CN113285950B - 一种基于加密卡的密钥传输和存储方法 - Google Patents

一种基于加密卡的密钥传输和存储方法 Download PDF

Info

Publication number
CN113285950B
CN113285950B CN202110560623.4A CN202110560623A CN113285950B CN 113285950 B CN113285950 B CN 113285950B CN 202110560623 A CN202110560623 A CN 202110560623A CN 113285950 B CN113285950 B CN 113285950B
Authority
CN
China
Prior art keywords
key
management module
encryption card
token
cipher
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110560623.4A
Other languages
English (en)
Other versions
CN113285950A (zh
Inventor
陈继
庞文俊
王永
李小超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingchuang Wangyu Hefei Technology Co ltd
Original Assignee
Qingchuang Wangyu Hefei Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qingchuang Wangyu Hefei Technology Co ltd filed Critical Qingchuang Wangyu Hefei Technology Co ltd
Priority to CN202110560623.4A priority Critical patent/CN113285950B/zh
Publication of CN113285950A publication Critical patent/CN113285950A/zh
Application granted granted Critical
Publication of CN113285950B publication Critical patent/CN113285950B/zh
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开了一种基于加密卡的密钥传输和存储方法,加密卡包括加密卡模块和密钥管理模块,本方法包括如下步骤:S1:令牌申请,S2:密钥倒入,通过OwerPub对密钥KEY进行加密并签名,加密的密文和签名值分别为Cipher、SK;通过加密卡身份CardPub对令牌R签名,签名值为SR;通过CardPub解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中;S3:密钥激活。采用密钥卡模块、密钥管理模块和主机侧实现信息传输,无需通过网络传输,保证密钥存储的安全。每次交互需进行令牌申请,确保数据交互的唯一性。加密卡和所有者分别具备身份信息,需分别认证身份的可靠性,传输过程采用非对称加密,保证数据的安全性。

Description

一种基于加密卡的密钥传输和存储方法
技术领域
本发明涉及信息安全传输技术领域,更具体地说,设计一种基于加密卡的密钥传输和存储方法。
背景技术
敏感信息安全传输是指对密钥或者敏感信息进行安全可靠的传输,解决当前针对敏感信息安全传输和存储的问题。当前加密的安全传输都是基于https的,主要适用在网络中进行传输,针对于硬件接口之间的安全传输并不适用。
发明内容
本发明的目的在于提供一种基于加密卡的密钥传输和存储方法,密钥的安全存储是通过安全的硬件模块实现,在硬件上阻止和保护了一些物理攻击。芯片之间的传输采用可靠的加密算法完成,实现了密钥封闭和安全性,用以解决上述背景技术中存在的技术问题。
本发明技术方案一种基于加密卡的密钥传输和存储方法,加密卡包括加密卡模块和密钥管理模块,本方法包括如下步骤:
S1:令牌申请,通过主机侧生成令牌的上半部随机数R1并签名,然后通过密钥管理模块验证,通过密钥管理模块生成令牌的下半部随机数R2并签名,然后通过验证主机侧OwerPri验证,将R1和R2合成令牌R;
S2:密钥导入,所有者公钥OwerPub对密钥KEY进行加密并签名,加密的密文和签名值分别为Cipher、SK;通过加密卡模块公钥CardPub对令牌R签名,签名值为SR;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中;
S3:密钥激活,加密卡模块生成临时密钥并将临时密钥对中的公钥TmpPub发送至密钥管理模块;密钥管理模块读取密钥KEY并通过TmpPub对密钥进行加密Cipher;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中备用。
在一个优选地实施例中,令牌R1的签名和验证包括如下骤:
A1:主机侧使用加密卡模块公钥CardPub对R1签名,签名值为SR1;
A2:主机侧将R1+SR1通过加密卡发送到密钥管理模块,密钥管理模块通过CardPri验证R1+SR1的完整性。
在一个优选地实施例中,令牌R2的签名和验证包括如下骤:
B1:密钥管理模块通过所有者公钥OwerPub对R2签名,签名值为SR2;
B2:密钥管理模块通过加密卡模块把R2+SR2发送到主机侧,并通过主机侧OwerPri验证R2+SR2的完整性。
在一个优选地实施例中,CardPub解密Cipher得到密钥KEY的过程为:
C1:将R+SR+Cipher+SK发送到密钥管理模块;
C2:密钥管理模块通过CardPub验证R+SR的完整性,并解密Cipher得到密钥KEY;
C3:通过KEY+SK验证密钥KEY的完整性。
本发明技术方案的有益效果是:
采用密钥卡模块、密钥管理模块和主机侧实现信息传输,无需通过网络传输,保证密钥存储的安全。每次交互需进行令牌申请,确保数据交互的唯一性。加密卡和所有者分别具备身份信息,需分别认证身份的可靠性,传输过程采用非对称加密,保证数据的安全性。
附图说明
图1为本发明令牌申请流程图,
图2为本发明密钥导入流程图,
图3为本发明密钥激活流程图。
具体实施方式
下面结合附图和具体实施方式对本发明作进一步详细的说明。本发明的实施例是为了示例和描述起见而给出的,而并不是无遗漏的或者将本发明限于所公开的形式。很多修改和变化对于本领域的普通技术人员而言是显而易见的。选择和描述实施例是为了更好说明本发明的原理和实际应用,并且使本领域的普通技术人员能够理解本发明从而设计适于特定用途的带有各种修改的各种实施例。
为了更好理解文本内容,下面对下文出现的名称进行解释:OwerPub:所有者公钥;OwerPri:所有者私钥;CardPub:加密卡模块公钥;CardPri:加密卡模块私钥;R1:令牌上半部随机数;R2:令牌下半部随机数;SR1:令牌上半部随机数签名;SR2:令牌下半部随机数签名;R:令牌上半部和下半部组合;SR:令牌R的签名;KEY:要存储的密钥信息;Cipher:密钥的密文;SK:密钥明文的签名值;TmpPub:临时密钥对的公钥;TmpPri:临时密钥对的私钥。
Host:Host是主机侧程序,是所有者或者调用者。加密卡模块:加密卡模块是提供加密卡服务的硬件设备,提供加解密相关的服务。密钥管理模块:密钥管理模块是集成在加密卡上的一个小芯片,是提供对身份信息获取,敏感信息存储的一个芯片。
参照图1-图3,本发明技术方案一种基于加密卡的密钥传输和存储方法,加密卡包括加密卡模块和密钥管理模块,加密卡与主机侧实现信息传递。
本方法包括如下步骤:
S1:令牌申请,通过主机侧生成令牌的上半部随机数R1并签名,然后通过密钥管理模块验证,通过密钥管理模块生成令牌的下半部随机数R2并签名,然后通过验证主机侧OwerPri验证,将R1和R2合成令牌R。申请的令牌R只在本次操作中有效。
令牌R1的签名和验证包括如下骤:A1:主机侧使用加密卡模块公钥CardPub对R1签名,签名值为SR1;A2:主机侧将R1+SR1通过加密卡发送到密钥管理模块,密钥管理模块通过CardPri验证R1+SR1的完整性。验证完整性是为了保证信息传递过程的安全性,只有在验证信息完整的情况下才可进行后续处理。若验证信息存在不完整则需要重新申请并签名。
令牌R2的签名和验证包括如下骤:B1:密钥管理模块通过所有者公钥OwerPub对R2签名,签名值为SR2;B2:密钥管理模块通过加密卡模块把R2+SR2发送到主机侧,并通过主机侧OwerPri验证R2+SR2的完整性。
在R1+SR1通过验证之后,再由密钥管理模块生成令牌下半部R2,当R2+SR2也通过验证后,最终将R1和R2合成令牌R。合成后的令牌R供后续密钥导入和密钥激活使用。
S2:密钥导入,所有者公钥OwerPub对密钥KEY进行加密并签名,加密的密文和签名值分别为Cipher、SK;通过加密卡模块公钥CardPub对令牌R签名,签名值为SR;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中。
CardPub解密Cipher得到密钥KEY的过程为:C1:将R+SR+Cipher+SK发送到密钥管理模块;C2:密钥管理模块通过CardPub验证R+SR的完整性,并解密Cipher得到密钥KEY;C3:通过KEY+SK验证密钥KEY的完整性。
S3:密钥激活,加密卡模块生成临时密钥并将临时密钥对中的公钥TmpPub发送至密钥管理模块;密钥管理模块读取密钥KEY并通过TmpPub对密钥进行加密Cipher;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中备用。
临时密钥对为:公钥TmpPub,私钥TmpPri,临时密钥对用以配合验证传输信息的身份的合法性,并使密钥KEY处于备用状态。
显然,所描述的实施例仅仅是本发明的一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域及相关领域的普通技术人员在没有作出创造性劳动的前提下所获得的所有其他实施例,都应属于本发明保护的范围。本发明中未具体描述和解释说明的结构、装置以及操作方法,如无特别说明和限定,均按照本领域的常规手段进行实施。

Claims (3)

1.一种基于加密卡的密钥传输和存储方法,其特征在于,加密卡包括加密卡模块和密钥管理模块,本方法包括如下步骤:
S1:令牌申请,通过主机侧生成令牌的上半部随机数R1并签名,然后通过密钥管理模块验证,通过密钥管理模块生成令牌的下半部随机数R2并签名,然后通过验证主机侧OwerPri验证,将R1和R2合成令牌R;
S2:密钥导入,所有者公钥OwerPub对密钥KEY进行加密并签名,加密的密文和签名值分别为Cipher、SK;通过加密卡模块公钥CardPub对令牌R签名,签名值为SR;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中;
S3:密钥激活,加密卡模块生成临时密钥并将临时密钥对中的公钥TmpPub发送至密钥管理模块;密钥管理模块读取密钥KEY并通过TmpPub对密钥进行加密Cipher;通过密钥管理模块解密Cipher得到密钥KEY,并将密钥KEY存储到密钥管理模块中备用;
CardPub解密Cipher得到密钥KEY的过程为:
C1:将R+SR+Cipher+SK发送到密钥管理模块;
C2:密钥管理模块通过CardPub验证R+SR的完整性,并解密Cipher得到密钥KEY;
C3:通过KEY+SK验证密钥KEY的完整性。
2.根据权利要求1所述的基于加密卡的密钥传输和存储方法,其特征在于,令牌R1的签名和验证包括如下骤:
A1:主机侧使用加密卡模块公钥CardPub对R1签名,签名值为SR1;
A2:主机侧将R1+SR1通过加密卡发送到密钥管理模块,密钥管理模块通过CardPri验证R1+SR1的完整性。
3.根据权利要求1所述的基于加密卡的密钥传输和存储方法,其特征在于,令牌R2的签名和验证包括如下骤:
B1:密钥管理模块通过所有者公钥OwerPub对R2签名,签名值为SR2;
B2:密钥管理模块通过加密卡模块把R2+SR2发送到主机侧,并通过主机侧OwerPri验证R2+SR2的完整性。
CN202110560623.4A 2021-05-21 2021-05-21 一种基于加密卡的密钥传输和存储方法 Active CN113285950B (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110560623.4A CN113285950B (zh) 2021-05-21 2021-05-21 一种基于加密卡的密钥传输和存储方法

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110560623.4A CN113285950B (zh) 2021-05-21 2021-05-21 一种基于加密卡的密钥传输和存储方法

Publications (2)

Publication Number Publication Date
CN113285950A CN113285950A (zh) 2021-08-20
CN113285950B true CN113285950B (zh) 2023-02-24

Family

ID=77280899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110560623.4A Active CN113285950B (zh) 2021-05-21 2021-05-21 一种基于加密卡的密钥传输和存储方法

Country Status (1)

Country Link
CN (1) CN113285950B (zh)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134076A (zh) * 2022-06-30 2022-09-30 支付宝(杭州)信息技术有限公司 数据处理方法及系统

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101989991A (zh) * 2010-11-24 2011-03-23 北京天地融科技有限公司 安全导入密钥的方法及电子签名工具、认证设备及系统
KR20160071999A (ko) * 2014-12-12 2016-06-22 한국정보통신주식회사 Pos 단말 장치, 카드리더 모듈, 그를 이용한 암호키 배포 시스템 및 그 방법
CN106326757A (zh) * 2016-08-26 2017-01-11 浪潮(北京)电子信息产业有限公司 一种存储系统的数据加密装置
CN111654372A (zh) * 2019-11-29 2020-09-11 江苏芯盛智能科技有限公司 密钥管理方法及相关装置
CN112000975A (zh) * 2020-10-28 2020-11-27 湖南天琛信息科技有限公司 一种密钥管理系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101989991A (zh) * 2010-11-24 2011-03-23 北京天地融科技有限公司 安全导入密钥的方法及电子签名工具、认证设备及系统
KR20160071999A (ko) * 2014-12-12 2016-06-22 한국정보통신주식회사 Pos 단말 장치, 카드리더 모듈, 그를 이용한 암호키 배포 시스템 및 그 방법
CN106326757A (zh) * 2016-08-26 2017-01-11 浪潮(北京)电子信息产业有限公司 一种存储系统的数据加密装置
CN111654372A (zh) * 2019-11-29 2020-09-11 江苏芯盛智能科技有限公司 密钥管理方法及相关装置
CN112000975A (zh) * 2020-10-28 2020-11-27 湖南天琛信息科技有限公司 一种密钥管理系统

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
基于AES的硬盘加密卡密钥管理方案;骆建军等;《杭州电子科技大学学报(自然科学版)》;20180515(第03期);全文 *
基于轻量级加密技术建立物联网感知层信息安全的解决方案;胡祥义等;《网络安全技术与应用》;20130315(第03期);全文 *

Also Published As

Publication number Publication date
CN113285950A (zh) 2021-08-20

Similar Documents

Publication Publication Date Title
CN107896147B (zh) 一种基于国密算法协商临时会话密钥的方法及其系统
EP2991267B1 (en) Apparatus for providing puf-based hardware otp and method for authenticating 2-factor using same
US6189098B1 (en) Client/server protocol for proving authenticity
WO2021120683A1 (zh) 基于身份认证的安全通讯方法及装置
CN100468438C (zh) 实现硬件和软件绑定的加密和解密方法
CN109379387B (zh) 一种物联网设备间的安全认证和数据通信系统
CN106953732B (zh) 芯片卡的密钥管理系统及方法
US10044684B2 (en) Server for authenticating smart chip and method thereof
CN108323230B (zh) 一种传输密钥的方法、接收终端和分发终端
US10693645B2 (en) Security management system for performing a secure transmission of data from a token to a service provider server by means of an identity provider server
CN109903052A (zh) 一种区块链签名方法和移动设备
CN103544453A (zh) 一种基于usb key的虚拟桌面文件保护方法及装置
CN111884814B (zh) 一种用于智能终端防伪造的方法和系统
CN114650173A (zh) 一种加密通讯方法及系统
CN111835510A (zh) 一种etc安全管理方法
CN110233729A (zh) 一种基于puf的加密固态盘密钥管理方法
US20060053288A1 (en) Interface method and device for the on-line exchange of content data in a secure manner
CN113239343B (zh) 内部认证的加密方法、智能卡、内部认证方法以及读卡器
CN113285950B (zh) 一种基于加密卡的密钥传输和存储方法
WO2013138867A1 (en) Secure nfc apparatus and method
US9876774B2 (en) Communication security system and method
CN115529591B (zh) 基于令牌的认证方法、装置、设备及存储介质
EP3185504A1 (en) Security management system for securing a communication between a remote server and an electronic device
CN113592484B (zh) 一种账户的开立方法、系统及装置
CN107276961A (zh) 一种基于密码算法加密和解密数据的方法及装置

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant