CN113014393A - Password safe box system based on hardware encryption and application method - Google Patents


Info

Publication number: CN113014393A
Authority: CN (China)
Prior art keywords: password, key, ukey, security chip, security
Legal status: Granted (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Application number: CN202110193077.5A
Other languages: Chinese (zh)
Other versions: CN113014393B (en)
Inventors: 刘俊, 刘睿, 荆鸿远
Current assignee: Zhongyitong Technology Co ltd (listed assignee; not legally verified by Google)
Original assignee: Zhongyitong Technology Co ltd
Events: application filed by Zhongyitong Technology Co ltd; priority to CN202110193077.5A; publication of CN113014393A; application granted; publication of CN113014393B; legal status: active

Classifications (CPC, section H04L, Transmission of digital information)

    • H04L9/3242: cryptographic mechanisms including means for verifying the identity or authority of a user or for message authentication, using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L63/0442: network security protocols for confidential data exchange where the payload is protected and the sending and receiving entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/1441: countermeasures against malicious traffic
    • H04L9/0643: hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0825: key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0869: generation of secret information, including derivation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L2209/12: details relating to cryptographic hardware or logic circuitry

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a password safe box system based on hardware encryption and an application method thereof. The system comprises a mobile terminal, a security chip and a service system: the mobile terminal runs a program end (APP) installed on it; a UKey device carrying the security chip connects to the mobile terminal over USB-HID; the service system comprises a cipher machine, a key management system and a UKey production management system, the latter being the back-end system that supports UKey production and daily management; the key management system is deployed at the server back end, relies on the cipher machine and provides services to the UKey production management system. Beneficial effects of the invention: the user's password is encrypted for transmission, stored in the security chip, extracted on demand and typed automatically into the target password box, and the protection key cannot be obtained or leaked.

Description

Password safe box system based on hardware encryption and application method
Technical Field
The invention relates to the technical field of information and data security, in particular to a password safe box system based on hardware encryption and an application method.
Background
With the rapid development of the internet and the mobile internet, more and more mobile applications appear, and almost every one of them relies on a user password for protection, which leaves the user with many passwords to remember. Passwords are important and extremely sensitive private information, so users need assistant software for remembering them.
The password helper software already on the market has obvious security hazards and defects, which mainly show as follows:
the software relies on software-only encryption: it encrypts the password plaintext entered by the user under a fixed key, and that key is embedded in the software or kept in the device's storage. It is therefore easy for hijacking software or a Trojan to intercept the data, recover the decryption key by decompiling the software, decrypt the stored ciphertext externally and leak the passwords.
Disclosure of Invention
To address the defects of the prior art, the invention combines a security chip integrated on a UKey with a software APP for secure communication, and builds hardware-encrypted password transmission, storage and HID keyboard input on the national-standard cryptographic algorithms: a symmetric protection key for the passwords and an asymmetric transmission key pair are generated randomly during initialization and setting, and only the management keys of the UKey are handled by the production management system. As a result the user password is transmitted encrypted, extracted securely from the security chip of the UKey, and typed automatically and securely into the target password box, and the protection key cannot be obtained or revealed even by the software developers. The technical scheme is as follows.
The invention provides a mobile intelligent password safe box system based on hardware encryption protection, comprising a UKey with an integrated security chip, a password safe box APP, a key management system, a hardware cipher machine and a UKey production management system. The key management system relies on the hardware cipher machine for the storage and computation of the UKey management keys and of the system's own keys; the UKey production management system, interacting with the key management system, initializes the unique management keys of each UKey (a symmetric key and an asymmetric key pair) and thereby produces the initialized UKey security chip. The UKey has a USB interface of the type supported by mobile phones and connects to the phone. After setting a user identity confirmation method for the UKey through the password safe APP, such as a safe password or a fingerprint, the user sets the password that needs protecting; it is transmitted to the security chip inside the UKey device under a random asymmetric public key generated inside the chip, then re-encrypted there under a symmetric key and stored. When the user needs to extract a specified password, once the user identity is confirmed the password is decrypted inside the security chip and typed into the target input box through the HID keyboard input mode.
A password safe box system based on hardware encryption comprises a mobile terminal, a security chip and a service system, wherein:
the mobile terminal comprises a program end installed on it, which initializes and manages the user's security password and the functions of the UKey device, and binds a service that monitors for insertion of the UKey and a floating window;
the UKey device carries the security chip and connects to the mobile terminal over USB-HID;
the service system comprises a cipher machine, a key management system and a UKey production management system, the latter being the back-end system that supports UKey production and daily management;
and the key management system is deployed at the server back end, relies on the cipher machine and provides services to the UKey production management system.
Preferably, the keys of the UKey device comprise a working key and a management key: the working key is used by the UKey device to transmit the password set by the user and to encrypt it for internal storage, is generated inside the security chip and cannot be exported; the management key is used for legality authentication of the UKey device, maintenance of the UKey device and maintenance of the security password.
Preferably, the working key comprises an asymmetric key for password transmission, a symmetric key for password protection, and a UKey public key list, where:
the asymmetric key is used to transmit the password set by the user; its private key is held and controlled inside the security chip, and only its public part can be exported;
the symmetric key protects the stored passwords: a transmitted password is decrypted with the asymmetric private key, re-encrypted under the symmetric key and stored at rest; the symmetric key is generated at initialization and remains permanently in the security chip until the UKey device is destroyed.
Preferably, the management key comprises an identity authentication asymmetric key pair, a UKey device maintenance symmetric key and a security password maintenance symmetric key, where:
the identity authentication key pair is generated inside the UKey device during production and registered with the production management system, which records the correspondence for subsequent legality authentication;
the UKey device maintenance symmetric key is derived from the serial number of the UKey device and then written into it, and protects the security password maintenance symmetric key while that key is updated or written;
the security password maintenance symmetric key encrypts and protects the security password when the user sets or updates it, and is derived by the key management system from the serial number of the UKey device and then written into it.
Preferably, the UKey public key list is a table of correspondence between the public keys and serial numbers of issued UKeys that have been registered and stored.
An application method of the password safe box system, comprising a method for setting a password with the following steps:
step 1, after the security chip is connected to the mobile terminal, the program end prompts the user to enter the security password;
step 2, the security chip verifies the user identity; if it passes, proceed to step 3, otherwise the process ends;
step 3, after verification, the security chip randomly generates a temporary asymmetric key pair and responds with the public key;
step 4, the program end prompts the user to enter a password identifier, password description information and the password, encrypts them with the public key returned by the security chip and sends the result to the security chip;
step 5, the security chip decrypts the received data with the temporary private key and checks the validity of the data format; if the check passes, proceed to step 6, otherwise the process ends;
step 6, the security chip extracts the decrypted information, encrypts it under the password-protection symmetric key and stores it at rest;
step 7, the security chip computes a SHA-1 hash of the password and responds with it together with the password identifier;
step 8, after receiving the response, the program end checks the SHA-1 hash and the password identifier, prompts the user according to the result, and the process ends.
Preferably, the application method further comprises a method for extracting a password and entering it into the password box of a target application, with the following steps:
step 1, when the security chip is connected to the mobile terminal, the program end starts the bound floating window, which prompts for the security password or fingerprint;
step 2, if the security chip passes the authentication, it opens the permission flag of the authenticated identity;
step 3, the floating window reads the list of password identifiers from the security chip and displays it;
step 4, according to the user's selection, the floating window assembles the request to extract the password data for that identifier;
step 5, after checking the permission, the security chip decrypts the corresponding password data internally;
step 6, the security chip starts USB-HID input mode; the mobile terminal receives the keystrokes, the password entry and confirmation of the target application complete, and the process ends.
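The set-password steps 1 to 8 and the extraction steps 1 to 6 above, modelled end to end as an added example in Go (not code from the patent or its assignee; Fig. 6 below describes the same setting exchange as S1 onward). RSA-OAEP stands in for the asymmetric transmission key pair and AES-GCM for the symmetric password-protection key, since the page names its national-standard algorithms only generically. The `SecurityChip` type, the `BeginSet`, `Commit` and `Extract` names, the identifier-NUL-password wire format, the 64-byte limit used as the step 5 "format check" and the sample values are this example's assumptions; the description field is omitted to keep the block short. The security password is compared in constant time against a digest fixed at initialization, and the temporary private key is discarded after one use, so a second message under the same public key is refused.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SecurityChip models the UKey security chip. RSA-OAEP stands in for the asymmetric transmission
// key pair and AES-GCM for the symmetric password-protection key (this example's substitutes).
type SecurityChip struct {
	securePwHash [32]byte          // SHA-256 of the "secure password" fixed at initialization
	aead         cipher.AEAD       // password-protection key, generated inside the chip, never exported
	ephemeral    *rsa.PrivateKey   // temporary transmission key; nil unless a set operation is pending
	store        map[string][]byte // password identifier -> sealed password (nonce || ct || tag)
}

func NewSecurityChip(securePw string) *SecurityChip {
	c := &SecurityChip{securePwHash: sha256.Sum256([]byte(securePw)), store: map[string][]byte{}}
	key := make([]byte, 32)
	rand.Read(key) // initialization step 5: the protection key is generated inside the chip
	block, _ := aes.NewCipher(key)
	c.aead, _ = cipher.NewGCM(block)
	return c
}

func (c *SecurityChip) checkIdentity(securePw string) bool {
	h := sha256.Sum256([]byte(securePw))
	return subtle.ConstantTimeCompare(h[:], c.securePwHash[:]) == 1
}

// BeginSet is steps 2-3: verify identity, mint a single-use key pair, hand out the public half.
func (c *SecurityChip) BeginSet(securePw string) (*rsa.PublicKey, error) {
	if !c.checkIdentity(securePw) {
		return nil, errors.New("identity verification failed")
	}
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	c.ephemeral = k
	return &k.PublicKey, nil
}

// ProgramEndEncrypt is step 4 on the APP side. Wire format: id, NUL, password (description omitted here).
func ProgramEndEncrypt(pub *rsa.PublicKey, id, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(id+"\x00"+password), nil)
}

// Commit is steps 5-7: decrypt with the single-use private key, check the format, seal the password
// under the protection key with the identifier as associated data, answer with identifier and SHA-1.
func (c *SecurityChip) Commit(ct []byte) (id string, digest [20]byte, err error) {
	if c.ephemeral == nil {
		return "", digest, errors.New("no transmission key pending")
	}
	priv := c.ephemeral
	c.ephemeral = nil // single use: a replayed or second message under this key is refused
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", digest, err
	}
	idb, pw, ok := bytes.Cut(plain, []byte{0})
	if !ok || len(idb) == 0 || len(pw) == 0 || len(pw) > 64 {
		return "", digest, errors.New("request format check failed")
	}
	nonce := make([]byte, c.aead.NonceSize())
	rand.Read(nonce)
	c.store[string(idb)] = c.aead.Seal(nonce, nonce, pw, idb)
	return string(idb), sha1.Sum(pw), nil
}

// Extract is extraction steps 2-5; the plaintext returned is what the USB-HID stage would type.
func (c *SecurityChip) Extract(securePw, id string) (string, error) {
	if !c.checkIdentity(securePw) {
		return "", errors.New("identity verification failed")
	}
	blob, ok := c.store[id]
	if !ok {
		return "", errors.New("unknown password identifier")
	}
	n := c.aead.NonceSize()
	pw, err := c.aead.Open(nil, blob[:n], blob[n:], []byte(id))
	return string(pw), err
}

func main() {
	chip := NewSecurityChip("135790")
	pub, _ := chip.BeginSet("135790")
	ct, _ := ProgramEndEncrypt(pub, "mail", "correct horse")
	fmt.Println(chip.Commit(ct)) // step 8: the APP compares the returned digest with sha1.Sum(password)
	fmt.Println(chip.Extract("135790", "mail"))
}
```

One point a practitioner would check in this flow: the step 7 response is an unsalted SHA-1 of the password itself, exactly as the page specifies, so anything able to observe the USB channel receives a digest it can attack offline by guessing. A confirmation keyed to the session (for instance an HMAC under a key established during the transmission exchange) gives the APP the same check without that exposure; the block keeps SHA-1 to match the described flow.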
The invention has the following beneficial effects. Using hardware cryptographic equipment such as the security chip and the cipher machine, and combining the national-standard symmetric and asymmetric algorithms, the symmetric key that encrypts and decrypts the user's passwords inside the chip is generated randomly; transmission during setting is encrypted under an asymmetric public key whose key pair is temporary and single-use, so it cannot be known in advance by the software developers. Data communication uses asymmetric encryption, which the invention relies on to prevent man-in-the-middle and replay attacks and to provide confidentiality, integrity and non-repudiation, solving the problem of secure password transmission. To extract a password the user only needs to insert the UKey: the floating window pops up automatically, the user's identity is verified, and the password is typed in over USB-HID without manual input.
Drawings
FIG. 1 is a block diagram of a safe system according to an embodiment of the present invention.
FIG. 2 is a diagram of the key and relationship structure required by the safe of the embodiment of the present invention.
Fig. 3 is a functional diagram of a security chip of a UKey device in the production process of a UKey production system according to an embodiment of the present invention.
Fig. 4 is a basic management function diagram of a program end to a UKey device in the embodiment of the present invention.
Fig. 5 is a flowchart of initializing a UKey device by a program end according to an embodiment of the present invention.
Fig. 6 is a flowchart of setting a password to be protected between a program side and a UKey device according to an embodiment of the present invention.
Fig. 7 is a flowchart of an application method for extracting a password of a UKey device by a user according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiment of the invention:
UKey device: the hardware carrying the security chip, with a USB interface suited to a mobile phone.
HID: short for USB-HID, Universal Serial Bus Human Interface Device, a device that interacts directly with a human, such as a keyboard, mouse or joystick.
Program end: the application software, i.e. the APP on the mobile phone; in this embodiment, the password safe box APP.
Fig. 1 is a block diagram illustrating the general structure of a mobile smart password safe system based on hardware encryption protection.
The overall mobile password safe system mainly comprises four parts: the mobile terminal (i.e. the mobile phone) together with the program end, which is the password safe box APP installed on it; the UKey device (including the secure encryption chip); the UKey production management system; and the key management system.
Program end, i.e. the password safe APP: initializes and manages the user's security password and the functions of the UKey device, and binds the service that monitors insertion of a UKey device of the specific model and the floating window. At initialization the user sets a "security password" or a "fingerprint password"; the security password is the way the user's identity is confirmed, and it may be replaced by the fingerprint password depending on the hardware of the UKey device. After identity confirmation the program end can write the user's passwords into the security chip of the UKey device and add, delete, view and modify them. When a UKey device of the specific model is connected, the service detects it and opens the program end's floating window on top of other applications; the window prompts the user to enter the password or touch the fingerprint sensor and then shows the list of password identifiers for the user to select, among other interactive functions.
UKey device: the carrier of the security chip, with a USB interface adapted to the mobile phone, able to emulate USB-HID services as the scenario requires. Depending on the actual model it integrates other verification modules such as a fingerprint sensor and a touch switch, and it has an internal operating system that processes requests independently. It receives instructions from the program end (password safe APP) on the mobile terminal over USB, processes them and returns the results.
UKey production management system: the back-end system that supports UKey production and daily management, providing initialization of the security maintenance keys of the UKey security chip, serial number registration, state management and similar functions.
Key management system: deployed at the server back end and supported by a hardware cipher machine. It provides key initialization, update, destruction and computation services only to an internal system, namely the UKey production management system, and is not exposed externally.
Fig. 2 shows the keys required by the mobile smart password safe system based on hardware encryption protection and their relationships:
Key structure of the UKey device security chip: divided into a working key and a management key. The working key is used by the UKey device to transmit the password set by the user and to encrypt it for internal storage; because it is extremely sensitive and important, the invention generates it inside the security chip and provides no interface or way to export it. The management key is used for legality authentication of the UKey device, maintenance of the UKey device and maintenance of the security password.
Password transmission asymmetric key: the invention transmits the password set by the user under an asymmetric public key; the private key is held and controlled inside the chip, only the public key is exported, the pair is a single-use temporary key pair, and it is lost when the UKey device is powered off or reset.
Password protection symmetric key: the invention defines the key under which passwords are stored as a symmetric key; a password is decrypted with the transmission private key, re-encrypted under this key and then stored. The key is generated at initialization and remains permanently in the security chip until the UKey device is destroyed.
Identity authentication asymmetric key pair: used for legality authentication; generated inside the UKey device during production, only the public key is exported and registered with the production management system, which records the correspondence for later legality authentication.
UKey maintenance symmetric key: during production the key management system derives it from the serial number of the UKey device and writes it into the device; it protects the security password maintenance symmetric key while that key is updated or written.
Security password maintenance symmetric key: encrypts and protects the security password when the user sets or updates it; derived by the key management system from the serial number of the UKey device and then written into the device.
Key structure of the key management system: generated inside the hardware cipher machine and not exportable.
UKey maintenance symmetric master key: used to derive the sub-key corresponding to each UKey device serial number;
Security password maintenance symmetric master key: used to derive the sub-key corresponding to each UKey device serial number;
UKey public key list: the table of correspondence between public keys and serial numbers of issued UKeys that have been registered and stored; as the public keys are public data, they are kept in an ordinary relational database.
Note: the invention generates the working key inside the security chip to ensure security, while the management keys are generated by the system and then written into the security chip to ensure controllability.
Fig. 3 shows the functions of the UKey security chip during production by the UKey production system; production is completed before the user receives the UKey, and the user takes no part in it.
①: when the UKey device is produced, an identity authentication asymmetric key pair is generated randomly inside the device and kept in the security chip; only the public key is exported, and it is reported together with the serial number to the UKey production management system;
②: the UKey production management system stores the reported serial number and public key and builds the correspondence table;
③: the UKey production management system derives the corresponding UKey maintenance key sub-key from the serial number of the UKey device, encrypts it under the device's default maintenance key and sends it down;
④: the UKey device replaces its default maintenance key with the UKey maintenance key sub-key;
⑤: the UKey production management system derives the corresponding security password maintenance key sub-key from the serial number, encrypts it under the UKey maintenance key sub-key derived in the previous step and sends it down;
⑥: the UKey device replaces its default security password maintenance key with the security password maintenance key sub-key.
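Steps ③ to ⑥ as an added example in Go (not the patent's or the assignee's code): the key management system derives the two per-device sub-keys from its master keys and the serial number, and each sub-key reaches the device wrapped under the key it replaces. HMAC-SHA256 is the derivation function and an HMAC-based encrypt-then-MAC construction the wrapping, both stand-ins for the national-standard algorithms the page leaves unnamed; the labels `ukey-maint/` and `secpw-maint/`, the batch default keys, the serial numbers and the `KMS` and `UKey` types are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// prf is HMAC-SHA256 over label || data; derivation, keystream and tag all come from it.
func prf(key []byte, label string, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(data)
	return m.Sum(nil)
}

// KMS models the key management system behind the hardware cipher machine: the two master keys
// never leave it, and a device's sub-keys are recomputed from its serial number whenever needed.
type KMS struct {
	MaintMaster, SecPwMaster []byte
}

func (k *KMS) MaintSubkey(serial string) []byte { return prf(k.MaintMaster, "ukey-maint/", []byte(serial)) }
func (k *KMS) SecPwSubkey(serial string) []byte { return prf(k.SecPwMaster, "secpw-maint/", []byte(serial)) }

// Default keys every device carries before production (constructed values, assumed shared per batch).
var (
	defaultMaintKey = bytes.Repeat([]byte{0x11}, 32)
	defaultSecPwKey = bytes.Repeat([]byte{0x22}, 32)
)

// UKey is the device side; whichever key is current is the one the next wrapped key arrives under.
type UKey struct {
	Serial             string
	MaintKey, SecPwKey []byte
}

func NewUKey(serial string) *UKey {
	return &UKey{Serial: serial, MaintKey: append([]byte{}, defaultMaintKey...), SecPwKey: append([]byte{}, defaultSecPwKey...)}
}

func xor32(a, b []byte) []byte {
	out := make([]byte, 32)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// wrapKey protects a 32-byte sub-key in transit as nonce || (key XOR keystream) || tag,
// encrypt-then-MAC, keystream and tag both from prf under the key-encryption key kek.
func wrapKey(kek, key []byte) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	body := append(nonce, xor32(key, prf(kek, "enc/", nonce))...)
	return append(body, prf(kek, "mac/", body)...)
}

// unwrapKey is the device side: verify the tag first, only then recover the key.
func unwrapKey(kek, blob []byte) ([]byte, error) {
	if len(blob) != 16+32+32 {
		return nil, errors.New("malformed wrapped key")
	}
	body, tag := blob[:48], blob[48:]
	if !hmac.Equal(tag, prf(kek, "mac/", body)) {
		return nil, errors.New("wrong key or tampered blob")
	}
	return xor32(body[16:], prf(kek, "enc/", body[:16])), nil
}

// Produce runs steps 3 to 6 for one device. In the real system the wrap side runs in the cipher
// machine and the unwrap side inside the security chip; here both sit in one process.
func Produce(kms *KMS, dev *UKey) error {
	// step 3: derive the maintenance sub-key and wrap it under the device's default maintenance key;
	// step 4: the device unwraps it with that key and replaces the default
	maint, err := unwrapKey(dev.MaintKey, wrapKey(dev.MaintKey, kms.MaintSubkey(dev.Serial)))
	if err != nil {
		return err
	}
	dev.MaintKey = maint
	// step 5: derive the secure-password maintenance sub-key and wrap it under the new maintenance key;
	// step 6: the device replaces its default secure-password maintenance key
	secpw, err := unwrapKey(dev.MaintKey, wrapKey(dev.MaintKey, kms.SecPwSubkey(dev.Serial)))
	if err != nil {
		return err
	}
	dev.SecPwKey = secpw
	return nil
}

func main() {
	kms := &KMS{MaintMaster: make([]byte, 32), SecPwMaster: make([]byte, 32)}
	rand.Read(kms.MaintMaster)
	rand.Read(kms.SecPwMaster)
	dev := NewUKey("UK-2021-000001")
	fmt.Println(Produce(kms, dev), bytes.Equal(dev.SecPwKey, kms.SecPwSubkey(dev.Serial)))
}
```

The same derive-then-wrap pair is what initialization step ③ below uses to return the encrypted security password under the security password maintenance sub-key. Two properties worth checking against such a hierarchy: a blob wrapped for one serial must fail authentication on a device with another serial, and a flipped bit in transit must be rejected before any key material is installed. Note also that if the default maintenance key is shared across a batch (as this example assumes), step ③ is only as strong as that key's secrecy, since the first wrapped sub-key of every device in the batch travels under it.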
As shown in fig. 4, the basic management functions of the program end (password safe APP) over the UKey device include the following.
The basic function of the program end (password safe APP) over the UKey device is the daily management of the UKey device and of the passwords; these functions become usable only after the production stage is complete.
User authentication: the invention allows several authentication modes, such as a preset "security password", a "fingerprint password" or a "touch switch".
Modify the "security password" or fingerprint password: changes the security password or fingerprint password already set; the user must first pass authentication.
Modify a "set password": changes a stored user password; the function shows the list of existing "password identifiers" only after the user passes authentication, and the user picks the identifier to modify.
View a "set password": inspects a stored user password; the list of existing identifiers is shown only after authentication, and selecting one shows its information, such as the date and time it was set and the application it belongs to.
Delete a "set password": removes a stored user password; the list is shown only after authentication, and the selected identifier is deleted.
Complete destruction: destroys all passwords set in the UKey without affecting the key data, such as the working key.
As shown in fig. 5, the password safe APP initializes the UKey; initialization of the UKey is the processing procedure of configuring and registering the basic information of the UKey when a user first holds and uses the UKey.
The method comprises the following steps: step one: after a UKey device is connected to a mobile phone for the first time, the program end reads the serial number of the UKey device, obtains data signed by the 'identity authentication asymmetric public and private keys' inside the security chip of the UKey device together with the 'security password' set by the user, and sends them to the UKey production management system;
step two: the UKey production management system obtains the corresponding public key data according to the serial number of the UKey device and verifies the legality of the UKey;
step three: the UKey production management system requests the key management system to derive a sub-key of the 'UKey security password maintenance key' according to the serial number of the UKey device, and encrypts the 'security password' in the response;
step four: after receiving the response, the program end initiates decryption of the 'security password' data inside the UKey, and the 'security password' or fingerprint password is set once the format is verified to be correct;
step five: the security chip inside the UKey device randomly generates a password protection symmetric key and stores it in internal storage.
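As an added illustration of the initialization flow of fig. 5 (this is not code from the patent or its assignee), the following Go program simulates the production stage and steps one to five with standard-library cryptography. It assumes ECDSA P-256 for the 'identity authentication asymmetric public and private keys', HMAC-SHA256 for deriving the serial-number-bound sub-key of the 'UKey security password maintenance key', and AES-256-GCM for wrapping the 'security password' in the response; the names Registry, Produce, SignInitRequest, VerifyInitRequest, ServerInitResponse and AcceptInitResponse, the serial number UK2021000001 and the master key value are all constructed for the example. The registry lookup by serial number stands in for the 'UKey public key list' of claim 5.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Registry is the production management system's "UKey public key list" (claim 5): serial number -> registered identity public key.
type Registry map[string]*ecdsa.PublicKey

// UKey holds what production writes into one device (claim 4); the identity private key never leaves the chip.
type UKey struct {
	Serial       string
	identityKey  *ecdsa.PrivateKey
	maintKey     []byte // security password maintenance symmetric key, derived from the serial number
	safePassword string // set in step four
	protectKey   []byte // password protection symmetric key, generated in step five
}

// deriveSubKey derives the per-device sub-key of the "UKey security password maintenance key" from the
// master key and serial number. HMAC-SHA256 under a fixed label is an assumption; the patent names no KDF.
func deriveSubKey(master []byte, serial string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("ukey-security-password-maintenance\x00" + serial))
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// Produce simulates the production stage: generate the identity key pair inside the chip, register its
// public half under the serial number, and write the derived maintenance key into the device.
func Produce(serial string, master []byte, reg Registry) (*UKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	reg[serial] = &priv.PublicKey
	return &UKey{Serial: serial, identityKey: priv, maintKey: deriveSubKey(master, serial)}, nil
}

func initDigest(serial, safePassword string) []byte {
	d := sha256.Sum256([]byte(serial + "\x00" + safePassword))
	return d[:]
}
// SignInitRequest is step one: the chip signs the serial number together with the user's security password.
func (u *UKey) SignInitRequest(safePassword string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, u.identityKey, initDigest(u.Serial, safePassword))
}

// VerifyInitRequest is step two: look up the public key registered for this serial number and verify with it,
// so a device never registered at production, or a request whose serial was altered, is rejected.
func VerifyInitRequest(reg Registry, serial, safePassword string, sig []byte) error {
	pub, ok := reg[serial]
	if !ok { return errors.New("serial number not registered") }
	if !ecdsa.VerifyASN1(pub, initDigest(serial, safePassword), sig) { return errors.New("device signature invalid") }
	return nil
}

// ServerInitResponse is step three: the key management system re-derives the device's sub-key from its serial
// number and encrypts the security password under it (AES-256-GCM with the serial as AAD is an assumption).
func ServerInitResponse(master []byte, serial, safePassword string) ([]byte, error) {
	g, err := newGCM(deriveSubKey(master, serial))
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, []byte(safePassword), []byte(serial)), nil
}

// AcceptInitResponse is steps four and five: the chip decrypts the response with its own maintenance key,
// checks the format, sets the security password and randomly generates the password protection symmetric key.
func (u *UKey) AcceptInitResponse(resp []byte) error {
	g, err := newGCM(u.maintKey)
	if err != nil || len(resp) < g.NonceSize() { return errors.New("response unreadable") }
	pt, err := g.Open(nil, resp[:g.NonceSize()], resp[g.NonceSize():], []byte(u.Serial))
	if err != nil { return errors.New("response was not issued for this device") }
	if len(pt) < 6 { return errors.New("security password format incorrect") } // assumed minimum length
	u.safePassword = string(pt)
	u.protectKey = make([]byte, 32)
	_, err = rand.Read(u.protectKey)
	return err
}

func main() {
	reg, master := Registry{}, []byte("constructed-master-key-for-this-example")
	u, _ := Produce("UK2021000001", master, reg) // constructed serial number
	sig, _ := u.SignInitRequest("123456")
	resp, _ := ServerInitResponse(master, u.Serial, "123456")
	fmt.Println("device verified:", VerifyInitRequest(reg, u.Serial, "123456", sig) == nil,
		"initialized:", u.AcceptInitResponse(resp) == nil, "protect key bytes:", len(u.protectKey))
}
```

The check a defender cares about sits in VerifyInitRequest: a request is accepted only when its signature verifies under the public key registered for that exact serial number, so a device whose key pair was never registered at production, or a request whose serial number was altered in transit, is rejected before any sub-key is derived. Because the sub-key is bound to the serial number, a response wrapped for one device cannot be opened by another, which is what AcceptInitResponse enforces on the chip side.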
Fig. 6 is a flowchart of setting a protected password between the password safe APP and the UKey, that is, the detailed process of setting a user 'password' after the user has initialized the UKey and set the 'security password' or 'fingerprint password'.
S1: the user connects the UKey device to the mobile terminal;
S2: the program end prompts the user to input the 'security password' or 'fingerprint password';
S3: the identity of the user is verified inside the security chip of the UKey device; if the user fails authentication, error information and an error code are returned and the process proceeds to S4 and ends, and if the user passes authentication, the process proceeds to S5;
S4: the program end prompts the user that identity authentication has failed and the operation authority is not satisfied;
S5: after authentication passes, the UKey device randomly generates a temporary asymmetric public and private key pair and responds with the public key data;
S6: the program end prompts the user to input a password identifier, password description information and the password, encrypts this information with the public key returned by the UKey device, and sends it to the UKey device;
S7: inside the security chip of the UKey device, the data is decrypted with the temporary asymmetric key pair randomly generated in S5 and the validity of the data format is checked; if the data is incorrect, error information and an error code are returned and the process proceeds to S8 and ends, and if the data is correct, the process proceeds to S9;
S8: the program end prompts the user with the error information that the data is illegal;
S9: the data format being correct, the UKey device extracts the password identifier, password description information and password input by the user in S6, and the password is encrypted with the password protection symmetric key and then cold-stored;
S10: after the UKey device finishes cold storage, it generates hash sha1 data from the password and responds with it together with the password identifier;
S11: after receiving the response, the program end checks the hash sha1 data and the password identifier, prompts the user according to the result, and the process ends.
As shown in fig. 7, the flowchart of a user extracting a password from the UKey device, that is, the detailed process by which the user, having set a 'password' in the UKey device, extracts that 'password' for password input in a target application.
S21: the user opens the target application and moves the cursor to the place where the password needs to be input;
S22: the UKey device is connected;
S23: the system of the mobile terminal triggers the bound floating window, which is contained in the program end;
S24: the program end displays the floating window, prompting the user to input the 'security password' or 'fingerprint password';
S25: if identity authentication at the UKey device fails, the process proceeds to S26, and if it passes, the process proceeds to S27;
S26: the floating window prompts that the user has failed authentication and does not have the operation authority, and the process ends;
S27: the UKey device has passed authentication, and the UKey device opens the authority identification of the authentication;
S28: the floating window (generated by the password safe APP) reads and displays the password identifier list inside the UKey device;
S29: the user selects the required 'password identifier', and the floating window (password safe APP) organizes and extracts the password data of that 'password identifier';
S30: after the UKey device passes the authority check, it internally decrypts the corresponding 'password' data;
S31: the UKey device starts the USB-HID data input mode and, after input is finished, appends a 'carriage return' confirmation key at the end;
S32: the mobile terminal receives the password input through the USB-HID service, completes password input and verification confirmation in the target application, and the process ends.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A password safe box system based on hardware encryption, characterized by comprising a mobile terminal, a security chip and a service system, wherein:
the mobile terminal comprises a program end arranged on the mobile terminal, the program end being used for initializing and managing a user's security password and the functions of a UKey device, and at the same time binding a service monitoring process and a floating window when the UKey is inserted into the mobile terminal;
the UKey device is used for mounting the security chip and is connected to the mobile terminal through USB-HID;
the service system comprises a cipher machine, a key management system and a UKey production management system, wherein the UKey production management system is a back-end system supporting UKey production and daily management;
and the key management system is deployed at the server back end, requires the support of the cipher machine, and provides services to the UKey production management system.
2. The password safe system of claim 1, wherein the keys generated by the UKey device comprise working keys and management keys; the working keys are used by the UKey device to transmit the password set by the user and to store it under internal encryption, are generated inside the security chip and cannot be exported; and the management keys are used to authenticate the legality of the UKey device and to maintain the UKey device and the security password.
3. The password safe system of claim 2, wherein the working keys comprise an asymmetric key for password transmission, a symmetric key for password protection, and a UKey public key list, wherein:
the asymmetric key is used for transmitting the password set by the user; its private key is held and controlled inside the security chip, and its public key part can be exported;
the symmetric key protects the stored password: a password received under the asymmetric key is decrypted with the private key and then re-encrypted with the symmetric key for cold storage; the symmetric key is generated during initialization and is permanently stored in the security chip until the UKey device is destroyed.
4. The password safe system of claim 2, wherein the management keys comprise identity authentication asymmetric public and private keys, a UKey device maintenance symmetric key and a security password maintenance symmetric key, wherein:
the identity authentication asymmetric public and private keys are generated inside the UKey device during production and registered in the production management system, establishing a correspondence for subsequent legality identification;
the UKey device maintenance symmetric key is derived according to the serial number of the UKey device and then written into the UKey device, and is used to protect the security password maintenance symmetric key when it is updated or written;
the security password maintenance symmetric key is the key that encrypts and protects the password when the user updates or sets the security password; it is derived by the key management system according to the serial number of the UKey device and then written into the UKey device.
5. The password safe system of claim 3, wherein the UKey public key list is a table of correspondence between the public keys and serial numbers of UKeys that have been registered and warehoused.
6. A method of applying a password safe, the method acting on the password safe system of any one of claims 1 to 5.
7. The method of claim 6, wherein the application method comprises a method of setting a password, comprising the following steps:
step 1, after the security chip is connected to the mobile terminal, the program end prompts: input the password;
step 2, the security chip verifies the identity; if verification passes, step 3 is entered, and if it does not pass, the process ends;
step 3, after verification passes, the security chip randomly generates a temporary asymmetric public and private key pair and responds with the public key data;
step 4, the program end prompts: input the password identifier, password description information and password; this information is encrypted with the public key returned by the security chip and sent to the security chip;
step 5, the encrypted information is decrypted inside the security chip with the temporary asymmetric public and private key pair and the validity of the data format is checked; if the check passes, step 6 is entered, and if it does not pass, the process ends;
step 6, after the check passes, the security chip extracts the information, which is encrypted with the password protection symmetric key and then cold-stored;
step 7, the security chip generates hash sha1 data from the password and responds with it together with the password identifier;
step 8, after receiving the response data, the program end checks the hash sha1 data and the password identifier, prompts the user according to the result, and the process ends.
8. The method of claim 6, comprising a method of extracting a 'password' for password input in a target application, comprising the following steps:
step 1, when the security chip is connected to the mobile terminal, the program end starts the bound floating window, which prompts the user to input the security password or fingerprint password;
step 2, if the security chip passes authentication, the authority identification of identity authentication is opened;
step 3, the floating window reads the password identifier list from the security chip and displays it;
step 4, the floating window organizes and extracts the password data of the password identifier selected by the user;
step 5, after the security chip passes the authority check, it internally decrypts the corresponding 'password' data;
step 6, the security chip starts the USB-HID data input mode, the mobile terminal receives the password input, password input and verification confirmation in the target application are completed, and the process ends.
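The set-password flow of fig. 6 (S5 to S11, restated in claim 7) and the extraction flow of fig. 7 (S25 to S31, restated in claim 8), simulated in Go as an added example that is not code from the patent or its assignee. It assumes RSA-2048 with OAEP for the 'temporary asymmetric public and private key pair', AES-256-GCM under the 'password protection symmetric key' for cold storage, a NUL-separated packing of identifier, description and password on the wire, and a 'security password' compared in constant time; NewUKey, BeginSet, AppEncryptSetRequest, FinishSet, Extract, the identifier bank-login and the sample passwords are all constructed for the example. The USB-HID typing of S31 is represented by returning the string the keyboard emulation would type, including the trailing carriage return.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// One cold-stored record: the description stays readable for the S28 list; sealed = nonce || AES-256-GCM(password).
type entry struct{ description string; sealed []byte }

type UKey struct {
	securityPassword string
	protectKey       []byte // password protection symmetric key, random per device
	store            map[string]entry
	ephemeral        *rsa.PrivateKey // temporary key pair of S5, discarded after S7
	authorised       bool            // authority identification opened in S27
}

func NewUKey(securityPassword string) (*UKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return nil, err }
	return &UKey{securityPassword: securityPassword, protectKey: k, store: map[string]entry{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// Authenticate is S3 / S25: the chip checks the security password and sets the authority flag.
func (u *UKey) Authenticate(pw string) bool {
	u.authorised = subtle.ConstantTimeCompare([]byte(pw), []byte(u.securityPassword)) == 1
	return u.authorised
}

// BeginSet is S5: after authentication the chip generates a temporary RSA key pair and returns only its public half.
func (u *UKey) BeginSet() (*rsa.PublicKey, error) {
	if !u.authorised { return nil, errors.New("identity authentication not passed") } // S4
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	u.ephemeral = k
	return &k.PublicKey, nil
}

// AppEncryptSetRequest is S6 on the program end: pack identifier, description and password (NUL-separated, assumed) and encrypt to the temporary public key.
func AppEncryptSetRequest(pub *rsa.PublicKey, id, desc, pw string) ([]byte, error) {
	msg := []byte(id + "\x00" + desc + "\x00" + pw)
	if bytes.Count(msg, []byte{0}) != 2 { return nil, errors.New("fields must not contain NUL") }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte("set-password"))
}

// FinishSet is S7 to S10: decrypt with the temporary private key, check the format, re-encrypt the password
// under protectKey, cold-store it, and respond with the identifier plus SHA-1(password) for the S11 check.
func (u *UKey) FinishSet(ct []byte) (string, []byte, error) {
	if u.ephemeral == nil { return "", nil, errors.New("no temporary key pair") }
	priv := u.ephemeral; u.ephemeral = nil // one request per temporary key pair: a captured S6 message cannot be replayed
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte("set-password"))
	if err != nil { return "", nil, errors.New("data illegal: decryption failed") } // S8
	parts := bytes.Split(msg, []byte{0})
	if len(parts) != 3 || len(parts[0]) == 0 || len(parts[2]) == 0 {
		return "", nil, errors.New("data illegal: bad format") // S8
	}
	g, err := newGCM(u.protectKey)
	if err != nil { return "", nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", nil, err }
	id := string(parts[0])
	u.store[id] = entry{string(parts[1]), g.Seal(nonce, nonce, parts[2], []byte(id))} // S9 cold storage
	h := sha1.Sum(parts[2]); return id, h[:], nil                                    // S10
}

// Extract is S29 to S31: after the authority check, decrypt the selected entry and return what the USB-HID path types.
func (u *UKey) Extract(id string) (string, error) {
	if !u.authorised { return "", errors.New("identity authentication not passed") } // S26
	e, ok := u.store[id]
	if !ok { return "", errors.New("unknown password identifier") }
	g, err := newGCM(u.protectKey)
	if err != nil || len(e.sealed) < g.NonceSize() { return "", errors.New("stored record unreadable") }
	pw, err := g.Open(nil, e.sealed[:g.NonceSize()], e.sealed[g.NonceSize():], []byte(id)) // S30
	if err != nil { return "", err }
	return string(pw) + "\n", nil // S31: "carriage return" confirmation appended
}

func main() {
	u, _ := NewUKey("123456") // constructed sample security password
	u.Authenticate("123456")
	pub, _ := u.BeginSet()
	ct, _ := AppEncryptSetRequest(pub, "bank-login", "constructed sample", "S3cret!")
	id, h, _ := u.FinishSet(ct)
	out, _ := u.Extract(id)
	fmt.Printf("stored %q sha1=%x, HID types %q\n", id, h, out)
}
```

Two details are worth noting. The temporary key pair is discarded after one FinishSet, so a captured S6 message cannot be presented to the chip a second time, and every operation that touches stored passwords re-checks the authority flag set by Authenticate, mirroring S25 to S27 and S30. The stored description is kept in the clear so the floating window can list identifiers without first decrypting anything; only the password itself is under the protection key.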
CN202110193077.5A 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method Active CN113014393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110193077.5A CN113014393B (en) 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method

Publications (2)

Publication Number Publication Date
CN113014393A true CN113014393A (en) 2021-06-22
CN113014393B CN113014393B (en) 2023-04-28

Family

ID=76404321


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant