CN110855429A - Software key protection method based on TPM - Google Patents


Info

Publication number
CN110855429A
Authority
CN
China
Prior art keywords
key
tpm
user
encryption
tpm2
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911138546.2A
Other languages
Chinese (zh)
Inventor
周强
孙群
李珏莹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Szambo Micro Information Technology Co Ltd
Original Assignee
Shanghai Szambo Micro Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Szambo Micro Information Technology Co Ltd
Priority to CN201911138546.2A
Publication of CN110855429A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The invention discloses a TPM-based software key protection method comprising key generation, key encrypted storage, key use and key recovery. Key generation: when the application software needs to generate a key, the user is first required to enter a user password, which the user memorizes. The password and a salt are passed through the PBKDF2 algorithm to produce a key seed; the salt value is the fixed word 'menmonic'. A HASH algorithm is then applied to the seed to produce the user key (USERKEY). At this point the generated user key is still a plaintext key, and the plaintext key must be deleted after it has been encrypted. Generating the encryption key from the user password in this way serves to recover the key after it is lost. Advantages: the method protects the key securely, is convenient for software development, and is highly general.

Description

Software key protection method based on TPM
Technical Field
The invention relates to the technical field of information security, in particular to a software key protection method based on TPM.
Background
For security reasons, some application software needs to use cryptographic algorithms to protect itself or to protect other file data from being read illegally. Almost all such software faces the same problem: how to store the key securely. Application software can only store the key on a general-purpose storage medium such as a disk, and an attacker can easily read the disk to steal the key. On the other hand, with the rise of digital currency, many people are paying attention to and holding digital currency assets. Digital currency is anonymous, and ownership is established by cryptographic principles: whoever holds the private key corresponding to a currency address owns the digital currency assets. At present, most digital wallets store keys locally in plaintext, where they are easily cracked by hackers, so that digital currency assets are stolen.
Without the support of actual hardware security devices, software alone has never been able to solve the key protection problem. Using dedicated security devices increases cost, and the software must be developed specifically for the hardware and bound to it, so the development cycle of the software and hardware is long and generality is poor. How to protect software keys is therefore a problem to be solved.
An effective solution to the problems in the related art has not been proposed yet.
Disclosure of Invention
Many computers ship from the factory with a trusted platform module (TPM/TPCM). The TPM/TPCM is a security module; trusted computing ensures platform trust through the algorithms and keys implanted in the trusted hardware by the chip manufacturer and through measurement and verification of the system and applications by an integrated dedicated microcontroller. Trusted chips generally reach the EAL 4+ security level, and the likelihood of the chip being cracked is extremely low. Because the trusted platform module is mostly pre-installed on the computer and supported by the lower layers of the operating system, software can easily access and use it. The invention therefore aims to provide a method for protecting keys using the TPM.
To achieve this purpose, the invention provides the following technical solution: a TPM-based software key protection method comprising key generation, key encrypted storage, key use and key recovery.
Further, generation of the key: when the application software needs to generate a key, the user is first required to enter a user password, which the user memorizes. The password and a salt are passed through the PBKDF2 algorithm to produce a key seed; the salt value is the fixed word 'menmonic'. A HASH algorithm is then applied to the seed to produce the user key (USERKEY). At this point the generated user key is still a plaintext key, and the plaintext key must be deleted after it has been encrypted. Generating the encryption key from the user password in this way serves to recover the key after it is lost.
Further, encrypted storage of the key: the TPM calls TPM_INIT to perform initialization, and TPM2_STARTUP is then executed to start the TPM. The TPM self-test command TPM2_SELFTESTFULL is executed to check whether the TPM is working normally; if it is not, an error code is returned to the system program and the system sends a warning to the user. The TPM2_CREATEPRIMARY command is executed to create the TPM master key (SRK). The TPM2_Create command is executed to generate an encryption key (VMK), with the key type set to storage, the cipher type set to AES, the key migration type set to migratable, and the SRK as the parent key. TPM2_LOAD is executed to load the VMK, and TPM2_EVICTCONTROL is used to store it persistently.
Further, TPM2_ENCRYPTDECRYPT is executed to encrypt the user key with the VMK, yielding the encrypted key data UserKey.encrypted; the user key is then deleted, and the encrypted key data may be stored on the disk.
Further, use of the key: when the application software needs to encrypt or decrypt data with the key, the TPM module decrypts UserKey.encrypted by executing the TPM2_ENCRYPTDECRYPT command to recover the user key USERKEY, and the software loads USERKEY to carry out the data encryption and decryption.
Further, recovery of the key: when the encrypted user key data is lost or deleted, key generation and key encrypted storage are executed again.
Compared with the prior art, the invention has the following beneficial effects: the method of the invention can safely protect the secret key, and has convenient software development and high universality.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram illustrating a key generation flow of a TPM-based software key protection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating a key encryption storage flow of a TPM-based software key protection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a key usage flow of a TPM-based software key protection method according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and the detailed description.
Referring to FIGS. 1-3, a TPM-based software key protection method according to an embodiment of the present invention includes key generation, key storage, key usage, and key recovery.
Referring to FIG. 1, key generation: when the application software needs to generate a key, the user is first required to enter a user password, which the user memorizes. The password and a salt are passed through the PBKDF2 algorithm to produce a key seed; the salt value is the fixed word 'menmonic'. A HASH algorithm is then applied to the seed to produce the user key (USERKEY). At this point the generated user key is still a plaintext key, and the plaintext key must be deleted after it has been encrypted. Generating the encryption key from the user password in this way serves to recover the key after it is lost.
Referring to FIG. 2, encrypted storage of the key: the TPM calls TPM_INIT to perform initialization, and TPM2_STARTUP is then executed to start the TPM. The TPM self-test command TPM2_SELFTESTFULL is executed to check whether the TPM is working normally; if it is not, an error code is returned to the system program and the system sends a warning to the user. The TPM2_CREATEPRIMARY command is executed to create the TPM master key (SRK). The TPM2_Create command is executed to generate an encryption key (VMK), with the key type set to storage, the cipher type set to AES, the key migration type set to migratable, and the SRK as the parent key. TPM2_LOAD is executed to load the VMK, and TPM2_EVICTCONTROL is used to store it persistently. TPM2_ENCRYPTDECRYPT is executed to encrypt the user key with the VMK and obtain the encrypted key data UserKey.
Referring to FIG. 3, use of the key: when the application software needs to encrypt or decrypt data with the key, the TPM module decrypts UserKey.encrypted by executing the TPM2_ENCRYPTDECRYPT command to recover the user key USERKEY, and the software loads USERKEY to carry out the data encryption and decryption.
Referring to FIGS. 1-2, key recovery: when the encrypted user key data is lost or deleted, key generation and key encrypted storage are executed again.
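The key generation and key recovery steps described above, as an added example that is not code from the patent. The PBKDF2 PRF, iteration count, seed length, SHA-256 as the HASH algorithm and all function names are assumptions, since the page names only PBKDF2, a HASH algorithm and the salt 'menmonic'. It also shows what the fixed salt implies: every user who picks the same password derives the same USERKEY, while a stored per-user salt avoids that at the cost of password-only recovery.

```python
import hashlib
import os
import unicodedata
from typing import Optional, Tuple

FIXED_SALT = b"menmonic"   # fixed salt word, spelled exactly as on the page
PRF = "sha512"             # assumption: the page names PBKDF2 but no PRF
ITERATIONS = 210_000       # assumption: the page gives no iteration count
SEED_LEN = 64              # assumption: seed length in bytes


def derive_seed(password: str, salt: bytes = FIXED_SALT) -> bytes:
    """Password + salt -> key seed via PBKDF2."""
    # NFKD-normalise so the same password typed on another keyboard or OS
    # (composed vs. decomposed accents) still recovers the same key.
    pw = unicodedata.normalize("NFKD", password).encode("utf-8")
    return hashlib.pbkdf2_hmac(PRF, pw, salt, ITERATIONS, dklen=SEED_LEN)


def derive_user_key(password: str, salt: bytes = FIXED_SALT) -> bytes:
    """Seed -> USERKEY via a hash (SHA-256 assumed, giving 32 bytes)."""
    return hashlib.sha256(derive_seed(password, salt)).digest()


def recover_user_key(password: str) -> bytes:
    """Key recovery as described: re-run key generation from the password."""
    return derive_user_key(password)


def derive_user_key_salted(password: str,
                           salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Variant with a random per-user salt. The salt is not secret but must
    be stored, otherwise recovery from the password alone is impossible."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, derive_user_key(password, salt)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Do two independent users choosing `password` end up with one key?
    Returns (with the fixed salt, with per-user random salts)."""
    fixed = derive_user_key(password) == derive_user_key(password)
    _, key_a = derive_user_key_salted(password)
    _, key_b = derive_user_key_salted(password)
    return fixed, key_a == key_b


if __name__ == "__main__":
    pw = "constructed example passphrase"   # constructed sample input
    key = derive_user_key(pw)
    print("USERKEY length in bytes:", len(key))
    print("recovered key matches:", recover_user_key(pw) == key)
    print("collision (fixed salt, per-user salt):", same_password_collides(pw))
```

In the described scheme the plaintext USERKEY returned here is what the TPM-resident VMK encrypts before the plaintext copy is deleted.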
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that various changes, modifications and substitutions can be made without departing from the spirit and scope of the invention as defined by the appended claims. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. A TPM-based software key protection method, characterized by comprising key generation, key encrypted storage, key use and key recovery.
2. The TPM-based software key protection method according to claim 1, wherein the generation of the key: when the application software needs to generate a key, the user is first required to enter a user password, which the user memorizes; the password and a salt are passed through the PBKDF2 algorithm to produce a key seed, the salt value being the fixed word 'menmonic'; a HASH algorithm is then applied to the seed to produce the user key (USERKEY); at this point the generated user key is still a plaintext key, and the plaintext key must be deleted after it has been encrypted; generating the encryption key from the user password in this way serves to recover the key after it is lost.
3. The TPM-based software key protection method according to claim 1, wherein the encrypted storage of the key: the TPM calls TPM_INIT to perform initialization, and TPM2_STARTUP is then executed to start the TPM; the TPM self-test command TPM2_SELFTESTFULL is executed to check whether the TPM is working normally, and if it is not, an error code is returned to the system program and the system sends a warning to the user; the TPM2_CREATEPRIMARY command is executed to create the TPM master key (SRK); the TPM2_Create command is executed to generate an encryption key (VMK), with the key type set to storage, the cipher type set to AES, the key migration type set to migratable, and the SRK as the parent key; TPM2_LOAD is executed to load the VMK, and TPM2_EVICTCONTROL is used to store it persistently.
4. The TPM-based software key protection method according to claim 3, wherein TPM2_ENCRYPTDECRYPT is executed to encrypt the user key with the VMK and obtain the encrypted key data UserKey.
5. The TPM-based software key protection method according to claim 1, wherein the use of the key: when the application software needs to encrypt or decrypt data with the key, the TPM module decrypts UserKey.encrypted by executing the TPM2_ENCRYPTDECRYPT command to recover the user key USERKEY, and the software loads USERKEY to carry out the data encryption and decryption.
6. The TPM-based software key protection method according to claim 1, wherein the recovery of the key: when the encrypted user key data is lost or deleted, key generation and key encrypted storage are executed again.
CN201911138546.2A 2019-11-20 2019-11-20 Software key protection method based on TPM Pending CN110855429A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911138546.2A CN110855429A (en) 2019-11-20 2019-11-20 Software key protection method based on TPM

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911138546.2A CN110855429A (en) 2019-11-20 2019-11-20 Software key protection method based on TPM

Publications (1)

Publication Number Publication Date
CN110855429A (en) 2020-02-28

Family

ID=69602394

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911138546.2A Pending CN110855429A (en) 2019-11-20 2019-11-20 Software key protection method based on TPM

Country Status (1)

Country Link
CN (1) CN110855429A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111967864A (en) * 2020-09-02 2020-11-20 上海思赞博微信息科技有限公司 Wallet integrating trusted computing chip with digital currency and working process thereof
CN113609497A (en) * 2021-06-30 2021-11-05 荣耀终端有限公司 Data protection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102236756A (en) * 2011-05-09 2011-11-09 山东超越数控电子有限公司 File encryption method based on TCM (trusted cryptography module) and USBkey
CN105245334A (en) * 2015-10-28 2016-01-13 武汉大学 TPM secret key and authorized data backup recovery system and method thereof
CN106027503A (en) * 2016-05-09 2016-10-12 浪潮集团有限公司 Cloud storage data encryption method based on TPM
US20170230179A1 (en) * 2016-02-05 2017-08-10 Mohammad Mannan Password triggered trusted encrytpion key deletion
CN108133144A (en) * 2017-12-22 2018-06-08 浪潮(北京)电子信息产业有限公司 A kind of virtual disk files guard method, device, equipment and readable storage medium storing program for executing
US20180287792A1 (en) * 2017-03-28 2018-10-04 Alibaba Group Holding Limited Method and system for protecting data keys in trusted computing


Similar Documents

Publication Publication Date Title
US11263020B2 (en) System and method for wiping encrypted data on a device having file-level content protection
EP3678324B1 (en) Method and apparatus for encrypting and decrypting product information
US8315394B2 (en) Techniques for encrypting data on storage devices using an intermediate key
US9043610B2 (en) Systems and methods for data security
US8181028B1 (en) Method for secure system shutdown
Deshmukh et al. Transparent Data Encryption--Solution for Security of Database Contents
CN102262599B (en) Trusted root-based portable hard disk fingerprint identification method
CN110855430B (en) Computing system and method for managing a secure object store in a computing system
CN104012030A (en) Systems and methods for protecting symmetric encryption keys
CN101523399A (en) Methods and systems for modifying an integrity measurement based on user athentication
CN102207999A (en) Data protection method based on trusted computing cryptography support platform
CN104618096A (en) Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center
CN110874726A (en) TPM-based digital currency security protection method
CN107908574A (en) The method for security protection of solid-state disk data storage
EP2108145A2 (en) Protecting secrets in an untrusted recipient
KR20230175184A (en) Computer file security encryption methods, decryption methods and readable storage media
CN110855429A (en) Software key protection method based on TPM
CN102769525B (en) The user key backup of a kind of TCM and restoration methods
CN101692266A (en) Method of intensively encrypting and protecting files by using hidden partition (HPA) and CPU ID
Loftus et al. Android 7 file based encryption and the attacks against it
US20230327855A1 (en) System and method for protecting secret data items using multiple tiers of encryption and secure element
CN100531032C (en) Method for storing cipher key
KR20080096054A (en) Method for writing data by encryption and reading the data thereof
CN201479144U (en) Key migrating system of trusted computing platform
US11283600B2 (en) Symmetrically encrypt a master passphrase key

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200228