TWI526036B - Data securing method, data securing system for encryption or authentication and data carrier - Google Patents
Data securing method, data securing system for encryption or authentication and data carrier Download PDFInfo
- Publication number
- TWI526036B TWI526036B TW102149392A TW102149392A TWI526036B TW I526036 B TWI526036 B TW I526036B TW 102149392 A TW102149392 A TW 102149392A TW 102149392 A TW102149392 A TW 102149392A TW I526036 B TWI526036 B TW I526036B
- Authority
- TW
- Taiwan
- Prior art keywords
- key
- random number
- data
- security
- personal identification
- Prior art date
Links
Description
本發明是有關於一種資料處理方法、資料處理系統及資料載體,且特別是有關於一種資料安全加密方法、用以加密或認證之資料安全系統及資料載體。 The present invention relates to a data processing method, a data processing system, and a data carrier, and more particularly to a data security encryption method, a data security system and a data carrier for encryption or authentication.
隨著科技的發展,各種數位資料可以儲存於儲存裝置中。人們可能會儲存或傳輸機密資料於儲存裝置中。一旦儲存裝置遺失時,機密資料可能會被竊取。 With the development of technology, various digital materials can be stored in storage devices. People may store or transmit confidential information in storage devices. Once the storage device is lost, confidential information may be stolen.
資訊安全變得越來越重要。儲存裝置可以已加密之資料來作儲存,而不儲存原始資料,保障資訊被竊取之安全。如果某人想要取出原始資料,他必須以金鑰來解密已加密之資料。 一旦駭客竊取到金鑰,駭客可以輕易地取出原始資料。目前網路與手機軟體應用充斥,若金鑰藏於軟體內或非揮發性記憶體當中,駭客或開發者均能夠竊取金鑰。因此,如何確保金鑰不被竊 取是資訊安全技術的一項大挑戰。 Information security is becoming more and more important. The storage device can store the encrypted data without storing the original data, thereby ensuring the security of the information being stolen. If someone wants to retrieve the original material, he must decrypt the encrypted data with a key. Once the hacker steals the key, the hacker can easily retrieve the original data. Currently, Internet and mobile software applications are flooded. If the key is hidden in software or non-volatile memory, the hacker or developer can steal the key. So how to ensure that the key is not stolen It is a big challenge for information security technology.
本發明係有關於一種資料安全加密方法、用以加密或認證之資料安全系統及資料載體。個人識別碼(personal identification number)及金鑰(key)未儲存於資料載體。即使駭客取得資料載體,他仍然無法竊取到個人識別碼及金鑰。因此,對於應用在資料安全系統及資料載體上而言,已加密之資料不會被駭客所解密,對於資料安全認證方法而言,駭客也無法認證通過。 The present invention relates to a data security encryption method, a data security system for encrypting or authenticating, and a data carrier. The personal identification number and key are not stored in the data carrier. Even if the hacker gets the data carrier, he still can't steal the PIN and the key. Therefore, for data security systems and data carriers, the encrypted data will not be decrypted by the hacker. For the data security authentication method, the hacker cannot pass the authentication.
根據本發明之第一方面,提出一種資料安全加密方法。資料安全加密方法包括一加密程序,用以加密一資料或進行一認證程序(Authentication Procedure)。加密程序包括以下步驟。 獲得一第一個人識別碼。產生一第一亂數。根據個人識別碼及第一亂數,獲得一第一金鑰。根據第一金鑰,獲得一第一安全核對和。儲存第一亂數及部份之第一安全核對和。根據第一金鑰,加密資料或進行認證程序。 According to a first aspect of the present invention, a data security encryption method is presented. The data security encryption method includes an encryption program for encrypting a material or performing an Authentication Procedure. The encryption program includes the following steps. Obtain a first PIN. Generate a first random number. A first key is obtained based on the personal identification number and the first random number. According to the first key, a first security checksum is obtained. Store the first random number and part of the first security checksum. Encrypt data or perform an authentication procedure based on the first key.
根據本發明之第二方面,提供一種用以加密之資料安全系統(data securing system)。資料安全系統包括一輸入單元(inputting unit)、一亂數產生單元(random number generating unit)、一金鑰產生單元(key generating unit)、一加解密單元(crypto unit)及一儲存單元(storage unit)。輸入單元用以輸入 一第一個人識別碼(personal identification number)。亂數產生單元用以產生一第一亂數(random number)。金鑰產生單元用以根據第一個人識別碼及第一亂數,獲得一第一金鑰(key)。加解密單元用以根據第一金鑰獲得一第一安全核對和(secure checksum)並用以根據第一金鑰加密(encrypting)一資料。儲存單元用以儲存部份之第一安全核對和、第一亂數及已加密之資料。 According to a second aspect of the present invention, a data securing system for encryption is provided. The data security system includes an input unit, a random number generating unit, a key generating unit, a crypto unit, and a storage unit. ). Input unit for input A first personal identification number. The random number generating unit is configured to generate a first random number. The key generation unit is configured to obtain a first key according to the first personal identification code and the first random number. The encryption and decryption unit is configured to obtain a first secure checksum according to the first key and to encrypt a data according to the first key. The storage unit is configured to store a portion of the first security checksum, the first random number, and the encrypted data.
根據本發明之第三方面,提供一種資料載體(data carrier)。資料載體用以儲存與加密一資料。一第一安全核對和(secure checksum)係根據一第一金鑰(key)而獲得,並且資料根據第一金鑰而加密(encrypt)。資料載體包括一儲存單元(storage unit)。加解密單元用以根據一第一金鑰(key)獲得一第一安全核對和(secure checksum),並用以根據第一金鑰加密(encrypting)資料。儲存單元用以儲存一第一亂數(random number)、部份之第一安全核對和及已加密之資料。第一金鑰係根據一第一個人識別碼(personal identification number)及第一亂數所獲得。 According to a third aspect of the present invention, a data carrier (data) is provided Carrier). The data carrier is used to store and encrypt a data. A first secure checksum is obtained based on a first key, and the data is encrypted according to the first key. The data carrier includes a storage unit. The encryption and decryption unit is configured to obtain a first security checksum according to a first key, and to encrypt the data according to the first key. The storage unit is configured to store a first random number, a partial first security check, and an encrypted data. The first key is obtained based on a first personal identification number and a first random number.
根據本發明之第四方面,提供一種用以認證之資料安全系統(data securing system)。資料安全系統包括一輸入單元(inputting unit)、一亂數產生單元(random number generating unit)、一金鑰產生單元(key generating unit)、一加解密單元(crypto unit)及一儲存單元(storage unit)。輸入單元用以輸入一第一個人識別碼(personal identification number)。亂數產生單 元用以產生一第一亂數(random number)。金鑰產生單元用以根據第一個人識別碼及第一亂數,獲得一第一金鑰(key)。加解密單元用以根據第一金鑰進行一認證程序。儲存單元用以儲存第一亂數。 According to a fourth aspect of the present invention, a data securing system for authentication is provided. The data security system includes an input unit, a random number generating unit, a key generating unit, a crypto unit, and a storage unit. ). The input unit is configured to input a first personal identification number. Random number generation The element is used to generate a first random number. The key generation unit is configured to obtain a first key according to the first personal identification code and the first random number. The encryption and decryption unit is configured to perform an authentication procedure according to the first key. The storage unit is configured to store the first random number.
為了對本發明之上述及其他方面有更佳的瞭解,下文特舉較佳實施例,並配合所附圖式,作詳細說明如下: In order to better understand the above and other aspects of the present invention, the preferred embodiments are described below, and in conjunction with the drawings, the detailed description is as follows:
110‧‧‧輸入單元 110‧‧‧Input unit
120‧‧‧亂數產生單元 120‧‧‧ random number generating unit
130‧‧‧金鑰產生單元 130‧‧‧Key Generation Unit
140‧‧‧加解密單元 140‧‧‧Addition and decryption unit
150‧‧‧儲存單元 150‧‧‧storage unit
200、200’‧‧‧主機 200, 200’‧‧‧ host
210‧‧‧近距離無線通訊安全元件 210‧‧‧Short-range wireless communication security components
300、300’‧‧‧資料載體 300, 300’ ‧ ‧ data carrier
310‧‧‧控制器 310‧‧‧ Controller
1000、1000’、1000”‧‧‧資料安全系統 1000, 1000’, 1000” ‧‧‧ data security system
AD‧‧‧欲認證資訊 AD‧‧‧ wants to certify information
AD’‧‧‧已加密之認證資訊 AD’‧‧‧ Encrypted Certification Information
D‧‧‧原始之資料 D‧‧‧ original information
D’‧‧‧已加密之資料 D’‧‧‧Encrypted material
KEY1‧‧‧第一金鑰 KEY1‧‧‧ first key
KEY2‧‧‧第二金鑰 KEY2‧‧‧ second key
PIN1‧‧‧第一個人識別碼 PIN1‧‧‧first PIN
PIN2‧‧‧第二個人識別碼 PIN2‧‧‧Second Personal Identification Number
PIN3‧‧‧第三個人識別碼 PIN3‧‧‧ third PIN
PN‧‧‧預定碼 PN‧‧‧ booking code
RN1‧‧‧第一亂數 RN1‧‧‧ first random number
RN2‧‧‧第二亂數 RN2‧‧‧Second chaos
S201~S206、S501~S505、S701~S703‧‧‧流程步驟 S201~S206, S501~S505, S701~S703‧‧‧ process steps
SC1‧‧‧第一安全核對和 SC1‧‧‧ first safety check and
SC2‧‧‧第二安全核對和 SC2‧‧‧Second safety check and
TN‧‧‧暫存碼 TN‧‧‧ temporary storage code
第1A圖繪示資料安全系統之示意圖。 Figure 1A shows a schematic diagram of a data security system.
第1B圖繪示資料安全系統之另一示意圖。 Figure 1B depicts another schematic of a data security system.
第1C圖繪示資料安全系統之另一示意圖。 Figure 1C depicts another schematic diagram of a data security system.
第2圖繪示資料安全加密方法之加密程序的流程圖。 Figure 2 is a flow chart showing the encryption procedure of the data security encryption method.
第3圖繪示第2圖之邏輯圖。 Figure 3 is a diagram showing the logic of Figure 2.
第4圖繪示第3圖之另一實施例。 Fig. 4 is a view showing another embodiment of Fig. 3.
第5圖繪示資料安全加密方法之解密程序的流程圖。 Figure 5 is a flow chart showing the decryption procedure of the data security encryption method.
第6圖繪示第5圖之邏輯圖。 Figure 6 is a diagram showing the logic diagram of Figure 5.
第7圖繪示資料安全加密方法之個人識別碼變更程序之流程。圖 Figure 7 shows the flow of the personal identification code change procedure of the data security encryption method. Figure
第8圖繪示第7圖之邏輯圖。 Figure 8 is a diagram showing the logic diagram of Figure 7.
以下係提出各種實施例進行詳細說明,個人識別碼 (personal identification number)及金鑰(key)未儲存於資料載 體。即使駭客取得資料載體,仍無法得知個人識別碼或金鑰。因此,已加密之資料不會被駭客所解密。然而,實施例僅用以作為範例說明,並不會限縮本發明欲保護之範圍。此外,實施例中之圖式係省略部份元件,以清楚顯示本發明之技術特點。 The following is a detailed description of various embodiments, personal identification code (personal identification number) and key (key) are not stored in the information body. Even if the hacker obtains the data carrier, the PIN or key cannot be known. Therefore, the encrypted data will not be decrypted by the hacker. However, the examples are for illustrative purposes only and are not intended to limit the scope of the invention. Further, the drawings in the embodiments are omitted to partially illustrate the technical features of the present invention.
請參照第1A圖,其繪示資料安全系統(data securing system)1000之示意圖。資料安全系統1000用以加密(encrypting)一資料或解密(decrypting)已加密之資料。資料安全系統1000包括一輸入單元(inputting unit)110、一亂數產生單元(random number generating unit)120、一金鑰產生單元(key generating unit)130、一加解密單元(crypto unit)140及一儲存單元(storage unit)150。 Please refer to Figure 1A, which shows the data security system. System) 1000 schematic diagram. The data security system 1000 is used to encrypt a data or decrypt the encrypted data. The data security system 1000 includes an input unit 110, a random number generating unit 120, a key generating unit 130, a crypto unit 140, and a A storage unit 150.
輸入單元110用以由使用者輸入各種資料或資訊。 舉例來說,輸入單元110可以是一觸控面板、一鍵盤、一掃描器、連接於一輸入裝置之一傳輸線、或具有輸入各種資料之功能的電路。 The input unit 110 is configured to input various materials or information by the user. For example, the input unit 110 can be a touch panel, a keyboard, a scanner, a transmission line connected to one of the input devices, or a circuit having a function of inputting various materials.
亂數產生單元120用以產生一亂數。舉例來說,亂數產生單元120可以是一晶片、具有韌體之一電路板、儲存數組程式碼之一儲存媒體、或具有產生亂數功能之電路。 The random number generating unit 120 is configured to generate a random number. For example, the random number generating unit 120 may be a chip, a circuit board having a firmware, a storage medium storing one of the array codes, or a circuit having a function of generating random numbers.
金鑰產生單元130用以藉由一演算法來獲得一金鑰。舉例來說,金鑰產生單元130可以是一晶片、具有韌體之電路板、儲存數組程式碼之一儲存媒體、或具有獲得金鑰之功能的 電路。 The key generation unit 130 is configured to obtain a key by an algorithm. For example, the key generation unit 130 may be a chip, a board with a firmware, a storage medium storing one of the array codes, or having a function of obtaining a key. Circuit.
加解密單元140用以加密、解密或驗證資料。加解密單元140用第一金鑰KEY1進行一認證程序,如終端與使用者端,或手機APP與NFC SE端進行認證確認第一金鑰KEY1是否正確。舉例來說,加解密單元140可以是一晶片、具有韌體之一電路板、儲存數組程式碼之一儲存媒體、或具有加密、解密或驗證資料功能之電路。 The encryption and decryption unit 140 is used to encrypt, decrypt or verify data. The encryption/decryption unit 140 performs an authentication procedure using the first key KEY1, such as the terminal and the user end, or the mobile APP and the NFC SE end to perform authentication to confirm whether the first key KEY1 is correct. For example, the encryption and decryption unit 140 can be a chip, a circuit board having a firmware, a storage medium storing one of the array codes, or a circuit having the functions of encrypting, decrypting, or verifying data.
儲存單元150用以儲存各種資料。舉例來說,儲存單元150可以是一記憶體、一暫存器、或一硬碟。 The storage unit 150 is configured to store various materials. For example, the storage unit 150 can be a memory, a scratchpad, or a hard disk.
在第1A圖中,輸入單元110及亂數產生單元120可設置於一主機(host)200內或一資料載體(data carrier)300之一控制器310內。金鑰產生單元130、加解密單元140可設置於資料載體300之控制器310內,且儲存單元150可儲存於資料載體300內。舉例來說,主機200可以是一智慧型手機、一平板電腦、一桌上型電腦、或一伺服器電腦。資料載體300可以是一USB隨身碟、一隨身硬碟、或一記憶卡。 In FIG. 1A, the input unit 110 and the random number generating unit 120 may be disposed in a host 200 or in a controller 310 of a data carrier 300. The key generation unit 130 and the encryption and decryption unit 140 may be disposed in the controller 310 of the data carrier 300, and the storage unit 150 may be stored in the data carrier 300. For example, the host 200 can be a smart phone, a tablet, a desktop computer, or a server computer. The data carrier 300 can be a USB flash drive, a portable hard drive, or a memory card.
請參照第1B圖,其繪示資料安全系統1000’之另一示意圖。在另一實施例中,輸入單元110、亂數產生單元120、金鑰產生單元130及加解密單元140可設置於主機200’內。儲存單元150設置於資料載體300’內。也就是說,輸入單元110、亂數產生單元120、金鑰產生單元130及加解密單元140可以設置於主機(如第1A圖之主機200)或資料載體(如第1B圖之資 料載體300’)。 Please refer to FIG. 1B, which shows another schematic diagram of the data security system 1000'. In another embodiment, the input unit 110, the random number generating unit 120, the key generating unit 130, and the encryption and decryption unit 140 may be disposed in the host 200'. The storage unit 150 is disposed within the data carrier 300'. That is, the input unit 110, the random number generating unit 120, the key generating unit 130, and the encryption and decryption unit 140 may be disposed on a host (such as the host 200 in FIG. 1A) or a data carrier (such as the first FIG. Material carrier 300').
請參照第1C圖,其繪示資料安全系統1000”之另一示意圖。在另一實施例中,亂數產生單元120、金鑰產生單元130、加解密單元140與儲存單元150可以設置於一近距離無線通訊(NCF)安全元件(SE)210內。 Please refer to FIG. 1C, which illustrates another schematic diagram of the data security system 1000. In another embodiment, the random number generating unit 120, the key generating unit 130, the encryption and decryption unit 140, and the storage unit 150 may be disposed in one. Near Field Communication (NCF) Secure Element (SE) 210.
本發明並不侷限於第1A~1C圖。舉例來說,加解密單元140可以設置於資料載體300、300’或主機200、200’。加解密單元140所執行之演算法並不侷限儲存於加解密單元140所在之裝置。加解密單元140所執行之演算法可以儲存於主機200、200’或資料載體300、300’。 The present invention is not limited to the first to third embodiments. For example, the encryption and decryption unit 140 can be disposed on the data carrier 300, 300' or the host 200, 200'. The algorithm executed by the encryption/decryption unit 140 is not limited to the device stored in the encryption/decryption unit 140. The algorithm executed by the encryption and decryption unit 140 can be stored in the host 200, 200' or the data carrier 300, 300'.
在另一方面,金鑰產生單元130所執行之演算法並不局限儲存於金鑰產生單元130所在之裝置。金鑰產生單元130所執行之演算法可以儲存於主機200、200’或資料載體300、300’。 On the other hand, the algorithm executed by the key generation unit 130 is not limited to the device in which the key generation unit 130 is located. The algorithm executed by the key generation unit 130 can be stored in the host 200, 200' or the data carrier 300, 300'.
資料安全系統1000、1000’、1000”之上述元件可以透過一資料安全加密方法來做詳細描述。資料安全加密方法包括一加密程序(encryption procedure)、一解密程序(decryption procedure)及一個人識別碼變更程序(personal identification number changing procedure)。 The above components of the data security system 1000, 1000', 1000" can be described in detail by a data security encryption method. The data security encryption method includes an encryption procedure, a decryption procedure, and a person identification code change. Personal identification number changing procedure.
請參照第2圖及第3圖,第2圖繪示資料安全加密方法之加密程序的流程圖,第3圖繪示第2圖之邏輯圖。在步驟S201中,輸入單元110從使用者獲得一第一個人識別碼(personal identification number)PIN1。第一個人識別碼PIN1可以由按鍵輸入、點選螢幕上之動態虛擬鍵盤、掃描一維條碼或二維條碼等方式來輸入。舉例來說,第一個人識別碼PIN1例如是「0x3132333435363738393a3b3c3d3e3f30」。 Please refer to FIG. 2 and FIG. 3, FIG. 2 is a flow chart showing an encryption program of the data security encryption method, and FIG. 3 is a logic diagram of FIG. In step S201, the input unit 110 obtains a first personal identification code (personal) from the user. Identification number) PIN1. The first personal identification number PIN1 can be input by means of key input, clicking a dynamic virtual keyboard on the screen, scanning a one-dimensional barcode or a two-dimensional barcode. For example, the first personal identification number PIN1 is, for example, "0x3132333435363738393a3b3c3d3e3f30".
在步驟S202,亂數產生單元120產生一第一亂數(random number)RN1。第一亂數RN1可以儲存於資料載體300、300’之儲存單元150或儲存於主機200、200’之非揮發記體。 舉例來說,第一亂數RN1例如是「0xC4F87A6290AEE1ACFC1F26083974CE94」。在步驟S202中,第一亂數RN1可以藉由第1A圖之主機200或資料載體300來產生。 In step S202, the random number generating unit 120 generates a first random number RN1. The first random number RN1 may be stored in the storage unit 150 of the data carrier 300, 300' or the non-volatile record stored in the host 200, 200'. For example, the first random number RN1 is, for example, "0xC4F87A6290AEE1ACFC1F26083974CE94". In step S202, the first random number RN1 can be generated by the host 200 of FIG. 1A or the data carrier 300.
在步驟S203中,金鑰產生單元130根據第一個人識別碼PIN1及第一亂數RN1獲得第一金鑰KEY1。在步驟S203中,第一金鑰KEY1可以藉由一多對一演算法(many-to-one algorithm)或一一對一演算法(one-to-one algorithm)來獲得。 多對一演算法可以是一互斥或邏輯運算(exclusive-OR)。一對一演算法可以是一線性函數演算法(linear function algorithm)。以互斥或邏輯運算為例,第一金鑰KEY1可以藉由下列方程式(1)來獲得。經過計算,第一金鑰KEY1為「0xF5CA4956A598D694C5251D34044AF1A4」。 In step S203, the key generation unit 130 obtains the first key KEY1 based on the first personal identification code PIN1 and the first random number RN1. In step S203, the first key KEY1 can be obtained by a many-to-one algorithm or a one-to-one algorithm. The many-to-one algorithm can be a mutually exclusive or exclusive-OR. The one-to-one algorithm can be a linear function algorithm. Taking a mutually exclusive or logical operation as an example, the first key KEY1 can be obtained by the following equation (1). After calculation, the first key KEY1 is "0xF5CA4956A598D694C5251D34044AF1A4".
PIN1⊕RN1=KEY1………………………………(1) PIN1⊕RN1=KEY1..............................(1)
在步驟S204中,加解密單元140根據第一金鑰 KEY1獲得一第一安全核對和(secure checksum)SC1。在步驟S204中,第一安全核對和SC1可以根據第一金鑰KEY1及一預定碼(predetermined number)PN(例如是「0X00…00」)來獲得。 第一安全核對和SC1可以藉由多對一演算法或一對一演算法來獲得。舉例來說,第一安全核對和SC1可以藉由一Hash演算法、一對稱加密演算法、一非對稱加密演算法、或一CRC32演算法來獲得。舉例來說,第一安全核對和SC1可以藉由方程式(2)之AES128加密演算法來獲得。經過計算,第一安全核對和SC1為「0xED56716F3B78D8741758ED0B34E3A2DD」。 In step S204, the encryption and decryption unit 140 is based on the first key. KEY1 obtains a first secure checksum (SC1). In step S204, the first security check and SC1 may be obtained according to the first key KEY1 and a predetermined number PN (for example, "0X00...00"). The first security check and SC1 can be obtained by a many-to-one algorithm or a one-to-one algorithm. For example, the first security check and SC1 can be obtained by a hash algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, or a CRC32 algorithm. For example, the first security check and SC1 can be obtained by the AES128 encryption algorithm of equation (2). After calculation, the first security check and SC1 are "0xED56716F3B78D8741758ED0B34E3A2DD".
SC1=AES_ENC(KEY1,PN)…………………(2) SC1=AES_ENC(KEY1, PN)........................(2)
在步驟S205中,第一亂數RN1及部份之第一安全核對和SC1儲存於儲存單元150中。在步驟S205中,第一安全核對和SC1的一預定字元(byte)數可以被儲存。舉例來說,第一安全核對和SC1之前8字元「ED56716F3B78D874」被儲存於儲存單元150中。 In step S205, the first random number RN1 and a part of the first security check and SC1 are stored in the storage unit 150. In step S205, the first security check and a predetermined number of bytes of SC1 may be stored. For example, the first security check and the first eight characters "ED56716F3B78D874" of SC1 are stored in the storage unit 150.
在步驟S206中,加解密單元140根據第一金鑰KEY1加密資料D為已加密之資料D’,或者加解密單元140根據第一金鑰KEY1加密一欲認證資訊(Authentication Data)AD為已加密之認證資訊(Authtication Data)AD’。 In step S206, the encryption/decryption unit 140 encrypts the data D into the encrypted data D' according to the first key KEY1, or the encryption/decryption unit 140 encrypts an authentication data AD (Authentication Data) AD according to the first key KEY1. Authentiation Data AD'.
請參照第3圖,第一個人識別碼PIN1及第一金鑰KEY1並未儲存於儲存單元150中。即使駭客取得資料載體300、300’,他仍然無法竊取第一個人識別碼PIN1及第一金鑰KEY1。 因此,已加密之資料D’並不會被駭客所解密。 Referring to FIG. 3, the first personal identification code PIN1 and the first key KEY1 are not stored in the storage unit 150. Even if the hacker obtains the data carrier 300, 300', he cannot steal the first personal identification number PIN1 and the first key KEY1. Therefore, the encrypted material D' is not decrypted by the hacker.
請參照第4圖,其繪示第3圖之另一實施例。在另一實施例中,第一金鑰KEY1可以根據一暫存碼(temporary number)TN及第一亂數RN1來獲得。藉由多對一演算法或一對一演算法,暫存碼TN係根據第一個人識別碼PIN1來獲得。舉例來說,暫存碼TN可以藉由Hash演算法來獲得,或者暫存碼TN也可以直接等於第一個人識別碼PIN1(即為第3圖之實施例)。 Please refer to FIG. 4, which illustrates another embodiment of FIG. In another embodiment, the first key KEY1 can be obtained according to a temporary number TN and a first random number RN1. The temporary storage code TN is obtained based on the first personal identification code PIN1 by a many-to-one algorithm or a one-to-one algorithm. For example, the temporary storage code TN can be obtained by a hash algorithm, or the temporary storage code TN can also be directly equal to the first personal identification code PIN1 (ie, the embodiment of FIG. 3).
請參照第5圖及第6圖,第5圖繪示資料安全加密方法之解密程序的流程圖,第6圖繪示第5圖之邏輯圖。在步驟S501中,輸入單元110從使用者獲得第二個人識別碼PIN2。 Please refer to FIG. 5 and FIG. 6 , FIG. 5 is a flowchart of a decryption program of the data security encryption method, and FIG. 6 is a logic diagram of FIG. 5 . In step S501, the input unit 110 obtains the second personal identification code PIN2 from the user.
在步驟S502,金鑰產生單元130根據第二個人識別碼PIN2及第一亂數RN1獲得一第二金鑰KEY2。在步驟S503中,第二金鑰KEY2可以藉由多對一演算法或一對一演算法來獲得。 多對一演算法例如是一互斥或邏輯運算(exclusive-OR)。一對一演算法例如是一線性函數演算法(linear function algorithm)。以互斥或邏輯運算為例,第二金鑰KEY2可以藉由方程式(3)來獲得。 In step S502, the key generation unit 130 obtains a second key KEY2 according to the second personal identification code PIN2 and the first random number RN1. In step S503, the second key KEY2 can be obtained by a many-to-one algorithm or a one-to-one algorithm. The many-to-one algorithm is, for example, a mutual exclusion or an exclusive-OR. The one-to-one algorithm is, for example, a linear function algorithm. Taking a mutually exclusive or logical operation as an example, the second key KEY2 can be obtained by equation (3).
KEY2=PIN2⊕RN1………………………………(3) KEY2=PIN2⊕RN1..............................(3)
在步驟S503中,加解密單元140根據第二金鑰KEY2獲得一第二安全核對和SC2。在步驟S503中,第二安全核對和SC2可以根據第二金鑰KEY2及步驟S204之預定碼PN(如「0X00…00」)來獲得。第二安全核對和SC2可以藉由多對一演 算法或一對多演算法來獲得。舉例來說,第二安全核對和SC2可以藉由Hash演算法、一對稱加密演算法、一非對稱加密演算法、或一CRC32演算法來獲得。舉例來說,第二安全核對和SC2可以藉由方程式(4)來獲得。 In step S503, the encryption and decryption unit 140 obtains a second security check and SC2 according to the second key KEY2. In step S503, the second security check and SC2 may be obtained according to the second key KEY2 and the predetermined code PN of step S204 (such as "0X00...00"). The second security check and SC2 can be played by many-to-one Algorithm or one-to-many algorithm to get. For example, the second security check and SC2 can be obtained by a hash algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, or a CRC32 algorithm. For example, the second security check and SC2 can be obtained by equation (4).
AES_ENC(KEY2,PN)=SC2……………………(4) AES_ENC(KEY2,PN)=SC2........................(4)
在步驟S504中,加解密單元140判斷部份之第二安全核對和SC2是否相同於已儲存之部份第一安全核對和SC1。若部份之第二安全核對和SC2相同於已儲存之部份第一安全核對和SC1,則進入步驟S505;若部份之第二安全核對和SC2不同於已儲存之部份第一安全核對和SC1,則進入步驟S501。 In step S504, the encryption/decryption unit 140 determines whether part of the second security check and SC2 are the same as the stored partial first security check and SC1. If part of the second security check and SC2 are the same as the stored first security check and SC1, proceed to step S505; if part of the second security check and SC2 are different from the stored first secure check And SC1, then proceeds to step S501.
在步驟S505中,加解密單元140根據第二金鑰KEY2解密已加密之資料D’為原始之資料D。 In step S505, the encryption/decryption unit 140 decrypts the encrypted material D' as the original material D based on the second key KEY2.
請參照第6圖,即使第一個人識別碼PIN1及第一金鑰KEY1沒有儲存於儲存單元150,使用者仍然可以藉由輸入第二個人識別碼PIN2來取出原始的資料D。 Referring to FIG. 6, even if the first personal identification code PIN1 and the first key KEY1 are not stored in the storage unit 150, the user can still retrieve the original data D by inputting the second personal identification number PIN2.
請參照第7圖及第8圖,第7圖繪示資料安全加密方法之個人識別碼變更程序之流程圖,第8圖繪示第7圖之邏輯圖。在步驟S701中,輸入單元110從使用者獲得一第三個人識別碼PIN3。 Please refer to FIG. 7 and FIG. 8 , FIG. 7 is a flowchart of a personal identification code change procedure of the data security encryption method, and FIG. 8 is a logic diagram of FIG. 7 . In step S701, the input unit 110 obtains a third personal identification number PIN3 from the user.
在步驟S702中,金鑰產生單元130根據第一個人識別碼PIN1、第三個人識別碼PIN3及第一亂數RN1獲得一第二亂數RN2。在步驟S203中,請參照方程式(5),藉由一邏輯運算 或一演算法,第一金鑰KEY1可以根據第一個人識別碼PIN1及第一亂數RN1來獲得。在方程式(5)中,符號「@」表示一邏輯運算或一演算法。請參照方程式(5),藉由同樣的邏輯運算或演算法,第一金鑰KEY1也可以根據第三個人識別碼PIN3及第二亂數RN2來獲得。 In step S702, the key generation unit 130 obtains a second random number RN2 according to the first personal identification code PIN1, the third personal identification number PIN3, and the first random number RN1. In step S203, please refer to equation (5), by a logic operation Or an algorithm, the first key KEY1 can be obtained according to the first personal identification code PIN1 and the first random number RN1. In equation (5), the symbol "@" represents a logical operation or an algorithm. Referring to equation (5), the first key KEY1 can also be obtained according to the third personal identification code PIN3 and the second random number RN2 by the same logical operation or algorithm.
KEY1=PIN1@RN1=PIN3@RN2………………(5) KEY1=PIN1@RN1=PIN3@RN2..................(5)
根據方程式(5),第二亂數RN2可以透過方程式(6)來獲得。 According to equation (5), the second random number RN2 can be obtained by equation (6).
RN2=PIN1@RN1@PIN3………………………(6) RN2=PIN1@RN1@PIN3........................(6)
在步驟S703中,將第二亂數RN2儲存於儲存單元150中,以取代第一亂數RN1。接著,使用者可以輸入第三個人識別碼PIN3來取出原始的資料D。 In step S703, the second random number RN2 is stored in the storage unit 150 instead of the first random number RN1. Then, the user can input the third personal identification number PIN3 to retrieve the original data D.
請參照第8圖,當使用者將第一個人識別碼PIN1變更為第三個人識別碼PIN3時,第一金鑰KEY1並未變更。因此,已加密之資料D’無須解密及加密一次。 Referring to FIG. 8, when the user changes the first personal identification number PIN1 to the third personal identification number PIN3, the first key KEY1 is not changed. Therefore, the encrypted material D' does not need to be decrypted and encrypted once.
此外,根據另一方面應用,請參照第1C圖,手機APP調用NFC SE或其他硬體時,利用本方法產生之第一金鑰KEY1可作為與NFC SE或其他硬體認證之金鑰。 In addition, according to another application, please refer to FIG. 1C. When the mobile APP calls NFC SE or other hardware, the first key KEY1 generated by the method can be used as a key to NFC SE or other hardware authentication.
綜上所述,雖然本發明已以較佳實施例揭露如上,然其並非用以限定本發明。本發明所屬技術領域中具有通常知識者,在不脫離本發明之精神和範圍內,當可作各種之更動與潤 飾。因此,本發明之保護範圍當視後附之申請專利範圍所界定者 為準。 In conclusion, the present invention has been disclosed in the above preferred embodiments, and is not intended to limit the present invention. Those skilled in the art to which the invention pertains can make various changes and changes without departing from the spirit and scope of the invention. Decoration. Therefore, the scope of protection of the present invention is defined by the scope of the appended claims. Prevail.
S201~S206‧‧‧流程步驟 S201~S206‧‧‧ Process steps
Claims (40)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW102149392A TWI526036B (en) | 2013-12-31 | 2013-12-31 | Data securing method, data securing system for encryption or authentication and data carrier |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW102149392A TWI526036B (en) | 2013-12-31 | 2013-12-31 | Data securing method, data securing system for encryption or authentication and data carrier |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201526592A TW201526592A (en) | 2015-07-01 |
TWI526036B true TWI526036B (en) | 2016-03-11 |
Family
ID=54197877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW102149392A TWI526036B (en) | 2013-12-31 | 2013-12-31 | Data securing method, data securing system for encryption or authentication and data carrier |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI526036B (en) |
-
2013
- 2013-12-31 TW TW102149392A patent/TWI526036B/en active
Also Published As
Publication number | Publication date |
---|---|
TW201526592A (en) | 2015-07-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7257561B2 (en) | computer-implemented method, host computer, computer-readable medium | |
US10237064B2 (en) | Using everyday objects as cryptographic keys | |
US10616215B1 (en) | Virtual smart card to perform security-critical operations | |
WO2021114891A1 (en) | Key encryption method and decryption method, and, data encryption method and decryption method | |
CN102156843B (en) | Data encryption method and system as well as data decryption method | |
US11115394B2 (en) | Methods and systems for encrypting data for a web application | |
CN103427983A (en) | Apparatus and method for content encryption and decryption based on storage device ID | |
US20150242332A1 (en) | Self-encrypting flash drive | |
CN111316596B (en) | Encryption chip with identity verification function | |
GB2556638A (en) | Protecting usage of key store content | |
JP2016519544A5 (en) | ||
KR102460069B1 (en) | Security certification apparatus using biometric information and security certification method | |
US9432186B2 (en) | Password-based key derivation without changing key | |
KR102028151B1 (en) | Encryption method and system using authorization key of device | |
US8769301B2 (en) | Product authentication based upon a hyperelliptic curve equation and a curve pairing function | |
US10642962B2 (en) | Licensable function for securing stored data | |
JP4684714B2 (en) | File management system and program | |
KR101485968B1 (en) | Method for accessing to encoded files | |
CN113826096A (en) | User authentication and signature apparatus and method using user biometric identification data | |
TWI526036B (en) | Data securing method, data securing system for encryption or authentication and data carrier | |
JP2013171581A (en) | Recording device and method for performing access to recording device | |
JP2018006896A (en) | Terminal registration method and terminal registration system | |
JP2007150780A (en) | Enciphering method, apparatus and program | |
CN104778421A (en) | Data securing encryption method, data securing system used for encryption or authentication, and data carrier | |
US20080104414A1 (en) | Apparatus And Method For Decryption, Electronic Apparatus And Method For Inputting Password Encryption, And Electronic System With A Password |