TWI255121B - Method for protecting digital secrecy - Google Patents

Method for protecting digital secrecy

Info

Publication number: TWI255121B
Authority: TW (Taiwan)
Prior art keywords: secret, digital, function, digital secret, input
Application number: TW93130793A
Other languages: Chinese (zh)
Other versions: TW200518544A (en)
Inventor: Jing-Jang Hwang
Original Assignee: Univ Chang Gung
Application filed by Univ Chang Gung
Publication of TW200518544A
Application granted
Publication of TWI255121B

Abstract

The present invention provides a method for protecting digital secrets, together with related objects and systems. It describes a novel technique and system for protecting verifiable digital secrets, such as encryption keys and identification codes, based on partition and recovery processes applied to the digital secret. The technique may be implemented, for example, to offer individuals a personalized tool for protecting confidential data and to provide enhanced security. The partition and the recovery of a secret may be carried out on the same computer or on different computers.

Description

[Technical Field of the Invention]

The present invention applies to digital security techniques, devices and systems, and relates to the protection of secret data, in particular the secrets required to perform information security functions in computer networks and in other information and communication systems and networks. The invention covers a method for protecting digital secrets and a system thereof.

[Prior Art]

Most information systems, such as computer networks, use secret data to perform the required security functions. These functions include, but are not limited to, entity authentication, data encryption and decryption, authenticity protection during data exchange, and other security services.

For example, a password or a personal identification number (PIN) is secret data used as an input value when authenticating a user. Passwords and PINs chosen by the holder or by an authorized user are arguably the earliest type of secret data used for security services.

However, such user-chosen secrets are generally considered weak, because they can often be guessed and are hard to defend against known attacks, especially on the Internet or in other computer network environments.

In general, using only secrets chosen by system users is not enough to carry out the required security services successfully in most situations. Security services therefore go further and use other types of secret data to meet their security requirements. Examples of secret data not chosen by the user include, but are not limited to, the private key used in a public-key infrastructure (PKI) environment, a longer PIN provided by a bank or institution to authenticate an account or membership, a decryption key provided by a vendor, a symmetric secret key used to generate a message authentication code (MAC), a session key used to ensure the confidentiality of a data exchange, and other secret information. None of these secrets is chosen by the user; they are generated by computer programs, so secrets of this type are called computer-generated secrets. In ordinary Internet and computer network environments, protecting both computer-generated secrets and human-chosen secrets at the same time is becoming increasingly important and increasingly hard to achieve.

Computer-generated secrets used for security services are usually longer than human-chosen secrets and mostly contain no phrases that are meaningful to a person, which makes it almost impossible for people to memorize them. Information security applications in which individuals hold secrets therefore face two different needs: human-chosen secrets, such as passwords, adopted to meet human needs, and computer-generated secrets, such as cryptographic keys, adopted to meet system needs.

Over the Internet era of the past few decades, many solutions that let information systems meet both needs have been developed. However, only a solution that securely protects computer-generated secrets and human-chosen secrets at the same time is truly practical.

In one proposed solution, the computer-generated secret is generated, regenerated or recovered at the client over a network connection, using a human-chosen secret plus the help of other computing devices. Here the client is a network workstation, computing device or the like that performs computations and communicates with other devices on the network, and a device on the network that helps the client complete the security service is called a server.

R. Perlman and C. Kaufman studied many methods that use server assistance to generate secrets, and in 1999 presented a survey-type paper titled "Secure Password-Based Protocol for Downloading a Private Key" at the Network and Distributed System Security Symposium (Proc. 1999 Network and Distributed System Security Symposium, Internet Society); the paper also covers Bellovin and Merritt's Encrypted Key Exchange protocol (EKE, 1992). The EKE protocol is described in detail in Bellovin and Merritt's paper "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks", Proceedings of the IEEE Symposium on Security and Privacy, 1992, pp. 72-84. This encrypted key exchange protocol lets a client and a server share the same password in order to generate a key used for confidentiality protection and authentication during message transfer; related patents are U.S. Patent Nos. 5,241,599 and 5,440,635. However, the effectiveness of these and other server-assisted security service schemes may be limited, partly because the server itself represents a major weakness, or because it requires overly complex communication and message authentication with the client.

In the method proposed by Kaliski in 2001, the client is allowed, with the help of the server, to regenerate a computer-generated secret (the stronger secret data) from a human-chosen secret (the weaker secret data), while the server can still resist outside attacks. The terms "strong secret" and "weak secret" appear in Kaliski's patent application "Server-assisted regeneration of a strong secret from a weak secret", publication number 2001 0055388. The main applications of that invention are, for example: first, the regenerated secret serves as an input value for user authentication; second, the regenerated secret is a decryption key used to obtain secret data such as the private key in public-key cryptography. The regenerated strong secret is therefore produced by the method of that same invention, not by a system that uses some other secret-generation method.

In another solution, the computer-generated secret is stored in a secure hardware device. The hardware device is physically connected to the client computer, and the user enters the correct human-chosen secret to access the data stored on it (that is, the computer-generated secret). The smart card (electronic chip card) is a typical example of such a secure hardware device. A smart card is a two-factor authenticator: authentication uses both the card itself and a PIN, which makes the secret stored on it more secure. An identification code, or shorter PIN, is chosen by the original cardholder and is used to check whether the holder is authorized to access a computer-generated secret stored on the card, such as a private key. A smart card has tamper-resistant memory in which to store secrets. In some implementations the smart card also has a built-in processor, so that the card itself can perform the main computation and avoid exposing the secret protected inside it; for example, a digital signature operation can be completed directly by a card that stores the signing private key. This added capability effectively protects highly sensitive secret information.

In solutions that use a physical device, the protected secret can be generated by many different computer programs for generating secret data, so the physical-device approach can serve the needs of many security services in use today or to be developed in the future.

Protecting computer-generated secrets with smart cards carries extra hardware cost, because it involves the cards, card readers and other equipment such as card-issuing devices; and because card readers are still not widespread, using smart cards is inconvenient for users.

Other memory or storage devices, such as USB (Universal Serial Bus) flash drives, radio frequency identification (RFID) tags or magnetic media, are more convenient and cheaper, but the data on them is easy to copy. A flash drive, an RFID tag, a magnetic medium or a similar device is therefore an insecure authentication object, and a secret stored on such media is usually also protected by using a password as the encryption key. The password or its verification data (for example, a value computed from the password) must then be stored somewhere in advance for verification, and the stored password or verification data is the main weak point of this kind of secret. In addition, if an attacker can obtain the encrypted secret, password guessing is also a major threat. Cryptanalysis is a further threat to the encrypted secret; some cryptanalysis techniques can proceed without any prior knowledge of the encryption key (here, the password).

[Summary of the Invention]

In view of the shortcomings described above, which the conventional techniques still have in practical use, the inventor has designed a new approach.

The main object of the invention is to provide a method and system for protecting digital secrets that offers a more complete and efficient way to protect "computer-generated secrets" and lets a user regenerate or recover a "computer-generated secret" from a "human-chosen secret" without the assistance of a server. To make the new method more practical, the protected secret may be input data for particular security services or may be generated by particular computer programs.

To achieve this object, the technical means used by the invention is a method for protecting digital secrets, and objects thereof. The digital secret may include: a cryptographic key used for encryption and decryption with symmetric cryptography, the private key of a PKI public/private key pair, a longer PIN provided by a bank or institution to authenticate an account or membership, and other computer-generated secret data. These secrets share one characteristic: verifiability. In some situations, regenerating or recovering a "computer-generated secret" from a "human-chosen secret" must satisfy certain restrictions; for example, a "computer-generated secret" used for a particular purpose may have to be regenerated or recovered on a designated client or designated device. The function of regenerating or recovering a "computer-generated secret" from a password plus other data therefore needs a more flexible approach, in which the other data acts as an additional constraint on the regeneration or recovery procedure.

In an embodiment of the present application, a method that combines secret partition and recovery procedures is used to protect a "digital secret". During secret partition, an authorized user or the owner of the secret first decides on a "personalized input", which a first transformation function converts into a part that is independent of the digital secret. Next, this "secret-independent part" and the "digital secret" are fed into a second transformation function to produce a "secret-related part", which hides the original "digital secret". Once the "secret-related part" has been produced, the "secret-independent part" and the "digital secret" are erased from the computer's memory.

In the secret recovery procedure, the user who starts the recovery is asked to provide two items of digital data as input: (1) the "secret-related part" and (2) the "personalized input". The recovery computation uses both inputs; the first is the value supplied in response to the request for the "secret-related part", and the second is the value supplied in response to the request for the "secret-independent part". The procedure produces an output for the user. This output reveals the "digital secret" to the user only when the first input matches the correct "secret-related part" and the second input matches the correct "personalized input".

As described above, the secret partition process consists of a first transformation function f1 and a second transformation function f2, and the secret recovery process consists of the same first transformation function and a third transformation function f3. The first transformation function converts a "personalized input" into a "secret-independent part". The second transformation function has two inputs: the "secret-independent part" obtained from the first transformation function, and the "digital secret"; it converts these two inputs into a "secret-related part". The third transformation function also has two inputs; when it is given the same "secret-independent part" as its first input, the third transformation function is the inverse of the second.

The personalized input can be highly personalized and unique.

A password chosen by the owner of the protected secret or by an authorized user can serve as all or part of a "personalized input". In some cases the personalized input is a "selected input" made up of a "selected password" and a "device-specific code", where the device-specific code can be restricted so that only a designated device can obtain it. In general, the data chosen as part of the personalized input may include a password, a random number, a personal device identifier, the name of a location, identification information and so on.

In one embodiment of the present application, it is possible to remove the "secret-related part" from the network so that the "digital secret" is not exposed to attack over the network. For example, the "secret-related part" is first stored on a portable storage device, then deleted from the temporary memory of the computer, and the portable storage device is then detached from the network. After this procedure the "secret-related part" can no longer be used over the network.

In one embodiment of the present application, when the owner of the secret or an authorized user requests recovery of the secret, the computation that recovers the "digital secret" is performed on the client device. The recovered secret is then verified on the same client device, and the verification data needed for this can be obtained by that client.

Using the technical means described above, the invention has the following advantages once implemented:

1. It gives users a personalized tool for protecting secret data, which they can run on a network client with a personal password. Neither the password nor information derived from it needs to be stored in persistent memory, and no server needs to obtain the password or information derived from it.

2. It lets users recover a "computer-generated secret" from a "human-chosen secret", where the human-chosen secret may be a password and the whole recovery procedure can run entirely on the client's computing device.

[Embodiments]

The method and system of the invention for protecting digital secrets can cover many applications; for example, secrets generated by existing digital security systems can be accepted as protection targets. The protection targets suited to the technique described in this application can be of different types and are not limited to one particular kind of secret. For example, the protection target can be general, including the computer-generated secrets used by various security services in a network environment. In all these applications the protection target must remain confidential and unmodifiable during its validity period and even afterwards. The protection target is itself a "digital secret"; that is, it can be a binary string, and it can also be converted into a positive integer through the standard integer representation function. The standard integer representation of a binary string $a_{m-1} \dots a_1 a_0$ can be defined as $a_{m-1} \times 2^{m-1} + \dots + a_1 \times 2 + a_0$.

To exploit the full potential of the technique described in this application, the protection target must be verifiable. Most computer-generated secrets used for security services are verifiable. A secret is called "verifiable" if the correctness of its value can be checked. Digital secrets are usually verified with verification data; for example, the hash value of a longer PIN can usually serve as verification data for that PIN, and in a public/private key pair the public key is verification data for checking whether the value of the private key is correct.

In some examples of the present application, a number of devices in a computer network act as client devices, used to generate or recover "digital secrets". In some applications, a client or client device is a network workstation or device that can perform computations and can communicate with other network workstations or devices. In many applications a client gives an individual access to resources on the network, and it may have other uses or functions. Clients fall into two classes: (1) client computers, such as personal computers or computers intended mainly for individual use; and (2) portable user processors, such as personal digital assistants (PDAs) or various wireless handsets. A client computer or a portable user processor may include computing facilities, network facilities and storage facilities. A client's storage may include a fixed or portable persistent-memory peripheral; information stored on portable peripheral memory must be accessible to the client's processor.

In the present application, the technique for partitioning a "digital secret" uses computation to split it into two digital parts: a "secret-related part" and a "secret-independent part". The same secret can also be recovered by computation, when needed, from these two parts. The technique described here therefore uses two different procedures: partition and recovery.

In the example described here, the secret partition procedure begins by choosing a "personalized input". Next, a "secret-independent part" is computed from the "personalized input", and then a "secret-related part" is computed from the "digital secret" and the "secret-independent part". Finally, the procedure stores the "secret-related part" on a storage device with persistent memory.

As described above, the "personalized input" used to produce the "secret-independent part" can be decided or chosen by the owner of the secret or by an authorized user. The "personalized input" is confidential and known only to the owner of the secret or to authorized users. It is highly personalized, and in some cases unique, which makes it easier for the owner or an authorized user to remember their own input and also makes it harder for others to guess. The "secret-independent part" is so called because the choice of the "personalized input" has no relation to the "digital secret". For example, a password can serve as a "personalized input". The personalized input can also include data other than a password. A password is usually regarded as a weak secret, because an attacker can use a computer program to guess it; nevertheless, a suitably used password gives human users a natural and friendly interface. Optional data that can form part of the "personalized input" includes a second or further passwords, a random number, a personal device identifier, the name of a location, identification information and so on.

In some cases the secret partition procedure can be run repeatedly in order to handle and protect the same computer-generated secret. For example, when the owner of the secret or an authorized user wants to change the "personalized input" or refresh the "secret-related part", the partition procedure has to be run again. The "digital secret" to be partitioned again can be taken from where it was originally generated or obtained through the recovery procedure.

The secret recovery procedure described here begins by receiving an input, which is treated as the personalized input previously chosen as the input to the partition procedure. The recovery procedure then computes a "temporary value" from the received input, retrieves the "secret-related part" from the storage medium, and uses the temporary value and the secret-related part to recover the original "digital secret" by computation. If the received input is correct, the temporary value is the "secret-independent part"; in other words, the received input is identical to the correct "personalized input".

A verification step immediately follows recovery. The method of verification is a notable feature of the technique described in this application. A typed input, such as a typed password, is not checked for correctness right after it is typed. What is verified is the recovered secret, so the verification strategy checks the recovered secret rather than the typed input, and neither the password nor information derived from it (for example, a hash of the password or a ciphertext encrypted with the password) is stored as verification data. The verification data used here may be a public key or a hash value. To verify a recovered private key, the public key corresponding to the correct private key is used as verification data. To verify a recovered longer PIN, the hash value of the correct PIN can be used as verification data. The verification data can be prepared by an initialization procedure, which can be run together with the secret partition procedure.

The secret partition procedure uses two transformation functions, function one f1 and function two f2, to produce the "secret-related part" and the "secret-independent part":

(1) "secret-independent part" = f1(Y), where Y is a representative value of the "personalized input", and the choice of Y has no relation to the "digital secret".

(2) "secret-related part" = f2(f1(Y), S), where Y is as above and S is a representative value of the protected "digital secret".

The secret recovery procedure consists of the same function one f1 and another function, function three f3:

(1) S = f3(f1(Y), V), where Y and S are as defined above for f1 and f2, and V is a representative value of the "secret-related part".

With the three transformation functions f1, f2 and f3 described above, the steps of secret partition and secret recovery can be carried out; the formulas of these three transformation functions are what implement the technical innovation of the invention.
These three transfer functions are different function forms to achieve, also μ It is achieved by selecting the 19 ~ Ppnr characteristic type for a specific purpose. Regardless of this, how to select these three (four) commutative functions < σ and must meet the following attributes · (1) digital secret-independent part of the calculation and & characteristics of impedance; to mathematics ~: two: no collision or collision number ΓΡ β to DD 5, fl function or one-to-one function (疋 no collision function) or 疋 杈 杈 impedance function, therefore, it is not a J (if there is no collision function) m number m "number" or less 迠 (if it is a collision impedance function) u different "personal Turn the secret ΛΛ ” value to calculate the difference to the same “digit

在“、、關部份」的一個數值。 ⑵給予-個電腦產生的數位秘密之數值s為前提, 用來計算「數位秘密相關部份」的複合轉換函數具有盎碰 撞或碰撞阻抗的特性’此複合轉換函數是依序由第一和第 二轉換函數所組成,換言之,即是f2(fl(輸入資料),幻 )’並對所有的「個人化輸入」產生出一個正整數的計算 結果。(注意:f2fl的計算順序是先計算fl然後再 f2) "" (3) 給予「個人化輸入」的一個代表值,換言之,給 予個數位秘密無關部份的代表值,則用於計算r數位秘 密相關部份」的f2函數與用於回復電腦產生秘密的f 3函 數具有一種反向關係。 (4) 若不知道「數位秘密相關部份」,僅單獨知道「 數位秘岔無關部份」(或用以求得「數位秘密無關部份」 的「個人化輪入」),是無法求得「數位秘密」的。 (5) Π轉換函數的輸入值與「數位秘密」是沒有任何 關係的。換句話說,此「個人化輪入」的選擇和「數位秘 20 I2SSt2j 铨」的產生是兩個互相獨立的事件。 可以(:出即使個知人道化「:位秘密相關部份」也沒有任何線索 -轉m 」。「數位秘密相關部份」是第 m利用兩個彼此不相關的值當作輪入 而這兩個值包括:⑴「個人化輪入」和⑵「數 :了上述的屬性之外,fl、f2、和f3這三個轉換函 資,:身訊必須儘可能不要泡露與「數位秘密」相關的 此°、須沒有留下可以猜出「數位秘密」的線索。如 個用=來執行這些轉換函式的電腦程式可以被設置在一 w備中’雖然'用戶端設備所處的環境可能是不安 王、,也不致於威脅到被保護之數位秘密的安全性。 在某些應用中,「數位秘密相關部份」㈣存在—個 持久記憶的可攜式儲存設備中;相對的,當有需求的 時候,「數位秘密無關部份」經由輸入的資料來計算。通 :碼:以被當作主要的個人化輸入而且可以被記憶在使用 的月向中’方便使用者在不同的地方利用。如此,假設執 行三個轉換函數的電腦程式可以下載於非㈣的用戶端, 則秘密回復的計算可以在非指定用戶端執行。 在另外的應用中,秘密回復的程序可能因為系統建構 上的限制而必須侷限於某指定的用戶端來執行。在此類的 應㈣,被選擇的個人化輸入令有特定的資料項目僅能由 指定的用戶端上無法分離的儲存設備中取得,因此,秘密 回復程序-般而言無法在不同的用戶端或電腦上執行。 rI255ii21 1 ί -> ;"* ''1A value in the ", and off part". (2) Given the numerical value s of the digital secret generated by a computer, the composite conversion function used to calculate the "digital secret correlation part" has the characteristics of ang collision or collision impedance. This composite conversion function is sequentially ordered by the first and the The two conversion functions are composed, in other words, f2 (fl (input data), magic) and produce a positive integer calculation for all "personalized inputs". (Note: f2fl is calculated first and then f2) "" (3) Give a representative value of "personalized input", in other words, give a representative value of the digital secret-independent part, then use it for calculation The f2 function of the r-digit secret correlation part has an inverse relationship with the f3 function for replying to the computer-generated secret. 
(4) If you do not know the "digital secret related part", you can only ask for the "digital secret irrelevant part" (or the "personalization round" used to obtain the "digital secret irrelevant part"). Get "digital secrets". (5) The input value of the conversion function has nothing to do with the "digital secret". In other words, the choice of "personalization" and the generation of "digital secret 20 I2SSt2j 铨" are two separate events. Yes (: Even if you know the humanity ": the secret part of the bit", there is no clue - turn m". "Digital secret related part" is the mth using two mutually unrelated values as the round and this The two values include: (1) "personalization round" and (2) "number: in addition to the above attributes, fl, f2, and f3, three conversion letters,: the body must be as close as possible to the "digital secret" "The relevant °, there must be no clues to guess the "digital secret". A computer program that uses these = to execute these conversion functions can be set in a standby device, although the environment in which the client device is located It may be uneasy, and it does not threaten the security of the protected digital secret. In some applications, the "digital secret related part" (4) exists in a portable storage device with persistent memory; in contrast, When there is a demand, the "digital secret irrelevant part" is calculated based on the input data. Pass: code: to be regarded as the main personal input and can be memorized in the month of use 'convenient user in different Local use. So, Assuming that the computer program that executes the three conversion functions can be downloaded to the non-(four) client, the calculation of the secret reply can be performed on the non-designated client. In other applications, the secret reply procedure may be necessary due to system construction restrictions. Limited to a specified client to perform. 
In this category (4), the selected personalization input has a specific data item that can only be obtained from the storage device that cannot be separated on the specified client. Therefore, the secret reply procedure - Generally speaking, it cannot be executed on different clients or computers. rI255ii21 1 ί ->;"* ''1

The construction of the three transformation functions f1, f2 and f3 must take into account the relationships among them. In Example 1, the three transformation functions are as follows:

(1) U = "secret-independent part" = f1(Y) = SHA-1(Y), where Y is a representative value of the "personalized input". SHA stands for Secure Hash Algorithm; SHA-1 is a well-known one-way hash function that produces a positive integer smaller than 2^160 for every "personalized input" value.

(2) V = "secret-dependent part" = f2(U, S) = (U + α × S) mod q, where S is the standardized positive-integer representation of a protected "digital secret", q is a positive integer greater than every instance value of S and not less than 2^160, and α is another chosen positive integer that is coprime to q. (The positive integer 1 is regarded as coprime to q, so α = 1 is a simple example of α.)

(3) S = f3(U, V) = (α^(-1) × V + (−((α^(-1) × U) mod q) mod q)) mod q, where α^(-1) is the multiplicative inverse of α in arithmetic modulo q.

These functions are not independent but related to one another. The three formulated functions f1, f2 and f3 can be verified to satisfy the six properties stated above. One reason is that q is greater than every instance value of S and also greater than every representative value of U. A second reason is that for a positive integer α coprime to q there exists a unique multiplicative inverse α^(-1). The two constants q and α do not need to be kept secret; publishing the values of q and α reveals only that S and U are smaller than q. Because q is very large, this public information gives very little help in guessing S or U.

In Example 2, the construction above is modified as follows:

(1) U = f1(Y) = hash(hash(Y)) + β;

(2) V = f2(U, S) = (U + α × S) mod q; and

(3) S = f3(U, V) = (α^(-1) × V + (−((α^(-1) × U) mod q) mod q)) mod q.

In the formulas of Example 2, all parameters other than β are as defined before. The parameter β is chosen as a fixed positive integer. SHA-1(Y) is a collision-resistant function that produces a positive integer smaller than 2^160 for every Y value it accepts, where Y stands for any input data. Therefore this new f1 function, SHA-1(Y) + β, is also a collision-resistant function, and it produces a positive integer smaller than 2^160 + β for every Y value it accepts. By mathematical deduction, the composite of f1 and f2, that is, V = f2(f1(Y), S) = (SHA-1(Y) + β + αS) mod q, is also a collision-resistant function with respect to the variable Y, and it produces a positive integer smaller than q for every input value Y. Part of the reason for this deduction is that the chosen constant q is greater than every possible value of SHA-1(Y).

Another variation of the construction above is as follows:

(1) U = f1(Y) = hash(hash(Y)) + β, where "hash" denotes a collision-resistant function, such as SHA-1 or MD5, whose hash value can be expressed as a positive integer;

(2) V = f2(U, S) = (U + αS) mod q; and

(3) S = f3(U, V) = (α^(-1) × V + (−((α^(-1) × U) mod q) mod q)) mod q.

In the preceding formulas, the composite function made up of two hash functions can be extended to a composite function made up of a series of hash functions. According to mathematical proof, a composite function made up of a series of collision-resistant functions is also collision-resistant.

In the examples shown, the use of a one-way hash function in the construction of the first transformation function effectively enlarges the input range; in other words, it enlarges the set of all values from which the "personalized input" can be chosen. The content of the "personalized input" is therefore flexible, and the secret owner or an authorized user can choose the personalized input freely.

The "secret-dependent part" can be designed to be portable and can therefore be regarded as a "portable part". A portable electronic device with persistent memory, such as a USB memory device, a diskette or a memory card, can be used as the device that stores this part. Another example of a device for storing this digital part is a peripheral of a server connected to the network. Storing the "secret-dependent part" on a portable device is the preferred choice, partly because the recovery computation of the "digital secret" can then be performed in the computing facilities of a non-designated client.

Furthermore, once the "secret-dependent part" has been stored in a portable storage device, and any data of the "secret-dependent part" has been deleted or removed from the network, the portable storage device can be detached from the network. The "secret-dependent part", which carries information related to the "digital secret", can then no longer be obtained through the network, so an attacker who gains access to the network still cannot act against the protected "digital secret". This gives the already protected "digital secret" a further layer of security.

The storage device that stores the "secret-dependent part" can also be a storage device fixed to a designated client. For example, the client can be a portable client equipped with a processor that can be programmed to perform the processing and computation required by the technique of this application, and this portable client also contains persistent memory that serves as the required storage device. Such a client, with persistent memory in which a "secret-dependent part" is stored, is a designated client; it is able to perform the secret recovery computation and can also serve as the client needed for network access.

For the convenience of end users, a password can serve as the main "personalized input" in many applications. The "personalized input" can optionally include additional identification data, such as the manufacturer's built-in identifier of the personal device used to store the "secret-dependent part", which turns this personal device into a tool that is required for the computation that recovers the digital secret. This built-in identifier can be made computer-readable, so that no human intervention is needed.

According to the recovery design of the third transformation function, when the "secret-dependent part" is known, the task of guessing the computer-generated secret reduces to the task of guessing the "personalized input". Adding a random number to the personalized input therefore increases the difficulty of an exhaustive guessing attack on the secret. If the secret owner or an authorized user can ensure that the "secret-dependent part" is secure and cannot be used by unauthorized persons, then appending a random number to the personalized input improves security less significantly. The appended random number can be regarded as a second portable part, or it can be stored in the persistent memory of a specific client, so that the recovery of the computer-generated secret is restricted to this designated client.

The personalized input used to compute the "secret-independent part" can consist of a single item or of at least two data items. A secret chosen by a person, such as a password or a short personal identification number, is a typical example of single-item input data. As an example of combining at least two data items, a password and a device identifier can be concatenated in sequence as bit strings to form the "personalized input", for example password || device identifier, or device identifier || password. Another example is to concatenate a password, a random number and a device identifier in sequence as bit strings to form the personalized input, for example password || random number || device identifier. Alternatively, the personalized input can be divided into several groups, each group being used to compute a "secret-independent sub-part"; the "secret-independent part" is then computed from all of the "secret-independent sub-parts". With this method, each "secret-independent sub-part" is computed individually by a collision-free function or a collision-resistant function.

After recovery is complete, the technique of this application can further verify the recovered secret without verifying the typed password or other input data. The verification method depends on the type of the computer-generated secret and on the verification data used, even though the partition and recovery of the computer-generated secret may use the same method. For example, a verification process known as challenge and response has been designed and implemented to verify the value of a private key in a public-key cryptosystem. This is a conventional verification method used on the Internet and has been defined in several international standards, including ISO/IEC 9798-3 (1998). The verification procedure can be carried out in four basic steps: (1) generate a challenge message by a random method; (2) compute the response, that is, sign the fingerprint value of the challenge using a private key value that is assumed to be valid; (3) decrypt the response using the corresponding public key; and (4) compare the decrypted response with the fingerprint value of the challenge message. By definition, the fingerprint of a challenge message is the output obtained by transforming the challenge message with a chosen one-way hash function.

As another example, a hash value can be obtained by applying a chosen one-way hash function twice to a long personal identification number (long PIN), that is, hash(hash(the long PIN)), and this hash value can serve as the verification data. To verify, the same chosen hash function is applied twice to a recovered value of the long PIN, and the result is compared with the verification data. In some environments, to avoid reusing the same hash value on both the system side and the client side, the client can use the hash value obtained by hashing twice. Suppose the client uses the value computed by two applications of the hash function as its verification data, and the system side uses the value computed by one application of the hash function as its verification data. If the chosen one-way hash function is indeed computationally irreversible, then disclosure of the twice-hashed value poses no threat of revealing the once-hashed value.

In some applications of this application, the verification data and the "secret-independent part" can deliberately be stored in the same storage device, so that verification can be performed on the same client immediately after secret recovery.

When the technique described in this application is implemented properly, the verification data leaks no clue from which the protected secret could be guessed. In the challenge and response verification method mentioned above, the public key used as verification data meets this requirement. The twice-hashed value and the once-hashed value are likewise of very limited help in guessing the long PIN.

Passwords are used in many security services. The technique described in this application uses a password as all or part of the "personalized input", which differs markedly from the way other methods use passwords. Passwords are also commonly used to generate derived values for digital security protection. A derived value of a password is defined here as a value derived from the password alone, for example one produced by a transformation function with a single input variable, where that single variable receives the password. The hash value of a password is one example. In this sense, when the technique of this application is implemented, no derived value of the password is kept in persistent memory. The "secret-dependent part" is also derived from the password, but it is computed by the second transformation function f2, and f2 uses two mutually unrelated inputs: (1) the password (or, more generally, the personalized input) and (2) the protected secret. Therefore, under the definition of a derived value given above, the "secret-dependent part" is not a derived value of the password, because the second transformation function has more than one input variable.

In the field of information security, many conventional methods use a password, or a derived value of the password as mentioned above, to obtain a secret and make it usable. The password or its derived value must therefore be stored in permanent memory for the purpose of obtaining the secret, and this storage device may be broken into by an attacker who steals password-related information. By contrast, in the technique of this application the password is used in the computation that recovers the secret, so neither the password itself nor a derived value needs to be stored anywhere in advance for an authentication check, nor does it need to be part of the data used to obtain the "secret-dependent part". The "secret-dependent part" can be retrieved simply by using a file name directly. This difference is substantial, one reason being that the way the invention uses the password significantly raises the level of security and removes the attack risks that conventional methods face when using passwords. In the technique of this application, the fact that the password is used to recover the computer-generated secret, rather than being checked directly, results in strong password protection. Theft, reuse and unchecked sharing of the password become impossible unless the owner of the password or an authorized user keeps a handwritten or digital copy. Attacking the password by impersonating the server or by breaking the server's protection is also impossible, because the server neither asks the user to supply the password nor stores it. It is also worth noting that the technique can be implemented in such a way that end users notice no difference and keep using passwords in the way they have long been accustomed to.

The technique of this application can be implemented to use two authentication factors: (1) something the user has (the secret-dependent part and the verification data in the storage device), and (2) something the user should know (the personalized input, such as a password). If a random number and additional identification data are added to the personalized input, the technique of this application can be used to implement multi-factor authentication. Keeping the individual authentication factors separately reduces the chance that an attacker steals all of them in order to mount a guessing attack on the password.

In an implementation of the technique, the worst case is that both the "secret-dependent part" and the "verification data" have been obtained by an attacker, so that guessing the secret reduces to guessing the "personalized input". However, in a system built with this technique, every guess of the "personalized input" requires both the secret recovery task and the verification task to be executed, so guessing the "personalized input" correctly remains very difficult. In some cases, verifying a recovered secret requires very heavy computation. For example, verifying a recovered private key with the public key in the RSA cryptosystem involves exponentiation, and such computation considerably increases the difficulty of a search attack.

Figures 1 to 4 provide specific examples of implementations of the technique. The same reference numbers used in the figures or in the text refer to the same or similar parts wherever they appear.

Figure 1 shows the steps of one implementation of the partition procedure, together with the input and output interactions between this procedure and its working environment. Once started, the secret partition procedure requests an input (110) from the user through the user interface. This input (110) is a "personalized input", determined by the owner of the protected computer-generated secret or by an authorized user. The input (110) may contain one password, and may optionally include further passwords, random numbers, identification data, or possible combinations of these kinds of data. The secret owner or authorized person types the password, while the other data may be read automatically as input to the partition procedure. It is assumed that the protected secret is generated by a security service on the system side (130), which provides a computer-generated secret as the protected secret (140). In step (120), the secret partition procedure applies the chosen first transformation function f1 to compute the "secret-independent part", and performs step (140) to obtain the computer-generated secret from the security service (130) mentioned above. In the step labeled (150), the partition procedure uses the chosen second transformation function f2 to compute the secret-dependent part. Then, in step (160), the secret-dependent part is stored, and the working values are deleted from the temporary memory that was used.

Figure 2 is a functional block diagram showing the operating steps of an implementation of secret recovery followed by verification, together with the related inputs and outputs. In step (202), the secret recovery procedure begins by requesting and receiving input data (200); the received input data is taken as the required "personalized input". Next, in step (205), the secret-independent part is computed from the received input data; in step (215), the secret-dependent part is retrieved from storage; and then, in step (210), the original digital secret is recovered from these two digital parts (the secret-independent part and the secret-dependent part). The input labeled (200) serves as the personalized input defined in the corresponding secret partition flow. The secret-independent part is computed with the first transformation function used in the secret partition procedure, while the secret-dependent part was previously produced by the secret partition procedure and stored in the storage device labeled (215). The protected secret is recovered by the third transformation function, which stands in an inverse relationship to the second transformation function used in the corresponding partition procedure. The verification data is produced by an initialization procedure and stored in memory (225). In step (220), the verification data is retrieved and used to verify the recovered secret. Step (230) is then performed to decide whether the verification result is correct or incorrect. If the received input (200) matches the personalized input, and the secret-dependent part and the verification data obtained from the memory device are correct, the verification result is judged to be correct; otherwise it is judged to be incorrect. If the verification result is correct, the recovered digital secret is used and is provided to the system-side security service as the original computer-generated secret. The recovered computer-generated secret and the computed secret-independent part are then deleted from the computer's memory. If the verification result is incorrect, the flow goes to step (250) to decide whether to run the secret recovery procedure again or to terminate it. If the decision is to terminate, the program flow ends at step (260); if the decision is to repeat, the user is again asked to enter another input, as labeled (200).

In implementing the techniques of the present invention, the partition and recovery procedures described above can be realized as computer software instructions, and such instructions can be stored in a machine-readable storage medium or device connected to a computer or computer system. In operation, one or more computer processors can be used to perform the described functions and operations. Figure 3 is a flow chart of an embodiment of the partition procedure, and Figure 4 is a flow chart of an embodiment of secret recovery and verification. The steps in the flow charts are actions taken by the computer under the control of the software instructions. The secret protected in Figures 3 and 4 is a private key S. The embodiment of Figure 4 uses the challenge-and-response method mentioned earlier as its verification method. The three conversion functions f1, f2 and f3 differ slightly from the construction formulas given earlier and are as follows:

(1) U = f1(password) = MD5(password) + β, where MD5 is a well-known one-way hash function and β is a fixed positive integer;

(2) V = f2(U, S) = (U + αS) mod q, where S is a protected private key, q is chosen as a positive integer that is larger than every value of S and always larger than the message digest value obtained by applying the MD5 function to a passcode, and α is a positive integer that is coprime with q;

(3) S = f3(U, V) = (α^(-1) × V + (q - ((α^(-1) × U) mod q))) mod q, where α^(-1) is the multiplicative inverse of α under arithmetic modulo q.

In this particular example, the personalized input is the passcode. The result of the MD5 function is a string of 128 binary digits, so MD5(password) is always less than 2^128. If the private key is 1024 binary bits long, then q can be 2^1024 or a larger positive integer, because 2^1024 is greater than every private key value and greater than 2^128. Assuming a typical RSA cryptosystem is used here, determining whether one guess of the passcode is correct requires at least two exponentiation operations, including one that uses the recovered secret (the private key) as the exponent. Therefore, choosing a good parameter β makes guessing attacks on the passcode more difficult.

Referring to Figure 3, in step (310) a private key is taken as the object S to be protected. This private key is a binary bit string and is represented by a positive integer S. In step (320), three positive integers q, α and β are selected by the user, where q is greater than [illegible in source], α is a positive integer coprime with q, and β is also a positive integer. In step (330), a passcode is selected and confirmed by the holder of the protected private key S or by an authorized user, and serves as the personalized input required by the system. In step (340), the digital-secret-independent part is computed with the selected first conversion function, that is, U = MD5(password) + β. In step (350), the digital-secret-related part is computed with the selected second conversion function, that is, V = f2(U, S) = (U + αS) mod q. In step (360), the private key S and the digital-secret-independent part U are both deleted from the computer's memory. In step (370), the digital-secret-related part V is stored in a persistent memory.

Figure 4 shows the operation of recovery and verification. In step (410), a passcode is typed in as the input. In step (420), the digital-secret-independent part is computed with the first conversion function used in Figure 3, that is, U = MD5(password) + β. In step (430), the digital-secret-related part V is retrieved from its storage. In step (440), the protected private key S is recovered by computing the third conversion function, that is, S = f3(U, V) = (α^(-1) × V + (q - ((α^(-1) × U) mod q))) mod q. This completes the recovery procedure.

The challenge-and-response verification procedure starts in step (450), in which a random message C is obtained as the challenge. In step (460), the system uses the recovered private key as the signing key and signs the message digest of C, the signature function being SIG = Signature(the recovered private key, hash(C)). In step (470), the signature value obtained in step (460) is decrypted with the public key paired with the private key being verified. The result is called D and can be written as D = decryption(Public Key, SIG). In step (480), D is compared with the digest of C. If they are equal, the recovered private key is accepted in step (490). In step (498), the recovered secret is passed to the security service for use and is then deleted from the computer's memory. If the comparison in step (480) is not equal, then in step (495) the recovered private key is rejected for use by the system, and step (495) indicates that the whole secret recovery and verification procedure is started again from the beginning.

The recovery and subsequent verification procedure shown in Figure 4 can be carried out under many different system settings. For example, a non-specific client computer that can read the digital-secret-related part and the public key from a portable storage device can be used to perform the operations of Figure 4. As another example, a portable client processor with persistent memory can be used to store the digital-secret-related part and the public key and to perform the recovery and verification procedures.
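An added example (not code from the patent): the f1/f2/f3 partition and recovery and the challenge-and-response check of Figures 3 and 4, written in Python. The toy textbook-RSA key built from two Mersenne primes, the values chosen for q, α and β, the use of MD5 as hash(C), and all function names are assumptions made for illustration.

```python
import hashlib
import math
import os

# Constructed toy RSA key pair (two Mersenne primes; far too small for real use).
P1, P2 = 2**127 - 1, 2**89 - 1
N = P1 * P2
E = 65537                                   # public exponent
D_PRIV = pow(E, -1, (P1 - 1) * (P2 - 1))    # private exponent: the protected secret S

# Scheme parameters (constructed values that satisfy the conditions in the text).
Q = 2**256         # larger than every S (S < N < 2**216) and every MD5 value (< 2**128)
ALPHA = 65537      # coprime with Q: Q is a power of two, so any odd number works
BETA = 1_000_003   # fixed positive integer
assert math.gcd(ALPHA, Q) == 1 and D_PRIV < Q


def md5_int(data):
    """MD5 digest of bytes, read as a non-negative integer below 2**128."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def f1(password):
    """Digital-secret-independent part: U = MD5(password) + beta."""
    return md5_int(password.encode()) + BETA


def f2(u, s):
    """Digital-secret-related part: V = (U + alpha*S) mod q. Only V is stored."""
    return (u + ALPHA * s) % Q


def f3(u, v):
    """Recovery: S = (alpha^-1 * V + (q - ((alpha^-1 * U) mod q))) mod q."""
    a_inv = pow(ALPHA, -1, Q)               # multiplicative inverse of alpha mod q
    return (a_inv * v + (Q - ((a_inv * u) % Q))) % Q


def partition(secret, password):
    """Steps 340-370: return V; the caller discards the secret and U."""
    return f2(f1(password), secret)


def recover(v, password):
    """Steps 420-440: computed without checking the passcode first."""
    return f3(f1(password), v)


def verify(candidate, challenge=None):
    """Steps 450-480: sign hash(C) with the candidate key, check with the public key."""
    c = os.urandom(32) if challenge is None else challenge
    h = md5_int(c)                          # hash(C), always below N
    sig = pow(h, candidate, N)              # SIG = signature(candidate key, hash(C))
    return pow(sig, E, N) == h              # D = decryption(public key, SIG); D == hash(C)?


if __name__ == "__main__":
    v = partition(D_PRIV, "correct passcode")
    good = recover(v, "correct passcode")
    bad = recover(v, "wrong passcode")      # no error is raised, just a different integer
    print("right passcode accepted:", verify(good))
    print("wrong passcode accepted:", verify(bad))
```

A wrong passcode is only detected by the verification step, and anyone holding V and the public key can run the same recover-then-verify check per guess, so the strength of the passcode bounds the protection.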

Only a few examples and implementations are described in this application. However, based on the description of the technique in this application, various changes, improvements or modifications are possible.

【Brief Description of the Drawings】
Figure 1 is a functional block diagram illustrating an example of the secret partition procedure.
Figure 2 is a functional block diagram illustrating an example of the procedure of secret recovery and subsequent verification.
Figure 3 is a flow chart illustrating an example of the secret partition procedure and secret recovery, the purpose of which is to protect a private key.
Figure 4 is a flow chart illustrating an example of the subsequent verification procedure, the purpose of which is to protect a private key.

【Description of Main Reference Numerals】
(110) Personalized input
(120) Compute the digital-secret-independent part
(130) Security service
(140) Obtain the protected computer-generated secret
(150) Compute the digital-secret-related part
(160) Store the digital-secret-related part in persistent memory
(170) Digital-secret-related part
(180) Delete the digital-secret-independent part, the digital-secret-related part and the computer-generated secret from temporary memory
(200) Input data
(202) Receive the input data as the personalized input
(205) Compute the digital-secret-independent part
(210) Recover the computer-generated secret
(215) Digital-secret-related part
(220) Verify the recovered secret
(225) Verification data
(230) Verification result
(235) Use the recovered secret
(240) Security service
(245) Delete the recovered secret and the computed digital-secret-independent part from memory
(250) Repeat or terminate
(260) End
(310) Receive the private key as the secret S to be protected
(320) Select the parameters q, α, β and the hash function used to construct f1, f2 and f3
(330) Select and confirm the passcode
(340) Compute the digital-secret-independent part U = f1(password) = MD5(password) + β
(350) Compute the digital-secret-related part V = f2(U, S) = (U + αS) mod q
(360) Delete the secret S and the digital-secret-independent part U from computer memory
(370) Store the digital-secret-related part V in persistent memory
(410) Type in a passcode as the input
(420) Compute the digital-secret-independent part U = MD5(password) + β
(430) Retrieve the digital-secret-related part V from storage
(440) Compute S = f3(U, V) = (α^(-1) × V + (q - ((α^(-1) × U) mod q))) mod q and treat S as the recovered private key
(450) Generate a random message C
(460) Compute the signature SIG = signature(the recovered private key, hash(C))
(470) D = decryption(Public Key, SIG)
(480) hash(C) = D?
(490) Accept the recovered private key
(495) Do not accept the recovered private key
(498) Give the recovered secret to the security service for use, then delete it from memory

Claims (1)

;1255121 —- 拾、申請專利範圍: 方法,其係包括: 關之使用者選擇的通行 為第二轉換式的輸入值 丄· 一種用於保護數位秘密的 將一個與受保護的數位秘密益 ,、、、 碼輸入到第一轉換式獲得一暫時值 以前述暫時值及該數位秘密作 以產生-個數位秘密相關部份存於暫存記憶體;;1255121 — picking, patent application scope: method, which includes: the user selects the pass behavior, the second conversion type of input value 丄 · one for protecting the digital secret, a benefit to the protected digital secret, Entering a temporary value to obtain the temporary value and the digital secret to generate a digital secret related portion in the temporary storage memory; 將數位秘密相關部份存於持久性記憶體 將暫存δ己憶體中的數位秘密相關部份刪除; 由第一及第二轉換式之計算所使用到的記憶體中,刪 除數位秘密和前述暫時值。 2、如申請專利範圍第2項所述之用於保護數位秘密 的方法,其中包含: 當使用者要求回復該數位秘密時,向其接收一個通行 碼及數位秘密相關部份; 使用接收的通行碼和接收的數位秘密相關部份當作第 鲁 三轉換式的輸入值,以計算一個作為被回復之秘密的數值 ,此一回復秘密之計算並沒有事先驗證所收到的通行碼是 否正確; 以驗證資訊來驗證被回復的秘密,所用的驗證資訊與 前述被保護的數位秘密具有關連; 根據驗證步驟的結果,來判定接收到的通行碼是否與 使用者所選擇的通行碼相符,以及接收到的數位秘密相關 39 '、乂.換頁 邛份是否與正確的數位秘密相關部份相符。 3、如申請專利範圍第2項所述之用於保護數位秘密 ^方法’其中前述第一及第二轉換式分別設定為—個函數 ^ fl及—㈣數二f2’前述的第三轉換式則設定為此函 fl及另一個函數三f3的合成函數,該合成函數是依 先汁异Π接著再計算f 3的方式所組成。 4、如中請專利範圍第3項所述之用於保護數位秘密 下方法’其中函數一 fl、函數二f2及函數三^,分述如 下: U = fl(paSSW0rd) = hash(passw〇rd) + (3 ,其中, hash()是一個碰撞阻技 裡I彳几雜凑函數,此函數針對任何 Γ常:r;d之輸入值皆產生一個正整數,而β是-非負整數 值,ll=u,s) = (u+axs)modq,其中’…輸入數 代表函數-fl的一個輸出例,s是一個正整數,代表 數位秘密的一個數值例 , 1 Q則大於數位秘密的所有數值例 也大於所有通行碼輸人值所產生的料值, q互質的正整數; S = f3(U,V) = ( α -1χν + “ q)) m。“,其中,U 是 m〇d q)) mod ^ ^ 輪入數值,代表函數一 π的一 個輸出例’ v亦為一輸入數 的 一個 代表數位秘岔相關部份的 例,Q是一個如同函數f 2中 數,π介Τ/7Γ疋我之足夠大的整 α亦如函數f2中的定義,而α 運算的乘法反元素。 則疋《在…之模 5¾ j Ί ‘ .'ί. 
κ' 5、 如申請專利範圍第1項所述之用於保護數位秘密 : 的方法,其中包含使用一個密碼學金鑰當作被保護之數位 秘密的一部份或全部。 6、 如申請專利範圍第5項所述之用於保護數位秘密 的方法,其中該密碼學金鑰是-把對稱式密碼系統的金鑰 Ο 7、 如申請專利範圍第5項所述之用於保護數位秘密 的方法,其中該密碼學金鑰是一組公開金鑰及私密金鑰之 _ 金讀^對中的私禮、金鎖^。 8、 如申明專利範圍第1項所述之用於保護數位秘密 的方法,其中包含利用一個識別碼作為被保護之數位秘密 的一部份或全部,此識別碼用於存取一個被保護的資訊系 統。 9、 如申請專利範圍第ί項所述之用於保護數位秘密 的方法,其中包含: 在連接該持久性記憶體以接收並儲存「數位秘密相關 部份」的電腦系統中執行第一及第二轉換式; # 在完成第二轉換式以及儲存數位秘密相關部份後,將 持久性記憶體由此電腦系統分離。 + 1 0、如申請專利範圍第工項所述之用於保護數位秘 悉的方法,其中包含選擇一個無碰撞映射函數以計算第一 轉換式。 ° 七1 1、如申請專利範圍第工項所述之用於保護數位秘 也的方法’其中包含選擇_個碰撞阻抗雜凑函數以計算第 41 一轉換式。 - 12如申凊專利範圍第1項所述之用於保護數位秘 密的方法,其中包含: 將第一及第二轉換式分別設定為一個函數一 η及一 個函數二f2,使-個依函數- η接著函數二f2之計算順 序所組成的合成函數i2(fl⑺,s),在給予—個被保護的 數位秘密s值的前提下,對於輸入變數γ而言,是一個無 碰棱映射函數或是一個碰撞阻抗雜湊函數。 籲 1 3、如申請專利範圍第工項所述之用於保護數位秘 密的方法,其中包含: 將第及第二轉換式分別設定為一個函數一 fl及一 個函數二f2 ; 由要求回復數位秘密的一位使用者接收通行碼及數位 秘密相關部份; 在沒有事先驗證已收到之通行碼是否正確的狀況下, 使用接收到的通行碼和接收到的數位秘密相關部份當作第 三轉換式的輸人值,以計算—個作為被回復之秘密的數值# 9 μ達成以函數一 fl及函數二f2依先計算η接著再計 异f2的方式所組成之合成函數計算出的數位秘密相關部 份,與錯由第三轉換式回復的數位秘密之間’在接收到的 通行碼符合使用者所選擇之通行碼的條件下, 的關係。 ^ Η、如申請專利範圍第i項所述之用於保護數位秘 42 1255121 密的方法’其中包含使κ目可攜式儲存裝置作為持久性 記憶體以儲存數位秘密相關部份。 15、如申請專利範圍第14項所述之用於保護數位 秘密的方法中可攜式儲存裝置包含_個數位處判, 且此方法進一步包括在此數位處理器中執行第一及第二 換式。 一轉 1 6、如申請專利範圍第1 $ g 乐1 b項所返之用於保護數位 秘密的方法,其中包含: 自要求回復數位秘密的-位使用者接收通行碼; 取得數位秘密相關部份; 在沒有事先驗證接收之诵彳千£ β 女叹之逋仃碼疋否正確的狀況下,使 用接收的通行碼和取得的數位秘密相關料當作第三轉換 式的輸入值’以計算-個作為被回復之秘密的數值; 於上述數位處理器中執行第三轉換式。 1 7、如申請專利範圍第4 _乐丄4項所述之用於保護數位 秘密的方法,其中,可攜式儲尨 网飞儲存裝置包含一個數位處理器 ,並於此方法中進一步包括: 自要求回復數位秘密的-位使用者接收通行碼; 取得數位秘密相關部份; 在沒有事先驗證已接收之通行碼是否正讀的狀況下, 使用收到的通行碼和取得的數位秘密相關部份當作第三轉 換式的輸入值’以計算—個作為被回復之秘密的數值; 於此數位處理器中執行第三轉換式。 18 士中明專利範圍第1項所述之用於保護數位秘 43 1255121 密的方^其巾包切免將被選擇之通行碼和被選 订碼的何生值存於一個持久性記憶體中,但前述 : 密相關部份為例外。 數位秘 y ·—種用於保護數位秘密的方法,其係包括 接X —個數位秘密作為被保護的標的; 及一值; 給予一個來自一位經授權的使用者之被 個取自特定裝置的裝置指定碼,形成一 選擇的通行碼 個選擇的輸入The digital secret related part is stored in the persistent memory to delete the digital secret related part in the temporary δ hexamed body; the digital secret sum is deleted from the memory used in the calculation of the first and second conversion formulas The aforementioned temporary value. 2. 
The method for protecting a digital secret according to item 2 of the patent application scope, comprising: when the user requests to reply to the digital secret, receiving a pass code and a digital secret related part; using the received pass The code and the received digital secret related part are used as the input value of the Dilu three conversion formula to calculate a value as the secret of the reply, and the calculation of the reply secret does not verify in advance whether the received pass code is correct; Verifying the information to verify the secret being replied, the verification information used is related to the protected digital secret; based on the result of the verification step, determining whether the received pass code matches the pass code selected by the user, and receiving The number of secrets related to 39 ', 乂. page change is consistent with the correct digital secret related parts. 3. The method for protecting digital secrets as described in claim 2, wherein the first and second conversion formulas are respectively set to a function ^ fl and - (four) the number two f2 'the aforementioned third conversion formula Then, a synthesizing function is set for this function fl and another function three f3, and the synthesizing function is composed of the first method and then the f3. 4. The method for protecting digital secrets described in item 3 of the patent scope is as follows: where function f, function two f2 and function three are described as follows: U = fl(paSSW0rd) = hash( Passw〇rd) + (3 , where hash() is a collision function in the collision resistance technique. 
This function is for any anomaly: r; the input value of d produces a positive integer, and β is - non-negative Integer value, ll=u, s) = (u+axs)modq, where '...the input number represents an output example of the function -fl, s is a positive integer, a numerical example representing a digit secret, 1 Q is greater than a digit All numerical examples of secrets are also larger than the value of all pass code input values, q is a positive integer; S = f3(U,V) = ( α -1χν + " q)) m. ", among them, U is m〇dq)) mod ^ ^ is a round-in value, representing an output of the function π. 'v is also an example of an input number representing a part of the digital secret, Q is a function like f 2 The number, π Τ / 7 Γ疋 I am large enough α is also defined in the function f2, and the multiplication inverse element of the α operation. Then, in the "model of 53⁄4 j Ί ' . ' ί. κ ' 5 , as described in claim 1 of the scope of the patent for protecting digital secrets: including the use of a cryptographic key as protected Part or all of the digital secret. 6. The method for protecting digital secrets as set forth in claim 5, wherein the cryptographic key is - a key to a symmetric cryptosystem Ο 7, as described in claim 5 The method for protecting a digital secret, wherein the cryptographic key is a private key and a private key. 8. A method for protecting digital secrets as set forth in claim 1 wherein the identification code is used as part or all of a protected digital secret for accessing a protected Information system. 9. The method for protecting digital secrets as claimed in claim 5, wherein: the first and the first execution are performed in a computer system connected to the persistent memory to receive and store the "digital secret related portion" Second conversion; # After completing the second conversion and storing the digital secret related parts, the persistent memory is separated from the computer system. + 1 0. 
A method for protecting digital secrets as described in the scope of the patent application, which includes selecting a collision-free mapping function to calculate the first conversion. ° VII 1. The method for protecting digital secrets as described in the scope of the patent application, which includes selecting a collision impedance hash function to calculate the 41st conversion. The method for protecting a digital secret according to claim 1, wherein the first and second conversion formulas are respectively set to a function η and a function two f2, so that According to the calculation function i2 (fl(7), s) of the function-η followed by the calculation order of the function f2, given the value of the protected digital secret s, for the input variable γ, it is a touchless The edge mapping function is either a collision impedance hash function. The method for protecting digital secrets as described in the patent application scope includes: setting the second and second conversion formulas as a function one fl and a function two f2; A user of the digital secret receives the pass code and the digital secret related part; if the pass code received has not been verified in advance, the received pass code and the received digital secret related part are used as The input value of the third conversion formula is calculated as a secret value of the reply #9 μ, and the synthesis function consisting of the function f and the function f2 is calculated first by η and then by the different f2. The relationship between the calculated digital secret related part and the digital secret replied by the third conversion type is 'under the condition that the received pass code conforms to the pass code selected by the user. ^ Η, as described in claim i of the scope of claim i for protecting the digital secret 42 1255121 crypto' which includes the κ mesh portable storage device as a persistent memory for storing digital secret related parts. 15. 
The method for protecting a digital secret according to claim 14, wherein the portable storage device comprises _ digits, and the method further comprises performing the first and second exchanges in the digital processor. formula. One turn, 16. The method for protecting digital secrets, as claimed in the patent claim 1st $g Le 1b, which includes: a user who requests a reply to a digital secret to receive a pass code; In the absence of prior verification of the receipt of the β £ 女 女 女 女 女 女 女 女 女 女 女 女 女 女 β β β β β β β β β β β β β β β β β β β β β β β β β a value that is the secret of the reply; the third conversion is performed in the above-described digital processor. The method for protecting digital secrets as described in claim 4, wherein the portable storage network storage device comprises a digital processor, and the method further comprises: The user who requests the reply to the digital secret receives the pass code; obtains the digital secret related part; and uses the received pass code and the obtained digital secret correlation part without verifying in advance whether the received pass code is being read or not. The input is used as the input value of the third conversion type to calculate a value as the secret of the reply; the third conversion formula is executed in the digital processor. 18 The term described in item 1 of the patent scope of Shi Zhongming is used to protect the number of secrets 43 1255121. The package is free of the selected pass code and the value of the selected code in a persistent memory. Medium, but the foregoing: The exception is the secret correlation part. 
Digital secret method for protecting digital secrets, which includes X-digit secrets as protected objects; and a value; giving an authorized user a device from a particular device Device designation code to form a selected passcode selection input 利用第轉換式將選擇的輸入值轉換為一個暫時值; 、使用數位秘密以及該暫時值作為第二轉換式的輸入值 以產生一個數位秘密相關部份存於前述裝置的持久性記 由第一及第二轉換式之計算所使用到的記憶體中,刪 除數位秘密和前述暫時值。 2 0、如申請專利範圍第i 9項所述之用於保護數位 秘密的方法,其中包含避免將被選擇之通行碼和被選擇之 通行碼的衍生值存於一個持久性記憶體中’但前述的數位鲁 秘密相關部份為例外。 2 1、如申請專利範圍第1 9項所述之用於保護數位 秘密的方法,其中,將該被選擇之通行碼及該裝置指定碼 連結在一起,以該被選擇的通行碼在先而該装置指定碼在 後依序連接其位元串列,或以該裝置指定碼在先而該被選 擇的通行碼在後依序連接其位元串列。 2 2、如申清專利範圍第1 9項所述之用於保護數位 44 ^255121 秘密的方法,其中包含: 當使用者要求回復該數位秘密時,向其接收通行焉及 數位秘密相關部份; 讀取該裝置以獲得裝置指定碼; 將接收到的通行碼和前述獲得的裝置指定碼 收到的輸入值; χ接 .利用第-轉換式將接收到的輸入值轉換成一個暫時值 9 自該裝置的持久性記憶取回數位秘密相關部份,· 使用前述暫時值及取回的數位秘密相關部份當作第二 轉換式的輸人值’以計算—個作為被回復之秘密的數值= =回復秘密之計算並沒有事先驗證所收到的通行竭是否 2 3、如中請專利範圍第2 2項所述之用於保護 秘岔的方法,其中包含: —將第-、第二及第三轉換式分別設定為_個函數一" 個函數二f2、及一個函數三f3,使得,以函數一 “ 及函數二f2依先計算fl 合^虹 伐耆冉冲异f 2的方式所組成之 及函-計算出的數位秘密相關部份,與藉由以函數一 fl 合成函叙 丧者再计异f3的方式所組成之 用者〈間在接收到的輸入值符合使 、擇之輸入值的條件下,存在著逆向的關係。 秘密2、如申請專利範圍第22項所述之用於保護數位 的方法,其中該裝置中包含一個數位處理器。 45 ΓΪ255Ί21 秘密2法如利範圍第24項所述之用於保護數位 理器中執行/、I含限制第—轉換式之計算在該數位處 秘密二法如Π專:範圍第19項所述之用於保護數位 /、 ’该裝置是可攜式的裝置。 2 7、如中請專利範圍第i 9 秘密的方法,1A人 用於保邊數位 升T包含: 將第一及裳-4*认 苐一轉換式分別設定為一個數一 個函數二以,使—個依函 數fl及 序所組成的合成…Λ 數二f2之計算順 的數位秘密s值的r提下,1⑺:S):在給予一個被保護 無碰撞映射函數戈J個#於輸入變數γ而言,是-個 山數或疋一個碰撞阻抗雜湊函數。 2 8 種用於保護數位秘密的方法,其係包括· =第—轉換式將一個個人化輸入轉換為;;個數位 …,該個人化輸入之内容至少有部份與被 保濩的數位秘密無關; 使用第-轉換式產生的數位秘密無關部份及被保護的 數位秘密作為第二轉換式之輸入值,產生—個以數位化方 2藏數位秘密的數位秘密相關部份,其中,將有第三轉 換式之存在,設計來使用數位秘密無關部份及數位秘密相 關部份當作輸入值以回復被隱藏的數位秘密(即被保護的 數位秘密); 將第二轉換式產生的數位秘密相關部份存於—個持久 性記憶體; ' 46 由弟一及第二轉換式之計算所使 該數位秘密和前述暫時值; L體冊]除 要求開啟秘密回指兹皮认 化輸入以及⑺正確用者提供⑴正確的個人 Λ ^ i的數位秘密相關部份,以 的數位秘密; 攸攸U臧 應用存在的第三轉換式,由 , 街忧用言仔到弟一個輸入值 计^出數位秘密無關部 二個輸入值,作為口應另由使用者得到第 ^IS 作為㈣求數位秘密相關部份之回應,並利用 此兩項回應以產生一個輸 用 之運算過程中,备第 ,λ第三轉換式 且第一摘仏 第—個輸入值與正確的個人化輸入相符 出確的數位秘密相關部份相符時,該輸 才會揭路被隱藏的數位秘密給予使用者。 2 9如申請專利範圍第2 8項所述之用;# # 秘密的方法,i^ 义心用於保濩數位 ’、,數位秘密包含一個密碼學金鑰。 0如申凊發明範圍第2 Θ項所述之用;^|彳 秘密的方法,盆忐 义心用於保姜數位 中的金鑰。〃’该密碼學金鑰是一把對稱式密碼系統 秘密U法如Π專利範圍第2 
9項所述之用於保護數位 金餘之全鑰’该岔碼學金餘是一組公開金输及私密 兔鑰對中的私密金鑰。 秘密如t請專利範圍第2 8項所述之用於保護數位 資气中該數位秘密包含-組用於存取被保護之 貝A糸統的識別碼。 3 3、如申請專利範圍第2 8項所述之用於保護數位 47 1255121 秘山的方法,其中該個人化輸入包含通行碼、唯一識別碼 '位置識別資#、裝置識別碼、隨機產生數或—個由前述 各項所組成的資料。 3 4、如申請專利範圍第2 8項所述之用於保護數位 秘密的方法,其中包含: 在完成第三轉換式之計算後,執行一個驗證程序,以 檢驗該計算的輪出值。 ^ 申明專利範圍第3 4項所述之用於保護數位 秘密的方法,复φ, 技 "中5亥驗姐私序使用與數位秘密具有關連 的驗證資訊。 如申凊專利範圍第2 8項所述之用於保護數位 的方法,其中,該第-轉換式為無碰撞映射函數或碰 撞阻抗雜凑函數。 Λ 秘來2如巾請專利範圍第2 8項所述之用於保護數位 提=法,其中,給予-個受保護的數位秘密S作為前 i成=計算函數叫1再計算聽:f2的方式所組成之 =立即f2 (fl(Y),s),對輸入變數Y而言,是一 ^^里映射函數:或是一個碰撞阻抗雜凑函數。 的記=體了護數位秘密之系統,其包含機器可讀取 機器;:體以存放機器可執行的指令,該等指令將引導此 力用苐一轉換式 興被保護之數位秘密無關 ,、.'八·,,、叹 < 用者4擇之通行碼轉換為一個暫時值,· 以4述暫時值及該數位秘 也W馬弟一轉換式的輸入 48 1255121 ’以個數位秘密相關部份存於暫存記憶體; 將數位秘密相關部份存於持久性記憶體; 將暫存記憶體中的數位秘密相關部份刪除; 刪除 數位:二及第—轉換式之計算所使用到的記憶體 數位秘岔和前述暫時值。 之系其:申=圍:3 8項所述之保護數位秘密 ^ ^7進一步引導該機器執行: 當使用者要求回復該數位秘密時,向其接收一個通行 碼及數位秘密相關部份; 使用收到的通行碼和收 三轉換式的輸入值,以計關部份當作第 ,_ 個作為被回復之秘密的數值 ,此一回復秘密之計算並沒有 正確性· 1 ,无驗5且所收到的通行碼的 以驗證資訊來驗證祐 t >、f ^ ^ 被σ復的秘岔,所用的驗證資訊與 刖述的數位秘密具有關連; ::油登步驟的結果,來判定接收到的通行碼 ,/V a ^ Λ 々付U及接收到數位秘密相關部 刀疋〃正確的數位秘密相關部份相符。 =0、如中請專利範圍第3 9項所述之㈣數位秘密 二,纟中’前述第-及第二轉換式分別設定為-個函 數 f 1及'個函數-f 9,义、1、 一 則述的第三轉換式則設定為此 函數一 fl及另一個函數二 一 3的合成函數,該合成函數是 依先汁鼻η接著再計算_方式所組成。 4 i、如中請專利範圍第4◦項所述之保護數位秘密 49 1255121 函 及函數三,分述如下: 之物件,其中,函數 (1) u = fi(Password) = hash(passw〇rd)+p ,其中, hash( ) & _娅撞阻抗雜湊函數此函數針對任何 Pa™之輸入值皆產生-個正整數,而β是-非負敕數 的常數; 數 (2) V = f2(U,S) = (u +a xS)m〇d Q,其中,υ 是一 輸入數值’代表函數—fl的-個輸出例,S是-個^數 ,代表數位秘密的-個數值例’ q則大於數位秘密的 數值例,也大於所有通行碼輸入值所產生的雜凑值,“曰 一個與q互質的正整數; 疋 其中,v為一輸入數值,代表數位秘密 相關部份的-個數值例,u、q以及a如函數:f2中的定 義,而r1則是a在_ q之模運算的乘法反元素。 4 2 · —個電腦系統,包含: 根據第-轉換式將個人化輸入轉換為數位秘密無關部 份的元件; 使用數位秘密無關部份及數位秘密兩者作為第二轉換 式的輸入值以產生一個數位秘密相關部份的元件,而利用 數位秘密相關部份隱藏了原數位秘密’其中,將存在第三 轉換式,設計來制數位秘密無關部份及數位秘密%目關: 份當作輸入值以回復數位秘密; 用於存取持久性記憶體以儲存數位秘密相關部份的元 件; 50Converting the selected input value into a temporary value by using the first conversion formula; using the digital secret and the temporary value as the input value of the second conversion formula to generate a digital secret related portion, and storing the durability of the device in the 
foregoing device And in the memory used in the calculation of the second conversion formula, the digital secret and the aforementioned temporary value are deleted. 20. A method for protecting digital secrets as set forth in claim i, wherein the method of avoiding the selection of the selected pass code and the selected pass code is stored in a persistent memory. The aforementioned digital secret related parts are the exception. 2 1. The method for protecting a digital secret according to claim 19, wherein the selected pass code and the device designation code are linked together, and the selected pass code is preceded by The device designation code is sequentially connected to its bit string, or the device specifies the code first and the selected pass code is sequentially connected to its bit string. 2 2. The method for protecting the secret of the digital 44^255121 as described in claim 19 of the patent scope includes: when the user requests to reply to the digital secret, receiving the pass and the digital secret related part Reading the device to obtain the device designation code; receiving the received pass code and the input value received by the device designation code obtained as described above; splicing. Converting the received input value into a temporary value by using the first-conversion formula Retrieving the digital secret related part from the persistent memory of the device, using the aforementioned temporary value and the retrieved digital secret related part as the input value of the second conversion type to calculate - as the secret of the reply The value == the calculation of the reply secret does not verify in advance whether the received access is 2 or 3. 
The method for protecting the secret as described in item 22 of the patent scope, which includes: - will be - and The second and third conversion equations are respectively set to _ a function one " a function two f2, and a function three f3, so that the function one "and the function two f2 first calculate fl Way of smashing different f 2 The sum of the letters - the calculated part of the digital secret correlation, and the user who consists of the function of the f-synthesizer and the reciprocal f3, the input value in the received input Under the condition of the input value, there is a reverse relationship. Secret 2, as described in claim 22, for protecting a digit, wherein the device includes a digital processor. 45 ΓΪ255Ί21 Secret 2 method In the range 24, it is used to protect the execution of the digital processor, and the calculation of the I-containing restriction-transformation method is performed at the digitization method. 'The device is a portable device. 2 7. For example, the patent method is the i9 secret method, and the 1A person is used for the marginal digitization. The T includes: setting the first and the skirt-4* For a number one function two, so that a function according to the function fl and the sequence of the composition ... Λ number two f2 calculation of the number of digits of the secret s value of the r, 1 (7): S): given a protected Collision-free mapping function Ge J# in terms of input variable γ , is a mountain number or a collision impedance hash function. 
28. A method for protecting a digital secret, including:
converting a personalized input into a digital-secret-independent part by a first transformation, at least part of the content of the personalized input being unrelated to the protected digital secret;
using the digital-secret-independent part generated by the first transformation and the protected digital secret as the input values of a second transformation to generate a digital-secret-related part that hides the digital secret, wherein there exists a third transformation designed to use the digital-secret-independent part and the digital-secret-related part as input values to recover the hidden digital secret (i.e., the protected digital secret);
storing the digital-secret-related part generated by the second transformation in a persistent memory;
deleting the digital secret and the aforementioned temporary value after the calculation of the first and second transformations;
requiring a user who requests to start the secret recovery process to provide (1) the correct personalized input and (2) the correct digital-secret-related part in order to recover the hidden digital secret; and
in the calculation of the third transformation, obtaining a first input value from the user and calculating the digital-secret-independent part as a response, obtaining a second input value from the user as the response to the request for the digital-secret-related part, and using these two responses to generate an output value, wherein, in the operation of the third transformation, the output value reveals the hidden digital secret to the user only when the first input value matches the correct personalized input and the second input value matches the correct digital-secret-related part.

29. The method for protecting a digital secret as described in claim 28, wherein the digital secret contains a cryptographic key.

30. The method for protecting a digital secret as described in claim 2…, wherein the cryptographic key is a secret key of a symmetric cryptosystem.

31. The method for protecting a digital secret as described in claim 29, wherein the cryptographic key is the private key of a public/private key pair.

32. The method for protecting a digital secret as described in claim 28, wherein the digital secret contains a set of identification codes for accessing a protected system.

33. The method for protecting a digital secret as described in claim 28, wherein the personalized input includes a pass code, a unique identifier, a location identification number, a device identification code, a generated random number, or a piece of information composed of the foregoing.

34. The method for protecting a digital secret as described in claim 28, wherein the method comprises: after completing the calculation of the third transformation, performing a verification procedure to verify the calculated output value.

35. The method for protecting a digital secret as described in claim 34, wherein the verification procedure uses verification data related to the digital secret.

36. The method for protecting a digital secret as described in claim 28, wherein the first transformation is a collision-free mapping function or a collision-resistant hash function.

37. The method for protecting a digital secret as described in claim 28, wherein, given a protected digital secret S, the composite function formed by first computing function one f1 and then computing function two f2, that is, f2(f1(Y), S), is, with respect to the input variable Y, a collision-free mapping function or a collision-resistant hash function.

38. A system for protecting a digital secret, which includes a machine-readable medium storing instructions executable by a machine, the instructions directing the machine to:
convert a pass code selected by the user, which is independent of the protected digital secret, into a temporary value;
use the temporary value and the digital secret as inputs of a second transformation to produce a digital-secret-related part in temporary memory;
store the digital-secret-related part in persistent memory;
delete the digital-secret-related part from temporary memory; and
after the calculation of the first and second transformations, delete from memory the digital secret and the aforementioned temporary value.

39. The system for protecting a digital secret as described in claim 38, wherein the instructions further direct the machine to:
receive a pass code and a digital-secret-related part when the user requests recovery of the digital secret;
use the received pass code and the received digital-secret-related part as input values of the first and third transformations to compute a value as the recovered secret;
verify, using verification data, whether the recovered secret is correct, the verification data used being related to the digital secret; and
determine from the result of the verification step whether the received pass code is the correct pass code and the received digital-secret-related part is the correct digital-secret-related part.

40. The system for protecting a digital secret as described in claim 3…, wherein the first and second transformations are set as a function one f1 and a function two f2, and a third transformation is set as a function three f3 in relation to the composite function of function one f1 and function two f2, the composite function being composed of the first and second functions.

41. The system for protecting a digital secret as described in claim 4…, wherein function one, function two and function three are as follows:
(1) U = f1(password) = hash(password) + β, where hash() is a collision-resistant hash function that produces a positive integer for any input value of password, and β is a non-negative constant;
(2) V = f2(U, S) = (U + a × S) mod q, where U is an input value representing an output of function one f1; S is a numerical value representing the digital secret; q is a numerical value larger than the digital secret and also larger than the hash values generated from all pass code input values; and a is a positive integer that is coprime with q;
(3) … where V is an input value representing the numerical value of the digital-secret-related part; U, q and a are as defined for function two f2; and a⁻¹ is the multiplicative inverse of a under the modulo operation.

42. A computer system, containing:
a component that converts a personalized input into a digital-secret-independent part according to a first transformation;
a component that uses the digital-secret-independent part and a digital secret as the input values of a second transformation to generate a digital-secret-related part, and uses the digital-secret-related part to hide the original digital secret, wherein there exists a third transformation designed to use the digital-secret-independent part and the digital-secret-related part as input values to recover the digital secret;
a component used to access persistent memory to store the digital-secret-related part;
a component that removes the digital-secret-related part from the computer system; and
a component that, after the calculation of the first and second transformations is completed, deletes the digital-secret-independent part and the digital secret from the computer system.

43. The computer system as described in claim 42, which contains:
a component for requiring a user who requests to start the secret recovery process to provide (1) the correct personalized input and (2) the correct digital-secret-related part in order to recover the hidden digital secret; and
a component for the calculation of the third transformation, which obtains a first input value from the user and calculates the digital-secret-independent part as a response, obtains a second input value from the user as the response to the request for the digital-secret-related part, and uses these two responses to generate an output value for the user, wherein, in the operation of the third transformation, the output value reveals the hidden digital secret to the user only when the first input value matches the correct personalized input and the second input value matches the correct digital-secret-related part.

44. The computer system as described in claim 43, which contains:
a component for executing a verification procedure to check the output value after the calculation of the third transformation is completed, wherein the verification procedure uses verification data related to the protected digital secret.

XI. Drawings: as on the following page.

VII. Designated representative figure:
(1) The designated representative figure of this case is: Figure (1).
(2) Brief description of the reference symbols in the representative figure:
(110) Personalized input
(120) Calculate the digital-secret-independent part
(130) Security service
(140) Obtain the computer-generated secret to be protected
(150) Calculate the digital-secret-related part
(160) Store the digital-secret-related part in persistent memory
(170) Digital-secret-related part
(180) Delete the digital-secret-independent part, the digital-secret-related part, and the computer-generated secret from temporary memory

VIII. If this case has a chemical formula, please disclose the chemical formula that best shows the features of the invention:
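
The functions of claim 41 carried through partition and verified recovery, as an added example that is not code from the patent. Function three is not legible on this page, so `f3` is derived here as the inverse of `f2`; the modulus, the constants, SHA-256 as the hash, and the SHA-256 form of the verification data are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed parameters (assumptions, not values from the patent).
Q = 2**521 - 1         # prime modulus: exceeds any secret used here and any hash + BETA
A = 65537              # positive integer coprime with Q
BETA = 7               # non-negative constant added to the hash
A_INV = pow(A, -1, Q)  # multiplicative inverse of A modulo Q (Python 3.8+)

def f1(passcode: str) -> int:
    """Function one: U = hash(passcode) + BETA, the secret-independent part."""
    digest = hashlib.sha256(passcode.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") + BETA

def f2(u: int, s: int) -> int:
    """Function two: V = (U + a*S) mod q, the secret-related part."""
    return (u + A * s) % Q

def f3(u: int, v: int) -> int:
    """Function three, derived here as the inverse of f2: S = a^-1 * (V - U) mod q."""
    return (A_INV * (v - u)) % Q

def verifier(s: int) -> bytes:
    """Verification data related to the secret (assumed form: SHA-256 of S)."""
    return hashlib.sha256(s.to_bytes(66, "big")).digest()

def partition(passcode: str, secret: int) -> Tuple[int, bytes]:
    """Return what goes to persistent storage: V and the verification data."""
    if not 0 <= secret < Q:
        raise ValueError("secret must be a non-negative integer below q")
    return f2(f1(passcode), secret), verifier(secret)

def recover(passcode: str, v: int, check: bytes) -> Optional[int]:
    """Run f3 on the user's inputs; release the result only if it verifies."""
    candidate = f3(f1(passcode), v % Q)
    if hmac.compare_digest(verifier(candidate), check):
        return candidate
    return None

if __name__ == "__main__":
    key = secrets.randbits(256)                  # constructed sample secret
    v, check = partition("correct horse", key)
    print(recover("correct horse", v, check) == key)
    print(recover("wrong guess", v, check))
```

Because recovery is verifiable, anyone who holds V together with the verification data can test pass code guesses offline, so the protection is bounded by the entropy of the pass code.
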
TW93130793A 2003-10-10 2004-10-08 Method for protecting digital secrecy TWI255121B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US51044303P 2003-10-10 2003-10-10

Publications (2)

Publication Number Publication Date
TW200518544A TW200518544A (en) 2005-06-01
TWI255121B TWI255121B (en) 2006-05-11

Family

ID=37607600

Family Applications (1)

Application Number Title Priority Date Filing Date
TW93130793A TWI255121B (en) 2003-10-10 2004-10-08 Method for protecting digital secrecy

Country Status (1)

Country Link
TW (1) TWI255121B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI470990B (en) * 2012-09-21 2015-01-21 Univ Chang Gung Radio frequency identification (RFID) tag to link the individual information disclosure method, the right to grant the method and authority control and management system
TWI504222B (en) * 2013-08-15 2015-10-11 Univ Nat Chi Nan Authentication method
TWI805438B (en) * 2022-07-08 2023-06-11 中華電信股份有限公司 Management system and management method for access authorization of electronic document

Also Published As

Publication number Publication date
TW200518544A (en) 2005-06-01

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees