CN111490876A - Communication method based on USB KEY and USB KEY - Google Patents
Communication method based on USB KEY and USB KEY Download PDFInfo
- Publication number
- CN111490876A CN111490876A CN202010259796.8A CN202010259796A CN111490876A CN 111490876 A CN111490876 A CN 111490876A CN 202010259796 A CN202010259796 A CN 202010259796A CN 111490876 A CN111490876 A CN 111490876A
- Authority
- CN
- China
- Prior art keywords
- key
- system service
- csp system
- usb key
- operation result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The embodiment of the application discloses a communication method based on USB KEY and the USB KEY, wherein the method comprises the following steps: the USB KEY generates a symmetric KEY, the symmetric KEY is encrypted by an RSA public KEY, and an encrypted first operation result is sent to a CSP system service of an encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY; receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service; and comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allowing the USB Key and the CSP system service to establish an encryption channel. The communication safety of the USB KEY is guaranteed.
Description
Technical Field
The embodiment of the application relates to the field of information security, in particular to a communication method based on USB KEY and USBKEY.
Background
The USB Key is developed from the smart card technology, is a new generation identity authentication product combining the modern cryptography technology, the smart card technology and the USB technology, and is a good carrier for network user identity authentication identification and data protection. The USB Key can internally generate a private Key, realizes the safe storage of the private Key and has non-exportability. The method can rapidly complete the cryptographic algorithm, including symmetric encryption and decryption, asymmetric encryption and decryption and Hash algorithm, and realize various safety functions such as data encryption and decryption, digital signature verification and the like.
The USB Key is a common device connected to the PC and is open to all processes on the PC. The Trojan attacks the system, namely, the signature of the USB Key is obtained instead of the CSP, so that the identity of the CSP is used for doing something which can only be done by a legal process.
The Key of the attack is to obtain the signature of the USB Key, but the Trojan does not need to obtain the signature after obtaining the private Key, and only needs to obtain the result of the signature. The CSP sends a command to the USB Key, and the Trojan can intercept, modify or even directly send a false command. The USB Key cannot identify the source of the command, and therefore cannot prevent the trojan from obtaining the signature of the private Key.
Disclosure of Invention
Therefore, the embodiment of the application provides a communication method based on the USB KEY, the device and the readable storage medium, and communication safety of the USB KEY is guaranteed.
In order to achieve the above object, the embodiments of the present application provide the following technical solutions:
according to a first aspect of embodiments of the present application, there is provided a communication method based on USB KEY, the method including:
the USB KEY generates a symmetric KEY, the symmetric KEY is encrypted by an RSA public KEY, and an encrypted first operation result is sent to a CSP system service of an encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY;
receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service;
and comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allowing the USB Key and the CSP system service to establish an encryption channel.
Optionally, before the USB KEY generates the symmetric KEY, the method further includes:
and the USB KEY verifies the identity of the CSP system service.
Optionally, the verifying the identity of the CSP system service by the USB KEY includes:
the USB KEY generates a random number and sends the random number to the CSP system service;
receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key;
and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
Optionally, the comparing the second operation result with the symmetric key further includes:
and if the USB Key and the CSP system service are different, the USB Key and the CSP system service are not allowed to establish an encrypted channel, and an alarm message is sent.
According to a second aspect of embodiments of the present application, there is provided a USB KEY, including:
the encryption module is used for generating a symmetric KEY by the USB KEY, encrypting the symmetric KEY by the RSA public KEY and sending an encrypted first operation result to the CSP system service of the encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY;
the message receiving module is used for receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service;
and the verification module is used for comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, the USB Key and the CSP system service are allowed to establish an encryption channel.
Optionally, the USB KEY further includes:
and the CSP verification module is used for verifying the identity of the CSP system service by the USB KEY.
Optionally, the CSP verification module is specifically configured to:
the USB KEY generates a random number and sends the random number to the CSP system service;
receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key;
and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
Optionally, the verification module is further configured to:
and if the second operation result is different from the symmetric Key, not allowing the USB Key and the CSP system service to establish an encrypted channel and sending an alarm message.
According to a third aspect of embodiments herein, there is provided an apparatus comprising: the device comprises a data acquisition device, a processor and a memory;
the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform the method according to any of the above first aspects.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium having one or more program instructions embodied therein for performing the method of any of the first aspects above.
In summary, the embodiment of the present application provides a communication method based on a USB KEY, a device, and a readable storage medium, where a symmetric KEY is generated through the USB KEY, encrypted by an RSA public KEY, and an encrypted first operation result is sent to a CSP system service of an encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY; receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service; and comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allowing the USB Key and the CSP system service to establish an encryption channel. The communication safety of the USB KEY is guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.
Fig. 1 is a schematic overall structure diagram of a USB Key provided in the embodiment of the present application;
fig. 2 is a schematic diagram of an application topology provided in an embodiment of the present application;
fig. 3 is a schematic diagram of another application topology provided in the embodiment of the present application;
fig. 4 is a schematic flowchart of a communication method based on USB KEY according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a USB KEY system according to an embodiment of the present application.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The encryption of the document only solves the problem of confidentiality of the transmitted information, but prevents others from destroying the transmitted document, and needs to adopt other means for determining the identity of the sender, which means is a digital signature. In security and privacy systems, digital signature technology is of particular importance, and is used in source authentication, integrity services, and non-repudiation services in security services.
The present digital signature is based on a public key system, and is another application of public key encryption technology. The main way is that the sender of the message generates a 128-bit hash value (or message digest) from the message text. The sender encrypts this hash value with its own private key to form the sender's digital signature. This digital signature will then be sent to the recipient of the message as an attachment to the message along with the message. The receiver of the message first computes a 128-bit hash value (or message digest) from the original message received, and then decrypts the digital signature appended to the message using the sender's public key. If the two hash values are the same, the receiver can confirm that the digital signature is of the sender. The original message can be identified through the digital signature.
There are three main types of digital signature methods that are widely used, namely: RSA signatures, DSS signatures and Hash signatures. The three algorithms can be used independently or together. The digital signature is realized by encrypting and decrypting data through a cryptographic algorithm.
The digital signature technique in the RSA algorithm is actually implemented by a hash function. The feature of a digital signature is that it represents the characteristics of a document, and if the document changes, the value of the digital signature will also change. Different files will get different digital signatures. One of the simplest hash functions is to accumulate the binary codes of the file, taking the last bits. The hash function is public to both parties sending the data.
The overall structure of the USB Key is composed of a hardware layer, a core driver layer, a standard middleware layer, and an application layer, as shown in fig. 1.
(1) The application layer is developed aiming at the USB Key and used for various applications, such as network login software or a file encryptor and the like.
(2) The standard middleware layer is positioned between the application layer and the device driver, comprises a PKCS # 11 standard interface with cross-platform characteristics and a Cryptographic Service Provider (CSP) interface based on a Windows platform, and is the lowest encryption and decryption interface provided by Microsoft for Windows developers.
(3) The core driver layer refers to a USB driver at the host end. Is a driver developed according to the microsoft defined PC/SC (personal computer/Smart Card) standard so that upper layers can access KEY through the Win32 standard function set. This layer is responsible for coordinating data interaction between the user host and the hardware layer and handling access requests to KEY by upper layer applications.
(4) The hardware layer comprises a hardware circuit, a smart card operating system COS (card operating system) solidified in the chip and a USB driver program at the equipment end. APDU (Application protocol Data Unit) of COS is exchanged between the hardware layer and the user host.
The application topology is shown in figure 2. And the USB Key is directly interacted with a WINDOWS PC terminal.
There may be many external applications, such as remote identity authentication, and the application topology is shown in fig. 3. And the USB Key is interacted with the cloud terminal through a WINDOWS PC terminal.
The USB Key is a common device connected to the PC and is open to all processes on the PC. The Trojan attacks the system, namely, the signature of the USB Key is obtained instead of the CSP, so that the identity of the CSP is used for doing something which can only be done by a legal process. The Key of the attack is to obtain the signature of the USB Key, but the Trojan does not need to obtain the signature after obtaining the private Key, and only needs to obtain the result of the signature. The CSP sends a command to the USB Key, and the Trojan can intercept, modify or even directly send a false command. The USB Key cannot identify the source of the command, and therefore cannot prevent the trojan from obtaining the signature of the private Key.
Fig. 4 shows that the communication method based on the USB KEY according to the embodiment of the present application can effectively prevent such an attack, can establish an encrypted channel between the CSP and the USB KEY, and can guarantee communication security by identifying whether an entity sending a command is legal or not through the USB KEY. The method comprises the following steps:
step 401: the USB KEY generates a symmetric KEY, the symmetric KEY is encrypted by an RSA public KEY, and an encrypted first operation result is sent to a CSP system service of an encryption service provider; wherein, the RSA public KEY is pre-stored in the USB KEY in the initialization stage.
Step 402: receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service.
Step 403: and comparing the second operation result with the symmetric key, and if the second operation result is the same as the symmetric key, allowing the USBKey and the CSP system service to establish an encryption channel.
In a possible embodiment, before step 401, the method further comprises: and the USB KEY verifies the identity of the CSP system service.
In one possible implementation, the verifying the identity of the CSP system service by the USB KEY includes:
the USB KEY generates a random number and sends the random number to the CSP system service; receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key; and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
In a possible implementation manner, in step 403, the method further includes: and if the USB Key and the CSP system service are different, the USB Key and the CSP system service are not allowed to establish an encrypted channel, and an alarm message is sent.
The technical scheme is based on a zero-knowledge proof and digital envelope mechanism of RSA decoding capability. The method specifically comprises the following steps:
(1) the USB Key is preinstalled with an RSA public Key { e, n } in the personalization stage, and the code of the CSP program contains an RSA private Key { d, n }.
(2) And generating a random number C by the USB Key and sending the random number C to the CSP.
(3) CSP calculates with private key d: and M is C ^ d mod n, and M is sent to the USB Key.
(4) And the USB Key verifies that M ^ e mod n is C, so that the communication object is the CSP.
Since the Trojan does not know the RSA private key, the Trojan cannot pass the authentication. On the basis, the USB Key and the CSP can establish an encryption channel through a digital envelope mechanism. The method comprises the following specific steps:
(1) the USB Key internally generates a symmetric Key K for encryption, encrypts K '═ K ^ e mod n by an RSA public Key, and sends K' to the CSP.
(2) And the CSP decrypts the ciphertext by using the RSA private key to obtain a process key K ═ K' ^ d mod n.
Through the two mechanisms, the identity authentication of the CSP and the USB Key is realized, the identity legality of an entity sending a command is ensured, and a process Key generated at the same time can enable an encrypted channel to be established between the CSP and the USB Key. Thereby defending against trojan attacks.
In the system application of the Windows PC realized by the USB Key, the invention can be adopted to strengthen the system security and help the USB Key to resist the Trojan attack, because anyone can not ensure that the Windows PC can not infect the Trojan virus.
To sum up, the embodiment of the present application provides a communication method based on USB KEY, which generates a symmetric KEY through USB KEY, encrypts the symmetric KEY by RSA public KEY, and sends the encrypted first operation result to the CSP system service of the encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY; receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service; and comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allowing the USB Key and the CSP system service to establish an encryption channel. The communication safety of the USB KEY is guaranteed.
Based on the same technical concept, an embodiment of the present application further provides a USB KEY, as shown in fig. 5, where the USB KEY includes:
the encryption module 501 is used for generating a symmetric KEY by the USB KEY, encrypting the symmetric KEY by the RSA public KEY, and sending an encrypted first operation result to the CSP system service of the encryption service provider; wherein, the RSA public KEY is pre-stored in the USB KEY in the initialization stage.
A message receiving module 502, configured to receive a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service.
The checking module 503 is configured to compare the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allow the USB Key and the CSP system service to establish an encrypted channel.
In one possible implementation, the USB KEY further includes: and the CSP verification module is used for verifying the identity of the CSP system service by the USB KEY.
In a possible implementation manner, the CSP verification module is specifically configured to: the USB KEY generates a random number and sends the random number to the CSP system service; receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key; and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
In a possible implementation manner, the checking module 503 is further configured to: and if the second operation result is different from the symmetric Key, not allowing the USB Key and the CSP system service to establish an encrypted channel and sending an alarm message.
Based on the same technical concept, an embodiment of the present application further provides an apparatus, including: the device comprises a data acquisition device, a processor and a memory; the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor is configured to execute one or more program instructions to perform the method according to any of the above methods.
Based on the same technical concept, the embodiment of the present application further provides a computer-readable storage medium, wherein the computer-readable storage medium contains one or more program instructions, and the one or more program instructions are used for executing the method according to any one of the above methods.
In the present specification, each embodiment of the method is described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. Reference is made to the description of the method embodiments.
It is noted that while the operations of the methods of the present invention are depicted in the drawings in a particular order, this is not a requirement or suggestion that the operations must be performed in this particular order or that all of the illustrated operations must be performed to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
Although the present application provides method steps as in embodiments or flowcharts, additional or fewer steps may be included based on conventional or non-inventive approaches. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an apparatus or client product in practice executes, it may execute sequentially or in parallel (e.g., in a parallel processor or multithreaded processing environment, or even in a distributed data processing environment) according to the embodiments or methods shown in the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded.
The units, devices, modules, etc. set forth in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, in implementing the present application, the functions of each module may be implemented in one or more software and/or hardware, or a module implementing the same function may be implemented by a combination of a plurality of sub-modules or sub-units, and the like. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be considered as a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a mobile terminal, a server, or a network device) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same or similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The above-mentioned embodiments are further described in detail for the purpose of illustrating the invention, and it should be understood that the above-mentioned embodiments are only illustrative of the present invention and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A communication method based on USB KEY is characterized by comprising the following steps:
the USB KEY generates a symmetric KEY, the symmetric KEY is encrypted by an RSA public KEY, and an encrypted first operation result is sent to a CSP system service of an encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY;
receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service;
and comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, allowing the USB Key and the CSP system service to establish an encryption channel.
2. The method of claim 1, wherein prior to the USB KEY generating the symmetric KEY, the method further comprises:
and the USB KEY verifies the identity of the CSP system service.
3. The method of claim 2, wherein the USB KEY verifying the identity of the CSP system services comprises:
the USB KEY generates a random number and sends the random number to the CSP system service;
receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key;
and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
4. The method of claim 1, wherein the comparing the second operation result to the symmetric key further comprises:
and if the USB Key and the CSP system service are different, the USB Key and the CSP system service are not allowed to establish an encrypted channel, and an alarm message is sent.
5. A USB KEY, comprising:
the encryption module is used for generating a symmetric KEY by the USB KEY, encrypting the symmetric KEY by the RSA public KEY and sending an encrypted first operation result to the CSP system service of the encryption service provider; wherein, the RSA public KEY is prestored in the initialization stage by the USB KEY;
the message receiving module is used for receiving a second operation result sent by the CSP system service; the second operation result is obtained by decrypting the first operation result by the CSP system service by using an RSA private key, and the RSA private key is prestored in the initialization stage by the CSP system service;
and the verification module is used for comparing the second operation result with the symmetric Key, and if the second operation result is the same as the symmetric Key, the USB Key and the CSP system service are allowed to establish an encryption channel.
6. The USB KEY of claim 5, wherein the USB KEY further comprises:
and the CSP verification module is used for verifying the identity of the CSP system service by the USB KEY.
7. The USB KEY of claim 6, wherein the CSP verification module is specifically configured to:
the USB KEY generates a random number and sends the random number to the CSP system service;
receiving a decryption result sent by the CSP system service, wherein the decryption result is obtained by decrypting the random number by the CSP system service by using the RSA private key;
and verifying the decryption result by using the RSA public key, and if the calculation result is the random number, the CSP passes the verification.
8. The USB KEY of claim 5, wherein the verification module is further configured to:
and if the second operation result is different from the symmetric Key, not allowing the USB Key and the CSP system service to establish an encrypted channel and sending an alarm message.
9. A USB KEY-based communication device, the device comprising: the device comprises a data acquisition device, a processor and a memory;
the data acquisition device is used for acquiring data; the memory is to store one or more program instructions; the processor, configured to execute one or more program instructions to perform the method of any of claims 1-4.
10. A computer-readable storage medium having one or more program instructions embodied therein for performing the method of any of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010259796.8A CN111490876B (en) | 2020-04-03 | 2020-04-03 | Communication method based on USB KEY and USB KEY |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010259796.8A CN111490876B (en) | 2020-04-03 | 2020-04-03 | Communication method based on USB KEY and USB KEY |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111490876A true CN111490876A (en) | 2020-08-04 |
| CN111490876B CN111490876B (en) | 2021-12-28 |
Family
ID=71810892
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010259796.8A Active CN111490876B (en) | 2020-04-03 | 2020-04-03 | Communication method based on USB KEY and USB KEY |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111490876B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113992383A (en) * | 2021-10-22 | 2022-01-28 | 上海瓶钵信息科技有限公司 | Symmetric key production line method and system based on asymmetric key protection |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090307495A1 (en) * | 2008-06-04 | 2009-12-10 | Panasonic Corporation | Confidential communication method |
| CN101729854A (en) * | 2009-12-24 | 2010-06-09 | 公安部第一研究所 | Method for distributing code stream encrypting and decrypting keys in SIP video monitoring system |
| CN101783800A (en) * | 2010-01-27 | 2010-07-21 | 华为终端有限公司 | Embedded system safety communication method, device and system |
| CN101989984A (en) * | 2010-08-24 | 2011-03-23 | 北京易恒信认证科技有限公司 | Electronic document safe sharing system and method thereof |
| US20110107105A1 (en) * | 2009-10-30 | 2011-05-05 | International Business Machines Corporation | Message sending/receiving method |
| CN103067401A (en) * | 2013-01-10 | 2013-04-24 | 天地融科技股份有限公司 | Method and system for key protection |
| US20150043735A1 (en) * | 2012-03-28 | 2015-02-12 | Kabushiki Kaisha Toshiba | Re-encrypted data verification program, re-encryption apparatus and re-encryption system |
| CN105450419A (en) * | 2015-05-05 | 2016-03-30 | 北京天诚盛业科技有限公司 | Method, device and system |
| CN105635147A (en) * | 2015-12-30 | 2016-06-01 | 深圳市图雅丽特种技术有限公司 | Vehicle-mounted-special-equipment-system-based secure data transmission method and system |
| CN106850207A (en) * | 2017-02-28 | 2017-06-13 | 南方电网科学研究院有限责任公司 | Identity identifying method and system without CA |
| CN109039628A (en) * | 2018-11-02 | 2018-12-18 | 美的集团股份有限公司 | Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system |
| CN109347635A (en) * | 2018-11-14 | 2019-02-15 | 中云信安(深圳)科技有限公司 | A kind of Internet of Things security certification system and authentication method based on national secret algorithm |
| US20190132120A1 (en) * | 2017-10-27 | 2019-05-02 | EMC IP Holding Company LLC | Data Encrypting System with Encryption Service Module and Supporting Infrastructure for Transparently Providing Encryption Services to Encryption Service Consumer Processes Across Encryption Service State Changes |
-
2020
- 2020-04-03 CN CN202010259796.8A patent/CN111490876B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090307495A1 (en) * | 2008-06-04 | 2009-12-10 | Panasonic Corporation | Confidential communication method |
| US20110107105A1 (en) * | 2009-10-30 | 2011-05-05 | International Business Machines Corporation | Message sending/receiving method |
| CN101729854A (en) * | 2009-12-24 | 2010-06-09 | 公安部第一研究所 | Method for distributing code stream encrypting and decrypting keys in SIP video monitoring system |
| CN101783800A (en) * | 2010-01-27 | 2010-07-21 | 华为终端有限公司 | Embedded system safety communication method, device and system |
| CN101989984A (en) * | 2010-08-24 | 2011-03-23 | 北京易恒信认证科技有限公司 | Electronic document safe sharing system and method thereof |
| US20150043735A1 (en) * | 2012-03-28 | 2015-02-12 | Kabushiki Kaisha Toshiba | Re-encrypted data verification program, re-encryption apparatus and re-encryption system |
| CN103067401A (en) * | 2013-01-10 | 2013-04-24 | 天地融科技股份有限公司 | Method and system for key protection |
| CN105450419A (en) * | 2015-05-05 | 2016-03-30 | 北京天诚盛业科技有限公司 | Method, device and system |
| CN105635147A (en) * | 2015-12-30 | 2016-06-01 | 深圳市图雅丽特种技术有限公司 | Vehicle-mounted-special-equipment-system-based secure data transmission method and system |
| CN106850207A (en) * | 2017-02-28 | 2017-06-13 | 南方电网科学研究院有限责任公司 | Identity identifying method and system without CA |
| US20190132120A1 (en) * | 2017-10-27 | 2019-05-02 | EMC IP Holding Company LLC | Data Encrypting System with Encryption Service Module and Supporting Infrastructure for Transparently Providing Encryption Services to Encryption Service Consumer Processes Across Encryption Service State Changes |
| CN109039628A (en) * | 2018-11-02 | 2018-12-18 | 美的集团股份有限公司 | Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system |
| CN109347635A (en) * | 2018-11-14 | 2019-02-15 | 中云信安(深圳)科技有限公司 | A kind of Internet of Things security certification system and authentication method based on national secret algorithm |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113992383A (en) * | 2021-10-22 | 2022-01-28 | 上海瓶钵信息科技有限公司 | Symmetric key production line method and system based on asymmetric key protection |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111490876B (en) | 2021-12-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11652644B1 (en) | Quantum-resistant double signature system | |
| CN109309565B (en) | Security authentication method and device | |
| US10142107B2 (en) | Token binding using trust module protected keys | |
| CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
| US11374975B2 (en) | TLS integration of post quantum cryptographic algorithms | |
| US11716206B2 (en) | Certificate based security using post quantum cryptography | |
| EP3387576B1 (en) | Apparatus and method for certificate enrollment | |
| US20170012774A1 (en) | Method and system for improving the data security during a communication process | |
| CN111371549A (en) | Message data transmission method, device and system | |
| CN111639325B (en) | Merchant authentication method, device, equipment and storage medium based on open platform | |
| Kumar et al. | TPA auditing to enhance the privacy and security in cloud systems | |
| Gupta et al. | Compendium of data security in cloud storage by applying hybridization of encryption algorithm | |
| CN115276978A (en) | Data processing method and related device | |
| CN113630412B (en) | Resource downloading method, resource downloading device, electronic equipment and storage medium | |
| CN111490876B (en) | Communication method based on USB KEY and USB KEY | |
| CN109492359B (en) | Secure network middleware for identity authentication and implementation method and device thereof | |
| CN114553566B (en) | Data encryption method, device, equipment and storage medium | |
| CN111651740B (en) | Trusted platform sharing system for distributed intelligent embedded system | |
| JP5932709B2 (en) | Transmission side device and reception side device | |
| CN111723405A (en) | Decentralized multiple digital signature/electronic signature method | |
| CN116866029B (en) | Random number encryption data transmission method, device, computer equipment and storage medium | |
| Khan et al. | In-Depth Analysis of Cryptographic Algorithms for Cloud-Database Security | |
| CN116226932A (en) | Service data verification method and device, computer medium and electronic equipment | |
| Aslan | Performance evaluation of iot data security on cloud computing | |
| CN117716666A (en) | Method for providing autonomous identity cloud service to user, cloud service method, cloud server, autonomous identity method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |