-encrypting key application threshold technique, it is random to select
Two key components in three key components are taken, two key components of selection are stored in the of safety chip at random respectively
In one memory module and the second memory module, remaining key components are sent in the outer memory module pre-established, are touched
It sends out outer memory module described and saves the key components received;It should be noted that being stored in the first of the safety chip
The key components of memory module are first key component, and the key components for being stored in the second memory module of the safety chip are
Second key components, the key components being stored in the outer memory module are third key components.
In method provided in an embodiment of the present invention, when crypto module receives the operational order of user's transmission, by obtaining
Going bail for, there are two in the safety chip key components, i.e. first key component and the second key components, to described first
Key components and the second key components carry out operation, key-encrypting key are generated, for the generation for illustrating key-encrypting key
Process enumerates its specific calculating process here:
Any t parts of key components obtain corresponding Sr (r=1,2 ..., t) and p, public using Lagrange interpolation polynomial
Formula:
Key-encrypting key S can be recovered;
With (2,3) thresholding f (2), for f (3) key components and p, it may be assumed that
S=f (0)=(f (2) * L1 (x)+f (3) * L2 (x)) modp;
By the calculating process enumerated, key encryption can be calculated according to first key component and the second key components
Key, it should be noted that it is generated in key-encrypting key in the present invention and applies two key components, in practical applications,
It can be not limited to only apply two key components close to generate key encryption, can also generate key using 3 key components
Encryption key.
In method provided in an embodiment of the present invention, when crypto module is destroyed or after power down, is stored in safe core
Key components in piece in the first memory module are lost, and power in crypto module, after opening again, to reply crypto module just
Normal working condition needs to be applied to key-encrypting key, because of the key point being stored in safety chip in the first memory module
Amount is lost, and key-encrypting key can not be generated, therefore can not normally be worked, at this time, it may be necessary to which external storage mould will be stored in
Key components in block import the safety chip of the crypto module, and the key components obtained from the outer memory module are protected
It deposits into the first memory module of safety chip, it, can be using new first key component and the as new first key component
Two key components generate key-encrypting key and thus reduce crypto module so that the crypto module can work normally and lose
The risk for losing user key, reduces the loss of user.
It should be noted that after safety chip power down, when restarting, judge to save to first memory module
In key components whether there is;In the absence of the key components in first memory module, user is determined the need for
The key components in the outer memory module are obtained, when user determines the key point needed to obtain in the outer memory module
When amount, the crypto module is connect with the outer memory module by interface and is communicated, trigger password module is by connecing
Mouth obtains the key components saved in the outer memory module, and the key saved in the outer memory module that will acquire
Component is saved into the first memory module of safety chip, as new first key component;It should be noted that when user is true
When recognizing the crypto module and not needing to obtain new key components, then the crypto module is not attached with outer memory module
Communication;
It should be noted that in method provided in an embodiment of the present invention, when the crypto module is being destroyed or fallen
After electricity, when re-powering starting, the operational order of user's transmission is received, then judges that first of safety chip in crypto module is deposited
The key components saved in storage module whether there is, and if it does not exist, then be confirmed whether to need to obtain close in outer memory module
Key component then passes through interface for the crypto module and external storage mould when needing to obtain the key components in external storage
Block is attached communication, to obtain the key components being stored in the outer memory module.
It should be noted that correspond to the above method, the embodiment of the invention also provides a kind of key handling system,
To support the realization of the cipher key processing method, the concrete composition of the key handling system is as described below:
The key handling system includes crypto module and outer memory module;
The crypto module includes: safety chip, power supply switch circuit, protective coating and conductive unit;
The peace chip is used for when receiving the operational order of user's transmission, obtains preset first key component and pre-
If the second key components, the first key component and second key components are subjected to operation according to preset algorithm,
Key-encrypting key is obtained, and executes operation corresponding with the operational order using the key-encrypting key;Wherein, described
The setting up procedure of preset first key component and the second key components includes: that safety chip reception generation instructs, described in triggering
Safety chip generates key-encrypting key according to preset generating algorithm, and using preset function to the key-encrypting key
Operation is carried out, generates three key components, and three key components are saved respectively to the external storage mould pre-established
In the first memory module and the second memory module in block and the safety chip;Wherein, it saves to first memory module
Key components be first key component, save to second memory module key components be the second key components, save
Key components to the outer memory module are third key components;
The power supply switch circuit, for selecting power supply to switch to when main power source power down for the safety chip
External power supply, to guarantee the normal power supply to the safety chip;
The conductive unit, for the safety chip to be connected to power supply;
It should be noted that the conductive unit includes fixed conductive unit and on-fixed conductive unit, fixed conduction is single
Member is arranged on the circuit board of crypto module, and is off state, closely spaced, the about 1-2mm of open circuit, the conductive list of on-fixed
Member is conductor, including but not limited to conductive glue slice, is placed on circuit breaker part, so that circuit is connected;
The protective coating, for protecting the conductive unit and the safety chip, when the protective coating is destroyed
When, the conductive unit is destroyed, then the safety chip is in power-down state, and first be stored in the safety chip is deposited
The key components for storing up module are lost;
It should be noted that the protective coating is covered on the conductive unit and safety chip, to described in fixation
The position of conductive unit, it is ensured that the connection of the safety chip and power supply;Protective coating can be also covered on crypto module,
The crypto module, safety chip and conductive unit is avoided directly to contact with external environment;The protective coating can be colloid,
It can be fixedly attached on crypto module, and be capable of fixing the non-fixed portions in conductive unit, the protective coating includes
But it is not limited to nontransparent AB glue;It should be noted that can then take up the on-fixed in conductive unit when protective coating is destroyed
Conductive unit, conductive unit open circuit, then the safety chip is in power-down state.
The outer memory module, for storing key components, when the first memory module preservation in the safety chip
Key components are lost, and when needing to import new key components, the outer memory module is connected by interface with the password mould
It connects, the key components that the input of Xiang Suoshu crypto module saves, the crypto module saves the key components received to described
In first memory module of safety chip, as new first key component, the outer memory module can be stored in password
The manufacturer of module;
It should be noted that when the key components that the first memory module saves in the safety chip are lost again, it can
The crypto module is connected by interface with the outer memory module again, obtains save the external storage mould again
The key components of the acquisition are stored in the first memory module of the safety chip by the key components in block again, then
The secondary key components by preservation are as new first key component.
It gives one example and is illustrated in this example, it is assumed that when crypto module is initialized, need for its configuring cipher key point
Amount, crypto module send the key generated to safety chip and generate instruction, and the generating algorithm that the safety chip application is set generates
Key-encrypting key, and application threshold technique carries out operation to the key-encrypting key, generates three different equal portions keys
Component, three key components can be respectively a, b and c, select two key components, choosing from three key components at random
In two key components can be a and b, and two key components chosen are sent to the safety chip, safe core
Piece is at random saved described two key components respectively to the first memory module and the second memory module, is stored in described first and is deposited
The key components for storing up module can be a, and the key components for being stored in second memory module can be b, by remaining key
Component is imported in the outer memory module by interface and is saved, that is, the key point being stored in the outer memory module
Amount is c;
It should be noted that first memory module can be the RAM module in safety chip, the second memory module can
Think the FLASH module in safety chip;The key components being stored in first memory module are first key component, are protected
It is the second key components, the key being stored in the outer memory module there are the key components in second memory module
Component is third key components;
When the crypto module is in normal operating conditions, and receives the operational order of user, the safety is triggered
Two the key components a and b that chip application saves carry out operation, generate key-encrypting key, are executed using key-encrypting key
Action type corresponding with the operational order;If the crypto module for the first time by destroying when, be stored in the safety chip
The first memory module in key components a lose, then can be connected by interface with the outer memory module, obtain preservation
Key components c in the outer memory module saves the key components c to the first memory module of safety chip
In, as new first key component, the new first key component described at this time is c, then safety chip can pass through preservation at this time
Key components c and key components b carry out operation generate key-encrypting key;
If crypto module is destroyed herein or power down, the key that the first memory module saves in the safety chip divides
Amount c will lose, then the crypto module can be connected with the outer memory module again by interface, obtain save again
Key components c in the outer memory module, first that the key components c is stored in the safety chip again are deposited
It stores up in module, again as new first key component.
In method provided in an embodiment of the present invention, safety chip generates key by using two key components of preservation and adds
Key encrypts using key of the key-encrypting key to user, generates corresponding ciphertext, the ciphertext is exported
It is saved to the crypto module, which thereby enhances the confidentiality of user key, reduced the user key and be acquired it
After a possibility that being directly applied;When one of component in safety chip is lost, it can obtain in outer memory module and protect
The key components deposited, so as to generate key-encrypting key again, avoiding can not after one of key components are lost
The case where generating key-encrypting key, avoids the loss of user, improves the robustness and stability of encryption system.
Corresponding with Fig. 1, the embodiment of the present invention also provides a kind of key handling device, for the tool to method in Fig. 1
Body realizes that key handling device provided in an embodiment of the present invention can be applied to the encrypting module of computer or adding for server
In close device, structural schematic diagram is as shown in figure 3, specifically include:
Arithmetic element 301, when for receiving the operational order of user's transmission when crypto module, acquisition is preset in the peace
First key component and the second key components in full chip, by the first key component and second key components according to
Preset algorithm carries out operation, generates key-encrypting key;
Acquiring unit 302, for obtaining the operation information in the operational order, according to described in operation information determination
The corresponding action type of operational order;
Encryption unit 303 determines the operation if be cryptographic operation for the corresponding action type of the operational order
The first user key in instruction, and being encrypted using the key-encrypting key to first user key generates the
The first key ciphertext is inputted the crypto module and saved by one key ciphertext;
Decryption unit 304 determines the password if be decryption oprerations for the corresponding action type of the operational order
The second key ciphertext corresponding with the operational order in module, and it is close to second key using the key-encrypting key
Text is decrypted, and obtains the second user key in the second key ciphertext, and export described second to the crypto module
User key.
In device provided in an embodiment of the present invention, when crypto module receives the operational order of user's transmission, obtain pre-
The first key component and the second key components being located in the safety chip, by the first key component and described second close
Key component carries out operation according to preset algorithm, generates key-encrypting key, obtains the operation information in the operational order, according to
The corresponding action type of the operational order is determined according to the operation information, if action type is cryptographic operation, described in determination
The first user key in operational order is encrypted first user key using the key-encrypting key,
First key ciphertext is obtained, the first key ciphertext is saved;If action type be decryption oprerations, obtain with it is described
The corresponding second key ciphertext of decryption oprerations is decrypted the second key ciphertext using the key-encrypting key, obtains
The second user key is exported to the second user key in the second key ciphertext, and to the crypto module.Pass through
Using method provided by the invention, user key is handled, the user key is saved in the form of ciphertext, is dropped
The risk that low user key is directly used after being stolen, improves the robustness and stability of secrecy system.
In embodiment provided by the present invention, it is based on aforementioned schemes, further includes:
Generation unit refers to for when crypto module initialization, receiving the key generation that the crypto module is sent
It enables, with preset generating algorithm, generates key-encrypting key;
First storage unit, for carrying out operation to the key-encrypting key using preset function, generation three is close
Key component, and three key components are saved respectively into the outer memory module and the safety chip pre-established
In first memory module and the second memory module;Wherein, saving to the key components of first memory module is first key
Component, saving to the key components of second memory module is the second key components, is saved to the outer memory module
Key components are third key components.
In embodiment provided by the present invention, it is based on aforementioned schemes, further includes:
Judging unit when restarting, is judged to save to described first and stores mould for when the safety chip power down after
Key components in block whether there is;
Determination unit, in the absence of the key components in first memory module, it is determined whether need to obtain
Key components in the external module;
Communication unit, for when needing to obtain the key components in the external module, trigger the crypto module with
The outer memory module is communicated, to obtain the key components saved in the outer memory module;
Second storage unit, the key components saved in the outer memory module for will acquire are saved to described
In one memory module, as new first key component.
In embodiment provided by the present invention, it is based on aforementioned schemes, first storage unit, comprising:
First saving subunit for randomly selecting two key components in three key components, and will be chosen
Described two key components be sent to the safety chip, trigger the safety chip by described two key components respectively with
Machine is saved into first memory module and the second memory module;
Second saving subunit is touched for remaining key components to be sent in the outer memory module pre-established
It sends out outer memory module described and saves the key components received.
The embodiment of the invention also provides a kind of electronic equipment, structural schematic diagram is as shown in figure 4, specifically include memory
402 and one perhaps more than one 401 one of them or more than one instruction of instruction 401 be stored in memory 402
In, and be configured to by one or more than one processor 403 execute the one or more instruction 401 carry out with
Lower operation:
When crypto module receives the operational order of user's transmission, it is close to obtain first be preset in the safety chip
Key component and the second key components transport the first key component and second key components according to preset algorithm
It calculates, generates key-encrypting key;
The operation information in the operational order is obtained, determines the corresponding behaviour of the operational order according to the operation information
Make type;
If the corresponding action type of the operational order is cryptographic operation, the first user in the operational order is determined
Key, and first user key is encrypted using the key-encrypting key, first key ciphertext is generated, it will be described
First key ciphertext inputs the crypto module and is saved;
If the corresponding action type of the operational order is decryption oprerations, determine in the crypto module with the operation
Corresponding second key ciphertext is instructed, and the second key ciphertext is decrypted using the key-encrypting key, is obtained
Second user key in the second key ciphertext, and the second user key is exported to the crypto module.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodiment
Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for system or
For system embodiment, since it is substantially similar to the method embodiment, so describing fairly simple, related place is referring to method
The part of embodiment illustrates.System and system embodiment described above is only schematical, wherein the conduct
The unit of separate part description may or may not be physically separated, component shown as a unit can be or
Person may not be physical unit, it can and it is in one place, or may be distributed over multiple network units.It can root
According to actual need that some or all of the modules therein is selected to achieve the purpose of the solution of this embodiment.Ordinary skill
Personnel can understand and implement without creative efforts.
Professional further appreciates that, unit described in conjunction with the examples disclosed in the embodiments of the present disclosure
And algorithm steps, can be realized with electronic hardware, computer software, or a combination of the two, in order to clearly demonstrate hardware and
The interchangeability of software generally describes each exemplary composition and step according to function in the above description.These
Function is implemented in hardware or software actually, the specific application and design constraint depending on technical solution.Profession
Technical staff can use different methods to achieve the described function each specific application, but this realization is not answered
Think beyond the scope of this invention.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention.
Various modifications to these embodiments will be readily apparent to those skilled in the art, as defined herein
General Principle can be realized in other embodiments without departing from the spirit or scope of the present invention.Therefore, of the invention
It is not intended to be limited to the embodiments shown herein, and is to fit to and the principles and novel features disclosed herein phase one
The widest scope of cause.
Claims (10)
1. a kind of cipher key processing method, which is characterized in that the method is applied to safety chip, comprising:
When crypto module receives the operational order of user's transmission, the first key point being preset in the safety chip is obtained
The first key component and second key components are carried out operation according to preset algorithm by amount and the second key components,
Generate key-encrypting key;
The operation information in the operational order is obtained, determines the corresponding operation class of the operational order according to the operation information
Type;
If the corresponding action type of the operational order is cryptographic operation, determine that the first user in the operational order is close
Key, and being encrypted using the key-encrypting key to first user key generates first key ciphertext, by described the
One key ciphertext inputs the crypto module and is saved;
If the corresponding action type of the operational order is decryption oprerations, determine in the crypto module with the operational order
Corresponding second key ciphertext, and the second key ciphertext is decrypted using the key-encrypting key, described in acquisition
Second user key in second key ciphertext, and the second user key is exported to the crypto module.
2. the method according to claim 1, wherein the setting of the first key component and the second key components
Process, comprising:
When crypto module initialization, receives the key that the crypto module is sent and generate instruction, with preset generation
Algorithm generates key-encrypting key;
Operation is carried out to the key-encrypting key using preset function, generates three key components, and close by described three
The first memory module and second that key component is saved respectively into the outer memory module and the safety chip pre-established is deposited
It stores up in module;Wherein, saving to the key components of first memory module is first key component, saves to described second and deposits
The key components for storing up module are the second key components, and saving to the key components of the outer memory module is third key point
Amount.
3. according to the method described in claim 2, it is characterized by further comprising:
After the safety chip power down, when restarting, judge that the key components saved into first memory module are
No presence;
In the absence of the key components in first memory module, it is determined whether need to obtain close in the external module
Key component;
When needing to obtain the key components in the external module, trigger the crypto module and the outer memory module into
Row communication, to obtain the key components saved in the outer memory module;
The key components saved in the outer memory module that will acquire are saved into first memory module, as new
First key component.
4. according to the method described in claim 2, it is characterized in that, described save three key components respectively to preparatory
In the first memory module and the second memory module in the outer memory module of foundation and the safety chip, comprising:
Two key components in three key components are randomly selected, and described two key components of selection are sent to
The safety chip triggers the safety chip and saves described two key components to first memory module at random respectively
In the second memory module;
Remaining key components are sent in the outer memory module pre-established, the outer memory module preservation is triggered and connects
The key components received.
5. a kind of key handling device characterized by comprising
Arithmetic element, when for receiving the operational order of user's transmission when crypto module, acquisition is preset in the safety chip
In first key component and the second key components, by the first key component and second key components according to preset
Algorithm carries out operation, generates key-encrypting key;
Acquiring unit determines that the operation refers to according to the operation information for obtaining the operation information in the operational order
Enable corresponding action type;
Encryption unit determines in the operational order if be cryptographic operation for the corresponding action type of the operational order
The first user key, and first user key is encrypted using the key-encrypting key, generates first key
The first key ciphertext is inputted the crypto module and saved by ciphertext;
Decryption unit determines in the crypto module if be decryption oprerations for the corresponding action type of the operational order
The second key ciphertext corresponding with the operational order, and the second key ciphertext is carried out using the key-encrypting key
Decryption obtains the second user key in the second key ciphertext, and close to the crypto module output second user
Key.
6. device according to claim 5, which is characterized in that further include:
Generation unit generates instruction, fortune for when crypto module initialization, receiving the key that the crypto module is sent
With preset generating algorithm, key-encrypting key is generated;
First storage unit generates three keys point for carrying out operation to the key-encrypting key using preset function
Amount, and three key components are saved into first into the outer memory module and the safety chip pre-established respectively
In memory module and the second memory module;Wherein, saving to the key components of first memory module is first key component,
Saving to the key components of second memory module is the second key components, is saved to the key point of the outer memory module
Amount is third key components.
7. device according to claim 6, which is characterized in that further include:
Judging unit when restarting, judges preservation into first memory module for when the safety chip power down after
Key components whether there is;
Determination unit, in the absence of the key components in first memory module, it is determined whether described in needing to obtain
Key components in external module;
Communication unit, for when needing to obtain the key components in the external module, trigger the crypto module with it is described
Outer memory module is communicated, to obtain the key components saved in the outer memory module;
Second storage unit, the key components saved in the outer memory module for will acquire, which are saved to described first, to be deposited
It stores up in module, as new first key component.
8. device according to claim 6, which is characterized in that first storage unit, comprising:
First saving subunit, for randomly selecting two key components in three key components, and by the institute of selection
It states two key components and is sent to the safety chip, trigger the safety chip and protect described two key components at random respectively
It deposits into first memory module and the second memory module;
Second saving subunit triggers institute for remaining key components to be sent in the outer memory module pre-established
It states outer memory module and saves the key components received.
9. a kind of key handling system characterized by comprising
Crypto module and outer memory module;
The crypto module includes: safety chip, power supply switch circuit, protective coating and conductive unit;
The safety chip requires cipher key processing method described in 1~4 any one for perform claim;
The power supply switch circuit, for selecting power supply to switch to outside when main power source power down for the safety chip
Power supply, to guarantee the normal power supply to the safety chip;
The conductive unit, for the safety chip to be connected to power supply;
The protective coating, for protecting the conductive unit and the safety chip, when the protective coating is destroyed, institute
It states conductive unit to be destroyed, then the safety chip is in power-down state, the first storage mould being stored in the safety chip
The key components of block are lost.
10. a kind of electronic equipment, which is characterized in that including memory and one or more than one instruction, one of them
Perhaps more than one instruction is stored in memory and is configured to be executed by one or more than one processor as right is wanted
Seek cipher key processing method described in 1~4 any one.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910470792.1A CN110166236B (en) | 2019-05-31 | 2019-05-31 | Key processing method, device and system and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910470792.1A CN110166236B (en) | 2019-05-31 | 2019-05-31 | Key processing method, device and system and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110166236A true CN110166236A (en) | 2019-08-23 |
CN110166236B CN110166236B (en) | 2022-01-18 |
Family
ID=67630863
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910470792.1A Active CN110166236B (en) | 2019-05-31 | 2019-05-31 | Key processing method, device and system and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110166236B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111159732A (en) * | 2019-12-16 | 2020-05-15 | 佛山科学技术学院 | Safety data storage device |
CN111327637A (en) * | 2020-03-10 | 2020-06-23 | 时时同云科技(成都)有限责任公司 | Service key management method and system |
CN112422293A (en) * | 2020-11-27 | 2021-02-26 | 苏博云科数字认证有限公司 | Key generation method, device and information processing method |
WO2023240866A1 (en) * | 2022-06-16 | 2023-12-21 | 北京智芯半导体科技有限公司 | Cipher card and root key protection method therefor, and computer readable storage medium |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1185024A2 (en) * | 2000-08-29 | 2002-03-06 | International Business Machines Corporation | System, method, and program for managing a user key used to sign a message for a data processing system |
US20030161476A1 (en) * | 2000-06-16 | 2003-08-28 | Fransdonk Robert W. | Method and system to store and distribute encryption keys |
CN101311942A (en) * | 2007-05-23 | 2008-11-26 | 西门子(中国)有限公司 | Software encryption and decryption method and encryption and decryption device |
CN105933113A (en) * | 2016-06-13 | 2016-09-07 | 北京三未信安科技发展有限公司 | Secret key backup recovering method and system, and related devices |
CN106301774A (en) * | 2015-05-29 | 2017-01-04 | 联芯科技有限公司 | Safety chip, its encryption key generate method and encryption method |
CN106330868A (en) * | 2016-08-14 | 2017-01-11 | 北京数盾信息科技有限公司 | Encrypted storage key management system and method of high-speed network |
CN107317677A (en) * | 2017-05-25 | 2017-11-03 | 苏州科达科技股份有限公司 | Key storage and equipment identities authentication method, device |
US20180144114A1 (en) * | 2011-08-09 | 2018-05-24 | Michael Stephen Fiske | Securing Blockchain Transactions Against Cyberattacks |
CN108632295A (en) * | 2018-05-09 | 2018-10-09 | 湖南东方华龙信息科技有限公司 | The method for preventing terminal attack server repeatedly |
CN109088729A (en) * | 2018-09-28 | 2018-12-25 | 北京金山安全软件有限公司 | Key storage method and device |
CN109768862A (en) * | 2019-03-12 | 2019-05-17 | 北京深思数盾科技股份有限公司 | A kind of key management method, key call method and cipher machine |
-
2019
- 2019-05-31 CN CN201910470792.1A patent/CN110166236B/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030161476A1 (en) * | 2000-06-16 | 2003-08-28 | Fransdonk Robert W. | Method and system to store and distribute encryption keys |
EP1185024A2 (en) * | 2000-08-29 | 2002-03-06 | International Business Machines Corporation | System, method, and program for managing a user key used to sign a message for a data processing system |
CN101311942A (en) * | 2007-05-23 | 2008-11-26 | 西门子(中国)有限公司 | Software encryption and decryption method and encryption and decryption device |
US20180144114A1 (en) * | 2011-08-09 | 2018-05-24 | Michael Stephen Fiske | Securing Blockchain Transactions Against Cyberattacks |
CN106301774A (en) * | 2015-05-29 | 2017-01-04 | 联芯科技有限公司 | Safety chip, its encryption key generate method and encryption method |
CN105933113A (en) * | 2016-06-13 | 2016-09-07 | 北京三未信安科技发展有限公司 | Secret key backup recovering method and system, and related devices |
CN106330868A (en) * | 2016-08-14 | 2017-01-11 | 北京数盾信息科技有限公司 | Encrypted storage key management system and method of high-speed network |
CN107317677A (en) * | 2017-05-25 | 2017-11-03 | 苏州科达科技股份有限公司 | Key storage and equipment identities authentication method, device |
CN108632295A (en) * | 2018-05-09 | 2018-10-09 | 湖南东方华龙信息科技有限公司 | The method for preventing terminal attack server repeatedly |
CN109088729A (en) * | 2018-09-28 | 2018-12-25 | 北京金山安全软件有限公司 | Key storage method and device |
CN109768862A (en) * | 2019-03-12 | 2019-05-17 | 北京深思数盾科技股份有限公司 | A kind of key management method, key call method and cipher machine |
Non-Patent Citations (3)
Title |
---|
MENGMENG LING: "Design of Monitor and Protect Circuits against FIB Attack on Chip Security", 《IEEE》 * |
吕远方: "基于秘密共享的无线传感器网络组密钥管理方案", 《微计算机应用》 * |
张勇: "密钥管理中的若干问题研究", 《中国博士学位论文全文数据库》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111159732A (en) * | 2019-12-16 | 2020-05-15 | 佛山科学技术学院 | Safety data storage device |
CN111327637A (en) * | 2020-03-10 | 2020-06-23 | 时时同云科技(成都)有限责任公司 | Service key management method and system |
CN111327637B (en) * | 2020-03-10 | 2022-12-02 | 时时同云科技(成都)有限责任公司 | Service key management method and system |
CN112422293A (en) * | 2020-11-27 | 2021-02-26 | 苏博云科数字认证有限公司 | Key generation method, device and information processing method |
CN112422293B (en) * | 2020-11-27 | 2023-09-05 | 苏博云科数字认证有限公司 | Key generation method, device and information processing method |
WO2023240866A1 (en) * | 2022-06-16 | 2023-12-21 | 北京智芯半导体科技有限公司 | Cipher card and root key protection method therefor, and computer readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN110166236B (en) | 2022-01-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109933995B (en) | User sensitive data protection and system based on cloud service and block chain | |
CN110166236A (en) | Cipher key processing method, device and system and electronic equipment | |
CN100487715C (en) | Date safety storing system, device and method | |
US10187200B1 (en) | System and method for generating a multi-stage key for use in cryptographic operations | |
CA2754268C (en) | Split key secure access system | |
CN111131278B (en) | Data processing method and device, computer storage medium and electronic equipment | |
US20130145169A1 (en) | Efficient authentication for mobile and pervasive computing | |
US8904195B1 (en) | Methods and systems for secure communications between client applications and secure elements in mobile devices | |
US20150215117A1 (en) | White box encryption apparatus and method | |
CN109768862B (en) | A kind of key management method, key call method and cipher machine | |
CN104468089A (en) | Data protecting apparatus and method thereof | |
US20120063592A1 (en) | Apparatus for encrypting data | |
US20160013933A1 (en) | Order-preserving encryption system, device, method, and program | |
CN110995720B (en) | Encryption method, device, host terminal and encryption chip | |
CN108462574A (en) | A kind of lightweight cipher encrypting method and system | |
KR20070085129A (en) | Encryption processing method and encryption processing device | |
CN112865957A (en) | Data encryption transmission method and device, computer target equipment and storage medium | |
CN210955077U (en) | Bus encryption and decryption device based on state cryptographic algorithm and PUF | |
US20080165954A1 (en) | System for encrypting and decrypting data using derivative equations and factors | |
JPH1139082A (en) | Keyboard device having security function and method therefor | |
Pandian et al. | Dynamic Hash key‐based stream cipher for secure transmission of real time ECG signal | |
CN114785527B (en) | Data transmission method, device, equipment and storage medium | |
CN109936448A (en) | A kind of data transmission method and device | |
CN115396179A (en) | Data transmission method, device, medium and equipment based on block chain | |
CN112910630B (en) | Method and device for replacing expanded key |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |