CN112787996A - Password equipment management method and system
- Publication number
- CN112787996A
- Authority
- CN
- China
- Prior art keywords
- key
- password
- user
- ciphertext
- information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a password device management method and system. The method comprises a user adding process, a user login process and a key management process. The user adding process comprises the following steps: the user intelligent password key sends public key reading request information to the password device; after receiving the public key reading request information, the password device generates public key information d_pub and private key information d_pri and returns the public key information d_pub to the user intelligent password key; the user intelligent password key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sends the first ciphertext to the password device; after decrypting the first ciphertext with the private key information d_pri, the password device writes the device type and device number of the user intelligent password key to its local storage and generates a key; it then encrypts the key with the public key information u_pub to generate a second ciphertext, and sends the second ciphertext to the user intelligent password key; and the user intelligent password key decrypts the second ciphertext with its own private key information u_pri to obtain the key and stores the key.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a password device management method and system.
Background
With the rapid development of the information industry, information security has become a focus of attention: once information is leaked or tampered with, the consequences are serious. To improve the security of information transmission, storage and the like, password devices are now commonly added to guarantee information security. A password device is a security device that provides cryptographic services such as data encryption and decryption, digital signature and signature verification. Common password devices include cipher machines, cipher cards and cipher terminals. Because various key information, files, user information and the like are stored in the password device, the security of the password device itself is particularly important.
At present, the security management of password devices relies on authenticating users of different levels, with different service authorities assigned to different users. However, the security of the existing ways of managing the users of a password device still needs to be improved.
Disclosure of Invention
Aiming at the problem of insufficient security of the existing password management method, the invention provides a password device management method and system, which can realize the security management of the password device through intelligent password keys of different users, and prevent illegal users from accessing the password device and stealing the key information of the password device.
In one aspect, the present invention provides a cryptographic device management method, including: a user adding process, a user login process and a key management process; the user adding process specifically comprises:
the user intelligent password key sends public key reading request information to the password equipment;
after receiving the public key reading request information, the password device generates public key information d_pub and private key information d_pri, and returns the public key information d_pub to the user intelligent password key;
the user intelligent password key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sends the first ciphertext to the password device;
after decrypting the first ciphertext with the private key information d_pri, the password device writes the device type and device number of the user intelligent password key to its local storage and generates a key; it then encrypts the key with the public key information u_pub to generate a second ciphertext, and sends the second ciphertext to the user intelligent password key;
and the user intelligent password key decrypts the second ciphertext with its own private key information u_pri to obtain the key and stores the key.
Further, the users of the password device include a plurality of administrators and an operator; in the user adding process, when no user has yet been added to the password device, only the add-administrator operation is supported; after the administrator authority of the password device is obtained, the add-operator operation is supported; and the administrator authority is obtained when more than half of the administrators log in to the password device.
Further, the user login process specifically includes:
the user intelligent password key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and sends the third ciphertext to the password device;
after decrypting the third ciphertext with the private key information d_pri, the password device verifies the decrypted device number and device type against the locally stored device number and device type, and generates a random number r; it then encrypts the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sends the fourth ciphertext to the user intelligent password key;
the user intelligent password key decrypts the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypts the random number m with the locally stored key to generate a fifth ciphertext, and sends the fifth ciphertext to the password device;
the password device decrypts the fifth ciphertext through a locally generated key to obtain a random number m, compares the random number m with the random number r, and if the random number m is consistent with the random number r, allows login; otherwise, login is prohibited.
Further, the key management process specifically includes:
when more than half of the administrator intelligent password keys have successfully logged in to the password device, administrator authority is acquired;
a device protection key is generated and stored in the password device; a user key and a key encryption key are generated in the password device, encrypted with the device protection key and stored in the password device; a key backup key is generated in or imported into the password device, divided into a plurality of key components by a threshold algorithm, and the key components are stored in the respective administrator intelligent password keys; a session key is generated in or imported into the password device;
when key backup is carried out, the key components in the administrator intelligent password keys are read in sequence, the key backup key is restored by the threshold algorithm, and the user key and the key encryption key are encrypted with the key backup key and exported from the password device;
when key recovery is carried out, the key components in the administrator intelligent password keys are read in sequence, the key backup key is restored by the threshold algorithm, the user key and the key encryption key are obtained by decryption with the key backup key, and they are stored in the password device after being encrypted with the device protection key.
In another aspect, the present invention provides a password device management system, including a user intelligent password key and a password device;
the user intelligent password key is used for sending public key reading request information to the password device so as to obtain the public key information d_pub returned by the password device; encrypting its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sending the first ciphertext to the password device; receiving a second ciphertext sent by the password device; and decrypting the second ciphertext with its own private key information u_pri to obtain a key and storing the key;
the password device is used for generating public key information d_pub and private key information d_pri after receiving the public key reading request information sent by the user intelligent password key, and returning the public key information d_pub to the user intelligent password key; receiving the first ciphertext sent by the user intelligent password key; after decrypting the first ciphertext with the private key information d_pri, writing the device type and device number of the user intelligent password key to its local storage and generating a key; and encrypting the key with the public key information u_pub to generate a second ciphertext, and sending the second ciphertext to the user intelligent password key.
Further, the users of the password device at least comprise a plurality of administrators and an operator; when no user has yet been added to the password device, only the add-administrator operation is supported; after the administrator authority of the password device is obtained, the add-operator operation is supported; and the administrator authority is obtained when more than half of the administrators log in to the password device.
Further, the user intelligent password key is further configured to encrypt its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and send the third ciphertext to the password device; receive a fourth ciphertext sent by the password device; decrypt the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypt the random number m with the locally stored key to generate a fifth ciphertext, and send the fifth ciphertext to the password device;
the password device is also used for receiving the third ciphertext sent by the user intelligent password key; after decrypting the third ciphertext with the private key information d_pri, verifying the decrypted device number and device type against the locally stored device number and device type, and generating a random number r; encrypting the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sending the fourth ciphertext to the user intelligent password key; receiving the fifth ciphertext sent by the user intelligent password key; and decrypting the fifth ciphertext with the locally generated key to obtain a random number m, comparing the random number m with the random number r, allowing login if they are consistent, and otherwise forbidding login.
Further, the password device is configured to generate and store a device protection key, generate a user key and a key encryption key, and store the user key and the key encryption key in the password device after encrypting them with the device protection key; generate or import a key backup key, divide the key backup key into a plurality of key components by a threshold algorithm, and store the key components in the respective administrator intelligent password keys; generate or import a session key; and,
when key backup is carried out, read the key components in the administrator intelligent password keys in sequence, restore the key backup key by the threshold algorithm, encrypt the user key and the key encryption key with the key backup key, and export them from the password device; and,
when key recovery is carried out, read the key components in the administrator intelligent password keys in sequence, restore the key backup key by the threshold algorithm, obtain the user key and the key encryption key by decryption with the key backup key, and store them in the password device after encrypting them with the device protection key.
Further, the administrator smart key supports key management, user management, and file management; the operator smart key supports viewing of cryptographic device status and key status.
Further, the cryptographic device is provided with a key management interface for generating, importing, exporting, backing up and recovering a key; the device management interface is used for acquiring the working state of the device; and a user management interface is arranged and used for initializing the user intelligent password key and the password equipment, adding the user and logging in the user.
The invention has the beneficial effects that:
(1) the password device is provided with a plurality of administrators and an operator; when no user has been added to the password device, only the add-administrator operation is supported; adding the operator requires administrator authority, and administrator authority is obtained when more than half of the administrators log in, which ensures that administrators and the operator are added securely;
(2) during user adding and login, the invention encrypts the device type, the device card number and the user's public key information for transmission, which prevents information leakage and binds the user information to the password device; the random number is transmitted in encrypted form, decrypted and checked for consistency, so that illegal users are forbidden from logging in and accessing the device, which improves the user security management of the password device;
(3) on the basis of possessing the administrator authority, the invention carries out the hierarchical protection, backup and recovery operation on various key information in the password equipment, and can ensure the key safety management of the password equipment;
(4) the password device is provided with the key management interface, the device management interface and the user management interface, and can realize key management, device management and user management of the password device.
Drawings
Fig. 1 is a schematic flowchart of a user adding process in a password device management method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a user login process in a password device management method according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a key management principle in a cryptographic device management method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a cryptographic device management system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
The embodiment of the invention provides a password device management method, which comprises the following steps: a user adding process, a user login process and a key management process; as shown in fig. 1, the user adding process specifically includes:
the user intelligent password key sends public key reading request information to the password equipment;
after receiving the public key reading request information, the password device generates public key information d_pub and private key information d_pri, and returns the public key information d_pub to the user intelligent password key;
the user intelligent password key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sends the first ciphertext to the password device;
after decrypting the first ciphertext with the private key information d_pri, the password device writes the device type and device number of the user intelligent password key to its local storage and generates a key; it then encrypts the key with the public key information u_pub to generate a second ciphertext, and sends the second ciphertext to the user intelligent password key;
and the user intelligent password key decrypts the second ciphertext with its own private key information u_pri to obtain the key and stores the key.
Specifically, the users of the password device include a plurality of administrators and one operator. It should be noted that, in the user adding process, when no user has yet been added to the password device, only the add-administrator operation is supported; generally, 3 or more administrators can be added, and 5 at most. After the administrator authority of the password device is obtained, the add-operator operation is supported; the administrator authority is obtained when more than half of the administrators log in to the password device. The identities of the administrators and the operator are authenticated in a two-factor manner by means of the intelligent password key. In this embodiment, the administrator rights include key management, user management and file management, where key management comprises generation, import, export, backup and recovery of keys, and user management comprises user adding and user login. Operator privileges include the cryptographic service and viewing the password device status and key status.
As shown in fig. 2, the user login process specifically includes:
the user intelligent password key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and sends the third ciphertext to the password device;
after decrypting the third ciphertext with the private key information d_pri, the password device verifies the decrypted device number and device type against the locally stored device number and device type, and generates a random number r; it then encrypts the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sends the fourth ciphertext to the user intelligent password key;
the user intelligent password key decrypts the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypts the random number m with the locally stored key to generate a fifth ciphertext, and sends the fifth ciphertext to the password device;
the password device decrypts the fifth ciphertext through a locally generated key to obtain a random number m, compares the random number m with the random number r, and if the random number m is consistent with the random number r, allows login; otherwise, login is prohibited.
It should be noted that the login status of the administrator and the operator is cleared when the password device is powered on again.
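The device-side bookkeeping implied by the adding and login processes above, as an added example that is not code from the patent. It assumes that the public-key wrapping under d_pub and u_pub is left out, that an HMAC over r with the shared key stands in for the fifth ciphertext, that administrators may be registered without prior authority up to the stated maximum of 5, and that `Token`, `CryptoDevice` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

MAX_ADMINS = 5  # the page allows at most 5 administrators


class Token:
    """User smart key: holds the shared key issued when the user is added."""

    def __init__(self, device_type, device_number):
        self.device_type, self.device_number, self.key = device_type, device_number, None

    def respond(self, r):
        # Assumption: HMAC stands in for "encrypt m with the locally stored key".
        return hmac.new(self.key, r, hashlib.sha256).digest()


class CryptoDevice:
    def __init__(self):
        self.users = {}         # device_number -> (device_type, role, key)
        self.pending = {}       # device_number -> outstanding random number r
        self.logged_in = set()  # login state, cleared at power-on

    def _admins(self):
        return {n for n, (_, role, _) in self.users.items() if role == "admin"}

    def has_admin_authority(self):
        admins = self._admins()
        return 2 * len(admins & self.logged_in) > len(admins)  # more than half

    def add_user(self, device_type, device_number, role):
        if device_number in self.users:
            raise ValueError("device number already registered")
        if role == "admin":
            if len(self._admins()) >= MAX_ADMINS:
                raise ValueError("administrator limit reached")
        elif role == "operator":
            if not self.has_admin_authority():
                raise PermissionError("adding an operator needs administrator authority")
            if any(r == "operator" for _, r, _ in self.users.values()):
                raise ValueError("operator already exists")
        else:
            raise ValueError("unknown role")
        key = secrets.token_bytes(32)
        self.users[device_number] = (device_type, role, key)
        return key  # on the page this travels as the second ciphertext

    def begin_login(self, device_type, device_number):
        rec = self.users.get(device_number)
        if rec is None or rec[0] != device_type:
            return None                      # type/number do not match local record
        r = secrets.token_bytes(16)
        self.pending[device_number] = r      # replaces any earlier challenge
        return r

    def finish_login(self, device_number, response):
        r = self.pending.pop(device_number, None)  # each r is usable once
        if r is None:
            return False
        expected = hmac.new(self.users[device_number][2], r, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return False
        self.logged_in.add(device_number)
        return True

    def power_on(self):
        self.pending.clear()
        self.logged_in.clear()


def login(dev, token):
    r = dev.begin_login(token.device_type, token.device_number)
    return r is not None and dev.finish_login(token.device_number, token.respond(r))


def demo():
    """Constructed scenario: three administrators, then one operator."""
    dev, out = CryptoDevice(), {}
    admins = [Token("usbkey", f"A{i}") for i in range(3)]
    for t in admins:
        t.key = dev.add_user(t.device_type, t.device_number, "admin")
    try:
        dev.add_user("usbkey", "OP1", "operator")
        out["operator_before_quorum"] = True
    except PermissionError:
        out["operator_before_quorum"] = False
    out["first_login"] = login(dev, admins[0])
    out["authority_one_of_three"] = dev.has_admin_authority()
    r = dev.begin_login("usbkey", "A1")
    resp = admins[1].respond(r)
    out["second_login"] = dev.finish_login("A1", resp)
    out["replayed_response"] = dev.finish_login("A1", resp)
    out["authority_two_of_three"] = dev.has_admin_authority()
    out["operator_added"] = dev.add_user("usbkey", "OP1", "operator") is not None
    clone = Token("usbkey", "A2")
    clone.key = secrets.token_bytes(32)      # right identity, wrong key
    out["wrong_key_login"] = login(dev, clone)
    dev.power_on()
    out["authority_after_power_on"] = dev.has_admin_authority()
    return out
```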
In practical applications, as shown in fig. 3, the password device further supports a device protection key, a key backup key, a user key, a key encryption key and a session key. Correspondingly, the key management process specifically includes: when more than half of the administrator intelligent password keys have successfully logged in to the password device, administrator authority is acquired;
specifically, key management belongs to the administrator authority, and therefore the administrator authority needs to be acquired first when key management is performed.
A device protection key is generated and stored in the password device; a user key and a key encryption key are generated in the password device, encrypted with the device protection key and stored in the password device; a key backup key is generated in or imported into the password device, divided into a plurality of key components by a threshold algorithm, and the key components are stored in the respective administrator intelligent password keys; a session key is generated in or imported into the password device;
when key backup is carried out, the key components in the administrator intelligent password keys are read in sequence, the key backup key is restored by the threshold algorithm, and the user key and the key encryption key are encrypted with the key backup key and exported from the password device;
when key recovery is carried out, the key components in the administrator intelligent password keys are read in sequence, the key backup key is restored by the threshold algorithm, the user key and the key encryption key are obtained by decryption with the key backup key, and they are stored in the password device after being encrypted with the device protection key.
Example 2
In order to implement the user adding process, as shown in fig. 4, an embodiment of the present invention provides a password device management system, which includes a user intelligent password key and a password device; wherein:
the user intelligent password key is used for sending public key reading request information to the password device so as to obtain the public key information d_pub returned by the password device; encrypting its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sending the first ciphertext to the password device; receiving a second ciphertext sent by the password device; and decrypting the second ciphertext with its own private key information u_pri to obtain a key and storing the key;
the password device is used for generating public key information d_pub and private key information d_pri after receiving the public key reading request information sent by the user intelligent password key, and returning the public key information d_pub to the user intelligent password key; receiving the first ciphertext sent by the user intelligent password key; after decrypting the first ciphertext with the private key information d_pri, writing the device type and device number of the user intelligent password key to its local storage and generating a key; and encrypting the key with the public key information u_pub to generate a second ciphertext, and sending the second ciphertext to the user intelligent password key.
Specifically, the users of the password device at least comprise a plurality of administrators and an operator; when no user has yet been added to the password device, only the add-administrator operation is supported; after the administrator authority of the password device is obtained, the add-operator operation is supported; and the administrator authority is obtained when more than half of the administrators log in to the password device.
Further, in order to implement the user login process, the user intelligent password key is further configured to encrypt its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and send the third ciphertext to the password device; receive a fourth ciphertext sent by the password device; decrypt the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypt the random number m with the locally stored key to generate a fifth ciphertext, and send the fifth ciphertext to the password device;
the password device is also used for receiving the third ciphertext sent by the user intelligent password key; after decrypting the third ciphertext with the private key information d_pri, verifying the decrypted device number and device type against the locally stored device number and device type, and generating a random number r; encrypting the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sending the fourth ciphertext to the user intelligent password key; receiving the fifth ciphertext sent by the user intelligent password key; and decrypting the fifth ciphertext with the locally generated key to obtain a random number m, comparing the random number m with the random number r, allowing login if they are consistent, and otherwise forbidding login.
Further, in order to implement the key management process, the password device is configured to generate and store a device protection key, generate a user key and a key encryption key, and store the user key and the key encryption key in the password device after encrypting them with the device protection key; generate or import a key backup key, divide the key backup key into a plurality of key components by a threshold algorithm, and store the key components in the respective administrator intelligent password keys; generate or import a session key; and,
when key backup is carried out, read the key components in the administrator intelligent password keys in sequence, restore the key backup key by the threshold algorithm, encrypt the user key and the key encryption key with the key backup key, and export them from the password device; and,
when key recovery is carried out, read the key components in the administrator intelligent password keys in sequence, restore the key backup key by the threshold algorithm, obtain the user key and the key encryption key by decryption with the key backup key, and store them in the password device after encrypting them with the device protection key.
Administrator privileges include key management, user management and file management; accordingly, the administrator smart cryptographic key supports key management, user management and file management. Operator privileges include the cryptographic service and viewing the password device status and key status; accordingly, the operator smart key supports viewing the password device status and key status.
In order to realize the key management process, as an implementation mode, the cryptographic device is provided with a key management interface for generating, importing, exporting, backing up and recovering keys; the system is also provided with an equipment management interface used for acquiring the working state of the equipment, including the working state of the intelligent password key of the user and the working state of the password equipment; and a user management interface is arranged and used for initializing the user intelligent password key and the password equipment, adding the user and logging in the user.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A cryptographic device management method, comprising: a user adding process, a user login process and a key management process; the user adding process specifically comprises:
the user smart cryptographic key sends public key read request information to the cryptographic device;
after receiving the public key read request information, the cryptographic device generates public key information d_pub and private key information d_pri, and returns the public key information d_pub to the user smart cryptographic key;
the user smart cryptographic key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sends the first ciphertext to the cryptographic device;
after decrypting the first ciphertext with the private key information d_pri, the cryptographic device writes the device type and the device number of the user smart cryptographic key to its local storage and generates a key; it then encrypts the key with the public key information u_pub to generate a second ciphertext, and sends the second ciphertext to the user smart cryptographic key;
and the user smart cryptographic key decrypts the second ciphertext with its own private key information u_pri to obtain the key, and stores the key.
2. The cryptographic device management method according to claim 1, wherein the users of the cryptographic device include a plurality of administrators and one operator; in the user adding process, when no user has yet been added to the cryptographic device, only the add-administrator operation is supported; after the administrator authority of the cryptographic device has been obtained, the add-operator operation is supported; and the administrator authority is obtained when more than half of the administrators have logged in to the cryptographic device.
3. The cryptographic device management method according to claim 1, wherein the user login process specifically includes:
the user smart cryptographic key encrypts its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and sends the third ciphertext to the cryptographic device;
after decrypting the third ciphertext with the private key information d_pri, the cryptographic device verifies the decrypted device number and device type by comparing them with the locally stored device number and device type respectively, and generates a random number r; it then encrypts the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sends the fourth ciphertext to the user smart cryptographic key;
the user smart cryptographic key decrypts the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypts the random number m with the locally stored key to generate a fifth ciphertext, and sends the fifth ciphertext to the cryptographic device;
the cryptographic device decrypts the fifth ciphertext with the locally generated key to obtain the random number m, and compares the random number m with the random number r; if they are consistent, login is allowed; otherwise, login is prohibited.
4. The cryptographic device management method according to claim 1, wherein the key management process specifically includes:
when more than half of the administrator smart cryptographic keys have successfully logged in to the cryptographic device, administrator authority is acquired;
generating and storing a device protection key in the cryptographic device; generating a user key and a key encryption key in the cryptographic device, and storing them in the cryptographic device encrypted under the device protection key; generating or importing a key backup key in the cryptographic device, splitting the key backup key into a plurality of key components using a threshold algorithm, and storing the components in the respective administrator smart cryptographic keys; generating or importing a session key in the cryptographic device;
when a key backup is performed, the key components in the administrator smart cryptographic keys are read in sequence, the key backup key is restored using the threshold algorithm, the user key and the key encryption key are encrypted with the key backup key, and the user key and the key encryption key are exported from the cryptographic device;
when a key recovery is performed, the key components in the administrator smart cryptographic keys are read in sequence, the key backup key is restored using the threshold algorithm, the user key and the key encryption key are obtained by decryption with the key backup key, and the user key and the key encryption key are stored in the cryptographic device after being encrypted with the device protection key.
5. A cryptographic device management system, characterized by comprising a user smart cryptographic key and a cryptographic device;
the user smart cryptographic key is used for sending public key read request information to the cryptographic device so as to obtain the public key information d_pub returned by the cryptographic device; encrypting its device type, device number and public key information u_pub with the public key information d_pub to generate a first ciphertext, and sending the first ciphertext to the cryptographic device; receiving a second ciphertext sent by the cryptographic device; and decrypting the second ciphertext with its own private key information u_pri to obtain a key, and storing the key;
the cryptographic device is used for generating public key information d_pub and private key information d_pri after receiving the public key read request information sent by the user smart cryptographic key, and returning the public key information d_pub to the user smart cryptographic key; receiving the first ciphertext sent by the user smart cryptographic key; after decrypting the first ciphertext with the private key information d_pri, writing the device type and the device number of the user smart cryptographic key to its local storage and generating a key; and encrypting the key with the public key information u_pub to generate a second ciphertext, and sending the second ciphertext to the user smart cryptographic key.
6. The cryptographic device management system according to claim 5, wherein the users of the cryptographic device include at least a plurality of administrators and one operator, and when no user has yet been added to the cryptographic device, only the add-administrator operation is supported; after the administrator authority of the cryptographic device has been obtained, the add-operator operation is supported; and the administrator authority is obtained when more than half of the administrators have logged in to the cryptographic device.
7. The cryptographic device management system of claim 5,
the user smart cryptographic key is further used for encrypting its device type, device number and public key information u_pub with the public key information d_pub to generate a third ciphertext, and sending the third ciphertext to the cryptographic device; receiving a fourth ciphertext sent by the cryptographic device; and decrypting the fourth ciphertext with its own private key information u_pri to obtain a random number m, encrypting the random number m with the locally stored key to generate a fifth ciphertext, and sending the fifth ciphertext to the cryptographic device;
the cryptographic device is further used for receiving the third ciphertext sent by the user smart cryptographic key; after decrypting the third ciphertext with the private key information d_pri, comparing the decrypted device number and device type with the locally stored device number and device type respectively, and generating a random number r; encrypting the random number r with the public key information u_pub obtained by decryption to generate a fourth ciphertext, and sending the fourth ciphertext to the user smart cryptographic key; receiving the fifth ciphertext sent by the user smart cryptographic key; and decrypting the fifth ciphertext with the locally generated key to obtain the random number m, comparing the random number m with the random number r, allowing login if they are consistent, and otherwise prohibiting login.
8. The cryptographic device management system of claim 5,
the cryptographic device is used for generating and storing a device protection key; generating a user key and a key encryption key, and storing them in the cryptographic device encrypted under the device protection key; generating or importing a key backup key, splitting the key backup key into a plurality of key components using a threshold algorithm, and storing the components in the respective administrator smart cryptographic keys; and generating or importing a session key; and,
when a key backup is performed, reading the key components in the administrator smart cryptographic keys in sequence, restoring the key backup key using the threshold algorithm, encrypting the user key and the key encryption key with the key backup key, and exporting the user key and the key encryption key from the cryptographic device; and,
when a key recovery is performed, reading the key components in the administrator smart cryptographic keys in sequence, restoring the key backup key using the threshold algorithm, obtaining the user key and the key encryption key by decryption with the key backup key, and storing the user key and the key encryption key in the cryptographic device after encrypting them with the device protection key.
9. The cryptographic device management system of claim 5, wherein the administrator smart cryptographic key supports key management, user management, and file management; the operator smart key supports viewing of cryptographic device status and key status.
10. The cryptographic device management system according to claim 5, wherein the cryptographic device is provided with a key management interface for generating, importing, exporting, backing up and recovering keys; a device management interface for acquiring the working state of the device; and a user management interface for initializing the user smart cryptographic key and the cryptographic device, adding users and logging users in.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011566065.4A CN112787996B (en) | 2020-12-25 | 2020-12-25 | Password equipment management method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112787996A true CN112787996A (en) | 2021-05-11 |
CN112787996B CN112787996B (en) | 2022-03-15 |
Family
ID=75752702
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011566065.4A Active CN112787996B (en) | 2020-12-25 | 2020-12-25 | Password equipment management method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112787996B (en) |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101164273A (en) * | 2005-04-21 | 2008-04-16 | 温科尼克斯多夫国际有限公司 | Method for key administration for cryptography modules |
CN101676925A (en) * | 2008-09-16 | 2010-03-24 | 联想(北京)有限公司 | Computer system and method of setting authentication information in security chip |
CN102255732A (en) * | 2011-08-31 | 2011-11-23 | 公安部第三研究所 | Safe certificate issuing method based on USB (Universal Serial Bus) key |
CN105656621A (en) * | 2014-11-12 | 2016-06-08 | 江苏威盾网络科技有限公司 | Safety management method for cryptographic device |
US20180091509A1 (en) * | 2015-06-16 | 2018-03-29 | Feitian Technologies Co., Ltd. | Work method for smart key device |
CN105450395A (en) * | 2015-12-30 | 2016-03-30 | 中科创达软件股份有限公司 | Information encryption and decryption processing method and system |
CN108650210A (en) * | 2018-03-14 | 2018-10-12 | 深圳市中易通安全芯科技有限公司 | A kind of Verification System and method |
CN110968878A (en) * | 2018-09-28 | 2020-04-07 | 北京京东金融科技控股有限公司 | Information transmission method, system, electronic device and readable medium |
CN111614637A (en) * | 2020-05-08 | 2020-09-01 | 郑州信大捷安信息技术股份有限公司 | Secure communication method and system based on software cryptographic module |
CN112100586A (en) * | 2020-08-21 | 2020-12-18 | 郑州信大捷安信息技术股份有限公司 | System and method for accessing different password devices |
Non-Patent Citations (2)
Title |
---|
HIROFUMI YAMAKI; FUMIHIRO MORI; MOMOKO AOYAMA: "Performance Analysis of Bidirectional Private Policy Matching Protocol Based on Additively Homomorphic Encryption Systems", 《2013 INTERNATIONAL CONFERENCE ON SIGNAL-IMAGE TECHNOLOGY & INTERNET-BASED SYSTEMS》 * |
欧阳璠: "智能密码钥匙安全机制的研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114267100A (en) * | 2021-11-11 | 2022-04-01 | 北京智芯微电子科技有限公司 | Unlocking authentication method and device, security chip and electronic key management system |
CN114267100B (en) * | 2021-11-11 | 2024-05-14 | 北京智芯微电子科技有限公司 | Unlocking authentication method and device, security chip and electronic key management system |
CN114726521A (en) * | 2022-04-14 | 2022-07-08 | 广东好太太智能家居有限公司 | Intelligent lock temporary password generation method and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN112787996B (en) | 2022-03-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106330868B (en) | A kind of high speed network encryption storage key management system and method | |
CN112000975B (en) | Key management system | |
CN109361668A (en) | A kind of data trusted transmission method | |
US20100005318A1 (en) | Process for securing data in a storage unit | |
US20050160049A1 (en) | Method and arrangement for protecting software | |
CN105103488A (en) | Policy enforcement with associated data | |
JP2009103774A (en) | Secret sharing system | |
CN1773994A (en) | Method for realizing data safety storing business | |
CN101359991A (en) | Public key cipher system private key escrowing system based on identification | |
CN106953732B (en) | Key management system and method for chip card | |
CN105426775A (en) | Method and system for protecting information security of smartphone | |
CN109981255A (en) | The update method and system of pool of keys | |
CN113472793A (en) | Personal data protection system based on hardware password equipment | |
CN112787996B (en) | Password equipment management method and system | |
CN112685786A (en) | Financial data encryption and decryption method, system, equipment and storage medium | |
JP2024511236A (en) | Computer file security encryption method, decryption method and readable storage medium | |
TWI476629B (en) | Data security and security systems and methods | |
CN110233729B (en) | Encrypted solid-state disk key management method based on PUF | |
CN110837634B (en) | Electronic signature method based on hardware encryption machine | |
CN112989320B (en) | User state management system and method for password equipment | |
CN108173880B (en) | File encryption system based on third party key management | |
CN102270182A (en) | Encrypted mobile storage equipment based on synchronous user and host machine authentication | |
CN113342896B (en) | Scientific research data safety protection system based on cloud fusion and working method thereof | |
CN115412236A (en) | Method for key management and password calculation, encryption method and device | |
CN115913560A (en) | Confidential paper authorization and use system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||