CN110233723B - Secondary key management method and security chip - Google Patents

Info

Publication number: CN110233723B
Authority: CN (China)
Prior art keywords: storage area, key, primary, management key, data
Legal status: Active
Application number: CN201910350078.9A
Other languages: Chinese (zh)
Other versions: CN110233723A (en)
Inventors: 林龙, 刘峰
Current Assignee: Newland Fujian Public Service Co ltd
Original Assignee: Newland Fujian Public Service Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The invention provides a secondary key management method in the field of data security, comprising: step S10, creating a primary storage area and a secondary storage area, the primary storage area being used for storing first data and a first key, and the secondary storage area being used for storing second data and a second key; step S20, creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key; and step S30, managing the primary storage area and the secondary storage area according to the authority. The advantage of the invention is that keys are managed hierarchically, which improves both the security of the device and the flexibility of service development.

Description

Secondary key management method and security chip
Technical Field
The present invention relates to the field of data security, and in particular, to a secondary key management method and a security chip.
Background
The key (Ukey/token) is the core of an entire encryption system and serves as an electronic key for identity authentication. A key can be stored in a person's memory, on a magnetic stripe card, on a smart card or in device memory, and the security of encryption ultimately depends on the key. With the development of science and technology, cryptographic keys are widely used in various industries.
However, a conventional Ukey is generally issued uniformly by a single organization and supports only simple data encryption, decryption, signing and signature verification. It is a standalone device that is inserted into the target device when identity authentication is required, and no fixed binding exists between the Ukey and the target device. As application scenarios diversify, the conventional Ukey falls short in specific scenarios: for example, devices that use the Ukey cannot be managed hierarchically, with different permissions set for each level, so as to better develop services.
Therefore, how to provide a security chip and a key management method that support hierarchical management, so as to satisfy the security requirements of specific scenarios, is a problem in urgent need of a solution.
Disclosure of Invention
One of the technical problems to be solved by the present invention is to provide a secondary key management method that implements hierarchical management of keys, thereby improving the security of the device and the flexibility of service development.
The invention solves the first technical problem as follows: a secondary key management method, comprising the following steps:
step S10, creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key;
step S20, creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key;
step S30, managing the primary storage area and the secondary storage area according to the authority.
Further, step S20 specifically includes:
step S21, creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area;
step S22, setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.
Further, step S21 specifically includes:
creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the primary storage area and the secondary storage area are permanently locked; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the secondary storage area is permanently locked.
Further, step S30 specifically includes:
managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
and managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key.
The second technical problem to be solved by the present invention is to provide a secondary key management method that implements hierarchical management of keys, thereby improving the security of the device and the flexibility of service development.
The invention solves the second technical problem as follows: a secondary key management security chip, comprising the following modules:
the storage area creating module is used for creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key;
the entry management key creating module is used for creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key;
and the storage area management module is used for managing the primary storage area and the secondary storage area according to the authority.
Further, the entry management key creating module specifically includes:
the entry management key creating unit, used for creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area;
the authority setting unit, used for setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.
Further, the entry management key creating unit is specifically used for:
creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the primary storage area and the secondary storage area are permanently locked; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the secondary storage area is permanently locked.
Further, the storage area management module is specifically used for:
managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
and managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key.
The advantages of the invention are as follows: hierarchical management is implemented through the primary storage area and the secondary storage area of the security chip. The primary entry management key manages the data of the primary storage area, the first key and the secondary entry management key, and the secondary entry management key manages the data of the secondary storage area and the second key. As a result, a central organization holding the primary entry management key can uniformly manage and control all devices that integrate the security chip, and a branch organization holding the secondary entry management key can adjust the data stored in the secondary storage area according to its own service requirements.
Drawings
The invention will be further described with reference to the following examples with reference to the accompanying drawings.
FIG. 1 is a flow chart of a secondary key management method of the present invention.
FIG. 2 is a schematic diagram of secondary management of a secondary key management security chip according to the present invention.
Detailed Description
Referring to FIG. 1 and FIG. 2, a preferred embodiment of a secondary key management method according to the present invention includes the following steps:
step S10, creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key; the primary storage area and the secondary storage area are stored and used independently of each other; the first data, the second data, the first key and the second key are invoked through instructions;
step S20, creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key;
step S30, managing the primary storage area and the secondary storage area according to the authority.
Step S20 specifically includes:
step S21, creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area;
step S22, setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.
Step S21 specifically includes:
creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the primary storage area and the secondary storage area are permanently locked; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the secondary storage area is permanently locked. For example, the first number is set to 3 and the second number is set to 10, so locking occurs after 3 consecutive or 10 cumulative authentication failures.
Step S30 specifically includes:
managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
and managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key.
The first preferred embodiment of the secondary key management security chip of the present invention includes the following modules:
the storage area creating module is used for creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key; the primary storage area and the secondary storage area are stored and used independently of each other; the first data, the second data, the first key and the second key are invoked through instructions; the instruction format includes at least essential elements such as the storage area number, the data segment number and the key number;
the entry management key creating module is used for creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key;
and the storage area management module is used for managing the primary storage area and the secondary storage area according to the authority.
Further, the entry management key creating module specifically includes:
the entry management key creating unit, used for creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area;
the authority setting unit, used for setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.
Further, the entry management key creating unit is specifically used for:
creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the primary storage area and the secondary storage area are permanently locked; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, the secondary storage area is permanently locked. For example, the first number is set to 3 and the second number is set to 10, so locking occurs after 3 consecutive or 10 cumulative authentication failures.
Further, the storage area management module is specifically used for:
managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
and managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key.
The security chip is a hardware product that integrates functions such as key management and cryptographic algorithms. It offers good security and strong resistance to attack, and is infrastructure for protecting the security of data communication and storage in industries such as finance, government affairs, public security and commerce. The security chip encapsulates sensitive data, keys and cryptographic algorithms in a black box. Under the strict control of the keys at each level, external parties can only input data according to the interface specification and either obtain readable data or invoke the relevant encryption, decryption, digital signature and signature verification functions, finally obtaining the operation result as output. The sensitive data, protection keys and cryptographic algorithms inside the security chip cannot be peeked at, stolen or damaged from outside. The security of the security chip ensures that a user can obtain data operation functions and cryptographic operation functions within the authorized scope, and prevents the user from illegally obtaining secrets and capabilities outside the authorized scope.
The secondary key management security chip is bound to the device by soldering it onto the mainboard, so that it forms an identifying feature of the device, and it provides data protection, algorithm acceleration and attack resistance at the same level as a Ukey.
The second preferred embodiment of the secondary key management security chip of the present invention:
Company A produces a security authentication device D with a built-in secondary key management security chip. The headquarters of organization B, which manages the security authentication devices D, uniformly initializes and provisions the security chip of each security authentication device D: it sets the primary entry management key of the primary storage area, writes the code of organization B and a private key for headquarters communication into the primary storage area, and presets a secondary entry management key for the secondary storage area. When a provisioned security authentication device D is handed over to a provincial branch of organization B, the branch is informed of the secondary entry management key. Using the secondary entry management key, the branch can write its own information, service codes and other application keys into the secondary storage area and develop various service applications.
Because of the hierarchical authority management mechanism, the branch can read the code of organization B from the primary storage area of the security authentication device D and can exchange data directly with the headquarters using the private key for headquarters communication. However, the branch cannot modify the code or the private key for headquarters communication stored in the primary storage area, so the security authentication device D cannot be altered and then used outside organization B. The branch holds the secondary entry management key and can modify the data in the secondary storage area at any time, so it can conveniently change and reset the security authentication device D within the scope of the branch to develop various service applications.
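The following C sketch is an added example, not code from the patent or its assignee: it models the lockout rule of step S21 (3 consecutive or 10 cumulative failures, the example values given above) together with the headquarters/branch permissions of the second embodiment. All type and function names, the 16-byte key length, the treatment of identity authentication as presenting the current entry management key, and the modelling of the primary key's use right over the secondary key as full access to the secondary area are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16         /* assumed key length */
#define MAX_CONSECUTIVE 3  /* "first number" in the embodiment */
#define MAX_CUMULATIVE 10  /* "second number" in the embodiment */
enum level { PRIMARY = 0, SECONDARY = 1 };
enum op { OP_READ, OP_WRITE };

struct zone {
    uint8_t entry_key[KEY_LEN]; /* entry management key guarding this area */
    uint8_t data[32];           /* stands in for the area's data and keys */
    unsigned consecutive_fail, cumulative_fail;
    bool locked;                /* permanent: no code path clears it */
};
struct chip { struct zone z[2]; };

/* Constant-time compare so timing does not reveal how many bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Initial provisioning: set both entry management keys, zero all counters. */
void chip_init(struct chip *c, const uint8_t *k1, const uint8_t *k2)
{
    memset(c, 0, sizeof *c);
    memcpy(c->z[PRIMARY].entry_key, k1, KEY_LEN);
    memcpy(c->z[SECONDARY].entry_key, k2, KEY_LEN);
}

/* Identity authentication against one level's entry management key.
   Assumption: every failure counts, whether it guards a reset or a write. */
bool authenticate(struct chip *c, enum level lv, const uint8_t *key)
{
    struct zone *z = &c->z[lv];
    if (z->locked)
        return false;
    if (ct_equal(z->entry_key, key, KEY_LEN)) {
        z->consecutive_fail = 0; /* the cumulative count is never cleared */
        return true;
    }
    z->consecutive_fail++;
    z->cumulative_fail++;
    if (z->consecutive_fail >= MAX_CONSECUTIVE || z->cumulative_fail >= MAX_CUMULATIVE) {
        z->locked = true;
        if (lv == PRIMARY) /* a primary lockout takes the secondary area too */
            c->z[SECONDARY].locked = true;
    }
    return false;
}

/* Reset an entry management key; failed attempts feed the lockout counters. */
bool reset_entry_key(struct chip *c, enum level lv, const uint8_t *old_key,
                     const uint8_t *new_key)
{
    if (!authenticate(c, lv, old_key))
        return false;
    memcpy(c->z[lv].entry_key, new_key, KEY_LEN);
    return true;
}

/* Policy: may the holder of `holder`'s key perform `op` on area `target`?
   Assumption: the primary key holder has full access to the secondary area. */
bool authorized(const struct chip *c, enum level holder, enum level target, enum op op)
{
    if (c->z[target].locked)
        return false;
    if (holder == PRIMARY || target == SECONDARY)
        return true;
    return op == OP_READ; /* secondary key: read-only on the primary area */
}

/* Authenticate, check policy, then write into the target area. */
bool area_write(struct chip *c, enum level holder, const uint8_t *key,
                enum level target, const uint8_t *src, size_t len)
{
    if (len > sizeof c->z[target].data)
        return false;
    if (!authenticate(c, holder, key) || !authorized(c, holder, target, OP_WRITE))
        return false;
    memcpy(c->z[target].data, src, len);
    return true;
}

int main(void)
{
    const uint8_t hq[KEY_LEN] = {0x11}, br[KEY_LEN] = {0x22}; /* constructed */
    struct chip c;
    chip_init(&c, hq, br);
    printf("branch -> secondary: %d\n", area_write(&c, SECONDARY, br, SECONDARY, br, 4));
    printf("branch -> primary:   %d\n", area_write(&c, SECONDARY, br, PRIMARY, br, 4));
    return 0;
}
```

Keeping the cumulative counter separate from the consecutive one is what stops an attacker from interleaving guesses with legitimate successful authentications: a success clears only the consecutive count.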
In conclusion, the advantages of the invention are as follows: hierarchical management is implemented through the primary storage area and the secondary storage area of the security chip; the primary entry management key manages the data of the primary storage area, the first key and the secondary entry management key, and the secondary entry management key manages the data of the secondary storage area and the second key.
Although specific embodiments of the invention have been described above, it will be understood by those skilled in the art that the specific embodiments described are illustrative only and are not limiting upon the scope of the invention, and that equivalent modifications and variations can be made by those skilled in the art without departing from the spirit of the invention, which is to be limited only by the appended claims.

Claims (2)

1. A secondary key management method, characterized in that the method comprises the following steps:
step S10, creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key; the primary storage area and the secondary storage area are stored and used independently of each other;
step S20, creating a primary entry management key and a secondary entry management key, and setting the authority of the primary entry management key and the secondary entry management key;
step S30, managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key;
wherein step S20 specifically includes:
step S21, creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, permanently locking the primary storage area and the secondary storage area; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, permanently locking the secondary storage area;
step S22, setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.
2. A secondary key management security chip, characterized in that the security chip comprises the following modules:
the storage area creating module is used for creating a primary storage area and a secondary storage area; the primary storage area is used for storing first data and a first key, and the secondary storage area is used for storing second data and a second key; the primary storage area and the secondary storage area are stored and used independently of each other;
the entry management key creating module is used for creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area, and setting a first number of times and a second number of times; when the primary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, permanently locking the primary storage area and the secondary storage area; when the secondary entry management key is reset, if identity authentication fails consecutively the first number of times or fails cumulatively the second number of times, permanently locking the secondary storage area;
the storage area management module is used for managing the access right of the primary storage area, the use right of the first data, the use right of the first key and the use right of the secondary entry management key according to the authority of the primary entry management key;
and managing the access right of the secondary storage area, the use right of the second data and the use right of the second key according to the authority of the secondary entry management key;
the entry management key creating module specifically includes:
the entry management key creating unit, used for creating a primary entry management key for the primary storage area and a secondary entry management key for the secondary storage area;
the authority setting unit, used for setting the authority of the primary entry management key to manage the access right of the primary storage area and the use rights of the first data, the first key and the secondary entry management key; and setting the authority of the secondary entry management key to manage the access right of the secondary storage area and the use rights of the second data and the second key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910350078.9A CN110233723B (en) 2019-04-28 2019-04-28 Secondary key management method and security chip

Publications (2)

Publication Number Publication Date
CN110233723A 2019-09-13
CN110233723B 2023-02-14

Family

ID=67860341

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant