TW201818288A - Key sharing system and method thereof wherein a mobile device is used as the key sharing system - Google Patents


Info

Publication number
TW201818288A
Authority
TW
Taiwan
Prior art keywords
key
resource
keys
access
sharing
Prior art date
Application number
TW105136077A
Other languages
Chinese (zh)
Other versions
TWI606363B (en)
Inventor
林崇頤
張繼軒
林晉賢
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW105136077A priority Critical patent/TWI606363B/en
Application granted granted Critical
Publication of TWI606363B publication Critical patent/TWI606363B/en
Publication of TW201818288A publication Critical patent/TW201818288A/en

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a key sharing system using mobile devices, and a method thereof, which controls the access right to important resources through an access token. The access token is encrypted and stored in the token database of an authorization element inside a resource management and control device, and the original key used to decrypt the access token is divided into a plurality of key shares by a key sharing computation and stored on a plurality of mobile devices. When an important resource is to be accessed, key shares must be collected in a number greater than a threshold value and transmitted, over the network or by near field communication, to a key management element inside the resource management and control device; there they are restored to the original key, which is passed to the authorization element to decrypt the corresponding encrypted access token in the token database. Once the token is obtained, the corresponding controlled resource is accessed through the resource access device.

Description

Key sharing system and method

The present invention relates to a key sharing system and method, and in particular to a key sharing system and method that reduce the risk of important resources being illegally intruded upon or used.

At present, more and more important files and data are stored electronically on various electronic devices. These devices, together with important central control hosts, are the critical resources that companies and groups must tightly control. Traditionally such resources have been controlled by logging in with an administrator's account and password. As networks have grown and information flows more freely, however, many malicious actors use various techniques to crack account passwords or login information, illegally obtaining the right to use these resources for unlawful purposes.

In one known technique, authentication information is carried on portable items by means of key sharing, one-time codes or a three-way handshake, and a local machine controls the other protected devices; local authentication requires two or more portable items to be authenticated at the same time before the protected electronic equipment may be used. This technique, however, does not guarantee the safety of the portable items themselves: if an item is lost or stolen, the important resource remains at risk of misappropriation. The technique also requires the portable items to be within a certain range of the local machine in order to be authenticated.

In another known technique, a technology and system for key sharing between devices is proposed, in which a primary mobile device communicates with a central server and then performs key sharing with secondary devices to restrict resource access. This technique only restricts whether the primary device may copy a key share to a secondary device; any primary or secondary device that holds a key share can on its own unlock and access the controlled resource, so the technique carries a risk of misappropriation and its security is insufficient.

In view of the problems of the known techniques described above, an object of the present invention is to provide a key sharing system and method that give important resources better security and controllability.

The key sharing system of the present invention comprises a resource access device and a resource management and control device. The resource access device accepts requests from mobile devices to access a controlled resource. The resource management and control device is connected to the resource access device; it generates an access token for the controlled resource, generates an original key for the access token, generates a plurality of key shares from the original key, and stores the key shares on the mobile devices.

The key sharing method of the present invention comprises the following steps: generating an access token for a controlled resource; generating an original key for the access token; generating a plurality of key shares from the original key; and storing the key shares on a plurality of mobile devices.

Accordingly, the key sharing system and method of the present invention may have one or more of the following advantages:

1. The original key is stored, in the form of key shares, on several mobile devices held by different users, strengthening the access security of the controlled resource.

2. The mobile device confirms that the holder of a key share is the legitimate user by biometric identification, PIN code, gesture pattern or similar means, reducing the risk of a key share being misappropriated.

3. Only when more users than the threshold number present their key shares at the same time can the original key be restored, and only the access token decrypted with that original key grants access to the important resource, improving the controllability of the resource.

4. Network communication can be used to transmit the key shares and to access and control the important resource, removing the distance limitation of traditional key sharing systems and improving convenience.

110‧‧‧mobile device
111‧‧‧key share control element
112‧‧‧key share
120‧‧‧resource access device
130‧‧‧resource management and control device
131‧‧‧key management element
132‧‧‧authorization element
133‧‧‧token database
140‧‧‧controlled resource
200‧‧‧controlled resource
210‧‧‧resource management and control device
211‧‧‧key management element
212‧‧‧authorization element
213‧‧‧token database
220‧‧‧mobile device
221‧‧‧key share control element
222‧‧‧key share
S301~S313‧‧‧steps of the flow
S401~S407‧‧‧steps of the flow

FIG. 1 is a schematic diagram of the system architecture of the key sharing system of the present invention.

FIG. 2 is a schematic diagram of key sharing in the key sharing system of the present invention.

FIG. 3 is a flowchart of the key sharing method of the present invention.

FIG. 4 is another flowchart of the key sharing method of the present invention.

The present invention provides a system and method that use mobile devices as the carriers of key shares. Its main purpose is a system and method for controlling important resources (such as central control hosts, confidential documents and the like) that provide higher security and controllability, thereby reducing the risk of those resources being illegally intruded upon or used.

The system and method of the present invention comprise at least the following steps:

Step 1. An access token is produced for the important resource to be controlled, encrypted, and stored in the token database of the authorization element inside the resource management and control device.

Step 2. The key management element splits the original key used to encrypt the access token into several key shares with a key sharing algorithm and stores the shares on the mobile devices of several designated persons.

Step 3. To use the protected resource, the consent of at least the threshold number of these persons is required; each authenticates to the key share control element on their mobile device, which then releases their key share and sends it over the network to the key management element in the resource management and control device for restoration of the original key.

Step 4. The restored original key is passed to the authorization element and used to decrypt the corresponding encrypted access token held in its token database.

Step 5. After successful decryption, the access token grants the access right to the corresponding resource, which is then accessed and used through the resource access device.

Under this architecture the mobile device is the carrier of a key share, the device must authenticate the user before allowing access to the share, and the share can be sent over the network to the resource management and control device for restoration, which improves both convenience and security over traditional key sharing systems. Combining key sharing with the key share control element on the mobile device and the threshold number of shares required to restore the original key improves the controllability of the controlled resource. Finally, an important resource protected by an access token remains safe unless more key shares than the threshold are stolen at the same time: even if the externally connected resource management and control device is compromised, the intruder cannot obtain the original key needed to decrypt the access token and therefore cannot access the resource. Compared with conventional protection that controls access to important resources with an account and password alone, the present invention greatly improves system security.

A system and method using mobile devices for key sharing that achieve the above object comprise: a number of key share control elements, carried on the mobile devices, for storing and managing key shares; a resource management and control device, responsible for communicating with the key share control elements on the mobile devices and with the resource access device, and for controlling the important resources; and at least one resource access device for accessing, displaying and controlling the controlled resource once authorization has been obtained.

The key share control element further contains a key share. When the key share is to be used, the key share control element authenticates the user; the authentication method may include, but is not limited to, biometric identification, PIN code verification, gesture pattern codes, or a combination of these.

The resource management and control device further comprises a key management element and an authorization element. The key management element splits and restores the original key. The authorization element contains a token database holding the encrypted access token corresponding to each controlled resource; the authorization element decrypts that token with the original key and uses the decrypted access token to obtain the right to access the controlled resource.

The resource access device is a device operated by the user that can connect to the resource management and control device; it receives and forwards the user's requests to access the controlled resource and can access the controlled resource remotely through the resource management and control device.

<Embodiment>

For a schematic of the technical operation of a preferred embodiment of the present invention, refer to FIG. 1 and FIG. 2. FIG. 1 is the system architecture diagram of a system and method using mobile devices for key sharing according to the present invention. In this architecture, the user of a mobile device 110 brings the mobile device 110 to the resource access device 120 in order to access the controlled resource 140 through the resource access device 120. The resource management and control device 130 checks the access restrictions of this resource, namely the number of key shares 112 and the threshold, and sends a key share collection request to the mobile devices 110 (there may be several) that hold the key shares 112. If the collected key shares 112 reach the threshold, restoration of the original key is attempted; if the number is insufficient, the user's access to the controlled resource 140 is refused.

Each user's mobile device 110 holds one key share 112. The resource management and control device 130 sends the identifier of the controlled resource 140 and other identifying information to the mobile device 110 held by each user to indicate that this resource is about to be accessed; those who consent to the access then take part in the key share collection request. Each user's key share 112 is protected by the key share control element 111: to extract the key share 112 the user must first complete an identity authentication procedure proving that they are the legitimate user of that share. The key share control element 111 requires each user to complete this procedure with information that identifies them; once authentication succeeds, it extracts the key share 112 and transmits it to the key management element 131. If authentication fails, the key share 112 is not provided.

The key management element 131 must collect a certain number of key shares 112 to restore the original key. Once it confirms that the number of collected key shares 112 has reached the threshold, it performs the restoration, producing an original key, and submits an access token request to the authorization element 132. If the threshold has not been reached, it waits for an adjustable period; if the number of key shares 112 still has not reached the threshold when that period expires, the user is informed through the resource access device 120 that the controlled resource 140 cannot be accessed. The authorization element 132 uses the identifier of the controlled resource 140 to look up the encrypted access token in the token database 133. If the original key successfully decrypts the encrypted access token, the authorization element 132 uses the access token to retrieve the controlled resource 140, and the user can use it at the resource access device 120, for example to review confidential documents or to access a protected critical system. If the original key cannot decrypt the encrypted access token, the controlled resource 140 is refused.
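The two gates described in this and the preceding paragraph, the per-device identity check before a key share is released and the adjustable waiting period in which the key management element counts shares from distinct devices, are modelled below. This is an added example, not the patent's own code: the class names `MobileDevice` and `ShareCollector`, the SHA-256 PIN comparison standing in for a device's real credential store, and the injectable `clock` used to simulate the waiting period are all assumptions of the example.

```python
"""Share collection window with per-device identity gating (added example)."""
import hashlib
import hmac
import time


class MobileDevice:
    """Key share control element: guards one share behind a PIN check.
    The SHA-256 PIN hash is a constructed stand-in for the device's own
    credential store or biometric check."""

    def __init__(self, device_id, share, pin):
        self.device_id = device_id
        self._share = share
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin_attempt):
        """Step S304: return the share on successful authentication, else None."""
        attempt = hashlib.sha256(pin_attempt.encode()).digest()
        if not hmac.compare_digest(attempt, self._pin_hash):
            return None
        return self._share


class ShareCollector:
    """Key management element side of S307-S308: gather shares from distinct
    devices until the threshold is met or the adjustable waiting period ends."""

    def __init__(self, threshold, window_seconds, clock=time.monotonic):
        self.threshold = threshold
        self.clock = clock
        self.deadline = clock() + window_seconds
        self.shares = {}  # device_id -> share; a device resubmitting counts once

    def offer(self, device_id, share):
        """Accept a share from a device that authenticated within the window."""
        if share is None:
            return "rejected: authentication failed"
        if self.clock() > self.deadline:
            return "rejected: collection window closed"
        self.shares[device_id] = share
        return "accepted"

    def status(self):
        """Threshold check first, so a late-but-complete set is not refused."""
        if len(self.shares) >= self.threshold:
            return "threshold reached"
        if self.clock() > self.deadline:
            return "denied: window expired"
        return "waiting"

    def collected(self):
        """Shares to hand to the restoration step, or None until the threshold is met."""
        if self.status() != "threshold reached":
            return None
        return list(self.shares.values())
```

Keying the collected shares by device identifier is the practical detail the text implies: a single device replaying its share cannot satisfy the threshold on its own, because only distinct devices are counted.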

FIG. 2 is the key sharing diagram of the system. The controlled resource 200 is configured for control by the resource management and control device 210. The authorization element 212 generates an identifier and an access token for the controlled resource 200 and sets the number of key shares and the access threshold; at the same time it asks the key management element 211 to produce an original key. The resulting original key is used to encrypt the access token, and the encrypted access token is saved in the token database 213. After generating the original key, the key management element performs the key sharing computation on it, producing key shares 222 according to the number of shares and the threshold that the authorization element 212 set for the controlled resource 200, and sends them to the mobile devices 220; each key share control element saves its key share 222 in internal storage.

FIG. 3 is the flowchart of the method of the present invention for accessing a controlled resource. The flow begins at step S301, where the user operates the resource access device and sends an access request containing the identifier of the controlled resource. In step S302, after obtaining the identifier, the resource management and control device sends a key share collection request to each user's mobile device. On receiving the request, each mobile device first asks the user for identification (step S303); in step S304 the user must authenticate with information that identifies them personally, such as a PIN code or biometric. If this succeeds, the user is allowed to extract the key share (step S306); if identification cannot be completed, the user is denied access to the key share. After the key share has been extracted, in step S307 the mobile device sends it to the resource management and control device, where the key management element checks whether the number of key shares meets the requirement (step S308). If the threshold is reached, the original key is restored (step S309); if not, the user is denied access. In step S310 the key management element decrypts the encrypted access token in the token database with the original key and hands the result to the authorization element, which determines whether decryption succeeded (step S311). If decryption succeeds, step S312 follows: the resource management and control device uses the access token to operate the controlled resource and provides it to the resource access device (step S313), so the user can access the resource through the resource access device. If decryption fails, the user is denied access to the controlled resource.

FIG. 4 is the flowchart of the method of the present invention for producing and distributing key shares. The flow begins by setting access restrictions on the controlled resource (step S401), asking the authorization element to generate the corresponding access token (step S403), and at the same time generating the original key in the key management element (step S402). The original key is supplied to the authorization element, which encrypts the access token to produce the encrypted access token (step S404) and stores it in the token database (step S405). The original key generated in step S402 undergoes the key sharing computation in step S406, and the resulting shares are distributed to the mobile devices in step S407, completing the production and distribution of the key shares.
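The provisioning flow of FIG. 4 (token, original key, encrypted token into the token database, shares out to the devices) and the access flow of FIG. 3 from step S308 onward (threshold check, restoration, decryption, grant or refusal) are carried through end to end below. This is an added example and not the patent's own code: the patent names neither a key sharing algorithm nor a cipher, so Shamir secret sharing over the Mersenne prime 2^521 - 1 and an HMAC-SHA256 encrypt-then-MAC wrapper (chosen only so the example runs with the Python standard library) are substituted here. The function names, the resource identifier, and the share count and threshold are constructed for the example.

```python
"""Threshold key sharing around an encrypted access token (added example)."""
import hashlib
import hmac
import secrets

# Shamir arithmetic modulo the Mersenne prime 2^521 - 1: every 256-bit key fits.
PRIME = (1 << 521) - 1
KEY_LEN = 32


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, n, t):
    """Key sharing computation (S406): n shares, any t of which restore the key."""
    if not 1 <= t <= n:
        raise ValueError("threshold must satisfy 1 <= t <= n")
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Original key restoration (S309): Lagrange interpolation at x = 0.
    Returns None if a device's x coordinate repeats or the result does not fit
    a key, which is what a forged or mismatched share yields in practice."""
    if len({x for x, _ in shares}) != len(shares):
        return None
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >> (8 * KEY_LEN):
        return None
    return secret.to_bytes(KEY_LEN, "big")


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the original key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_token(key, token):
    """Encrypt the access token (S404). HMAC-SHA256 serves as keystream and tag
    only to avoid a third-party dependency; a deployment would use a real AEAD."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(token, _keystream(_subkey(key, b"enc"), nonce, len(token))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_token(key, blob):
    """Return the access token, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def provision_resource(token_db, resource_id, n, t):
    """FIG. 4: only the encrypted token enters the token database; the shares go
    to the n mobile devices and the original key is not retained. The plaintext
    token is returned only so a caller can check the round trip."""
    token = secrets.token_bytes(32)
    original_key = secrets.token_bytes(KEY_LEN)
    token_db[resource_id] = {"blob": encrypt_token(original_key, token), "threshold": t}
    return split_key(original_key, n, t), token


def access_resource(token_db, resource_id, collected):
    """FIG. 3, S308-S313: refuse below the threshold, otherwise restore the key
    and try to decrypt the stored token; every failure is a refusal."""
    entry = token_db.get(resource_id)
    if entry is None:
        return None, "denied: unknown resource"
    if len(collected) < entry["threshold"]:
        return None, "denied: key shares below threshold"
    key = combine_shares(collected[: entry["threshold"]])
    token = decrypt_token(key, entry["blob"]) if key is not None else None
    if token is None:
        return None, "denied: original key could not be restored"
    return token, "granted"


if __name__ == "__main__":
    db = {}
    shares, _ = provision_resource(db, "central-control-host-01", n=5, t=3)
    print(access_resource(db, "central-control-host-01", shares[:2])[1])   # below threshold
    print(access_resource(db, "central-control-host-01", shares[1:4])[1])  # granted
```

Two details are worth noting for the security argument the patent makes. The token database holds only the encrypted token and the threshold, so a compromise of the resource management and control device yields nothing without the shares. And because the access token is authenticated (the MAC is checked before decryption), a forged or mismatched share cannot produce a plausible-looking token: restoration either fails outright or yields a key whose tag check fails, and both paths end in the same refusal. `pow(den, -1, PRIME)` needs Python 3.8 or later.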

In summary, the key sharing system and method of the present invention can be applied to the control of all kinds of public or private, commercial or non-commercial confidential resources; by entrusting key shares to several designated persons, greater controllability is achieved. The identity authentication performed by the key share control element and the threshold number of shares needed to restore the key effectively reduce the risk of the key being stolen or used fraudulently, giving higher security; and the network communication mechanism between the key share control element on the mobile device and the resource management and control device removes the distance limitation of traditional key sharing systems and improves convenience.

The above description is illustrative only and not restrictive. Any equivalent modification or change that does not depart from the spirit and scope of the present invention shall be included in the scope of the appended claims.

Claims (10)

1. A key sharing system, comprising: a resource access device that accepts requests from a plurality of mobile devices to access a controlled resource; and a resource management and control device connected to the resource access device, which generates an access token for the controlled resource, generates an original key for the access token, generates a plurality of key shares from the original key, and stores the key shares on the mobile devices.

2. The key sharing system of claim 1, wherein the resource management and control device further comprises: a key management element that generates the original key and the key shares; and an authorization element that stores the token in a token database.

3. The key sharing system of claim 2, wherein each of the plurality of mobile devices further comprises a key share control element, and the key share control elements perform an identity authentication step in response to a key share collection request sent by the resource access device; if the identity authentication step passes, the key shares are provided to the resource management and control device.

4. The key sharing system of claim 3, wherein the key management element further determines, from the received key shares, whether their number is not less than a threshold value; if the number of key shares is not less than the threshold value, the key management element generates the original key from the received key shares.

5. The key sharing system of claim 4, wherein the authorization element further decrypts the access token with the restored key, and the resource management and control device further accesses the controlled resource with the access token and provides it to the resource access device.

6. A key sharing method, comprising: generating an access token for a controlled resource; generating an original key for the access token; generating a plurality of key shares from the original key; and storing the key shares on a plurality of mobile devices.

7. The key sharing method of claim 6, further comprising: sending a key share collection request to each of the mobile devices; and each mobile device performing an identity authentication step in response to the key share collection request.

8. The key sharing method of claim 7, further comprising: if the identity authentication step passes, providing the key shares; if the identity authentication step does not pass, not providing the key shares; and determining whether the number of key shares is not less than a threshold value.

9. The key sharing method of claim 8, further comprising: if the number of key shares is not less than a threshold value, generating the original key from the key shares; if the number of key shares is less than the threshold value, not generating the original key; and decrypting the access token with the original key.

10. The key sharing method of claim 9, further comprising: accessing the controlled resource with the decrypted access token.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105136077A TWI606363B (en) 2016-11-07 2016-11-07 Key share system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105136077A TWI606363B (en) 2016-11-07 2016-11-07 Key share system and method

Publications (2)

Publication Number Publication Date
TWI606363B TWI606363B (en) 2017-11-21
TW201818288A true TW201818288A (en) 2018-05-16

Family

ID=61023481

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105136077A TWI606363B (en) 2016-11-07 2016-11-07 Key share system and method

Country Status (1)

Country Link
TW (1) TWI606363B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI742670B (en) * 2020-05-19 2021-10-11 中華電信股份有限公司 Terminal device, server and method for private key protection and transaction supervision in blockchains

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW501013B (en) * 2001-03-14 2002-09-01 Chunghwa Telecom Co Ltd High-speed security device
TWI280025B (en) * 2005-01-24 2007-04-21 Chunghwa Telecom Co Ltd File encryption system having key recovery function and its method thereof
TWI516083B (en) * 2008-12-19 2016-01-01 Chunghwa Telecom Co Ltd Mobile phone as a mobile card reader trading system and methods
TWI430643B (en) * 2010-10-06 2014-03-11 Chunghwa Telecom Co Ltd Secure key recovery system and method
TWI476629B (en) * 2012-12-26 2015-03-11 Chunghwa Telecom Co Ltd Data security and security systems and methods
