CN1889420B - Method for realizing encrypting - Google Patents

Method for realizing encrypting Download PDF

Info

Publication number
CN1889420B
CN1889420B CN 200510080573 CN200510080573A CN1889420B CN 1889420 B CN1889420 B CN 1889420B CN 200510080573 CN200510080573 CN 200510080573 CN 200510080573 A CN200510080573 A CN 200510080573A CN 1889420 B CN1889420 B CN 1889420B
Authority
CN
Grant status
Grant
Patent type
Prior art keywords
encrypted
data
encryption
information
correct
Prior art date
Application number
CN 200510080573
Other languages
Chinese (zh)
Other versions
CN1889420A (en )
Inventor
刘永华
Original Assignee
联想(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Links

Abstract

This invention discloses a method for realizing encryption including that a encryption device receives data to be ciphered from an I/O interface and authorization information of encryption operation from a management interface to get correct and complete data to be ciphered, then carries out encryption operation to the data and transmits the ciphered information to a platform, which avoids the situation of imitating signature or juggling its content and is widely used in banks, on-line trading systems related to negotiable securities, cipher systems of electronic payment, electronic stamps fordocuments and post signatures.

Description

一种实现加密的方法 A method of encryption

技术领域 FIELD

[0001] 本发明涉及信息安全技术领域,特别是指适用于具有输入输出接口、执行单元以 [0001] The present invention relates to the field of information security, particularly to input-output interface having a suitable, execution units

及管理接口的加密装置,实现加密的方法。 And a management interface encryption apparatus, encryption method. 背景技术 Background technique

[0002] 现今社会中,网络非常普及,为以下叙述方便,先对几个术语进行描述。 [0002] In today's society, the network is very popular and convenient as described below, the first of several terms described.

[0003]"平台",包括包含数据处理能力装置的任何产品,其中包含数据处理能力装置可 [0003] "platform" includes any product comprising data processing apparatus, wherein the apparatus comprises a data processing capability may be

以是一个或多个封装或者未封装的集成电路。 Be a one or more integrated circuit packages or unpackaged. 各种类型平台的实例包括但不局限于或限定 Examples of various types of platforms include, but are not limited or defined

于计算机,例如:个人数字助理、笔记本、台式机、工作站、服务器;任何与计算机关联的外 Computer, such as: personal digital assistants, laptops, desktops, workstations, servers; associated with any external computer

围设备,例如:打印机、数码相机、数码摄像机;无线通信装置,例如:电话手机、智能手机; Peripheral devices, such as: printers, digital cameras, digital cameras; wireless communication devices, such as: telephone handsets, smart phones;

网络终端,例如:ATM机、P0S机、KIOSK信息查询终端;电视机机顶盒等。 A network terminal, for example: ATM machines, P0S machine, a KIOSK terminal information inquiry; television set-top boxes.

[0004]"链路"被广泛地定义为逻辑的或者物理通信的通道,例如:电线、光纤、线缆、总线(如:USB接口、 1394接口、串行通讯口、并行打印口、内部LPC) 、PS2接口、硬盘接口(ATAPI、 [0004] "link" is broadly defined as a logical or physical channels to communicate, for example: wire, optical fiber, cable, bus (eg: USB interface, a 1394 interface, serial communication ports, parallel printer port, the internal LPC ), PS2 interface, a hard disk interface (ATAPI,

SATA\SCSI),红外线/蓝牙/Zigbee/WLAN、射频(RF)或者其它任何无线信令机构的无线信道。 SATA \ SCSI), infrared wireless channels / Bluetooth / Zigbee / WLAN, a radio frequency (RF) or any other wireless signaling mechanism.

[0005]"公共网络环境",其泛指处于与其它平台存在不可信赖"链路"的情形,包括但不限于局域网络,如:公司内部的以太网络、网吧网络等;因特网,如家用电脑拨号上网、 ADSL/LAN/Cable上网等;手机网络,如GPRS/CDMA/3G等;以及平台的蓝牙/WLAN装置打开的时候。 [0005] "public network environment", which refers not trusted "link" in the case of the presence of other platforms, including but not limited to local area networks, such as: the internal Ethernet network, Internet and other networks; the Internet, such as a home computer dial-up internet access, ADSL / LAN / Cable internet access; phone networks, such as GPRS / CDMA / 3G and the like; Bluetooth / WLAN device and opened when the platform.

[0006] 随着网络、电子商务的普及,推动了电子加密装置及系统的多样化,如电子公文流转相关的电子印章,网络支付相关的专业版证书等。 [0006] With the popularity of Internet, e-commerce, and promote the diversification of electronic encryption devices and systems, such as electronic document circulation related to the electronic seal, online payment related Professional certificate. 其中,"公共网络环境"中的"平台"上, 使用的电子签名装置在关键技术方面,主要集中于带CPU的智能卡。 Among them, the "public network environment" in the "Platform", an electronic signature device used in key technologies, focused on the smart card with the CPU. 基于CPU的智能卡,通常完美地支持公开密钥基础设施(PKI)技术,其安全性得到了广泛的认可和肯定。 Smart card-based CPU, usually perfectly support public key infrastructure (PKI) technology, its safety has been widely recognized and affirmed. 另外,在电脑内的安全芯片(TPM)也具有与智能卡类似的功能。 In addition, the security chip in the computer (TPM) also has a smart card with a similar function. 在此,将所有具有基于CPU智能卡或TPM的芯片统称为加密装置。 Here, all having a CPU based on a smart card or chip referred to as TPM encryption device.

[0007] 现有的加密装置通常有两种结构,参见图1和图2。 [0007] Existing devices typically have two encryption configuration, see FIG 1 and FIG 2.

[0008] 图1所示为现有的一种加密装置的结构示意图。 [0008] FIG. 1 is a schematic view of a conventional structure of an encryption device. 该加密装置中至少包括输入输出接口101和执行单元102。 The encryption apparatus 101 includes at least input-output interface 102 and the execution unit. 其中,输入输出接口IOI是加密装置与平台之间的接口,用于接收来自平台的待加密数据,并将该待加密数据传输给执行单元102 ;或者,接收来自执行单元102的加密后的数据,将该加密后的数据传送给平台;执行单元102则用来对接收到的数据进行加密操作。 Wherein IOI input-output interface is an interface between the encryption device and the internet, for receiving data from the platform to be encrypted, and the encrypted data to be transmitted to the execution unit 102; or receive encrypted data from the execution unit 102 , transmits the data encrypted to the platform; execution unit 102 of the received data used for cryptographic operations. 执行单元内通常包括算法引擎、存储器、密钥生成单元和具有RAM空间的核心处理单元。 Typically includes an algorithm execution unit engine, a memory, and a key generating unit having a core processing unit RAM space. 当然,输入输出接口IOI还可以接收来自平台的个人身份码(PIN码),并将该PIN码传送给执行单元102,执行单元102会首先验证该PIN码是否合法,如果是,再对接收到的待加密数据进行加密操作,否则不做处理或提示输入正确的PIN码。 Of course, IOI O interface may also receive a personal identification code from the internet (PIN), and to the execution unit 102 transmits the PIN code, the execution unit 102 first verifies that the PIN code is valid, and if yes, then the received the data to be encrypted cryptographic operations, processing or otherwise not prompted to enter the correct PIN. [0009] 例如,日常经常用到的USBKey,以及公开号为"CN1509546A",发明名称为"一种用于安全发送授权数据的平台和方法"的中国专利申请中所提到的TPM,就是利用图1所示装 [0009] For example, often used in the USBKey daily, and Publication No. "CN1509546A", Chinese patent application entitled "an internet and a method for secure data transmission authorization" of the TPM mentioned, is the use of 1 apparatus shown in FIG.

4置的具体实现方式。 4 facing the particular implementation.

[0010] 应用图1所示装置执行加密操作时,所有的控制环节均是在平台上完成,而在现有的公共网络环境中,网络中的黑客可以远程监控或记录你在平台上面的一切行为,比如: 按键输入、手写输入、语音输入、屏幕显示,以及平台与加密装置之间的所有通信过程;黑客也有可能远程暗中操作或使用你的平台。 [0010] Figure 1 apparatus when performing an encryption operation, all of the control link are complete the application on the platform view, and the existing public network environment, network hackers can remotely monitor or record your platform above all behavior, such as: a key input, handwriting input, voice input, screen displays, and all communications between the internet and the encryption process apparatus; hacker may also remotely operate or implicitly use your internet. 可见,由于签名操作即加密操作的控制都是在平台完成,在加密装置与平台相连的期间,也就是加密装置插入平台的期间,可能出现冒充用户签名或篡改用户签名内容的情况。 Visible, i.e., because the signature operation control platform cryptographic operations are completed, during the encryption apparatus connected to the platform, i.e. during the encryption device into the platform, where possible tampering with the user or impersonate the user signature signed content appears.

[0011] 图2所示为现有的另一种加密装置的结构示意图,该加密装置中至少包括输入输出接口101、执行单元102和管理接口201。 [0011] Figure 2 is a schematic structural diagram of another conventional encryption apparatus, the encryption means includes at least input-output interface 101, an execution unit 102 and the management interface 201. 该装置中的输入输出接口101、执行单元102的功能与图l所示装置完全相同,该装置中的管理接口201主要用于加密控制,即只有执行单元102接收到来自管理接口201的加密控制信息并验证该加密控制信息正确后,才执行加密操作,否则执行单元102不执行加密操作。 The input-output interface device 101, and the function execution unit 102 shown in FIG apparatus identical to L, the device management interface 201 is mainly used to encrypt the control, i.e., only the implementation of the encryption control unit 102 receives from the management interface 201 of and verifying the encrypted control information is correct, before the encryption operation is performed, otherwise, execution unit 102 does not perform cryptographic operations. 该加密控制信息可以是指纹、或电平信号或密码等。 The encrypted control information may be a fingerprint, or the like or the signal level of the password. 例如,公开号为"CN2609069Y",发明名称为"指纹数字签名器"的中国专利申请中,提出了将指纹传感器、指纹识别装置、加密装置和密钥发生器一体化的加密装置,其即是利用图2所示装置的一种实现方式。 For example Chinese patent application, Publication No. "CN2609069Y", entitled "Fingerprint digital signature" on the, proposed a fingerprint sensor, a fingerprint identification device, the encryption means and the encryption key generator integrated device, i.e., which is using one implementation of the apparatus shown in FIG.

[0012] 应用图2所示装置执行加密操作时,虽然需要输入加密控制信息,加强了控制环节,但由于公共网络环境中的平台是不可信赖的,仍然可能出现冒充用户签名或篡改用户签名内容的情况。 [0012] As shown in Figure 2 apply when performing encryption device, although the need to enter the encryption control information, to strengthen the control link, but the public network environment platform is untrustworthy, still posing as the user tamper with the signature or user signature content may appear Case.

[0013] 另外,无论基于上述哪种加密装置,用户最多只能看到输入的信息,是不可能看到具体的待加密内容的,这样,就有可能在真正加密前,黑客将实际加密的内容进行掉包。 [0013] In addition, based on the above matter what encryption device, users can only see a maximum input of information, it is impossible to see the specific content to be encrypted, so that it is possible prior to the actual encryption, hackers will actually encrypted content substitution. 由此可见,现有的加密方法都不能避免冒充签名或篡改签名内容的情况。 Thus, the existing encryption methods can not avoid posing signature or tamper with the signature content. 而目前还没有解决冒充签名或者篡改签名内容的方法。 And there is no way to tamper with the signature or the signature of the contents to solve posing.

发明内容 SUMMARY

[0014] 有鉴于此,本发明的目的在于提供一种实现加密方法,以防止冒充签名或篡改签名内容的情况。 [0014] In view of this, an object of the present invention is to provide an encryption method, in order to prevent tampering with or posing as a signature signed content.

[0015] 为达到上述目的,本发明的技术方案是这样实现的: [0015] To achieve the above object, the technical solution of the present invention is implemented as follows:

[0016] —种实现加密的方法,用于具有输入输出接口及管理接口的加密装置进行加密的情况,该方法包括以下步骤: [0016] - the kind of encryption method, an encryption device for the case of input-output interface and the management interface is encrypted, the method comprising the steps of:

[0017] 加密装置接收来自输入输出接口的待加密数据,以及来自管理接口的加密操作授权信息后,获取正确且完整的待加密数据,之后,对待加密数据执行加密操作,并将加密后的信息传送给平台;所述平台为包含数据处理能力装置的设备; After the [0017] encryption means for receiving data to be encrypted from the input-output interface, encryption and authorization information from the management interface for the correct and complete data to be encrypted, after the treatment of the encrypted data encryption operation is performed, and the encrypted information transferred to the platform; said platform comprising a data processing capability of the device apparatus;

[0018] 所述来自输入输出接口的待加密数据为部分待加密数据,所述来自管理接口的加密操作授权信息为待加密数据要素; [0018] The output from the input interface for the data to be encrypted partial data to be encrypted, the encryption operation management interface from the authorization information to be encrypted is data elements;

[0019] 所述获取正确且完整的待加密数据的过程包括: [0019] obtaining a correct and complete the data to be encrypted process comprises:

[0020] 从加密操作授权信息中提取出待加密数据要素,将该待加密数据要素与接收到的部分待加密数据进行组合,所合成完整的待加密数据为正确且完整的待加密数据。 [0020] extracted from the encryption operation authorization information element to be encrypted data, the data to be encrypted and the element portion of the received encrypted data to be combined, a complete data to be encrypted is correct and complete encrypted data to be synthesized. [0021] 较佳地,所述来自管理接口的加密操作授权信息进一步包括根据安全需求设置的约束条件;[0022] 所述将该待加密数据要素与接收到的部分待加密数据进行组合之后进一步包括以下步骤: [0021] Preferably, the encrypted authorization information from the operation management interface further includes a constraint condition setting according to the security requirements; then [0022] The elements of the data to be encrypted and the encrypted portion of the received data to be further combined comprising the steps of:

[0023] 根据预设的格式要求判断所合成的完整的待加密数据是否在约束条件所约束的范围之内,如果是,则获得正确且完整的待加密数据,否则不做处理或提示输入正确的待加密数据。 [0023] in the range of constraints of constrained, if so, to obtain a correct and complete data to be encrypted, or not treated according to the complete data to be encrypted is determined whether the preset format requirements or synthesized prompts correct the data to be encrypted.

[0024] 较佳地,所述从加密操作授权信息中提取出待加密数据要素后,进一步包括:将待加密数据要素转换为显示装置所要求的格式后,通过管理接口输出到外部已设置的显示装置; After [0024] Preferably, the element to be extracted from the encrypted data encryption operation authorization information, further comprising: encrypting the data elements to be converted to the format required by the display device, the output to the outside via the management interface is provided display means;

[0025] 在加密装置接收到的来自管理接口的验证信息后,再执行加密操作; [0025] After the encryption device authentication information received from the management interface, and then performing cryptographic operations;

[0026] 所述外部的显示装置为显示器或打印机或扬声器,或者所述三者的任意组合。 The [0026] outside of the display device is a display or a speaker or a printer, or any combination of the three.

[0027] 较佳地,所述获取正确且完整的待加密数据后,进一步包括:将完整的待加密数据 After [0027] Preferably, the obtaining a correct and complete data to be encrypted, further comprising: the data to be encrypted complete

转换为显示装置所要求的格式后,通过管理接口输出到外部已设置的显示装置,在加密装 The display device after converting to the format required by the display means, to the outside through the management interface output has been set, the encryption means

置接收到来自管理接口的验证信息后,再执行加密操作;所述外部的显示装置为显示器或 Post-authentication information received from the management interface, and then performing cryptographic operations; the external display device is a display or

打印机或扬声器,或者所述三者的任意组合。 A speaker or a printer, or any combination of the three.

[0028] 较佳地,进一步包括:所述加密装置接收来自输入输出接口的个人身份码PIN码, [0028] Preferably, further comprising: means for receiving a PIN personal identification code from said encrypted input-output interface,

判断该PIN码与自身预先保存的PIN码是否一致,如一致加密装置再接收来自输入输出接 Determining whether the PIN code with the pre-stored PIN code matching as same encryption means further receives an input from the output connector

口的待加密数据,否则不做处理或提示输入正确的PIN码。 Data to be encrypted port, processing or otherwise not prompted to enter the correct PIN.

[0029] 较佳地,进一步包括:加密装置接收来自管理接口的验证信息, [0029] Preferably, further comprising: means for receiving encrypted authentication information from the management interface,

[0030] 当加密装置获取正确且完整的待加密数据后,进一步包括: [0030] When the encryption means to obtain the correct and complete data to be encrypted, further comprising:

[0031] 加密装置判断接收到的来自管理接口的验证信息是否合法,如果合法,则执行加密操作,加密操作完成后将加密后的数据传送给平台,否则不做处理或提示输入正确的验证信息。 [0031] The encryption apparatus determines whether the received authentication information from the management interfaces are valid, and if valid, the encryption operation is performed, the data transfer after encryption to encrypt internet, without processing or otherwise prompt for the correct authentication information .

[0032] 较佳地,所述验证信息为电平信号; [0032] Preferably, the verification information is a level signal;

[0033] 所述判断接收到的来自管理接口的验证信息是否合法的过程为:判断接收到的电平信号是否为预设的高电平或低电平,如果是,则该验证信息合法,否则不合法。 [0033] Analyzing the authentication information received from the management interface to the legality of the process: determines whether the received signal is a predetermined level of high or low, if so, the authentication information is legitimate, otherwise illegal. [0034] 较佳地,所述验证信息为字符串; [0034] Preferably, the verification information is a character string;

[0035] 所述判断验证信息是否合法的过程为:判断接收到的字符串与自身预先保存的字符串是否相同,如果相同,则该验证信息合法,否则不合法。 [0035] The determining whether the verification information is valid process: determining whether the received string with the pre-stored character strings, if identical, the authentication information is legitimate or illegitimate.

[0036] 较佳地,所述验证信息是否合法,由预先设置的用于表示验证信息是否合法的标志位的状态来指示,所述加密操作是否完毕,由用于表示加密操作是否完毕的标志位的状态来指示。 [0036] Preferably, the authentication information is legitimate, the pre-set authentication information for indicating whether a valid status flag to indicate the encryption operation is completed, a flag for indicating whether the encryption operation completed status bit to indicate.

[0037] 较佳地,所述用于表示验证信息是否合法的标志位和用于表示加密操作是否完毕的标志位的不同状态由两个寄存器的不同状态来表示。 [0037] Preferably, the authentication information for indicating whether valid flag bit for indicating whether the encryption operation completion flag different states are represented by different states of the two registers.

[0038] 本发明提供了一种实现加密的方法,关键是,加密装置接收来自输入输出接口的待加密数据,以及来自管理接口的加密操作授权信息后,获取正确且完整的待加密数据,之后,对待加密数据执行加密操作,并将加密后的信息传送给平台。 [0038] The present invention provides a method of encryption, the key is the encryption device receives the encrypted data to be output from the input interface, as well as the encrypted authorization information from the operation management interface for the correct and complete data to be encrypted, then , treats the encrypted data encryption operation is performed, and transmits the encrypted information to the internet. 应用本发明,防止了冒充签名或篡改签名内容的情况。 Application of the present invention, to prevent tampering or the situation posing signature signed content.

[0039] 来自输入输出接口的待加密数据为是完整的待加密数据,来自管理接口的加密操作授权信息为根据安全需求设置的约束条件;或者,来自输入输出接口的待加密数据为部分待加密数据,来自管理接口的加密操作授权信息为待加密数据要素;或者,来自输入输出接口的待加密数据为部分待加密数据,来自管理接口的加密操作授权信息为根据安全需求设置的约束条件以及待加密数据要素;应用本发明,能够保证黑客不能通过平台篡改待加密数据内容,或能够及时地发现待加密数据被篡改的问题。 [0039] The data to be encrypted input and output from the interface for the complete data to be encrypted, the encryption operation authorization information from the management interface according to the constraints security requirements set; or, from to be encrypted input-output interface data for the part to be encrypted data encryption authorization information from the management interface for the data to be encrypted elements; alternatively, be encrypted data input-output from the partial data to be encrypted, the encryption operation authorization information from the management interface according to the constraints security requirements set and be the encrypted data element; application of the present invention, it is possible to ensure that a hacker can not be tampered with by internet content encrypted data, or encrypted data to be able to identify problems in time has been tampered with.

[0040] 再有,在执行加密操作前,加密装置可以通过再次检查验证信息保证待加密数据的安全。 [0040] Further, before the encryption operation is performed, the encryption device authentication information may be encrypted to ensure security of the data by checking again.

[0041] 另外,在执行加密操作前,用户可以通过输出装置对待加密数据要素或完整的待加密数据再次验证,从而,更进一步地避免了冒充签名或篡改签名内容的情况。 [0041] Further, before the encryption operation is performed, the user data elements may be encrypted data to be encrypted or a complete re-verification by the output device, thereby further avoid the situation posing signatures or signed content tampering. 本发明可以广泛用于银行、证券相关的网上交易系统、电子支付密码系统,以及公文电子签章、邮件签名系统等,其对于加密装置的持有人和加密信息的接收方都是安全可信赖的。 The present invention can be widely used in banking, securities-related e-commerce system, electronic payment systems passwords, documents and electronic signature, e-mail signature system, its holder and the recipient for the encryption device encryption information is trustworthy security of.

附图说明 BRIEF DESCRIPTION

[0042] 图1所示为现有的一种加密装置的结构示意图;[0043] 图2所示为现有的另一种加密装置的结构示意图;[0044] 图3所示为应用本发明的实现加密的流程示意图。 Structural diagram [0042] Figure 1 shows a conventional encryption means; is a schematic of another configuration of a conventional encryption apparatus [0043] As shown in FIG. 2; [0044] FIG 3 shows the application of the present invention the encryption process of FIG.

具体实施方式 Detailed ways

[0045] 下面结合附图及具体实施例对本发明再做进一步地详细说明。 [0045] Specific embodiments of the present invention do further described in detail below in conjunction with the accompanying drawings and. [0046] 图3所示为应用本发明的实现加密的流程示意图。 [0046] FIG. 3 shows the application of the present invention to achieve a schematic flow diagram of the encryption.

[0047] 步骤301 ,加密装置从输入输出接口接收部分待加密数据,从管理接口接收包含待 [0047] Step 301, the encryption device interface for receiving data to be encrypted from the input and output section, comprising receiving from a management interface to be

加密数据要素的加密操作授权信息。 Encryption information encrypted authorization data elements. 上述部分待加密数据通常为明文。 The partial data is typically a plain text to be encrypted.

[0048] 步骤302,加密装置内的执行单元从加密操作授权信息中提取待加密数据要素,将 [0048] Step 302, execution units within the encryption means extracts feature data to be encrypted authorization information from the encryption operation, the

该待加密数据要素与接收到的部分待加密数据组合,合成完整的待加密数据。 The data to be encrypted and the element portion of the received data to be encrypted combination, a complete synthesis of data to be encrypted.

[0049] 当然,在加密操作授权信息中可以进一步包括根据安全需求设置的约束条件,该 [0049] Of course, in the encryption operation may further include authorization information to the constraints set by the security requirements, the

约束条件包括但不限于数据的数值范围或某些特定的文本等,当加密装置内的执行单元根 Constraints include but are not limited to certain range of values ​​or text data and the like, when the execution unit root encryption device

据预设的格式要求,确认加密操作授权信息中包含约束条件后,首先判断该待加密数据要 According to a predetermined format requirements, the encryption operation after confirming the authorization information includes constraints, the data to be encrypted is first determined to be

素是否在约束条件所约束的范围之内,例如是否为约束条件所限定的数据范围和/或是否 Pigment in the range of constraints of constrained, for example, whether the constraints defined by the range of data and / or if

为约束条件所限定的文本等,如果是,再执行合成操作,从而合成完整的待加密数据,否则, As the constraint condition defined text, etc., and if yes, performing a composition operation, data to be encrypted so that the complete synthesis, or,

不做处理或提示输入的该待加密数据要素有误,并结束。 Not treated or prompt for the data to be encrypted elements in error, and ends.

[0050] 步骤303,接收来自管理接口的验证信息,并判断该验证信息是否合法,如果合法则执行步骤304,否则执行步骤305。 [0050] Step 303, receives authentication information from the management interface, and determines whether the authentication information is valid, and if valid then step 304 is performed, otherwise step 305 is performed.

[0051] 如果验证信息为电平信号,则判断验证信息是否合法的过程为:判断接收到的电 [0051] If the authentication information is a level signal, it is judged whether or not the authentication information is legitimate process: determining a received power

平信号是否为预设的高电平或低电平,如果是,则该验证信息合法,否则不合法。 Level signal is a preset high or low, and if so, the authentication information is legitimate or not legitimate.

[0052] 例如,在实际应用时,可预先设置一按钮,并设置该按钮按下的状态所产生的电平 [0052] For example, in practical applications, it can be a pre-set button and the set button is pressed by the state of the level

为验证信息,也就是说,当按钮被按下时,才允许执行步骤304,这样,加密装置通过判断接 To verify the information, that is, when the button is pressed, step 304 is allowed, so that the encryption device is determined by contact

收到的电平是否为预设的电平,即可知道按钮是否被按下。 Whether the received level as the default level, you can know whether the button is pressed. 当然,在实际应用中需要添加一 Of course, in practical applications we need to add a

些防抖动的处理,避免摁一次,加密操作多于一次的问题。 These anti-shake process, to avoid a press, more than one encryption operation problems.

[0053] 如果所述验证信息为字符串,则判断验证信息是否合法的过程为:判断接收到的字符串与预先保存在在存储器内的字符串是否相同,如果相同,则该验证信息合法,否则不 [0053] If the verification information is a string, it is determined whether or not the authentication information is legitimate process: determines whether the received string with the string stored in advance in the memory if the same, if identical, the authentication information is legitimate, otherwise, do not

7合法。 7 legal. 当然,所述字符串是可以更改的。 Of course, the character string can be changed.

[0054] 例如,在实际应用时,可预先设置一密码输入装置,并在加密装置的存储器预设一密码,将该密码作为验证信息,也就是说,只有用户输入正确的密码后,才允许执行步骤303,这样,加密装置通过判断接收到的密码是否与自身存储器中预先保存的密码是否一致,即可知道用户输入的密码是否正确。 [0054] For example, in practical applications, it can be pre-set a password input means, and a default password memory encryption device, and the password as authentication information, that is, only the user enters the correct password, before allowing step 303 is executed, so that the encryption means are the same by determining whether the received code with its own password stored in advance in the memory, the user can know the password entered is correct. 当然,在实际应用中会添加一些防抖动的处理,以避免匹配一次,加密操作多于一次的问题。 Of course, in practical applications will add some anti-shake process, in order to avoid a match, the encryption operation more than once problems.

[0055] 步骤304,设置已预先设置的用于表示验证信息是否合法的标志位为允许加密的状态,然后执行步骤306。 [0055] Step 304, settings set in advance authentication information for indicating whether valid flag to allow encrypted state, then step 306 is performed. 在本实施例中,该用于表示验证信息是否合法的标志位由寄存器来实现,即将该寄存器的状态设置为允许加密的状态,以下为叙述方便,将该寄存器称为加密允许寄存器。 In the present embodiment, the authentication information for indicating whether a valid flag bit is implemented by the register, the status register is set about to allow an encrypted state, the following description for convenience, this is referred to encrypt register enable register.

[0056] 步骤305,设置已预先设置的加密允许寄存器的状态为不允许加密的状态,然后执行步骤306。 [0056] Step 305, the encryption setting has been set in advance to allow the status register is not allowed in an encrypted state, and then step 306 is performed.

[0057] 步骤306,加密装置检测加密允许寄存器的状态,判断是否为允许加密的状态,如果是,执行步骤307,如果是不允许加密的状态,则执行步骤309。 [0057] Step 306, the encrypted encryption means for detecting the state of the enable register, determines whether to allow encrypted state, if yes, perform step 307, if the encrypted state is not allowed, then step 309 is executed.

[0058] 步骤307,清除加密允许寄存器的状态,即将其设置为不允许加密的状态,执行加密操作。 [0058] In step 307, clears the status register to allow encryption, which is about to disallow encrypted state, encryption operation is performed.

[0059] 该加密操作的算法可以是公开密码算法,如RSA算法,椭圆曲线算法,或是对称密码算法,如:DES算法,AES算法,或是杂凑算法,如:SHA1,HMAC,还可以是以上所有算法的任意组合,以上仅是举例,在实际应用中不限与此。 [0059] The encryption algorithm operation may be public encryption algorithm, such as RSA algorithms, elliptic curve algorithm, or the symmetric cryptographic algorithm, such as: DES algorithms, AES algorithms or hash algorithms, such as: SHA1, HMAC, may also be any combination of all the above algorithm, the above example only, with this limitation in practical applications. 另外,由于SHA1算法中没有密码,因此最好不要单独使用。 In addition, due to the SHA1 algorithm without a password, it is best not to use alone.

[0060] 步骤308,加密操作执行完毕后将已预先设置的用于表示加密操作是否完毕的标志位设置为加密完毕的状态,然后将加密后的数据传送给平台,结束。 [0060] Step 308, after the encryption operation has been finished for indicating whether a preset encryption operation completion flag is set to complete the encryption state, and then transmits the encrypted data to the platform, the end.

[0061] 在本实施例中,该用于表示加密操作是否完毕的标志位由另一寄存器来实现,即将该寄存器的状态设置为加密完毕的状态,以下为叙述方便,将该寄存器称为加密状态寄存器,结束。 [0061] In the present embodiment, the encryption operation is completed for indicating whether a flag bit is implemented by another register, i.e. the register is set to the state of the encryption completed state, the following description for convenience, this register is called encryption status register, end.

[0062] 步骤309,将已预先设置的加密状态寄存器设置为等待加密的状态,之后,不做处理,或提示输入正确的验证信息。 [0062] Step 309, the pre-set encryption status register is set to the state of waiting for the encryption, then, no treatment, or prompts the correct authentication information.

[0063] 也就是说,只要加密装置内的执行单元检测到加密允许寄存器的状态为允许加 [0063] That is, as long as the execution unit in the encrypted encryption means detects the state of the enable register to allow plus

密,则将加密状态寄存器设置为不允许加密状态,之后进行加密操作,并在加密完成后将加 Density, will not allow encryption status register is set to an encrypted state, followed by encryption, and encryption is applied upon completion

密状态寄存器设置为加密完毕的状态;而只要加密装置内的执行单元检测到加密允许寄存 Status register is set to secret encryption completed state; as long as an execution unit in the encrypted storage device detects encryption allows

器的状态为不允许加密的状态,则将加密状态寄存器设置为等待加密的状态。 Not to allow the state of an encrypted state, the encryption status register is set to wait encrypted state.

[0064] 当然,在上述实现流程中也可以不设置任何标志位,只要加密装置内的执行单元 [0064] Of course, in the above process may be implemented without setting any flags, execution units within the encryption device as long as

检测出验证信息合法,就对接收到的待加密数据执行加密操作;只要检测到验证信息不合 Detected legitimate authentication information to be encrypted received data to perform an encryption operation; as long as the authentication information detected substandard

法,就不做处理,或提示输入正确的验证信息。 Act, do not deal with, or prompt to enter the correct verification information. 同样地,加密操作结束后,即可直接结束,而 Similarly, after the encryption operation, can be directly end, and

不再设置寄存器的状态。 Status register set longer.

[0065] 在上述实施例中,步骤303是可选的,也就是说,可以没有验证信息而在获得完整 [0065] In the above embodiment, step 303 is optional, that is, can not verify the complete information

且正确的待加密数据后,直接对待加密数据进行加密操作,并继续执行后续操作。 And correct the data to be encrypted, encrypting data to be encrypted directly operate and continue the subsequent operations.

[0066] 在上述实施例中,从输入输出接口接收到的是部分待加密数据,从管理接口接收 [0066] In the embodiment described above, receives from the input-output interface portion is to be encrypted data, received from a management interface

到的是包含待加密数据要素的加密操作授权信息,或者从管理接口接收到的是包含待加密 To the element containing data to be encrypted cryptographic operations authorization information received from the management interface, or to be encrypted comprising

8数据要素以及约束条件的加密操作授权信息。 8 and the encrypted data elements operating authority information constraints. 当然,从输入输出接口接收到的也可以是完整的待加密数据,从管理接口接收到的加密操作授权信息仅仅是根据安全需要设置的约束条件。 Of course, the interface receives from the output to the input can also be a complete encrypted data received from the management interface to a cryptographic operation authorization information only to the constraints set of security requirements. 也既保证黑客不能通过平台篡改待加密数据内容,或能够及时发现待加密数据被篡改即可。 To ensure that a hacker can not only be tampered with by internet content data to be encrypted, or the ability to detect data to be encrypted can be tampered with.

[0067] 如果从输入输出接口接收到的是完整的待加密数据,从管理接口接收到的加密操作授权信息仅仅是根据安全需要设置的约束条件:则加密装置根据预设的格式要求直接判断完整的待加密数据是否在约束条件所约束的范围之内,如果是,则说明来自输入输出接口的待加密数据为正确且完整的待加密数据,可以对该待加密数据执行加密操作,否则不做处理或提示输入正确的待加密数据。 [0067] If received from the input-output interface data to be encrypted is complete, received from the management interface to a cryptographic operation authorization information only to the constraints set of security requirements: the encryption device according to a preset format is determined directly in claim complete whether the data to be encrypted within the constraints of the constrained conditions, if so, then the data to be encrypted from the input-output interface is correct and complete data to be encrypted, the data to be encrypted may perform an encryption operation, or not treatment or prompts the correct data to be encrypted.

[0068] 如果来自输入输出接口的待加密数据为部分待加密数据,来自管理接口的加密操 [0068] If the data to be encrypted from the input-output interface is part of data to be encrypted, the encryption operation from the management interface

作授权信息仅仅为待加密数据要素而不包括约束条件,则加密装置从加密操作授权信息中 Authorization information for the data to be encrypted merely comprises elements without constraint, the operation of the encryption device from the encrypted authorization information

提取出待加密数据要素,将该待加密数据要素与接收到的部分待加密数据进行组合,所合 The encrypted data element to be extracted, the data to be encrypted and the element portion of the received data to be encrypted is combined, the combined

成完整的待加密数据即为正确且完整的待加密数据。 To complete the data to be encrypted is the correct and complete data to be encrypted.

[0069] 另外,还可以存在以下两种情况: [0069] Further, there may be two cases:

[0070] 情况1 :如果存在一个显示装置与加密装置的管理接口直接相连时,则在步骤302 [0070] Case 1: If there is a display device and a management interface encryption apparatus directly connected, then at step 302

中,从加密操作授权信息中提取出待加密数据要素后,进一步包括:在组合成完整的待加密 After the extracted data elements to be encrypted authorization information from the encryption operation, further comprising: to be encrypted into a complete in

数据之后,将待加密数据要素转换为显示装置所要求的格式后,通过管理接口输出到外部 After the data, the encrypted data element to be converted to the format required by the display device, to the outside through the management interface output

已设置的显示装置,由显示装置对待加密数据要素进行显示,然后再执行步骤303 ;或者, The display device is provided, by the treatment of the encrypted data elements of the display device display, then step 303 is performed; or

在步骤302中合成完整的待加密数据后,进一步包括:将完整的待加密数据转换为显示装 After the step of synthesizing the complete data to be encrypted 302, further comprising: the complete data to be encrypted is converted into a display device

置所要求的格式后,通过管理接口输出到外部已设置的显示装置,由显示装置对完整的待 The display device opposed to the format required by the management interface to the outside through the output has been set by the display means to be complete

加密数据进行显示,然后再执行步骤303,这样做的好处是进一步保证了待加密数据的正确 Encrypted data is displayed, then perform step 303, the benefits of doing so is to further ensure that the correct data to be encrypted

性。 Sex. 上述外部的显示装置为显示器或打印机或扬声器,或者所述三者的任意组合。 The external display device is a display or a printer or a speaker, or any combination of the three.

[0071] 如果既存在约束条件,又需执行显示操作,则确定待加密数据在约束条件所要求 [0071] If there are both constraints and the need for performing a display operation, it is determined that the data to be encrypted constraints required

的范围内后,再执行显示操作;如果确定待加密数据不在约束条件所要求的范围内,则不执 Within the range, then performing a display operation; if the encrypted data is determined to be within the scope of the constraint condition is not required, it is not performed

行显示操作,或显示无效数据。 Line display operation, display, or invalid data.

[0072] 情况2 :在加密装置的存储器内可以预先设置有PIN码,加密装置首先接收来自输入输出接口的PIN码,并判断该PIN码与自身存储器内预先保存的PIN码是否一致,如果一致,再执行步骤301,否则不做处理或提示输入正确的PIN码。 [0072] Case 2: in the memory of the encryption device may be provided in advance with a PIN encryption apparatus first receives the PIN code from the input-output interface, and determines whether the PIN code within its own memory pre-stored PIN code matching, if they are consistent and then step 301, processing or otherwise not prompted to enter the correct PIN.

[0073] 上述情况1和情况2可以分别单独存在于上述所有实施例中,也可以同时存在于上述所有实施例中。 [0073] The case 1 and case 2, respectively, may be present alone in all the above embodiments, may also be present in all of the above-described embodiments simultaneously.

[0074] 本发明所述方法可以以硬件、固件、软件或其三者的任意组合来实现。 [0074] The method of the present invention may be implemented in hardware, firmware, software, or any combination thereof to achieve the three.

[0075] 以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精 [0075] The foregoing is only preferred embodiments of the present invention but are not intended to limit the present invention, where the present invention is in fine

神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 Within the spirit and principle, any modification, equivalent replacement, or improvement, should be included within the scope of the present invention.

Claims (10)

  1. 一种实现加密的方法,用于具有输入输出接口及管理接口的加密装置进行加密的情况,其特征在于,该方法包括以下步骤:加密装置接收来自输入输出接口的待加密数据,以及来自管理接口的加密操作授权信息后,获取正确且完整的待加密数据,之后,对待加密数据执行加密操作,并将加密后的信息传送给平台;所述平台为包含数据处理能力装置的设备;所述来自输入输出接口的待加密数据为部分待加密数据,所述来自管理接口的加密操作授权信息为待加密数据要素;所述获取正确且完整的待加密数据的过程包括:从加密操作授权信息中提取出待加密数据要素,将该待加密数据要素与接收到的部分待加密数据进行组合,所合成完整的待加密数据为正确且完整的待加密数据。 An encryption method implemented, having means for encrypting input-output interface and the management interface of the encryption is performed, wherein, the method comprising the steps of: encrypting means for receiving data to be encrypted from the input and output interface, and a management interface from the encrypted operating authority information, to obtain the correct and complete data to be encrypted, after the treatment of the encrypted data encryption operation is performed, and transmits the encrypted information to the platform; said platform comprising a data processing capability of the device apparatus; from the input and output interfaces for the data to be encrypted partial data to be encrypted, the encrypted data element to be encrypted operating authority information from the management interface; obtaining a correct and complete the data to be encrypted process comprising: extracting from the encryption operation authorization information the data elements to be encrypted, the data to be encrypted and the element portion of the received encrypted data to be combined, a complete data to be encrypted is correct and complete encrypted data to be synthesized.
  2. 2. 根据权利要求1所述的方法,其特征在于,所述来自管理接口的加密操作授权信息进一步包括根据安全需求设置的约束条件;所述将该待加密数据要素与接收到的部分待加密数据进行组合之后进一步包括以下步骤:根据预设的格式要求判断所合成的完整的待加密数据是否在约束条件所约束的范围之内,如果是,则获得正确且完整的待加密数据,否则不做处理或提示输入正确的待加密数据。 2. The method according to claim 1, wherein said encrypted authorization information from the operation management interface further includes a constraint condition setting according to the security requirements; the elements of the data to be encrypted with the encryption section to be received after combining the data further comprising the step of: according to a preset format requires a complete determination of the synthesized data to be encrypted in the range of constraints of constrained, if so, to obtain a correct and complete data to be encrypted, or not handle or prompts to enter the correct data to be encrypted.
  3. 3. 根据权利要求1或2所述的方法,其特征在于,所述从加密操作授权信息中提取出待加密数据要素后,进一步包括:将待加密数据要素转换为显示装置所要求的格式后,通过管理接口输出到外部已设置的显示装置;在加密装置接收到的来自管理接口的验证信息后,再执行加密操作;所述外部的显示装置为显示器或打印机或扬声器,或者所述三者的任意组合。 3. The method of claim 1 or claim 2, wherein said data elements to be extracted from the encrypted authorization information after the encryption operation, further comprising: encrypting the data elements to be converted to the format required by the display means , through the management interface output to the external display device is provided; after encryption device authentication information received from the management interface, and then performing cryptographic operations; the external display device is a display or a printer or a speaker, or the three any combination.
  4. 4. 根据权利要求1或2所述的方法,其特征在于,所述获取正确且完整的待加密数据后,进一步包括:将完整的待加密数据转换为显示装置所要求的格式后,通过管理接口输出到外部已设置的显示装置,在加密装置接收到来自管理接口的验证信息后,再执行加密操作;所述外部的显示装置为显示器或打印机或扬声器,或者所述三者的任意组合。 4. The method of claim 1 or claim 2, wherein said obtaining a correct and complete data to be encrypted, further comprising: the complete data to be encrypted converted to the format required by the display means, management by interface output to the external display device is provided, after receiving authentication information from a management interface in the encryption device, then encryption operation is performed; the external display device is a display or a printer or a speaker, or any combination of the three.
  5. 5. 根据权利要求1所述的方法,其特征在于,进一步包括:所述加密装置接收来自输入输出接口的个人身份码PIN码,判断该PIN码与自身预先保存的PIN码是否一致,如一致加密装置再接收来自输入输出接口的待加密数据,否则不做处理或提示输入正确的PIN码。 5. The method according to claim 1, characterized in that, further comprising: means for receiving said personal identification code encrypted PIN code output from the input interface determines whether the PIN code with the pre-stored PIN code matching, as consistent encryption means further receives the encrypted data to be output from the input interface, not treated or otherwise prompt for the correct PIN.
  6. 6. 根据权利要求1或2所述的方法,其特征在于,进一步包括:加密装置接收来自管理接口的验证信息,当加密装置获取正确且完整的待加密数据后,进一步包括:加密装置判断接收到的来自管理接口的验证信息是否合法,如果合法,则执行加密操作,加密操作完成后将加密后的数据传送给平台,否则不做处理或提示输入正确的验证信息。 The method according to claim 1 or claim 2, characterized in that, further comprising: means for receiving encrypted authentication information from the management interface, when the encryption means to obtain the correct and complete data to be encrypted, further comprising: an encryption determination means receiving to verify information from the management interface is legitimate, if legitimate, perform cryptographic operations, encrypted data transfer operation is completed after the encryption to the platform, not treated or otherwise prompt to enter the correct verification information.
  7. 7. 根据权利要求6所述的方法,其特征在于,所述验证信息为电平信号;所述判断接收到的来自管理接口的验证信息是否合法的过程为:判断接收到的电平信号是否为预设的高电平或低电平,如果是,则该验证信息合法,否则不合法。 7. The method according to claim 6, wherein the verification information is a level signal; determining the authentication information received from the management interface to the legality of the process: determines whether the received level of the signal is a preset high or low, and if so, the authentication information is legitimate or not legitimate.
  8. 8. 根据权利要求6所述的方法,其特征在于,所述验证信息为字符串;所述判断验证信息是否合法的过程为:判断接收到的字符串与自身预先保存的字符串是否相同,如果相同,则该验证信息合法,否则不合法。 8. The method according to claim 6, wherein the verification information is a character string; the process of determining whether the verification information is valid: determining whether the received string with the pre-stored character strings, If so, then the authentication information legitimate or not legitimate.
  9. 9 根据权利要求6所述的方法,其特征在于,所述验证信息是否合法,由预先设置的用于表示验证信息是否合法的标志位的状态来指示,所述加密操作是否完毕,由用于表示加密操作是否完毕的标志位的状态来指示。 9 The method according to claim 6, wherein the authentication information is legitimate, whether authentication information is valid for the status flag set in advance by the representation to indicate the encryption operation is completed, the used state indicates whether the encryption operation completion flag to indicate.
  10. 10. 根据权利要求9所述的方法,其特征在于,所述用于表示验证信息是否合法的标志位和用于表示加密操作是否完毕的标志位的不同状态由两个寄存器的不同状态来表示。 10. The method according to claim 9, wherein the verification information for indicating whether valid flag bit for indicating whether the encryption operation completion flag different states are represented by different states of the two registers .
CN 200510080573 2005-06-30 2005-06-30 Method for realizing encrypting CN1889420B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510080573 CN1889420B (en) 2005-06-30 2005-06-30 Method for realizing encrypting

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200510080573 CN1889420B (en) 2005-06-30 2005-06-30 Method for realizing encrypting

Publications (2)

Publication Number Publication Date
CN1889420A true CN1889420A (en) 2007-01-03
CN1889420B true CN1889420B (en) 2010-05-05

Family

ID=37578681

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510080573 CN1889420B (en) 2005-06-30 2005-06-30 Method for realizing encrypting

Country Status (1)

Country Link
CN (1) CN1889420B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101335611B (en) 2007-06-29 2011-06-22 联想(北京)有限公司 Safe press-key inputting system, apparatus and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1200853A (en) 1995-08-28 1998-12-02 奥弗拉·费尔德鲍 Apparatus and method for authenticating the dispatch and contents of documents
CN2609069Y (en) 2002-04-03 2004-03-31 杭州中正生物认证技术有限公司 Fingerprint digital autograph device
CN1509546A (en) 2000-12-27 2004-06-30 英特尔公司 Platform and method for securely transmitting authorization data
CN1606027A (en) 2003-10-10 2005-04-13 深圳市派思数码科技有限公司 Method for software copyright protection by utilizing fingerprint and application apparatus thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1200853A (en) 1995-08-28 1998-12-02 奥弗拉·费尔德鲍 Apparatus and method for authenticating the dispatch and contents of documents
CN1509546A (en) 2000-12-27 2004-06-30 英特尔公司 Platform and method for securely transmitting authorization data
CN2609069Y (en) 2002-04-03 2004-03-31 杭州中正生物认证技术有限公司 Fingerprint digital autograph device
CN1606027A (en) 2003-10-10 2005-04-13 深圳市派思数码科技有限公司 Method for software copyright protection by utilizing fingerprint and application apparatus thereof

Also Published As

Publication number Publication date Type
CN1889420A (en) 2007-01-03 application

Similar Documents

Publication Publication Date Title
US20090265776A1 (en) Authentication of data communications
US20060085844A1 (en) User authentication system
US8171531B2 (en) Universal authentication token
US20140189359A1 (en) Remote authentication and transaction signatures
US20070223685A1 (en) Secure system and method of providing same
US20030009687A1 (en) Method and apparatus for validating integrity of software
US20100042848A1 (en) Personalized I/O Device as Trusted Data Source
US20050105734A1 (en) Proximity authentication system
US8112787B2 (en) System and method for securing a credential via user and server verification
US20090031408A1 (en) Integrity protected smart card transaction
US20110173684A1 (en) Anytime validation for verification tokens
US20110265156A1 (en) Portable security device protection against keystroke loggers
US20130198519A1 (en) Strong authentication token with visual output of pki signatures
EP2098985A2 (en) Secure financial reader architecture
US20110246757A1 (en) Unattended secure remote pc client wake, boot and remote login using smart phone
US20070241182A1 (en) System and method for binding a smartcard and a smartcard reader
US20060133604A1 (en) System and method for securing data from a remote input device
US20140215589A1 (en) Method for generating a soft token, computer program product and service computer system
US20090158033A1 (en) Method and apparatus for performing secure communication using one time password
US20130301830A1 (en) Device, system, and method of secure entry and handling of passwords
US7254705B2 (en) Service providing system in which services are provided from service provider apparatus to service user apparatus via network
CN101350723A (en) USB Key equipment and method for implementing verification thereof
US20090222383A1 (en) Secure Financial Reader Architecture
CN101465019A (en) Method and system for implementing network authentication
CN101373528A (en) Electronic payment system, device and method based on position authentication

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted