CN113595727B - Key safety system based on key separate storage and hardware binding - Google Patents


Publication number
CN113595727B
Authority
CN
China
Prior art keywords
key
value
complete
characters
mobile client
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111125930.6A
Other languages
Chinese (zh)
Other versions
CN113595727A (en
Inventor
王剑
张晓洲
朱俊领
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Huilian Hexin Digital Information Technology Research Institute Co ltd
Original Assignee
Nanjing Huilian Hexin Digital Information Technology Research Institute Co ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a key security system based on separate key storage and hardware binding, intended to solve the inconvenience, ease of leakage and low security of existing key storage. The system comprises a mobile client and a server. The mobile client sends request content to the server and receives the real-name verification instruction fed back; it receives and stores the first partial key and the hash of the complete key fed back by the server. The mobile client does not persistently store the complete key, so even if the locally stored partial key is leaked it cannot be used on other terminals; the server does not store the complete key either, which prevents the key from leaking when the server is attacked.

Description

Key safety system based on key separate storage and hardware binding
Technical Field
The invention relates to the technical field of secure key storage, and in particular to a key security system based on separate key storage and hardware binding.
Background
Distributed digital identity uses a DPKI system to store identities securely and verify signatures, and the security of the key is central to the security of the whole system. Traditionally there are two main kinds of key storage scheme: first, a dedicated hardware wallet stores the key and performs data encryption, signing and signature verification; second, the user key is stored in a file, and data encryption, signing and signature verification are done in software. Both schemes have drawbacks. A hardware key wallet meets the required security level, but it is costly and inconvenient to use, and in mobile application scenarios in particular it needs support from the underlying hardware manufacturer and the operating system. Storing the key in a file is cheap and convenient, but the key leaks easily and security is low.
A key security system based on separate key storage and hardware binding is therefore designed, so that the security of the key can be guaranteed to a certain extent and the system can be easily implemented on a general mobile terminal.
Disclosure of Invention
The invention aims to provide a key security system based on separate key storage and hardware binding, to solve the inconvenience, ease of leakage and low security of existing key storage.
The purpose of the invention can be achieved by the following technical scheme: a key security system based on separate key storage and hardware binding comprises a mobile client and a server, which communicate over an SSL/TLS secure transmission channel;
the mobile client is used for sending request content to the server and receiving the real-name verification instruction fed back; after receiving the instruction it performs real-name verification, and after verification succeeds it detects the hardware information of the mobile client, generates a hash from the hardware information, and sends the hardware information and the corresponding hash to the server; it receives and stores the first partial key and the hash of the complete key fed back by the server; the request content comprises a first request and a second request; the first request is a new user registration; the second request is a request for the second partial key;
the server is used for receiving and processing the request content sent by the mobile client, and the specific processing process is as follows:
when the received request content is a first request, the server generates the corresponding real-name verification instruction; when it receives the hardware information and hash of the mobile client, it generates the complete key of the mobile client and the hash corresponding to the complete key, processes the hardware information to obtain the segmentation value of the key, and splits the complete key according to the segmentation value to obtain a first partial key and a second partial key; it stores the second partial key, binds the first partial key to the received hash, obtains an association-relation certificate between the first partial key and the received hash, and sends the certificate to a blockchain; it sends the first partial key and the hash of the complete key to the mobile client;
when the received request content is a second request, the server generates the corresponding real-name verification instruction and sends it to the mobile client, and returns the second partial key to the mobile client after verification passes; the mobile client combines the second partial key with the locally stored first partial key to obtain the complete key, verifies the hash of the complete key, caches the complete key in memory after verification passes, and deletes the complete key from memory after it has been used.
As a preferred embodiment of the present invention, the hardware information includes an IMEI, an MEID, a processor model, a running memory, a download rate and an upload rate. The server processes the hardware information as follows: each processor model is assigned a preprocessing value; the processor model in the hardware information is matched against all processor models to obtain the corresponding preprocessing value; the matched preprocessing value and the running memory are normalized, and their normalized values are marked CY1 and CY2 respectively; the key decryption value YJ is obtained using the formula YJ = CY1 × sf1 + CY2 × sf2, where sf1 and sf2 are the preset weight coefficients for the preprocessing value and the running memory value. The download rate and the upload rate are then analyzed: the rate values in the download rate are marked X1, X2, …, Xj; all the rate values are summed and averaged to obtain the download mean XP; the download base value XF is then obtained using the formula
Figure DEST_PATH_IMAGE002
the download base value XF is obtained, where q is a positive integer greater than two, and ks1 and ks2 are preset weighting factors; the upload rate is processed in the same way to obtain the upload base value DF; the download base value and the upload base value are normalized and their normalized values are taken; the key general value YT is obtained using the formula YT = XF × sf3 + DF × sf4, where sf3 and sf4 are the preset weight coefficients for the download base value and the upload base value; the key decryption value YJ and the key general value YT are substituted into the information algorithm model, which outputs the segmentation value; the information algorithm model is
Figure DEST_PATH_IMAGE004
b1 and b2 are preset fixed values of the model, and λ is the correction factor.
As a preferred embodiment of the present invention, the complete key is split according to the segmentation value as follows: a plurality of splitting operations FGi are set, where i is a positive integer; each splitting operation FGi corresponds to a numerical range; the segmentation value is matched against the numerical ranges of the splitting operations FGi, and the operation whose range contains the segmentation value is marked as the matched splitting operation FGb, where b is one of the values of i; the complete key is divided into n parts by the splitting operation FGb, m of the parts are combined in order to obtain the first partial key, and the remaining n-m parts are combined in order to obtain the second partial key; at the same time a sequence combination code of the first partial key and the second partial key is generated and added to the hash of the complete key, the sequence combination code recording the positions in the complete key of the characters of the first partial key and the second partial key; n is the value obtained by dividing the key decryption value YJ by a preset fixed value and rounding, with n ≥ 2; m is the value obtained by dividing the key general value YT by a preset fixed value and rounding, with m ≤ n-1.
As a preferred embodiment of the present invention, when there are three splitting operations, i.e. the maximum value of i is three:
when the splitting operation FG1 is applied, the complete key is split as follows: the characters of the complete key are counted and the count is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key;
when the splitting operation FG2 is applied, the complete key is split as follows: the number of characters of the complete key is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size while skipping characters, the number of skipped characters being one; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key;
when the splitting operation FG3 is applied, the complete key is split as follows: the number of characters of the complete key is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size while skipping characters, the number of skipped characters being two; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key.
As a preferred embodiment of the present invention, a data acquisition unit and a storage analysis unit are provided in the mobile client; the data acquisition unit acquires the hardware information and storage information of the mobile client and sends them to the storage analysis unit; after receiving the hardware information and the storage information, the storage analysis unit analyzes the storage information to obtain the correction factor of the mobile client; the storage information comprises the total memory capacity of the mobile client, the memory cleaning moments and the remaining memory capacity;
the storage analysis unit analyzes the storage information as follows: the memory cleaning moments are sorted by time, and the time difference between each two adjacent moments is calculated in turn to obtain the cleaning interval durations; all the cleaning interval durations are summed and averaged to obtain the interval average duration; the interval average duration, the total memory capacity and the remaining memory capacity are normalized, and their normalized values are marked QL1, QL2 and QL3 respectively; the correction factor λ is obtained using the formula λ = QL1 × td1 + QL2 × td2 + QL3 × td3, where td1, td2 and td3 are the weights of the interval average duration, the total memory capacity and the remaining memory capacity.
As a preferred embodiment of the present invention, the mobile client is further configured to send a registered user's key update request to the server; after receiving the key update request, the server generates the corresponding real-name verification instruction and feeds it back to the mobile client for real-name verification; after verification succeeds, it regenerates the complete key of the mobile client and the hash corresponding to the complete key from the hardware information and hash of the mobile client, and feeds back the new first partial key and the hash of the complete key.
Compared with the prior art, the invention has the beneficial effects that:
1. when the server receives the hardware information and hash of the mobile client, it generates the complete key of the mobile client and the hash corresponding to the complete key, processes the hardware information to obtain a first partial key and a second partial key, and sends the first partial key and the hash of the complete key to the mobile client for storage; the mobile client does not persistently store the complete key, so even if the locally stored partial key is leaked it cannot be used on other terminals; the server does not store the complete key either, which prevents the key from leaking when the server is attacked;
2. the mobile client sends the hash of its local hardware information to the server, and the server returns the second partial key after verification passes; the mobile client combines the second partial key returned by the server with the locally stored first partial key and verifies the hash of the complete key; after verification passes, the second partial key is cached in memory for use in business scenarios such as encryption, decryption and signing, and the complete key and the second partial key in memory are discarded after the mobile client program exits.
Drawings
In order to facilitate understanding for those skilled in the art, the present invention will be further described with reference to the accompanying drawings.
FIG. 1 is a schematic block diagram of the overall principle of the present invention;
FIG. 2 is a schematic block diagram of the second partial key processing principle of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, a key security system based on separate key storage and hardware binding includes a mobile client and a server, which exchange data over an SSL/TLS secure transmission channel;
the mobile client is a smartphone terminal or a smart tablet terminal; through it the user sends a new user registration request, a second partial key request or a key update request to the server; after receiving such a request, the server feeds back a real-name verification instruction to the mobile client, and the mobile client performs real-name verification after receiving the instruction; the real-name verification can use liveness detection and face recognition; after verification succeeds, the hardware information of the mobile client is acquired, comprising an IMEI (international mobile equipment identity), an MEID (mobile equipment identifier), a processor model, a running memory, a download rate and an upload rate; a hash is generated from the IMEI, or the MEID, or the combination of the IMEI and the MEID in the hardware information, and the hardware information and the corresponding hash are then sent to the server; when the server receives the hardware information and hash of the mobile client, it generates the complete key of the mobile client and the hash corresponding to the complete key, and processes the hardware information as follows:
each processor model is assigned a preprocessing value; the processor model in the hardware information is matched against all processor models to obtain the corresponding preprocessing value; the matched preprocessing value and the running memory are normalized, and their normalized values are marked CY1 and CY2 respectively; the key decryption value YJ is obtained using the formula YJ = CY1 × sf1 + CY2 × sf2, where sf1 and sf2 are the preset weight coefficients for the preprocessing value and the running memory value, with values 0.64 and 0.36; the key decryption value is a quantized value used to evaluate the combined performance of the processor and the running memory of the mobile client, so that key parts are allocated reasonably according to that performance: when a large number of key parts is allocated to the mobile client, the time it needs to parse and combine them into the complete key is long, which prolongs the user's wait for key verification;
the download rate and the upload rate are analyzed, and the rate values in the download rate are marked X1, X2, …, Xj; j is the number of rate values and is a positive integer; all the rate values are summed and averaged to obtain the download mean XP; using the formula
Figure 771481DEST_PATH_IMAGE002
the download base value XF is obtained, where q is a positive integer greater than two, and ks1 and ks2 are preset weighting factors, which can be 0.52 and 0.48; the upload rate is processed in the same way to obtain the upload base value DF;
the download base value and the upload base value are normalized and their normalized values are taken; the key general value YT is obtained using the formula YT = XF × sf3 + DF × sf4, where sf3 and sf4 are the preset weight coefficients for the download base value and the upload base value, with values 0.37 and 0.45;
the key decryption value YJ and the key general value YT are substituted into the information algorithm model
Figure 219780DEST_PATH_IMAGE004
and the segmentation value is output by the information algorithm model; b1 and b2 are preset fixed values of the model, and λ is the correction factor;
the mobile client also comprises a data acquisition unit and a storage analysis unit;
the data acquisition unit acquires the hardware information and storage information of the mobile client and sends them to the storage analysis unit; the storage information comprises the total memory capacity of the mobile client, the memory cleaning moments and the remaining memory capacity;
after receiving the hardware information and the storage information, the storage analysis unit analyzes the storage information to obtain the correction factor of the mobile client, as follows: the memory cleaning moments are sorted by time, and the time difference between each two adjacent moments is calculated in turn to obtain the cleaning interval durations; all the cleaning interval durations are summed and averaged to obtain the interval average duration; the interval average duration, the total memory capacity and the remaining memory capacity are normalized, and their normalized values are marked QL1, QL2 and QL3 respectively; the correction factor λ is obtained using the formula λ = QL1 × td1 + QL2 × td2 + QL3 × td3, where td1, td2 and td3 are the weights of the interval average duration, the total memory capacity and the remaining memory capacity, with values 0.74, 0.98 and 0.85 respectively;
the server splits the complete key according to the segmentation value to obtain a first partial key and a second partial key; the specific splitting operation is as follows:
a plurality of splitting operations FGi are set, where i is a positive integer; each splitting operation FGi corresponds to a numerical range; the segmentation value is matched against the numerical ranges of the splitting operations FGi, and the operation whose range contains the segmentation value is marked as the matched splitting operation FGb, where b is one of the values of i; the complete key is divided into n parts by the splitting operation FGb, m of the parts are combined in order to obtain the first partial key, and the remaining n-m parts are combined in order to obtain the second partial key; at the same time a sequence combination code of the first partial key and the second partial key is generated and added to the hash of the complete key; the sequence combination code records the positions in the complete key of the characters of the first partial key and the second partial key, so that the mobile client can restore the character order of the complete key from it; n is the value obtained by dividing the key decryption value YJ by a preset fixed value and rounding, with n ≥ 2; m is the value obtained by dividing the key general value YT by a preset fixed value and rounding, with m ≤ n-1; the number of parts and the number of parts in the first partial key are derived from the key decryption value and the key general value, so that the complexity of key parsing and the amount of partial key stored are reasonable for the mobile client;
when there are three splitting operations, i.e. the maximum value of i is three:
when the splitting operation FG1 is applied, the complete key is split as follows: the characters of the complete key are counted and the count is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key;
for example, the complete key is DQ45FDDEELT4XDEKZPY0KD1L5JTA8TWH03Z1V4CL3JQG7HND; the value of n is 8 and the value of m is 3; the complete key has 48 characters; dividing by n gives 6 characters per part; the segments are therefore DQ45FD, DEELT4, XDEKZP, Y0KD1L, 5JTA8T, WH03Z1, V4CL3J and QG7HND; separating adjacent segments, the first group is DQ45FD, XDEKZP, 5JTA8T, V4CL3J and the second group is DEELT4, Y0KD1L, WH03Z1, QG7HND; m segments are extracted in order from either group, for example the first 3 segments of the first group, namely DQ45FD, XDEKZP and 5JTA8T, which are combined to obtain the first partial key; the remaining V4CL3J, DEELT4, Y0KD1L, WH03Z1 and QG7HND are combined to obtain the second partial key;
when the splitting operation FG2 is applied, the complete key is split as follows: the number of characters of the complete key is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size while skipping characters, the number of skipped characters being one; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key;
for example, the complete key is DQ45FDDEELT4XDEKZPY0KD1L5JTA8TWH03Z1V4CL3JQG7HND; the value of n is 8 and the value of m is 3; the complete key has 48 characters; dividing by n gives 6 characters per part; skipping one character and splitting gives the segments D4FDET, XEZYK1, 5T8W0Z, VC3Q7N, Q5DEL4, DKP0DL, JATH31 and 4LJGHD;
separating adjacent segments, the first group is D4FDET, 5T8W0Z, Q5DEL4, JATH31 and the second group is XEZYK1, VC3Q7N, DKP0DL, 4LJGHD; m segments are extracted in order from either group, for example the first 3 segments of the first group, namely D4FDET, 5T8W0Z and Q5DEL4, which are combined to obtain the first partial key; the remaining JATH31, XEZYK1, VC3Q7N, DKP0DL and 4LJGHD are combined to obtain the second partial key;
when the splitting operation FG3 is applied, the complete key is split as follows: the number of characters of the complete key is divided by the number of parts n to obtain the number of characters per part; the complete key is split from front to back into segments of that size while skipping characters, the number of skipped characters being two; adjacent segments are separated from each other to obtain two groups of segments; m segments are extracted in order from either group to obtain the first partial key, and all remaining segments are combined to obtain the second partial key;
for example, the complete key is DQ45FDDEELT4XDEKZPY0KD1L5JTA8TWH03Z1V4CL3JQG7HND; the value of n is 8 and the value of m is 3; the complete key has 48 characters; dividing by n gives 6 characters per part; skipping two characters and splitting gives the segments D5DLXK, YD5AW3, VLQHQD, TE0L80, 4JN4EZ, 1T1GFD, JZ7EKC and 4HPDT3;
separating adjacent segments, the first group is D5DLXK, VLQHQD, 4JN4EZ, JZ7EKC and the second group is YD5AW3, TE0L80, 1T1GFD, 4HPDT3; m segments are extracted in order from either group, for example the first 3 segments of the first group, namely D5DLXK, VLQHQD and 4JN4EZ, which are combined to obtain the first partial key; the remaining JZ7EKC, YD5AW3, TE0L80, 1T1GFD and 4HPDT3 are combined to obtain the second partial key;
the server stores the second partial key, performs association binding on the first partial key and the received hash, obtains an association relation certificate between the first partial key and the hash, and sends the association relation certificate to the blockchain; the server sends the first partial key and the hash of the complete key to the mobile client;
referring to Fig. 2, when the received request content is a request for the second partial key, a real-name verification instruction corresponding to the request content is generated and sent to the mobile client; after verification passes, the second partial key is returned to the mobile client; the mobile client combines the second partial key with the locally stored first partial key to obtain the complete key and verifies the hash of the complete key; after verification passes, the complete key is cached in memory, and it is deleted from memory after it has been used;
after receiving the key updating request, the server generates a real-name verification instruction corresponding to the key updating request and feeds the instruction back to the mobile client for real-name verification, and after the verification is successful, the server regenerates a complete key of the mobile client and a hash corresponding to the complete key according to hardware information and the hash of the mobile client and feeds back a new first partial key and the hash of the complete key;
the working principle of the invention is as follows: a user sends a new user registration request to the server through the mobile client; the server receives the request and feeds back a real-name verification instruction to the mobile client; after the verification succeeds, the mobile client acquires its hardware information, generates a hash of the hardware information, and sends the hardware information and the corresponding hash to the server; when the server receives the hardware information and the hash of the mobile client, it generates a complete key of the mobile client and the hash corresponding to the complete key, processes the hardware information to obtain the first partial key and the second partial key, and sends the first partial key and the hash of the complete key to the mobile client for storage. The mobile client does not persistently store the complete key, so that even if the locally stored partial key is leaked, it cannot be used on other terminals; meanwhile, the server does not store the complete key, which prevents key leakage caused by the server being attacked. The mobile client sends the hash of the local hardware information to the server, and the server returns the second partial key after the verification passes; the mobile client combines the second partial key returned by the server with the locally stored first partial key and verifies the hash of the complete key; after the verification passes, the second partial key is cached in memory for use in business scenarios such as encryption, decryption and signature, and the complete key and the second partial key in memory are discarded after the mobile client exits the program.
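The FG3 worked example and the combine-and-verify step described above, as an added Python example that is not part of the patent text. The sweep rule in `skip_order` is inferred from the segments the FG3 example lists; SHA-256, the function names, the limit on m and the form of the order code (a list of original character positions) are assumptions.

```python
import hashlib
import hmac

# Complete key and parameters from the FG3 worked example above.
KEY = "DQ45FDDEELT4XDEKZPY0KD1L5JTA8TWH03Z1V4CL3JQG7HND"
N_PARTS, M_TAKEN, SKIP = 8, 3, 2


def skip_order(length, skip):
    """Positions in the order the skip segmentation visits them.

    Inferred rule: sweep the remaining positions front to back, taking one
    and passing over `skip`; repeat on what is left until nothing remains.
    """
    remaining = list(range(length))
    order = []
    while remaining:
        order += remaining[::skip + 1]
        del remaining[::skip + 1]
    return order


def split_key(key, n, m, skip):
    """Server side: return (first_partial, second_partial, order_code)."""
    if n < 2 or len(key) % n:
        raise ValueError("key length must divide evenly into n >= 2 parts")
    size = len(key) // n
    order = skip_order(len(key), skip)
    segments = [order[i * size:(i + 1) * size] for i in range(n)]
    group1, group2 = segments[0::2], segments[1::2]  # alternate segments
    # Assumption: m segments are drawn from the first group only.
    if not 1 <= m <= len(group1):
        raise ValueError("m must select between 1 and len(group1) segments")
    first = [p for seg in group1[:m] for p in seg]
    second = [p for seg in group1[m:] + group2 for p in seg]
    text = lambda positions: "".join(key[p] for p in positions)
    return text(first), text(second), first + second


def key_hash(key):
    # Assumption: SHA-256; the page does not name the hash function.
    return hashlib.sha256(key.encode()).hexdigest()


def combine(first, second, order_code, expected_hash):
    """Client side: rebuild the complete key and verify it against the hash."""
    shares = first + second
    if sorted(order_code) != list(range(len(shares))):
        raise ValueError("order code does not match the partial keys")
    chars = [""] * len(shares)
    for position, char in zip(order_code, shares):
        chars[position] = char
    key = "".join(chars)
    if not hmac.compare_digest(key_hash(key), expected_hash):
        raise ValueError("recombined key does not match the stored hash")
    return key


if __name__ == "__main__":
    first, second, code = split_key(KEY, N_PARTS, M_TAKEN, SKIP)
    print(first, second)
    print(combine(first, second, code, key_hash(KEY)) == KEY)
```

Each partial key consists of characters of the complete key verbatim: with n = 8 and m = 3 the client's share is 18 of the 48 characters and the server's share is the other 30.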
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (6)

1. A key safety system based on key separate storage and hardware binding comprises a mobile client and a server, and is characterized in that the mobile client is used for sending request content to the server and receiving a fed-back real-name verification instruction, real-name verification is carried out after the real-name verification instruction is received, hardware information of the mobile client is detected after verification is successful, Hash is generated according to the hardware information, and then the hardware information and the corresponding Hash are sent to the server; receiving and storing the hash of the first partial key and the complete key fed back by the server;
the server is used for receiving and processing the request content sent by the mobile client, and the specific processing process is as follows:
when the received request content is a first request, generating a real-name verification instruction corresponding to the request content, when receiving hardware information and Hash of the mobile client, generating a complete key of the mobile client and Hash corresponding to the complete key, processing the hardware information to obtain a segmentation value of the key, segmenting the complete key according to the segmentation value to obtain a first partial key and a second partial key, storing the second partial key, performing association binding on the first partial key and the received Hash, obtaining an association relation certificate between the first partial key and the received Hash, and sending the association relation certificate to a block chain; sending the hash of the first partial key and the complete key to the mobile client;
and when the received request content is a second request, generating a real-name verification instruction corresponding to the request content and sending the real-name verification instruction to the mobile client, returning a second part of key to the mobile client after verification is passed, combining the second part of key with a first part of key stored locally by the mobile client to obtain a complete key, verifying the hash of the complete key, caching the complete key in the memory after verification is passed, and deleting the complete key in the memory after the complete key is used.
2. The key security system based on key storage and hardware binding of claim 1, wherein the specific processing procedure of the server side for processing the hardware information is as follows: processing the processor model, the running memory, the download rate and the upload rate, and setting every processor model to correspond to a preprocessing value; matching the processor model in the hardware information against all the processor models to obtain the corresponding preprocessing value, normalizing the matched preprocessing value and the running memory and taking their numerical values, which are marked as CY1 and CY2 respectively; obtaining a key decryption value YJ by using the formula YJ = CY1 × sf1 + CY2 × sf2, wherein sf1 and sf2 are preset weight coefficients corresponding to the preprocessing value and the running memory; analyzing the download rate and the upload rate, and marking the rate values in the download rate as X1, X2, ..., Xj; summing all the rate values and averaging to obtain a download mean value XP; using the formula [formula image not reproduced] to obtain a download base value XF, wherein q is a positive integer greater than two, and ks1 and ks2 are preset weight factors; processing the upload rate in the same way to obtain an upload base value DF; normalizing the download base value and the upload base value and taking their normalized values; obtaining a key general value YT by using the formula YT = XF × sf3 + DF × sf4, wherein sf3 and sf4 are preset weight coefficients corresponding to the download base value and the upload base value; substituting the key decryption value and the key general value into the information algorithm model, and outputting a segmentation value through the information algorithm model; wherein the information algorithm model is [formula image not reproduced], b1 and b2 are preset fixed values of the model, and λ is a correction factor.
3. The key security system based on key storage and hardware binding of claim 2, wherein the specific process of segmenting the complete key according to the segmentation value is as follows: setting a plurality of segmentation operations FGi, i being a positive integer; each segmentation operation FGi corresponds to a numerical range; matching the segmentation value against the numerical ranges of the segmentation operations FGi, and marking the segmentation operation whose numerical range contains the segmentation value as the matched segmentation operation FGb, b being one of the values of i; dividing the complete key into n parts through the segmentation operation FGb, combining m of the parts in sequence to obtain a first partial key, combining the remaining n-m parts in sequence to obtain a second partial key, simultaneously generating a sequence combined code of the first partial key and the second partial key, and adding the sequence combined code to the hash of the complete key, wherein the sequence combined code is used for recording the positions, in the complete key, of the characters of the first partial key and the second partial key; n is a value obtained by dividing the key decryption value by a preset fixed value and rounding, and n is greater than or equal to 2; m is a value obtained by dividing the key general value by a preset fixed value and rounding, and m is less than or equal to n-1.
4. A key security system based on key storage and hardware binding according to claim 3, characterized in that when the number of splitting operations is three, i.e. the maximum value of i is three;
when the splitting operation FG1 is applied, the specific process of splitting the complete key is: counting the number of characters of the complete key, dividing the number of characters by the number n of divided parts to obtain the number of each part, sequentially dividing the complete key from front to back according to the number of each part to obtain each divided character, dividing two adjacent parts of divided characters to obtain two groups of divided characters, extracting any one group of divided characters according to the sequence, wherein the extracted number is m, further obtaining a first part of key, and combining all the rest divided characters to obtain a second part of key;
when the splitting operation FG2 is applied, the specific process of splitting the complete key is: dividing the number of characters of the complete key by the number n of the divided parts to obtain the number of each part, and sequentially carrying out order skipping division on the complete key from front to back according to the number of each part to obtain each part of divided characters, wherein the number of the order skipping characters is one; dividing two adjacent divided characters to obtain two groups of divided characters, extracting any one group of divided characters in sequence, wherein the number of the extracted divided characters is m, further obtaining a first part of key, and combining all the rest divided characters to obtain a second part of key;
when the splitting operation FG3 is applied, the specific process of splitting the complete key is: dividing the number of characters of the complete key by the number n of the divided parts to obtain the number of each part, and sequentially carrying out order skipping division on the complete key from front to back according to the number of each part to obtain each part of divided characters, wherein the number of the order skipping characters is two; and separating two adjacent parts of the segmentation characters to obtain two groups of separated segmentation characters, extracting any one group of separated segmentation characters according to the sequence, wherein the extraction number is m, further obtaining a first part of key, and combining all the rest segmentation characters to obtain a second part of key.
5. The key security system based on key storage and hardware binding of claim 1, wherein a data acquisition unit and a storage analysis unit are arranged in the mobile client; the data acquisition unit is used for acquiring hardware information and storage information of the mobile client and sending the hardware information and the storage information to the storage analysis unit; the storage analysis unit analyzes the storage information after receiving the hardware information and the storage information to obtain a correction factor of the mobile client, and the specific process is as follows: sequencing the memory cleaning moments according to time, sequentially calculating the time difference between two adjacent memory cleaning moments to obtain cleaning interval duration, summing all the cleaning interval durations and averaging to obtain interval average duration; and normalizing the interval average time length, the total memory capacity and the residual memory capacity, taking the values of the interval average time length, the total memory capacity and the residual memory capacity after normalization, and analyzing the values of the interval average time length, the total memory capacity and the residual memory capacity after normalization to obtain the correction factor.
6. The key security system based on key storage and hardware binding of claim 5, wherein the mobile client is further configured to send a key update request to the server, the server generates a real-name verification instruction corresponding to the key update request and feeds back the real-name verification instruction to the mobile client for real-name verification after receiving the key update request, and regenerates the complete key of the mobile client and the hash corresponding to the complete key according to the hardware information and the hash of the mobile client and feeds back the new first partial key and the hash of the complete key after the verification succeeds.
CN202111125930.6A 2021-09-26 2021-09-26 Key safety system based on key separate storage and hardware binding Active CN113595727B (en)

Publications (2)

Publication Number Publication Date
CN113595727A (en) 2021-11-02
CN113595727B (en) 2021-12-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant