TWI526036B - Data securing method, data securing system for encryption or authentication and data carrier - Google Patents

Data securing method, data securing system for encryption or authentication and data carrier Download PDF

Info

Publication number
TWI526036B
TWI526036B TW102149392A TW102149392A TWI526036B TW I526036 B TWI526036 B TW I526036B TW 102149392 A TW102149392 A TW 102149392A TW 102149392 A TW102149392 A TW 102149392A TW I526036 B TWI526036 B TW I526036B
Authority
TW
Taiwan
Prior art keywords
key
random number
data
security
personal identification
Prior art date
Application number
TW102149392A
Other languages
Chinese (zh)
Other versions
TW201526592A (en
Inventor
倪萬昇
羅煥金
黃淑菁
許芬英
Original Assignee
全宏科技股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 全宏科技股份有限公司 filed Critical 全宏科技股份有限公司
Priority to TW102149392A priority Critical patent/TWI526036B/en
Publication of TW201526592A publication Critical patent/TW201526592A/en
Application granted granted Critical
Publication of TWI526036B publication Critical patent/TWI526036B/en

Links

Description

資料安全加密方法、用以加密或認證之資料安全系統及資料載體 Data security encryption method, data security system and data carrier for encryption or authentication

本發明是有關於一種資料處理方法、資料處理系統及資料載體,且特別是有關於一種資料安全加密方法、用以加密或認證之資料安全系統及資料載體。 The present invention relates to a data processing method, a data processing system, and a data carrier, and more particularly to a data security encryption method, a data security system and a data carrier for encryption or authentication.

隨著科技的發展,各種數位資料可以儲存於儲存裝置中。人們可能會儲存或傳輸機密資料於儲存裝置中。一旦儲存裝置遺失時,機密資料可能會被竊取。 With the development of technology, various digital materials can be stored in storage devices. People may store or transmit confidential information in storage devices. Once the storage device is lost, confidential information may be stolen.

資訊安全變得越來越重要。儲存裝置可以已加密之資料來作儲存,而不儲存原始資料,保障資訊被竊取之安全。如果某人想要取出原始資料,他必須以金鑰來解密已加密之資料。 一旦駭客竊取到金鑰,駭客可以輕易地取出原始資料。目前網路與手機軟體應用充斥,若金鑰藏於軟體內或非揮發性記憶體當中,駭客或開發者均能夠竊取金鑰。因此,如何確保金鑰不被竊 取是資訊安全技術的一項大挑戰。 Information security is becoming more and more important. The storage device can store the encrypted data without storing the original data, thereby ensuring the security of the information being stolen. If someone wants to retrieve the original material, he must decrypt the encrypted data with a key. Once the hacker steals the key, the hacker can easily retrieve the original data. Currently, Internet and mobile software applications are flooded. If the key is hidden in software or non-volatile memory, the hacker or developer can steal the key. So how to ensure that the key is not stolen It is a big challenge for information security technology.

本發明係有關於一種資料安全加密方法、用以加密或認證之資料安全系統及資料載體。個人識別碼(personal identification number)及金鑰(key)未儲存於資料載體。即使駭客取得資料載體,他仍然無法竊取到個人識別碼及金鑰。因此,對於應用在資料安全系統及資料載體上而言,已加密之資料不會被駭客所解密,對於資料安全認證方法而言,駭客也無法認證通過。 The present invention relates to a data security encryption method, a data security system for encrypting or authenticating, and a data carrier. The personal identification number and key are not stored in the data carrier. Even if the hacker gets the data carrier, he still can't steal the PIN and the key. Therefore, for data security systems and data carriers, the encrypted data will not be decrypted by the hacker. For the data security authentication method, the hacker cannot pass the authentication.

根據本發明之第一方面,提出一種資料安全加密方法。資料安全加密方法包括一加密程序,用以加密一資料或進行一認證程序(Authentication Procedure)。加密程序包括以下步驟。 獲得一第一個人識別碼。產生一第一亂數。根據個人識別碼及第一亂數,獲得一第一金鑰。根據第一金鑰,獲得一第一安全核對和。儲存第一亂數及部份之第一安全核對和。根據第一金鑰,加密資料或進行認證程序。 According to a first aspect of the present invention, a data security encryption method is presented. The data security encryption method includes an encryption program for encrypting a material or performing an Authentication Procedure. The encryption program includes the following steps. Obtain a first PIN. Generate a first random number. A first key is obtained based on the personal identification number and the first random number. According to the first key, a first security checksum is obtained. Store the first random number and part of the first security checksum. Encrypt data or perform an authentication procedure based on the first key.

根據本發明之第二方面,提供一種用以加密之資料安全系統(data securing system)。資料安全系統包括一輸入單元(inputting unit)、一亂數產生單元(random number generating unit)、一金鑰產生單元(key generating unit)、一加解密單元(crypto unit)及一儲存單元(storage unit)。輸入單元用以輸入 一第一個人識別碼(personal identification number)。亂數產生單元用以產生一第一亂數(random number)。金鑰產生單元用以根據第一個人識別碼及第一亂數,獲得一第一金鑰(key)。加解密單元用以根據第一金鑰獲得一第一安全核對和(secure checksum)並用以根據第一金鑰加密(encrypting)一資料。儲存單元用以儲存部份之第一安全核對和、第一亂數及已加密之資料。 According to a second aspect of the present invention, a data securing system for encryption is provided. The data security system includes an input unit, a random number generating unit, a key generating unit, a crypto unit, and a storage unit. ). Input unit for input A first personal identification number. The random number generating unit is configured to generate a first random number. The key generation unit is configured to obtain a first key according to the first personal identification code and the first random number. The encryption and decryption unit is configured to obtain a first secure checksum according to the first key and to encrypt a data according to the first key. The storage unit is configured to store a portion of the first security checksum, the first random number, and the encrypted data.

根據本發明之第三方面,提供一種資料載體(data carrier)。資料載體用以儲存與加密一資料。一第一安全核對和(secure checksum)係根據一第一金鑰(key)而獲得,並且資料根據第一金鑰而加密(encrypt)。資料載體包括一儲存單元(storage unit)。加解密單元用以根據一第一金鑰(key)獲得一第一安全核對和(secure checksum),並用以根據第一金鑰加密(encrypting)資料。儲存單元用以儲存一第一亂數(random number)、部份之第一安全核對和及已加密之資料。第一金鑰係根據一第一個人識別碼(personal identification number)及第一亂數所獲得。 According to a third aspect of the present invention, a data carrier (data) is provided Carrier). The data carrier is used to store and encrypt a data. A first secure checksum is obtained based on a first key, and the data is encrypted according to the first key. The data carrier includes a storage unit. The encryption and decryption unit is configured to obtain a first security checksum according to a first key, and to encrypt the data according to the first key. The storage unit is configured to store a first random number, a partial first security check, and an encrypted data. The first key is obtained based on a first personal identification number and a first random number.

根據本發明之第四方面,提供一種用以認證之資料安全系統(data securing system)。資料安全系統包括一輸入單元(inputting unit)、一亂數產生單元(random number generating unit)、一金鑰產生單元(key generating unit)、一加解密單元(crypto unit)及一儲存單元(storage unit)。輸入單元用以輸入一第一個人識別碼(personal identification number)。亂數產生單 元用以產生一第一亂數(random number)。金鑰產生單元用以根據第一個人識別碼及第一亂數,獲得一第一金鑰(key)。加解密單元用以根據第一金鑰進行一認證程序。儲存單元用以儲存第一亂數。 According to a fourth aspect of the present invention, a data securing system for authentication is provided. The data security system includes an input unit, a random number generating unit, a key generating unit, a crypto unit, and a storage unit. ). The input unit is configured to input a first personal identification number. Random number generation The element is used to generate a first random number. The key generation unit is configured to obtain a first key according to the first personal identification code and the first random number. The encryption and decryption unit is configured to perform an authentication procedure according to the first key. The storage unit is configured to store the first random number.

為了對本發明之上述及其他方面有更佳的瞭解,下文特舉較佳實施例,並配合所附圖式,作詳細說明如下: In order to better understand the above and other aspects of the present invention, the preferred embodiments are described below, and in conjunction with the drawings, the detailed description is as follows:

110‧‧‧輸入單元 110‧‧‧Input unit

120‧‧‧亂數產生單元 120‧‧‧ random number generating unit

130‧‧‧金鑰產生單元 130‧‧‧Key Generation Unit

140‧‧‧加解密單元 140‧‧‧Addition and decryption unit

150‧‧‧儲存單元 150‧‧‧storage unit

200、200’‧‧‧主機 200, 200’‧‧‧ host

210‧‧‧近距離無線通訊安全元件 210‧‧‧Short-range wireless communication security components

300、300’‧‧‧資料載體 300, 300’ ‧ ‧ data carrier

310‧‧‧控制器 310‧‧‧ Controller

1000、1000’、1000”‧‧‧資料安全系統 1000, 1000’, 1000” ‧‧‧ data security system

AD‧‧‧欲認證資訊 AD‧‧‧ wants to certify information

AD’‧‧‧已加密之認證資訊 AD’‧‧‧ Encrypted Certification Information

D‧‧‧原始之資料 D‧‧‧ original information

D’‧‧‧已加密之資料 D’‧‧‧Encrypted material

KEY1‧‧‧第一金鑰 KEY1‧‧‧ first key

KEY2‧‧‧第二金鑰 KEY2‧‧‧ second key

PIN1‧‧‧第一個人識別碼 PIN1‧‧‧first PIN

PIN2‧‧‧第二個人識別碼 PIN2‧‧‧Second Personal Identification Number

PIN3‧‧‧第三個人識別碼 PIN3‧‧‧ third PIN

PN‧‧‧預定碼 PN‧‧‧ booking code

RN1‧‧‧第一亂數 RN1‧‧‧ first random number

RN2‧‧‧第二亂數 RN2‧‧‧Second chaos

S201~S206、S501~S505、S701~S703‧‧‧流程步驟 S201~S206, S501~S505, S701~S703‧‧‧ process steps

SC1‧‧‧第一安全核對和 SC1‧‧‧ first safety check and

SC2‧‧‧第二安全核對和 SC2‧‧‧Second safety check and

TN‧‧‧暫存碼 TN‧‧‧ temporary storage code

第1A圖繪示資料安全系統之示意圖。 Figure 1A shows a schematic diagram of a data security system.

第1B圖繪示資料安全系統之另一示意圖。 Figure 1B depicts another schematic of a data security system.

第1C圖繪示資料安全系統之另一示意圖。 Figure 1C depicts another schematic diagram of a data security system.

第2圖繪示資料安全加密方法之加密程序的流程圖。 Figure 2 is a flow chart showing the encryption procedure of the data security encryption method.

第3圖繪示第2圖之邏輯圖。 Figure 3 is a diagram showing the logic of Figure 2.

第4圖繪示第3圖之另一實施例。 Fig. 4 is a view showing another embodiment of Fig. 3.

第5圖繪示資料安全加密方法之解密程序的流程圖。 Figure 5 is a flow chart showing the decryption procedure of the data security encryption method.

第6圖繪示第5圖之邏輯圖。 Figure 6 is a diagram showing the logic diagram of Figure 5.

第7圖繪示資料安全加密方法之個人識別碼變更程序之流程。圖 Figure 7 shows the flow of the personal identification code change procedure of the data security encryption method. Figure

第8圖繪示第7圖之邏輯圖。 Figure 8 is a diagram showing the logic diagram of Figure 7.

以下係提出各種實施例進行詳細說明,個人識別碼 (personal identification number)及金鑰(key)未儲存於資料載 體。即使駭客取得資料載體,仍無法得知個人識別碼或金鑰。因此,已加密之資料不會被駭客所解密。然而,實施例僅用以作為範例說明,並不會限縮本發明欲保護之範圍。此外,實施例中之圖式係省略部份元件,以清楚顯示本發明之技術特點。 The following is a detailed description of various embodiments, personal identification code (personal identification number) and key (key) are not stored in the information body. Even if the hacker obtains the data carrier, the PIN or key cannot be known. Therefore, the encrypted data will not be decrypted by the hacker. However, the examples are for illustrative purposes only and are not intended to limit the scope of the invention. Further, the drawings in the embodiments are omitted to partially illustrate the technical features of the present invention.

請參照第1A圖,其繪示資料安全系統(data securing system)1000之示意圖。資料安全系統1000用以加密(encrypting)一資料或解密(decrypting)已加密之資料。資料安全系統1000包括一輸入單元(inputting unit)110、一亂數產生單元(random number generating unit)120、一金鑰產生單元(key generating unit)130、一加解密單元(crypto unit)140及一儲存單元(storage unit)150。 Please refer to Figure 1A, which shows the data security system. System) 1000 schematic diagram. The data security system 1000 is used to encrypt a data or decrypt the encrypted data. The data security system 1000 includes an input unit 110, a random number generating unit 120, a key generating unit 130, a crypto unit 140, and a A storage unit 150.

輸入單元110用以由使用者輸入各種資料或資訊。 舉例來說,輸入單元110可以是一觸控面板、一鍵盤、一掃描器、連接於一輸入裝置之一傳輸線、或具有輸入各種資料之功能的電路。 The input unit 110 is configured to input various materials or information by the user. For example, the input unit 110 can be a touch panel, a keyboard, a scanner, a transmission line connected to one of the input devices, or a circuit having a function of inputting various materials.

亂數產生單元120用以產生一亂數。舉例來說,亂數產生單元120可以是一晶片、具有韌體之一電路板、儲存數組程式碼之一儲存媒體、或具有產生亂數功能之電路。 The random number generating unit 120 is configured to generate a random number. For example, the random number generating unit 120 may be a chip, a circuit board having a firmware, a storage medium storing one of the array codes, or a circuit having a function of generating random numbers.

金鑰產生單元130用以藉由一演算法來獲得一金鑰。舉例來說,金鑰產生單元130可以是一晶片、具有韌體之電路板、儲存數組程式碼之一儲存媒體、或具有獲得金鑰之功能的 電路。 The key generation unit 130 is configured to obtain a key by an algorithm. For example, the key generation unit 130 may be a chip, a board with a firmware, a storage medium storing one of the array codes, or having a function of obtaining a key. Circuit.

加解密單元140用以加密、解密或驗證資料。加解密單元140用第一金鑰KEY1進行一認證程序,如終端與使用者端,或手機APP與NFC SE端進行認證確認第一金鑰KEY1是否正確。舉例來說,加解密單元140可以是一晶片、具有韌體之一電路板、儲存數組程式碼之一儲存媒體、或具有加密、解密或驗證資料功能之電路。 The encryption and decryption unit 140 is used to encrypt, decrypt or verify data. The encryption/decryption unit 140 performs an authentication procedure using the first key KEY1, such as the terminal and the user end, or the mobile APP and the NFC SE end to perform authentication to confirm whether the first key KEY1 is correct. For example, the encryption and decryption unit 140 can be a chip, a circuit board having a firmware, a storage medium storing one of the array codes, or a circuit having the functions of encrypting, decrypting, or verifying data.

儲存單元150用以儲存各種資料。舉例來說,儲存單元150可以是一記憶體、一暫存器、或一硬碟。 The storage unit 150 is configured to store various materials. For example, the storage unit 150 can be a memory, a scratchpad, or a hard disk.

在第1A圖中,輸入單元110及亂數產生單元120可設置於一主機(host)200內或一資料載體(data carrier)300之一控制器310內。金鑰產生單元130、加解密單元140可設置於資料載體300之控制器310內,且儲存單元150可儲存於資料載體300內。舉例來說,主機200可以是一智慧型手機、一平板電腦、一桌上型電腦、或一伺服器電腦。資料載體300可以是一USB隨身碟、一隨身硬碟、或一記憶卡。 In FIG. 1A, the input unit 110 and the random number generating unit 120 may be disposed in a host 200 or in a controller 310 of a data carrier 300. The key generation unit 130 and the encryption and decryption unit 140 may be disposed in the controller 310 of the data carrier 300, and the storage unit 150 may be stored in the data carrier 300. For example, the host 200 can be a smart phone, a tablet, a desktop computer, or a server computer. The data carrier 300 can be a USB flash drive, a portable hard drive, or a memory card.

請參照第1B圖,其繪示資料安全系統1000’之另一示意圖。在另一實施例中,輸入單元110、亂數產生單元120、金鑰產生單元130及加解密單元140可設置於主機200’內。儲存單元150設置於資料載體300’內。也就是說,輸入單元110、亂數產生單元120、金鑰產生單元130及加解密單元140可以設置於主機(如第1A圖之主機200)或資料載體(如第1B圖之資 料載體300’)。 Please refer to FIG. 1B, which shows another schematic diagram of the data security system 1000'. In another embodiment, the input unit 110, the random number generating unit 120, the key generating unit 130, and the encryption and decryption unit 140 may be disposed in the host 200'. The storage unit 150 is disposed within the data carrier 300'. That is, the input unit 110, the random number generating unit 120, the key generating unit 130, and the encryption and decryption unit 140 may be disposed on a host (such as the host 200 in FIG. 1A) or a data carrier (such as the first FIG. Material carrier 300').

請參照第1C圖,其繪示資料安全系統1000”之另一示意圖。在另一實施例中,亂數產生單元120、金鑰產生單元130、加解密單元140與儲存單元150可以設置於一近距離無線通訊(NCF)安全元件(SE)210內。 Please refer to FIG. 1C, which illustrates another schematic diagram of the data security system 1000. In another embodiment, the random number generating unit 120, the key generating unit 130, the encryption and decryption unit 140, and the storage unit 150 may be disposed in one. Near Field Communication (NCF) Secure Element (SE) 210.

本發明並不侷限於第1A~1C圖。舉例來說,加解密單元140可以設置於資料載體300、300’或主機200、200’。加解密單元140所執行之演算法並不侷限儲存於加解密單元140所在之裝置。加解密單元140所執行之演算法可以儲存於主機200、200’或資料載體300、300’。 The present invention is not limited to the first to third embodiments. For example, the encryption and decryption unit 140 can be disposed on the data carrier 300, 300' or the host 200, 200'. The algorithm executed by the encryption/decryption unit 140 is not limited to the device stored in the encryption/decryption unit 140. The algorithm executed by the encryption and decryption unit 140 can be stored in the host 200, 200' or the data carrier 300, 300'.

在另一方面,金鑰產生單元130所執行之演算法並不局限儲存於金鑰產生單元130所在之裝置。金鑰產生單元130所執行之演算法可以儲存於主機200、200’或資料載體300、300’。 On the other hand, the algorithm executed by the key generation unit 130 is not limited to the device in which the key generation unit 130 is located. The algorithm executed by the key generation unit 130 can be stored in the host 200, 200' or the data carrier 300, 300'.

資料安全系統1000、1000’、1000”之上述元件可以透過一資料安全加密方法來做詳細描述。資料安全加密方法包括一加密程序(encryption procedure)、一解密程序(decryption procedure)及一個人識別碼變更程序(personal identification number changing procedure)。 The above components of the data security system 1000, 1000', 1000" can be described in detail by a data security encryption method. The data security encryption method includes an encryption procedure, a decryption procedure, and a person identification code change. Personal identification number changing procedure.

請參照第2圖及第3圖,第2圖繪示資料安全加密方法之加密程序的流程圖,第3圖繪示第2圖之邏輯圖。在步驟S201中,輸入單元110從使用者獲得一第一個人識別碼(personal identification number)PIN1。第一個人識別碼PIN1可以由按鍵輸入、點選螢幕上之動態虛擬鍵盤、掃描一維條碼或二維條碼等方式來輸入。舉例來說,第一個人識別碼PIN1例如是「0x3132333435363738393a3b3c3d3e3f30」。 Please refer to FIG. 2 and FIG. 3, FIG. 2 is a flow chart showing an encryption program of the data security encryption method, and FIG. 3 is a logic diagram of FIG. In step S201, the input unit 110 obtains a first personal identification code (personal) from the user. Identification number) PIN1. The first personal identification number PIN1 can be input by means of key input, clicking a dynamic virtual keyboard on the screen, scanning a one-dimensional barcode or a two-dimensional barcode. For example, the first personal identification number PIN1 is, for example, "0x3132333435363738393a3b3c3d3e3f30".

在步驟S202,亂數產生單元120產生一第一亂數(random number)RN1。第一亂數RN1可以儲存於資料載體300、300’之儲存單元150或儲存於主機200、200’之非揮發記體。 舉例來說,第一亂數RN1例如是「0xC4F87A6290AEE1ACFC1F26083974CE94」。在步驟S202中,第一亂數RN1可以藉由第1A圖之主機200或資料載體300來產生。 In step S202, the random number generating unit 120 generates a first random number RN1. The first random number RN1 may be stored in the storage unit 150 of the data carrier 300, 300' or the non-volatile record stored in the host 200, 200'. For example, the first random number RN1 is, for example, "0xC4F87A6290AEE1ACFC1F26083974CE94". In step S202, the first random number RN1 can be generated by the host 200 of FIG. 1A or the data carrier 300.

在步驟S203中,金鑰產生單元130根據第一個人識別碼PIN1及第一亂數RN1獲得第一金鑰KEY1。在步驟S203中,第一金鑰KEY1可以藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)來獲得。 多對一演算法可以是一互斥或邏輯運算(exclusive-OR)。一對一演算法可以是一線性函數演算法(linear function algorithm)。以互斥或邏輯運算為例,第一金鑰KEY1可以藉由下列方程式(1)來獲得。經過計算,第一金鑰KEY1為「0xF5CA4956A598D694C5251D34044AF1A4」。 In step S203, the key generation unit 130 obtains the first key KEY1 based on the first personal identification code PIN1 and the first random number RN1. In step S203, the first key KEY1 can be obtained by a many-to-one algorithm or a one-to-one algorithm. The many-to-one algorithm can be a mutually exclusive or exclusive-OR. The one-to-one algorithm can be a linear function algorithm. Taking a mutually exclusive or logical operation as an example, the first key KEY1 can be obtained by the following equation (1). After calculation, the first key KEY1 is "0xF5CA4956A598D694C5251D34044AF1A4".

PIN1⊕RN1=KEY1………………………………(1) PIN1⊕RN1=KEY1..............................(1)

在步驟S204中,加解密單元140根據第一金鑰 KEY1獲得一第一安全核對和(secure checksum)SC1。在步驟S204中,第一安全核對和SC1可以根據第一金鑰KEY1及一預定碼(predetermined number)PN(例如是「0X00…00」)來獲得。 第一安全核對和SC1可以藉由多對一演算法或一對一演算法來獲得。舉例來說,第一安全核對和SC1可以藉由一Hash演算法、一對稱加密演算法、一非對稱加密演算法、或一CRC32演算法來獲得。舉例來說,第一安全核對和SC1可以藉由方程式(2)之AES128加密演算法來獲得。經過計算,第一安全核對和SC1為「0xED56716F3B78D8741758ED0B34E3A2DD」。 In step S204, the encryption and decryption unit 140 is based on the first key. KEY1 obtains a first secure checksum (SC1). In step S204, the first security check and SC1 may be obtained according to the first key KEY1 and a predetermined number PN (for example, "0X00...00"). The first security check and SC1 can be obtained by a many-to-one algorithm or a one-to-one algorithm. For example, the first security check and SC1 can be obtained by a hash algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, or a CRC32 algorithm. For example, the first security check and SC1 can be obtained by the AES128 encryption algorithm of equation (2). After calculation, the first security check and SC1 are "0xED56716F3B78D8741758ED0B34E3A2DD".

SC1=AES_ENC(KEY1,PN)…………………(2) SC1=AES_ENC(KEY1, PN)........................(2)

在步驟S205中,第一亂數RN1及部份之第一安全核對和SC1儲存於儲存單元150中。在步驟S205中,第一安全核對和SC1的一預定字元(byte)數可以被儲存。舉例來說,第一安全核對和SC1之前8字元「ED56716F3B78D874」被儲存於儲存單元150中。 In step S205, the first random number RN1 and a part of the first security check and SC1 are stored in the storage unit 150. In step S205, the first security check and a predetermined number of bytes of SC1 may be stored. For example, the first security check and the first eight characters "ED56716F3B78D874" of SC1 are stored in the storage unit 150.

在步驟S206中,加解密單元140根據第一金鑰KEY1加密資料D為已加密之資料D’,或者加解密單元140根據第一金鑰KEY1加密一欲認證資訊(Authentication Data)AD為已加密之認證資訊(Authtication Data)AD’。 In step S206, the encryption/decryption unit 140 encrypts the data D into the encrypted data D' according to the first key KEY1, or the encryption/decryption unit 140 encrypts an authentication data AD (Authentication Data) AD according to the first key KEY1. Authentiation Data AD'.

請參照第3圖,第一個人識別碼PIN1及第一金鑰KEY1並未儲存於儲存單元150中。即使駭客取得資料載體300、300’,他仍然無法竊取第一個人識別碼PIN1及第一金鑰KEY1。 因此,已加密之資料D’並不會被駭客所解密。 Referring to FIG. 3, the first personal identification code PIN1 and the first key KEY1 are not stored in the storage unit 150. Even if the hacker obtains the data carrier 300, 300', he cannot steal the first personal identification number PIN1 and the first key KEY1. Therefore, the encrypted material D' is not decrypted by the hacker.

請參照第4圖,其繪示第3圖之另一實施例。在另一實施例中,第一金鑰KEY1可以根據一暫存碼(temporary number)TN及第一亂數RN1來獲得。藉由多對一演算法或一對一演算法,暫存碼TN係根據第一個人識別碼PIN1來獲得。舉例來說,暫存碼TN可以藉由Hash演算法來獲得,或者暫存碼TN也可以直接等於第一個人識別碼PIN1(即為第3圖之實施例)。 Please refer to FIG. 4, which illustrates another embodiment of FIG. In another embodiment, the first key KEY1 can be obtained according to a temporary number TN and a first random number RN1. The temporary storage code TN is obtained based on the first personal identification code PIN1 by a many-to-one algorithm or a one-to-one algorithm. For example, the temporary storage code TN can be obtained by a hash algorithm, or the temporary storage code TN can also be directly equal to the first personal identification code PIN1 (ie, the embodiment of FIG. 3).

請參照第5圖及第6圖,第5圖繪示資料安全加密方法之解密程序的流程圖,第6圖繪示第5圖之邏輯圖。在步驟S501中,輸入單元110從使用者獲得第二個人識別碼PIN2。 Please refer to FIG. 5 and FIG. 6 , FIG. 5 is a flowchart of a decryption program of the data security encryption method, and FIG. 6 is a logic diagram of FIG. 5 . In step S501, the input unit 110 obtains the second personal identification code PIN2 from the user.

在步驟S502,金鑰產生單元130根據第二個人識別碼PIN2及第一亂數RN1獲得一第二金鑰KEY2。在步驟S503中,第二金鑰KEY2可以藉由多對一演算法或一對一演算法來獲得。 多對一演算法例如是一互斥或邏輯運算(exclusive-OR)。一對一演算法例如是一線性函數演算法(linear function algorithm)。以互斥或邏輯運算為例,第二金鑰KEY2可以藉由方程式(3)來獲得。 In step S502, the key generation unit 130 obtains a second key KEY2 according to the second personal identification code PIN2 and the first random number RN1. In step S503, the second key KEY2 can be obtained by a many-to-one algorithm or a one-to-one algorithm. The many-to-one algorithm is, for example, a mutual exclusion or an exclusive-OR. The one-to-one algorithm is, for example, a linear function algorithm. Taking a mutually exclusive or logical operation as an example, the second key KEY2 can be obtained by equation (3).

KEY2=PIN2⊕RN1………………………………(3) KEY2=PIN2⊕RN1..............................(3)

在步驟S503中,加解密單元140根據第二金鑰KEY2獲得一第二安全核對和SC2。在步驟S503中,第二安全核對和SC2可以根據第二金鑰KEY2及步驟S204之預定碼PN(如「0X00…00」)來獲得。第二安全核對和SC2可以藉由多對一演 算法或一對多演算法來獲得。舉例來說,第二安全核對和SC2可以藉由Hash演算法、一對稱加密演算法、一非對稱加密演算法、或一CRC32演算法來獲得。舉例來說,第二安全核對和SC2可以藉由方程式(4)來獲得。 In step S503, the encryption and decryption unit 140 obtains a second security check and SC2 according to the second key KEY2. In step S503, the second security check and SC2 may be obtained according to the second key KEY2 and the predetermined code PN of step S204 (such as "0X00...00"). The second security check and SC2 can be played by many-to-one Algorithm or one-to-many algorithm to get. For example, the second security check and SC2 can be obtained by a hash algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, or a CRC32 algorithm. For example, the second security check and SC2 can be obtained by equation (4).

AES_ENC(KEY2,PN)=SC2……………………(4) AES_ENC(KEY2,PN)=SC2........................(4)

在步驟S504中,加解密單元140判斷部份之第二安全核對和SC2是否相同於已儲存之部份第一安全核對和SC1。若部份之第二安全核對和SC2相同於已儲存之部份第一安全核對和SC1,則進入步驟S505;若部份之第二安全核對和SC2不同於已儲存之部份第一安全核對和SC1,則進入步驟S501。 In step S504, the encryption/decryption unit 140 determines whether part of the second security check and SC2 are the same as the stored partial first security check and SC1. If part of the second security check and SC2 are the same as the stored first security check and SC1, proceed to step S505; if part of the second security check and SC2 are different from the stored first secure check And SC1, then proceeds to step S501.

在步驟S505中,加解密單元140根據第二金鑰KEY2解密已加密之資料D’為原始之資料D。 In step S505, the encryption/decryption unit 140 decrypts the encrypted material D' as the original material D based on the second key KEY2.

請參照第6圖,即使第一個人識別碼PIN1及第一金鑰KEY1沒有儲存於儲存單元150,使用者仍然可以藉由輸入第二個人識別碼PIN2來取出原始的資料D。 Referring to FIG. 6, even if the first personal identification code PIN1 and the first key KEY1 are not stored in the storage unit 150, the user can still retrieve the original data D by inputting the second personal identification number PIN2.

請參照第7圖及第8圖,第7圖繪示資料安全加密方法之個人識別碼變更程序之流程圖,第8圖繪示第7圖之邏輯圖。在步驟S701中,輸入單元110從使用者獲得一第三個人識別碼PIN3。 Please refer to FIG. 7 and FIG. 8 , FIG. 7 is a flowchart of a personal identification code change procedure of the data security encryption method, and FIG. 8 is a logic diagram of FIG. 7 . In step S701, the input unit 110 obtains a third personal identification number PIN3 from the user.

在步驟S702中,金鑰產生單元130根據第一個人識別碼PIN1、第三個人識別碼PIN3及第一亂數RN1獲得一第二亂數RN2。在步驟S203中,請參照方程式(5),藉由一邏輯運算 或一演算法,第一金鑰KEY1可以根據第一個人識別碼PIN1及第一亂數RN1來獲得。在方程式(5)中,符號「@」表示一邏輯運算或一演算法。請參照方程式(5),藉由同樣的邏輯運算或演算法,第一金鑰KEY1也可以根據第三個人識別碼PIN3及第二亂數RN2來獲得。 In step S702, the key generation unit 130 obtains a second random number RN2 according to the first personal identification code PIN1, the third personal identification number PIN3, and the first random number RN1. In step S203, please refer to equation (5), by a logic operation Or an algorithm, the first key KEY1 can be obtained according to the first personal identification code PIN1 and the first random number RN1. In equation (5), the symbol "@" represents a logical operation or an algorithm. Referring to equation (5), the first key KEY1 can also be obtained according to the third personal identification code PIN3 and the second random number RN2 by the same logical operation or algorithm.

KEY1=PIN1@RN1=PIN3@RN2………………(5) KEY1=PIN1@RN1=PIN3@RN2..................(5)

根據方程式(5),第二亂數RN2可以透過方程式(6)來獲得。 According to equation (5), the second random number RN2 can be obtained by equation (6).

RN2=PIN1@RN1@PIN3………………………(6) RN2=PIN1@RN1@PIN3........................(6)

在步驟S703中,將第二亂數RN2儲存於儲存單元150中,以取代第一亂數RN1。接著,使用者可以輸入第三個人識別碼PIN3來取出原始的資料D。 In step S703, the second random number RN2 is stored in the storage unit 150 instead of the first random number RN1. Then, the user can input the third personal identification number PIN3 to retrieve the original data D.

請參照第8圖,當使用者將第一個人識別碼PIN1變更為第三個人識別碼PIN3時,第一金鑰KEY1並未變更。因此,已加密之資料D’無須解密及加密一次。 Referring to FIG. 8, when the user changes the first personal identification number PIN1 to the third personal identification number PIN3, the first key KEY1 is not changed. Therefore, the encrypted material D' does not need to be decrypted and encrypted once.

此外,根據另一方面應用,請參照第1C圖,手機APP調用NFC SE或其他硬體時,利用本方法產生之第一金鑰KEY1可作為與NFC SE或其他硬體認證之金鑰。 In addition, according to another application, please refer to FIG. 1C. When the mobile APP calls NFC SE or other hardware, the first key KEY1 generated by the method can be used as a key to NFC SE or other hardware authentication.

綜上所述,雖然本發明已以較佳實施例揭露如上,然其並非用以限定本發明。本發明所屬技術領域中具有通常知識者,在不脫離本發明之精神和範圍內,當可作各種之更動與潤 飾。因此,本發明之保護範圍當視後附之申請專利範圍所界定者 為準。 In conclusion, the present invention has been disclosed in the above preferred embodiments, and is not intended to limit the present invention. Those skilled in the art to which the invention pertains can make various changes and changes without departing from the spirit and scope of the invention. Decoration. Therefore, the scope of protection of the present invention is defined by the scope of the appended claims. Prevail.

S201~S206‧‧‧流程步驟 S201~S206‧‧‧ Process steps

Claims (40)

一種資料安全加密方法,包括一加密程序(encryption procedure),用以加密一資料或進行一認證程序(Authentication Procedure),該加密程序包括:獲得一第一個人識別碼(personal identification number);產生一第一亂數(random number);根據該個人識別碼及該第一亂數,獲得一第一金鑰(key);根據該第一金鑰,獲得一第一安全核對和(secure checksum);儲存該第一亂數及部份之該第一安全核對和;以及根據該第一金鑰,加密(encrypting)該資料或進行該認證程序。 A data security encryption method, comprising an encryption procedure for encrypting a data or performing an authentication procedure, the encryption program comprising: obtaining a first personal identification number; generating a first a random number; according to the personal identification number and the first random number, obtaining a first key; according to the first key, obtaining a first security checksum (secure checksum); storing The first random number and the portion of the first security checksum; and encrypting the data or performing the authentication procedure according to the first key. 如申請專利範圍第1項所述之資料安全加密方法,其中在產生該第一亂數之步驟中,該第一亂數係藉由一主機所產生。 The data security encryption method of claim 1, wherein in the step of generating the first random number, the first random number is generated by a host. 如申請專利範圍第1項所述之資料安全加密方法,其中在產生該第一亂數之步驟中,該第一亂數係藉由一資料載體所產生。 The data security encryption method according to claim 1, wherein in the step of generating the first random number, the first random number is generated by a data carrier. 如申請專利範圍第1項所述之資料安全加密方法,其中在獲得該第一金鑰之步驟中,該第一金鑰係藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)所獲得。 The data security encryption method according to claim 1, wherein in the step of obtaining the first key, the first key is performed by a many-to-one algorithm or Obtained by a one-to-one algorithm. 如申請專利範圍第1項所述之資料安全加密方法,其中在 獲得該第一金鑰之步驟中,該第一金鑰係藉由一互斥或邏輯運算(exclusive-OR)或一線性函數演算法(linear function algorithm)所獲得。 For example, the data security encryption method described in claim 1 of the patent scope, wherein In the step of obtaining the first key, the first key is obtained by a mutual exclusion or an exclusive-OR or a linear function algorithm. 如申請專利範圍第1項所述之資料安全加密方法,其中在獲得該第一安全核對和之步驟中,該第一安全核對和係根據該第一金鑰及一預定碼(predetermined number)所獲得。 The data security encryption method of claim 1, wherein in the step of obtaining the first security check, the first security check is based on the first key and a predetermined number (predetermined number) obtain. 如申請專利範圍第1項所述之資料安全加密方法,其中在獲得該第一安全核對和之步驟中,該第一安全核對和係藉由一多對一演算法或一一對一演算法所獲得。 The data security encryption method according to claim 1, wherein in the step of obtaining the first security check, the first security check is performed by a many-to-one algorithm or a one-to-one algorithm. Obtained. 如申請專利範圍第1項所述之資料安全加密方法,其中在儲存該第一亂數及部份之該第一安全核對和之步驟中,一預定字元(bytes)數之該第一安全核對和被儲存。 The data security encryption method of claim 1, wherein in the step of storing the first random number and the first security checksum, the first security of a predetermined number of bytes Check and store. 如申請專利範圍第1項所述之資料安全加密方法,其中在獲得該第一金鑰之步驟中,該第一金鑰係根據一暫存碼(temporary number)及該第一亂數來獲得,該暫存碼係根據該第一個人識別碼來獲得。 The data security encryption method of claim 1, wherein in the step of obtaining the first key, the first key is obtained according to a temporary number and the first random number. The temporary storage code is obtained based on the first personal identification number. 如申請專利範圍第1項所述之資料安全加密方法,更包括一解密程序(decryption procedure),用以解密已加密之該資料,該解密程序包括:獲得一第二個人識別碼;根據該第二個人識別碼及該第一亂數,獲得一第二金鑰;根據該第二金鑰,獲得一第二安全核對和; 判斷部份之該第二安全核對和是否相同於已儲存之部份之該第一安全核對和;以及若部份之該第二安全核對和相同於已儲存之部份之該第一安全核對和,則根據該第二金鑰,解密已加密之該資料。 The data security encryption method according to claim 1, further comprising a decryption procedure for decrypting the encrypted data, the decrypting program comprising: obtaining a second personal identification number; a second personal identification code and the first random number, obtaining a second key; according to the second key, obtaining a second security checksum; Determining whether the second security check is identical to the first security checksum of the stored portion; and if the portion of the second security check is the same as the first secure check of the stored portion And, the encrypted data is decrypted according to the second key. 如申請專利範圍第1項所述之資料安全加密方法,更包括一個人識別碼變更程序(personal identification number changing procedure),該個人識別碼變更程序包括:獲得一第三個人識別碼;根據該第一個人識別碼、該第三個人識別碼及該第一亂數,獲得一第二亂數;以及儲存該第二亂數,以取代該第一亂數。 The data security encryption method according to claim 1, further comprising a personal identification number changing procedure, the personal identification code changing procedure comprising: obtaining a third personal identification number; according to the first individual The identification code, the third personal identification number and the first random number obtain a second random number; and store the second random number to replace the first random number. 一種用以加密之資料安全系統(data securing system),包括:一輸入單元(inputting unit),用以輸入一第一個人識別碼(personal identification number);一亂數產生單元(random number generating unit),用以產生一第一亂數(random number);一金鑰產生單元(key generating unit),用以根據該第一個人識別碼及該第一亂數,獲得一第一金鑰(key);一加解密單元(crypto unit),用以根據該第一金鑰獲得一第一安全核對和(secure checksum)並用以根據該第一金鑰加密(encrypting)一資料;以及 一儲存單元(storage unit),用以儲存部份之該第一安全核對和、該第一亂數及已加密之該資料。 A data securing system for encrypting, comprising: an inputting unit for inputting a first personal identification number; a random number generating unit; For generating a first random number; a key generating unit for obtaining a first key according to the first personal identification number and the first random number; a crypto unit for obtaining a first secure checksum according to the first key and for encrypting a data according to the first key; a storage unit for storing a portion of the first security checksum, the first random number, and the encrypted data. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該亂數產生單元設置於一主機(host)內。 The data security system for encrypting according to claim 12, wherein the random number generating unit is disposed in a host. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該亂數產生單元設置於一資料載體(data carrier)內。 The data security system for encrypting as described in claim 12, wherein the random number generating unit is disposed in a data carrier. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該金鑰產生單元係藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)獲得該第一金鑰。 The data security system for encrypting according to claim 12, wherein the key generation unit is by a many-to-one algorithm or a one-to-one algorithm (one -to-one algorithm) Obtain the first key. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該金鑰產生單元根據一互斥或邏輯運算(exclusive-OR)或一線性函數演算法(linear function algorithm)獲得該第一金鑰。 The data security system for encrypting according to claim 12, wherein the key generation unit obtains the first according to an exclusive or OR operation or a linear function algorithm. A key. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該加解密單元根據該第一金鑰及一預定碼(predetermined number),獲得該第一安全核對和。 The data security system for encrypting according to claim 12, wherein the encryption and decryption unit obtains the first security checksum according to the first key and a predetermined number. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該加解密單元藉由一多對一演算法或一一對一演算法獲得該第一安全核對和。 The data security system for encrypting according to claim 12, wherein the encryption and decryption unit obtains the first security checksum by a many-to-one algorithm or a one-to-one algorithm. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該儲存單元儲存一預定字元(bytes)數之該第一安全核對和。 The data security system for encrypting according to claim 12, wherein the storage unit stores the first security checksum of a predetermined number of bytes. 如申請專利範圍第12項所述之用以加密之資料安全系統,其中該金鑰產生單元根據一暫存碼(temporary number)及該第一亂數獲得該第一金鑰,該金鑰產生單元根據該第一個人識別碼獲得該暫存碼。 The data security system for encrypting according to claim 12, wherein the key generation unit obtains the first key according to a temporary number and the first random number, and the key is generated. The unit obtains the temporary storage code according to the first personal identification code. 如申請專利範圍第12項所述之用以加密之資料安全系統,更用以解密已加密之該資料,其中該輸入單元更用以獲得一第二個人識別碼;該金鑰產生單元更用以根據該第二個人識別碼及該第一亂數獲得一第二金鑰;以及該加解密單元更用以根據該第二金鑰獲得一第二安全核對和、判斷部份之該第二安全核對和是否相同於已儲存之該第一安全核對和,若部份之該第二安全核對和相同於已儲存之部份之該第一安全核對和,則根據該第二金鑰,解密已加密之該資料。 The data security system for encrypting, as described in claim 12, is further used for decrypting the encrypted data, wherein the input unit is further used to obtain a second personal identification number; the key generating unit is further used. Obtaining a second key according to the second personal identification code and the first random number; and the encrypting and decrypting unit is further configured to obtain a second security checksum according to the second key, and determine the second part Whether the security check is the same as the stored first security checksum, and if part of the second security check and the first security checksum that is the same as the stored part, decrypt the second key according to the second key The data has been encrypted. 如申請專利範圍第12項所述之用以加密之資料安全系統,更用以變更該第一個人識別碼,其中該輸入單元更用以獲得一第三個人識別碼;以及該亂數產生單元更用以根據該第一個人識別碼、該第三個人識別碼及該第一亂數,獲得一第二亂數,以取代該第一亂數。 The data security system for encrypting as described in claim 12, further for changing the first personal identification number, wherein the input unit is further used to obtain a third personal identification number; and the random number generating unit is further And a second random number is obtained according to the first personal identification code, the third personal identification number, and the first random number to replace the first random number. 一種資料載體(data carrier),用以儲存與加密一資料,該資料載體包括:一輸入單元(inputting unit),用以輸入一第一個人識別碼(personal identification number); 一亂數產生單元(random number generating unit),用以產生一第一亂數(random number);一金鑰產生單元(key generating unit),用以根據該第一個人識別碼及該第一亂數,獲得一第一金鑰(key);一加解密單元(crypto unit),用以根據該第一金鑰獲得一第一安全核對和(secure checksum)並用以根據該第一金鑰加密(encrypting)該資料;以及一儲存單元(storage unit),用以儲存該第一亂數(random number)、部份之該第一安全核對和及已加密之該資料。 A data carrier for storing and encrypting a data, the data carrier comprising: an inputting unit for inputting a first personal identification number; a random number generating unit for generating a first random number; a key generating unit for using the first personal identification code and the first random number Obtaining a first key; a crypto unit for obtaining a first secure checksum according to the first key and for encrypting according to the first key (encrypting) And the storage unit; and the storage unit for storing the first random number, the portion of the first security check, and the encrypted data. 如申請專利範圍第23項所述之資料載體,其中該第一亂數係藉由一主機(host)所產生。 The data carrier of claim 23, wherein the first random number is generated by a host. 如申請專利範圍第23項所述之資料載體,其中該第一亂數係藉由該資料載體所產生。 The data carrier of claim 23, wherein the first random number is generated by the data carrier. 如申請專利範圍第23項所述之資料載體,其中該第一金鑰係藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)所獲得。 The data carrier of claim 23, wherein the first key is by a many-to-one algorithm or a one-to-one algorithm ) obtained. 如申請專利範圍第23項所述之資料載體,其中該第一金鑰係藉由一互斥或邏輯運算(exclusive-OR)或一線性函數演算法(linear function algorithm)所獲得。 The data carrier of claim 23, wherein the first key is obtained by a mutual exclusion or an exclusive-OR or a linear function algorithm. 如申請專利範圍第23項所述之資料載體,其中該加解密單元係藉由該第一金鑰及一預定碼(predetermined number)獲得該第一安全核對和。 The data carrier of claim 23, wherein the encryption and decryption unit obtains the first security checksum by the first key and a predetermined number. 如申請專利範圍第23項所述之資料載體,其中該加解密單元藉由一多對一演算法或一一對一演算法獲得該第一安全核對和。 The data carrier of claim 23, wherein the encryption and decryption unit obtains the first security checksum by a many-to-one algorithm or a one-to-one algorithm. 如申請專利範圍第23項所述之資料載體,其中該儲存單元儲存一預定字元(bytes)數之該第一安全核對和。 The data carrier of claim 23, wherein the storage unit stores the first security checksum of a predetermined number of bytes. 如申請專利範圍第23項所述之資料載體,其中該第一金鑰係根據一暫存碼(temporary number)及該第一亂數所獲得,該暫存碼係根據該第一個人識別碼所獲得。 The data carrier of claim 23, wherein the first key is obtained according to a temporary number and a first random number, the temporary code is according to the first personal identification code obtain. 如申請專利範圍第23項所述之資料載體,更用以解密已加密之該資料,其中該加解密單元更用以根據一第二金鑰獲得一第二安全核對和、判斷部份之該第二安全核對和是否相同於已儲存之該第一安全核對和,以及若部份之該第二安全核對和相同於已儲存之部份之該第一安全核對和,則根據該第二金鑰,解密已加密之該資料;以及該第二金鑰係根據一第二個人識別碼及該第一亂數所獲得。 The data carrier as described in claim 23, further for decrypting the encrypted data, wherein the encryption and decryption unit is further configured to obtain a second security checksum according to a second key, and determine the portion Whether the second security check is the same as the stored first security checksum, and if the second security check and the first secure checksum of the stored portion are the same, according to the second gold Key, decrypting the encrypted data; and the second key is obtained according to a second personal identification number and the first random number. 如申請專利範圍第23項所述之資料載體,更用以變更該第一個人識別碼,其中該亂數產生單元更用以根據該第一個人識別碼、一第三個人識別碼及該第一亂數,獲得一第二亂數;以及該儲存單元更用以儲存該第二亂數,以取代該第一亂數。 The data carrier according to claim 23, wherein the first personal identification code is further used, wherein the random number generating unit is further configured to use the first personal identification code, a third personal identification number, and the first mess. And obtaining a second random number; and the storage unit is further configured to store the second random number to replace the first random number. 一種用以認證之資料安全系統(data securing system), 包括:一輸入單元(inputting unit),用以輸入一第一個人識別碼(personal identification number);一亂數產生單元(random number generating unit),用以產生一第一亂數(random number);一金鑰產生單元(key generating unit),用以根據該第一個人識別碼及該第一亂數,獲得一第一金鑰(key);一加解密單元(crypto unit),用以根據該第一金鑰進行一認證程序;以及一儲存單元(storage unit),用以儲存該第一亂數;其中,該輸入單元更用以獲得一第三個人識別碼;以及該亂數產生單元更用以根據該第一個人識別碼、該第三個人識別碼及該第一亂數,獲得一第二亂數,以取代該第一亂數。 A data securing system for authentication, The method includes: an input unit (inputting unit) for inputting a first personal identification number; a random number generating unit for generating a first random number; a key generating unit, configured to obtain a first key according to the first personal identification number and the first random number; a crypto unit for receiving the first key The key performs an authentication process; and a storage unit for storing the first random number; wherein the input unit is further used to obtain a third personal identification number; and the random number generating unit is further used And according to the first personal identification code, the third personal identification number, and the first random number, a second random number is obtained to replace the first random number. 如申請專利範圍第34項所述之用以認證之資料安全系統,其中該亂數產生單元設置於一主機(host)內。 The data security system for authentication according to claim 34, wherein the random number generating unit is disposed in a host. 如申請專利範圍第34項所述之用以認證之資料安全系統,其中該亂數產生單元設置於一資料載體(data carrier)內。 The data security system for authentication as described in claim 34, wherein the random number generating unit is disposed in a data carrier. 如申請專利範圍第34項所述之用以認證之資料安全系統,其中該金鑰產生單元係藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)獲得該第一金鑰。 A data security system for authentication as described in claim 34, wherein the key generation unit is by a many-to-one algorithm or a one-to-one algorithm (one -to-one algorithm) Obtain the first key. 如申請專利範圍第34項所述之用以認證之資料安全系 統,其中該金鑰產生單元根據一互斥或邏輯運算(exclusive-OR)或一線性函數演算法(linear function algorithm)獲得該第一金鑰。 The data security system for certification as described in claim 34 The key generation unit obtains the first key according to a mutual exclusion or an exclusive-OR or a linear function algorithm. 如申請專利範圍第34項所述之用以認證之資料安全系統,其中該金鑰產生單元根據一暫存碼(temporary number)及該第一亂數獲得該第一金鑰,該金鑰產生單元根據該第一個人識別碼獲得該暫存碼。 The data security system for authentication according to claim 34, wherein the key generation unit obtains the first key according to a temporary number and the first random number, and the key is generated. The unit obtains the temporary storage code according to the first personal identification code. 如申請專利範圍第34項所述之用以認證之資料安全系統,其中該第一金鑰作為認證或加解密使用。 The data security system for authentication as described in claim 34, wherein the first key is used for authentication or encryption and decryption.
TW102149392A 2013-12-31 2013-12-31 Data securing method, data securing system for encryption or authentication and data carrier TWI526036B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102149392A TWI526036B (en) 2013-12-31 2013-12-31 Data securing method, data securing system for encryption or authentication and data carrier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW102149392A TWI526036B (en) 2013-12-31 2013-12-31 Data securing method, data securing system for encryption or authentication and data carrier

Publications (2)

Publication Number Publication Date
TW201526592A TW201526592A (en) 2015-07-01
TWI526036B true TWI526036B (en) 2016-03-11

Family

ID=54197877

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102149392A TWI526036B (en) 2013-12-31 2013-12-31 Data securing method, data securing system for encryption or authentication and data carrier

Country Status (1)

Country Link
TW (1) TWI526036B (en)

Also Published As

Publication number Publication date
TW201526592A (en) 2015-07-01

Similar Documents

Publication Publication Date Title
JP7257561B2 (en) computer-implemented method, host computer, computer-readable medium
US10237064B2 (en) Using everyday objects as cryptographic keys
US10616215B1 (en) Virtual smart card to perform security-critical operations
WO2021114891A1 (en) Key encryption method and decryption method, and, data encryption method and decryption method
CN102156843B (en) Data encryption method and system as well as data decryption method
US11115394B2 (en) Methods and systems for encrypting data for a web application
CN103427983A (en) Apparatus and method for content encryption and decryption based on storage device ID
US20150242332A1 (en) Self-encrypting flash drive
CN111316596B (en) Encryption chip with identity verification function
GB2556638A (en) Protecting usage of key store content
JP2016519544A5 (en)
KR102460069B1 (en) Security certification apparatus using biometric information and security certification method
US9432186B2 (en) Password-based key derivation without changing key
KR102028151B1 (en) Encryption method and system using authorization key of device
US8769301B2 (en) Product authentication based upon a hyperelliptic curve equation and a curve pairing function
US10642962B2 (en) Licensable function for securing stored data
JP4684714B2 (en) File management system and program
KR101485968B1 (en) Method for accessing to encoded files
CN113826096A (en) User authentication and signature apparatus and method using user biometric identification data
TWI526036B (en) Data securing method, data securing system for encryption or authentication and data carrier
JP2013171581A (en) Recording device and method for performing access to recording device
JP2018006896A (en) Terminal registration method and terminal registration system
JP2007150780A (en) Enciphering method, apparatus and program
CN104778421A (en) Data securing encryption method, data securing system used for encryption or authentication, and data carrier
US20080104414A1 (en) Apparatus And Method For Decryption, Electronic Apparatus And Method For Inputting Password Encryption, And Electronic System With A Password