TWI611316B - Text processing method for safe input method, text processing device and text processing system - Google Patents

Text processing method for safe input method, text processing device and text processing system Download PDF

Info

Publication number
TWI611316B
TWI611316B TW105135989A TW105135989A TWI611316B TW I611316 B TWI611316 B TW I611316B TW 105135989 A TW105135989 A TW 105135989A TW 105135989 A TW105135989 A TW 105135989A TW I611316 B TWI611316 B TW I611316B
Authority
TW
Taiwan
Prior art keywords
security
ciphertext
security domain
symmetric key
text processing
Prior art date
Application number
TW105135989A
Other languages
Chinese (zh)
Other versions
TW201723919A (en
Inventor
楊賢偉
Xian Wei Yang
Original Assignee
國民技術股份有限公司
Nationz Technologies Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 國民技術股份有限公司, Nationz Technologies Inc. filed Critical 國民技術股份有限公司
Publication of TW201723919A publication Critical patent/TW201723919A/en
Application granted granted Critical
Publication of TWI611316B publication Critical patent/TWI611316B/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/38Encryption being effected by mechanical apparatus, e.g. rotating cams, switches, keytape punchers

Abstract

本發明公開了一種安全輸入法的文本處理方法、裝置和系統,其中,所述方法,包括:註冊安全域,獲取所述安全域標識;申請並獲取所述安全域對應的對稱密鑰;使用所述對稱密鑰對使用者輸入的明文進行加密;將加密得到的密文與所述安全域標識一同輸出。 The invention discloses a text processing method, device and system of a secure input method, wherein the method includes: registering a security domain, obtaining the security domain identifier; applying for and obtaining a symmetric key corresponding to the security domain; using The symmetric key encrypts the plain text input by the user; and outputs the encrypted cipher text together with the security domain identifier.

Description

安全輸入法之文本處理方法、文本處理裝置及文本處理系統 Text processing method, text processing device and text processing system for safe input method

本發明系關於訊息安全技術領域,尤其關於一種安全輸入法的文本處理方法、裝置和系統。 The present invention relates to the technical field of information security, and in particular, to a text processing method, device, and system for a secure input method.

隨著移動網際網路的發展,文本通訊成為人們重要的溝通方式,但是智慧設備和傳輸通道本身並不安全,人們的聊天訊息、短訊訊息、電子郵件訊息都面臨被木馬盜取或者駭客攔截的可能,時常出現使用者在網路通訊內容中包含的銀行賬號、登錄密碼等訊息被惡意第三方截獲而給使用者造成重大損失的情況。針對使用者資金安全和隱私訊息會面臨重大威脅的問題。 With the development of the mobile Internet, text communication has become an important way for people to communicate, but smart devices and transmission channels are not secure by themselves. People ’s chat messages, short messages, and email messages are all being stolen by trojans or hackers. The possibility of interception often occurs that users' bank account numbers, login passwords, and other information contained in online communication content are intercepted by malicious third parties and cause significant losses to users. There are major threats to user security and privacy.

目前,有部分通訊軟體,比如微信,會對自身通訊訊息進行加密傳輸,但這種方式只適用於這些特定的通訊軟體之間的訊息傳輸,加解密能力只限定在應用程式內部,比如微信客戶端對微信客戶端,並不能保證智慧設備中通過其他應用程式軟體訊息傳輸的安全,比如安卓系統中的短訊應用程式,並沒有加密功能。此外,在這種方式下,使用者的通訊訊息對通訊軟體運營商來說是可見的,一旦通訊軟體運營商疏於管理,內部員工完全有可能通過非法方式獲取使用者的通訊訊息。且這種方式都是由通訊軟體 以軟體加解密方式實現,很容易被惡意軟體攻克。 At present, some communication software, such as WeChat, encrypts and transmits its own communication messages, but this method is only applicable to the transmission of messages between these specific communication software. The encryption and decryption capabilities are limited to applications, such as WeChat customers. The end-to-end WeChat client does not guarantee the security of message transmission through other application software in smart devices, such as the SMS application in Android system, which does not have encryption function. In addition, in this way, the user's communication information is visible to the communication software operator. Once the communication software operator is neglected in management, it is entirely possible for internal employees to obtain the user's communication information through illegal means. And this way is all by communication software Implemented by software encryption and decryption, it can be easily attacked by malware.

本發明期望提供一種安全輸入法的文本處理方法、裝置和系統,能夠在保證輸入法的文本加解密安全性和使用者使用方便性的前提下,簡化了密鑰管理並保證密鑰儲存和傳輸的安全性。 The present invention hopes to provide a text processing method, device and system for a secure input method, which can simplify key management and ensure key storage and transmission on the premise of ensuring the security of text encryption and decryption of the input method and user convenience. Security.

本發明實施例的技術方案是這樣實現的。 The technical solution of the embodiment of the present invention is implemented in this way.

本發明實施例提供了一種安全輸入法的文本處理方法,該方法包括:註冊安全域,獲取所述安全域標識;申請並獲取所述安全域對應的對稱密鑰;使用所述對稱密鑰對使用者輸入的明文進行加密;將加密得到的密文與所述安全域標識一同輸出。 An embodiment of the present invention provides a text processing method for a secure input method. The method includes: registering a security domain and obtaining the security domain identifier; applying for and obtaining a symmetric key corresponding to the security domain; and using the symmetric key pair The plain text input by the user is encrypted; the encrypted cipher text is output together with the security domain identifier.

上述方案中,所述使用所述對稱密鑰對使用者輸入的明文進行加密包括:每次使用所述對稱密鑰對使用者輸入的明文進行加密時,隨機生成一初始向量,並使用所述初始向量參與密碼運算;相應的,所述將加密得到的密文與所述安全域標識一同輸出包括:將加密得到的密文、所述安全域標識和所述密文對應的初始向量一同輸出。 In the above solution, the encrypting the plain text input by the user using the symmetric key includes: each time the plain text input by the user is encrypted using the symmetric key, randomly generating an initial vector and using the The initial vector participates in the cryptographic operation; correspondingly, outputting the encrypted ciphertext together with the security domain identifier includes outputting the encrypted ciphertext, the security domain identifier, and the initial vector corresponding to the ciphertext together. .

上述方案中,所述方法還包括:獲取密文和該密文對應的第一安全域標識;當所述第一安全域標識與本地的第二安全域標識相同時,使用所述第二對稱密鑰對所述密文進行解密,獲得解密後的明文並輸出;當所述第一安全域標識與所述第二安全域標識不同時,將所述密文發送至安全管理平台,由所述安全管理平台解密密文後再使用所述 第二安全域對應的第二對稱密鑰加密,再由所述安全管理平台將所述第二安全域標識對應的密文返回,之後使用所述第二對稱密鑰解密所述安全管理平台返回的密文,獲得解密後的明文並輸出。 In the above solution, the method further includes: obtaining a ciphertext and a first security domain identifier corresponding to the ciphertext; when the first security domain identifier is the same as a local second security domain identifier, using the second symmetry The key decrypts the ciphertext, obtains the decrypted plaintext, and outputs it; when the first security domain identifier is different from the second security domain identifier, sending the ciphertext to a security management platform, The security management platform decrypts the ciphertext before using the The second symmetric key corresponding to the second security domain is encrypted, and the ciphertext corresponding to the second security domain identifier is returned by the security management platform, and then the second symmetric key is used to decrypt the security management platform and return Ciphertext, get the decrypted plaintext and output.

上述方案中,當存在與密文對應的初始向量時,所述方法還包括:獲取密文和該密文對應的第一安全域標識的同時,還獲取所述密文對應的初始向量;使用所述初始向量參與解密運算。 In the above solution, when there is an initial vector corresponding to the ciphertext, the method further includes: while acquiring the ciphertext and the first security domain identifier corresponding to the ciphertext, also acquiring the initial vector corresponding to the ciphertext; using The initial vector participates in a decryption operation.

上述方案中,所述申請並獲取所述安全域對應的對稱密鑰包括:使用安全硬體對獲取到的對稱密鑰進行簽名驗證。 In the above solution, applying for and obtaining the symmetric key corresponding to the security domain includes: using security hardware to perform signature verification on the obtained symmetric key.

上述方案中,所述方法還包括:使用安全硬體註冊安全域、獲取所述安全域對應的對稱密鑰。 In the above solution, the method further includes: registering a security domain with security hardware, and obtaining a symmetric key corresponding to the security domain.

本發明實施例還提供一種安全輸入法的文本處理裝置,所述裝置包括:安全域註冊模組、對稱密鑰獲取模組、明文加密模組以及密文輸出模組;其中,安全域註冊模組,用於註冊安全域,獲取所述安全域標識;對稱密鑰獲取模組,用於申請並獲取所述安全域對應的對稱密鑰;明文加密模組,用於使用所述對稱密鑰對使用者輸入的明文進行加密;密文輸出模組,用於將加密得到的密文與所述安全域標識一同輸出。 An embodiment of the present invention also provides a text processing device for a secure input method. The device includes: a security domain registration module, a symmetric key acquisition module, a plaintext encryption module, and a ciphertext output module; wherein the security domain registration module A group for registering a security domain and obtaining the security domain identifier; a symmetric key acquisition module for applying for and obtaining a symmetric key corresponding to the security domain; a plaintext encryption module for using the symmetric key The plain text input by the user is encrypted; the cipher text output module is used to output the encrypted cipher text together with the security domain identifier.

上述方案中,所述裝置還包括:密文獲取模組,用於獲取密文和該密文對應的第一安全域標識;同域解密模組,用於當所述第一安全域標識與本地的第二安全域標識 相同時,使用所述第二對稱密鑰對所述密文進行解密,獲得解密後的明文並輸出;異域解密模組,用於當所述第一安全域標識與所述第二安全域標識不同時,將所述密文發送至安全管理平台,由所述安全管理平台解密密文後再使用所述第二對稱密鑰加密,再由所述安全管理平台將所述第二安全域標識對應的密文返回,之後使用所述第二對稱密鑰解密所述安全管理平台返回的密文,獲得解密後的明文並輸出。 In the above solution, the device further includes: a ciphertext acquisition module for acquiring the ciphertext and a first security domain identifier corresponding to the ciphertext; a same domain decryption module for when the first security domain identifier and Local Second Security Domain ID At the same time, the second symmetric key is used to decrypt the ciphertext to obtain the decrypted plaintext and output; the foreign domain decryption module is used to identify the first security domain identifier and the second security domain identifier. At different times, the ciphertext is sent to a security management platform, the ciphertext is decrypted by the security management platform, and then encrypted with the second symmetric key, and the second security domain is identified by the security management platform The corresponding ciphertext is returned, and then the second symmetric key is used to decrypt the ciphertext returned by the security management platform to obtain the decrypted plaintext and output it.

上述方案中,所述裝置還包括:安全硬體,用於使用非對稱密碼算法進行註冊安全域、獲取所述安全域對應的對稱密鑰。 In the above solution, the device further includes security hardware for registering a security domain using an asymmetric cryptographic algorithm and obtaining a symmetric key corresponding to the security domain.

上述方案中,所述安全硬體由智慧卡、聲波卡/Key、藍牙卡/Key、嵌入式安全元件或者智慧可穿戴裝置實現。 In the above solution, the security hardware is implemented by a smart card, a sound wave card / Key, a Bluetooth card / Key, an embedded security element, or a smart wearable device.

本發明實施例提供一種安全輸入法的文本處理系統,該系統包括:上述任意一種安全輸入法的文本處理裝置和安全管理平台;其中,所述安全管理平台,用於創建和管理安全域,為安全輸入法的文本處理裝置分配安全域,向文本處理裝置下發安全域標識和對應的對稱密鑰;並用於將文本處理裝置發送的異域密文轉換為所述文本處理裝置的同域密文後返回。 An embodiment of the present invention provides a text processing system for a secure input method. The system includes the text processing device and a security management platform of any one of the secure input methods described above. The security management platform is used to create and manage a security domain. The text processing device of the secure input method assigns a security domain, and issues a security domain identifier and a corresponding symmetric key to the text processing device; and is used to convert the foreign domain ciphertext sent by the text processing device to the same domain ciphertext of the text processing device. After returning.

本發明技術方案的有益效果在於:利用一種安全輸入法的文本處理裝置,包括:安全域註冊模組、對稱密鑰獲取模組、明文加密模組以及密文輸出模組,通過使用安全 輸入法註冊安全域,獲取所述安全域標識;申請並獲取所述安全域對應的對稱密鑰;使用所述對稱密鑰對使用者輸入的明文進行加密;將加密得到的密文與所述安全域標識一同輸出,能夠在保證輸入法的文本加解密安全性和使用者使用方便性的前提下,簡化了密鑰管理並保證密鑰儲存和傳輸的安全性。 The technical solution of the present invention has the beneficial effect that a text processing device using a secure input method includes a security domain registration module, a symmetric key acquisition module, a plaintext encryption module, and a ciphertext output module. The input method registers a security domain to obtain the security domain identifier; applies for and obtains a symmetric key corresponding to the security domain; uses the symmetric key to encrypt a plain text input by a user; and encrypts the encrypted cipher text with the cipher text The security domain identifier is output together, which can simplify the key management and ensure the security of key storage and transmission on the premise of ensuring the security of the text encryption and decryption of the input method and the convenience of the user.

101-104‧‧‧步驟 101-104‧‧‧step

201-204‧‧‧步驟 201-204‧‧‧ steps

圖1為本發明實施例提供的安全輸入法的文本處理方法的實現流程示意圖。 FIG. 1 is a schematic diagram of an implementation process of a text processing method of a secure input method according to an embodiment of the present invention.

圖2為本發明實施例提供的安全輸入法的文本處理裝置的組成結構示意圖。 FIG. 2 is a schematic structural diagram of a text processing device of a secure input method according to an embodiment of the present invention.

圖3為本發明實施例1的結構示意圖。 FIG. 3 is a schematic structural diagram of Embodiment 1 of the present invention.

為了更清楚地說明本發明實施例和技術方案,下面將結合圖式及實施例對本發明的技術方案進行更詳細的說明,顯然,所描述的實施例是本發明的一部分實施例,而不是全部實施例。基於本發明的實施例,所屬技術領域中具有通常知識者在不逸離本發明精神的前提下所獲得的所有其他實施例,都屬於本發明保護的範圍。 In order to explain the embodiments and technical solutions of the present invention more clearly, the technical solutions of the present invention will be described in more detail with reference to the drawings and the embodiments. Obviously, the described embodiments are part of the present invention, but not all of them. Examples. Based on the embodiments of the present invention, all other embodiments obtained by those with ordinary knowledge in the technical field without departing from the spirit of the present invention belong to the protection scope of the present invention.

在本發明實施例中,系統提供一種安全輸入法,該安全輸入法除了具有普通輸入法的基礎功能以外,還提供安全輸入模式,在安全模式下,在安全輸入法內部對使用者輸入的明文進行加密,主要包括:使用第一編輯區接收使用者輸入的明文;將所述明文交由加解密模組進行加密, 獲取加密後的密文;按照預設規則對所述密文進行格式化,返回格式化密文。而當使用者希望解密密文時,安全輸入法在內部解密後顯示明文,主要包括:接收使用者選定的格式化密文;將所述選定的格式化密文交由所述加解密模組進行解密,獲取解密後明文;顯示所述解密後明文。如此,實現了明文不出輸入法,增加了對使用者輸入訊息的安全保護。 In the embodiment of the present invention, the system provides a secure input method. In addition to the basic functions of the ordinary input method, the secure input method also provides a secure input mode. In the secure mode, the plain text input to the user is performed inside the secure input method. Encryption mainly includes: using the first editing area to receive the plaintext input by the user; passing the plaintext to the encryption and decryption module for encryption, Obtain the encrypted ciphertext; format the ciphertext according to a preset rule, and return the formatted ciphertext. When the user wishes to decrypt the ciphertext, the secure input method displays the plaintext after internal decryption, which mainly includes: receiving the formatted ciphertext selected by the user; and passing the selected formatted ciphertext to the encryption and decryption module. Perform decryption to obtain the decrypted plaintext; and display the decrypted plaintext. In this way, the plain text input method is realized, and the security of the user's input message is increased.

針對這樣的安全輸入法,如何更安全的對安全輸入法的文本進行加密解密處理,是個關鍵問題。為了進一步加強安全輸入法的安全性,本發明實施例提供一種安全輸入法的文本處理系統,該系統包括安全管理平台和安全輸入法的文本處理裝置;其中,所述安全管理平台用於創建和管理安全域,為安全輸入法的文本處理裝置分配安全域,向文本處理裝置下發安全域標識和對應的對稱密鑰;並用於將文本處理裝置發送的異域密文轉換為所述文本處理裝置的同域密文後返回。 Aiming at such a secure input method, how to more securely encrypt and decrypt the text of the secure input method is a key issue. In order to further strengthen the security of the secure input method, an embodiment of the present invention provides a text processing system for a secure input method. The system includes a security management platform and a text processing device for the secure input method. The security management platform is used to create and Manage a security domain, assign a security domain to a text processing device of a secure input method, and issue a security domain identifier and a corresponding symmetric key to the text processing device; and be used to convert foreign domain cipher text sent by the text processing device to the text processing device Returns the same domain ciphertext.

圖1為本發明實施例提供的安全輸入法的文本處理方法的實現流程示意圖,如圖1所示,該方法包括以下步驟。 FIG. 1 is a schematic flowchart of a text processing method of a secure input method provided by an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps.

步驟101,註冊安全域,獲取所述安全域標識;具體的,安全輸入法需要向安全管理平台註冊安全域,獲取自身所在安全域標識。 Step 101: Register a security domain to obtain the security domain identifier. Specifically, the security input method needs to register a security domain with a security management platform to obtain the security domain identifier where the security domain is located.

步驟102,申請並獲取所述安全域對應的對稱密鑰;具體的,安全輸入法申請並獲取所述安全域對應的對稱密鑰;同一安全域中所有安全輸入法使用相同的對稱密鑰。 Step 102: Apply for and obtain a symmetric key corresponding to the security domain; specifically, a secure input method applies for and obtain a symmetric key corresponding to the security domain; all secure input methods in the same security domain use the same symmetric key.

步驟103,使用所述對稱密鑰對使用者輸入的明文進行加密;具體的,安全輸入法通過第一編輯區接收到的明文傳輸至加解密模組,交由加解密模組進行加密。 Step 103: Use the symmetric key to encrypt the plain text input by the user. Specifically, the secure input method transmits the plain text received by the first editing area to the encryption / decryption module, and the encryption / decryption module performs encryption.

進一步的,每次使用所述對稱密鑰對使用者輸入的明文進行加密時,隨機生成一初始向量,並使用所述初始向量參與密碼運算。 Further, each time the plain text input by the user is encrypted using the symmetric key, an initial vector is randomly generated, and the initial vector is used to participate in cryptographic operations.

相應的,所述將加密得到的密文與所述安全域標識一同輸出包括:將加密得到的密文、所述安全域標識和所述密文對應的初始向量一同輸出。 Accordingly, outputting the encrypted ciphertext together with the security domain identifier includes outputting the encrypted ciphertext, the security domain identifier, and an initial vector corresponding to the ciphertext together.

步驟104,將加密得到的密文與所述安全域標識一同輸出;具體的,待加解密模組完成加密後,安全輸入法在從加解密模組獲取加密後的密文;並將加密得到的密文與所述安全域標識一同輸出;使用安全輸入法安全模式輸入的應用程式程式或者使用者,將加密得到的密文與所述安全域標識一同傳輸、保存、複製或刪除。 Step 104: output the encrypted ciphertext together with the security domain identifier. Specifically, after the encryption and decryption module completes encryption, the secure input method obtains the encrypted ciphertext from the encryption and decryption module; The ciphertext is output together with the security domain identifier; an application or user inputted using the secure input method security mode transmits, saves, copies, or deletes the encrypted ciphertext together with the security domain identifier.

當需要對密文進行解密時,所述安全輸入法獲取密文和該密文對應的第一安全域標識。 When the ciphertext needs to be decrypted, the secure input method obtains the ciphertext and the first security domain identifier corresponding to the ciphertext.

當所述第一安全域標識與本地的第二安全域標識相同時,使用所述第二對稱密鑰對所述密文進行解密,獲得解密後的明文並輸出。 When the first security domain identifier is the same as the local second security domain identifier, the ciphertext is decrypted by using the second symmetric key, and the decrypted plaintext is obtained and output.

當所述第一安全域標識與所述第二安全域標識不同時,將所述密文發送至安全管理平台,由所述安全管理平台解密密文後再使用所述第二對稱密鑰加密,再由所述安全管理平台將所述第二安全域標識對應的密文返回,之後 使用所述第二對稱密鑰解密所述安全管理平台返回的密文,獲得解密後的明文並輸出。 When the first security domain identifier is different from the second security domain identifier, the ciphertext is sent to a security management platform, the ciphertext is decrypted by the security management platform, and then encrypted by using the second symmetric key , And then the security management platform returns the ciphertext corresponding to the second security domain identifier, and thereafter Use the second symmetric key to decrypt the ciphertext returned by the security management platform, obtain the decrypted plaintext, and output.

進一步的,當存在與密文對應的初始向量時,即在加密時有初始向量參與密碼運算,則所述安全輸入法獲取密文和該密文對應的第一安全域標識的同時,還獲取所述密文對應的初始向量;使用所述初始向量參與解密運算。 Further, when there is an initial vector corresponding to the ciphertext, that is, an initial vector participates in the cryptographic operation during encryption, the secure input method obtains the ciphertext and the first security domain identifier corresponding to the ciphertext, and also acquires An initial vector corresponding to the ciphertext; using the initial vector to participate in a decryption operation.

進一步的,所述申請並獲取所述安全域對應的對稱密鑰包括:使用安全硬體對獲取到的對稱密鑰進行簽名驗證。 Further, applying for and obtaining the symmetric key corresponding to the security domain includes: using security hardware to perform signature verification on the obtained symmetric key.

進一步的,所述安全輸入法使用安全硬體註冊安全域、獲取所述安全域對應的對稱密鑰。 Further, the secure input method uses secure hardware to register a secure domain and obtain a symmetric key corresponding to the secure domain.

使用上述實施例提供的安全輸入法的文本處理方法,在保證輸入法的文本加解密安全性和使用者使用方便性的前提下,簡化了密鑰管理並保證密鑰儲存和傳輸的安全性。 The text processing method using the secure input method provided by the above embodiments simplifies key management and guarantees security of key storage and transmission on the premise of ensuring the security of text encryption and decryption of the input method and user convenience.

圖2是本發明實施例提供的安全輸入法的文本處理裝置的組成結構示意圖,如圖2所示,該文本處理裝置包括:安全域註冊模組201、對稱密鑰獲取模組202、明文加密模組203以及密文輸出模組203。 FIG. 2 is a schematic structural diagram of a structure of a text processing device of a secure input method according to an embodiment of the present invention. As shown in FIG. 2, the text processing device includes a security domain registration module 201, a symmetric key acquisition module 202, and plaintext encryption. Module 203 and ciphertext output module 203.

其中,安全域註冊模組201,用於註冊安全域,獲取所述安全域標識。 The security domain registration module 201 is configured to register a security domain and obtain the security domain identifier.

對稱密鑰獲取模組202,用於申請並獲取所述安全域對應的對稱密鑰。 The symmetric key obtaining module 202 is configured to apply for and obtain a symmetric key corresponding to the security domain.

明文加密模組203,用於使用所述對稱密鑰對使用者輸入的明文進行加密。 The plaintext encryption module 203 is configured to use the symmetric key to encrypt the plaintext input by the user.

密文輸出模組204,用於將加密得到的密文與所述安 全域標識一同輸出。 The ciphertext output module 204 is configured to combine the encrypted ciphertext with the security The global ID is output together.

進一步的,所述裝置還包括:密文獲取模組,用於獲取密文和該密文對應的第一安全域標識。 Further, the device further includes: a ciphertext acquisition module, configured to acquire the ciphertext and a first security domain identifier corresponding to the ciphertext.

同域解密模組,用於當所述第一安全域標識與本地的第二安全域標識相同時,使用所述第二對稱密鑰對所述密文進行解密,獲得解密後的明文並輸出。 The same domain decryption module is used to decrypt the ciphertext using the second symmetric key when the first security domain identifier is the same as the local second security domain identifier, obtain the decrypted plaintext, and output .

異域解密模組,用於當所述第一安全域標識與所述第二安全域標識不同時,將所述密文發送至安全管理平台,由所述安全管理平台解密密文後再使用所述第二對稱密鑰識加密,再由所述安全管理平台將所述第二安全域標識對應的密文返回,之後使用所述第二對稱密鑰解密所述安全管理平台返回的密文,獲得解密後的明文並輸出。 A foreign domain decryption module is configured to send the ciphertext to a security management platform when the first security domain identifier is different from the second security domain identifier, and the security management platform decrypts the ciphertext before using the ciphertext. The second symmetric key is encrypted, and the security management platform returns the ciphertext corresponding to the second security domain identifier, and then uses the second symmetric key to decrypt the ciphertext returned by the security management platform, Obtain the decrypted plaintext and output it.

進一步的,所述裝置還包括:安全硬體,用於使用非對稱密碼算法進行註冊安全域、獲取所述安全域對應的對稱密鑰。 Further, the device further includes: security hardware for registering a security domain using an asymmetric cryptographic algorithm, and acquiring a symmetric key corresponding to the security domain.

進一步的,所述安全硬體由智慧卡、聲波卡/Key、藍牙卡/Key、嵌入式安全元件或者智慧可穿戴裝置實現。 Further, the security hardware is implemented by a smart card, a sound wave card / Key, a Bluetooth card / Key, an embedded security element, or a smart wearable device.

這裏,所述智慧卡可以是SIM(Subscriber Identity Module客戶識別模組)卡或SD卡(Secure Digital Memory Card,安全數位記憶卡)等,智慧可穿戴裝置可以是智慧手環、智慧手錶等。而SIM卡可以是標準SIM卡、USIM(Universal Subscriber Identity Module,全球使用者識別)卡、UIM(User Identify Module,使用者識別模組)卡、MicroSIM卡、NanoSIM卡等各種形態和尺寸的通訊卡。 SD卡可以是標準SD卡、miniSD卡等各種形態和尺寸的安全資料卡。 Here, the smart card may be a SIM (Subscriber Identity Module) card or an SD card (Secure Digital Memory Card). The smart wearable device may be a smart bracelet, a smart watch, or the like. The SIM card can be a standard SIM card, a USIM (Universal Subscriber Identity Module) card, a UIM (User Identify Module) card, a MicroSIM card, a NanoSIM card, and other forms and sizes of communication cards. . SD cards can be secure data cards of various forms and sizes, such as standard SD cards, miniSD cards.

具體來說,當安全硬體由智慧卡實現時,加密和解密過程由智慧卡中的安全芯片完成。 Specifically, when the security hardware is implemented by a smart card, the encryption and decryption processes are completed by the security chip in the smart card.

進一步的,為了更好的保證輸入法的安全性,對於使用對稱算法對文本的加密解密過程也可以由上述安全硬體來完成。 Further, in order to better ensure the security of the input method, the process of encrypting and decrypting text using a symmetric algorithm can also be completed by the aforementioned security hardware.

這裏,上述非對稱密碼算法包括但不限於RSA、ECC、SM2、SM9等非對稱密碼算法,上述對稱密碼算法包括但不限於3DES、AES、SM1、SM4、SM7等對稱密碼算法。 Here, the aforementioned asymmetric cryptographic algorithm includes, but is not limited to, asymmetric cryptographic algorithms such as RSA, ECC, SM2, and SM9, and the aforementioned symmetric cryptographic algorithm includes, but is not limited to, 3DES, AES, SM1, SM4, and SM7 symmetrical cipher algorithms.

上述各個模組及各個單元在實際應用程式中,均可由位於安全輸入法的文本處理裝置的中央處理器(CPU)、微處理器(MPU)、數位訊號處理器(DSP)、或現場可編程閘陣列(FPGA)實現。 Each of the above modules and units can be implemented by a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP), or field programmable in a text processing device located in a secure input method. Gate Array (FPGA) implementation.

本發明還提供一種安全輸入法的文本處理系統,該系統包括上述任一項所述的安全輸入法的文本處理裝置和安全管理平台。 The invention also provides a text processing system for a secure input method, which includes a text processing device and a security management platform for the secure input method according to any one of the above.

其中,所述安全管理平台,用於創建和管理安全域,為安全輸入法的文本處理裝置分配安全域,向文本處理裝置下發安全域標識和對應的對稱密鑰;並用於將文本處理裝置發送的異域密文轉換為所述文本處理裝置的同域密文後返回。 The security management platform is used to create and manage a security domain, assign a security domain to a text processing device of a secure input method, and issue a security domain identifier and a corresponding symmetric key to the text processing device; and use the text processing device The sent foreign domain ciphertext is converted into the same domain ciphertext of the text processing device and returned.

這裏,所述安全管理平台可以是獨立運行的服務器平台,也可以是運行於業務系統服務器上的一項系統管理服 務功能。 Here, the security management platform may be an independent server platform or a system management server running on a business system server. Service function.

實施例1: Example 1:

圖式3為本發明實施例1的結構示意圖,如圖3所示,所述安全輸入法包括基本功能和密鑰管理組成。基本功能承接了使用者與所有應用程式進行文本輸入的入口,並調用安全硬體裝置完成所述安全輸入法的文本加密、解密功能。與傳統輸入法不同的是,安全輸入法會緩存使用者編輯的文本,等到使用者確認文本正確之後,觸發加密輸出按鈕,調用安全硬體裝置功能進行加密,並把密文輸出到目標應用程式的輸入框中。 FIG. 3 is a schematic structural diagram of Embodiment 1 of the present invention. As shown in FIG. 3, the secure input method includes basic functions and key management. The basic functions accept the user's entry of text input with all applications, and call the secure hardware device to complete the text encryption and decryption functions of the secure input method. Different from the traditional input method, the secure input method caches the text edited by the user. After the user confirms that the text is correct, the encrypted output button is triggered, the function of the secure hardware device is called for encryption, and the cipher text is output to the target application. Input box.

此外,基本功能負責識別剪貼板應用程式中的輸入法密文並在使用者黏貼時進行自動解密;密鑰管理分別與系統平台和安全硬體裝置互動,完成密鑰管理相關功能。 In addition, the basic function is responsible for identifying the input method ciphertext in the clipboard application and automatically decrypting it when the user pastes it; key management interacts with the system platform and the security hardware device to complete key management related functions.

安全硬體裝置是具有唯一標識(ID)和具有對稱與非對稱加解密能力的硬體模組,並具有產生真隨機數、生成和儲存對稱與非對稱密鑰的功能。 The secure hardware device is a hardware module with a unique identification (ID) and symmetric and asymmetric encryption and decryption capabilities, and has the functions of generating true random numbers, generating and storing symmetric and asymmetric keys.

安全管理平台負責維護和管理安全輸入法安全硬體裝置及其相關密鑰。如維護安全硬體裝置註冊訊息,接收和保存安全硬體裝置上傳的公鑰TermPubKey,生成所述對稱密鑰K,使用安全硬體裝置的公鑰TermPubKey加密所述對稱密鑰K後,下發給安全硬體裝置。 The security management platform is responsible for maintaining and managing the secure input method security hardware device and its related keys. For example, maintaining the registration information of the secure hardware device, receiving and saving the public key TermPubKey uploaded by the secure hardware device, generating the symmetric key K, using the public key TermPubKey of the secure hardware device to encrypt the symmetric key K, and then issuing the symmetric key K Give security hardware.

所述用於安全輸入法的密鑰管理方法和系統,其密鑰管理的基本工作過程包括三個方面:安全硬體裝置註冊、輸入法密鑰申請(密鑰的產生與注入)、輸入法加解密(密 鑰的使用)。 The key management method and system for the secure input method, the basic working process of the key management includes three aspects: registration of the secure hardware device, input method key application (key generation and injection), input method Encryption and decryption Use of keys).

具體說明如下。 The details are as follows.

安全硬體裝置註冊。 Security hardware device registration.

安全硬體裝置註冊包括,利用安全硬體裝置生成公私鑰對(TermPubKey/TermPrvKey),將私鑰TermPrvKey保存在安全硬體裝置內,將安全硬體裝置標識ID與其公鑰TermPubKey一起,通過安全通道發送給安全管理平台進行註冊,安全管理平台負責維護和管理安全輸入法安全硬體裝置訊息(如ID、TermPubKey等),並將所述安全硬體裝置歸屬到一個指定的安全域(以DID標識該安全域),同一安全域中所有安全硬體裝置使用相同的密鑰K,不同安全域中的安全硬體裝置使用不同的密鑰K。所述安全通道可以是在安全硬體裝置的生產階段或發行階段使用的專用系統、專用工具、虛擬專用網路(VPN)等。 Security hardware device registration includes generating a public-private key pair (TermPubKey / TermPrvKey) using the security hardware device, storing the private key TermPrvKey in the security hardware device, and passing the security hardware device identification ID and its public key TermPubKey through a secure channel Sent to a security management platform for registration. The security management platform is responsible for maintaining and managing the security input method security hardware device information (such as ID, TermPubKey, etc.), and assigning the security hardware device to a designated security domain (identified by DID The security domain), all security hardware devices in the same security domain use the same key K, and security hardware devices in different security domains use different keys K. The secure channel may be a dedicated system, a dedicated tool, a virtual private network (VPN), or the like used in the production or distribution phase of the secure hardware device.

除了註冊階段創建和分配的安全域,也可以在應用程式需要的任何時候,由安全管理平台為安全硬體裝置創建一個或多個新的安全域,同一安全域中所有安全硬體裝置使用相同的密鑰K,不同安全域中的安全硬體裝置使用不同的密鑰K。 In addition to the security domains created and assigned during the registration phase, the security management platform can also create one or more new security domains for security hardware devices whenever the application requires them. All security hardware devices in the same security domain use the same Key K, the security hardware devices in different security domains use different keys K.

輸入法密鑰申請(密鑰的產生與注入) Input method key application (key generation and injection)

(1)安全硬體裝置採用自己的私鑰TermPrvKey對安全硬體裝置標識ID進行簽名,然後將ID和簽名一起,通過密鑰管理子模組發送給安全管理平台。 (1) The security hardware device uses its own private key TermPrvKey to sign the security hardware device identification ID, and then sends the ID and signature together to the security management platform through the key management submodule.

(2)安全管理平台認證安全硬體裝置的合法性,生成 和下發安全輸入法加密密鑰K (2) The security management platform authenticates the legality of the security hardware device and generates And issued a secure input method encryption key K

安全管理平台檢查安全硬體裝置ID是否已在安全管理平台上註冊,若已註冊則採用其對應的TermPubKey對ID簽名進行驗證,如果已註冊且ID簽名驗證通過,則安全硬體裝置認證通過。 The security management platform checks whether the security hardware device ID is registered on the security management platform. If it is registered, the corresponding TermPubKey is used to verify the ID signature. If it is registered and the ID signature verification is passed, the security hardware device authentication is passed.

安全管理平台生成對稱加密密鑰K,並將密鑰K與申請密鑰的安全硬體裝置的相關訊息(ID、TermPubKey)進行關聯,即,為該安全硬體裝置分配一個與其安全域對應的對稱密鑰K。所述對稱密鑰K,可由安全管理平台臨時或事先產生和保存,在安全輸入法的安全硬體裝置進行密鑰申請時,安全管理平台為其分配密鑰K。 The security management platform generates a symmetric encryption key K, and associates the key K with the relevant information (ID, TermPubKey) of the security hardware device that applied for the key, that is, assigns a corresponding security domain to the security hardware device. Symmetric key K. The symmetric key K may be generated and stored temporarily or in advance by the security management platform. When the security hardware device of the secure input method applies for a key, the security management platform allocates the key K to it.

安全管理平台使用TermPubKey作為密鑰對K進行非對稱加密運算得到K的密文K’,然後將K’發送給安全硬體裝置,進一步的,安全管理平台使用自己的私鑰PlatPrvKey對K’進行簽名,然後將K’和K’的簽名一起發送給安全硬體裝置。 The security management platform uses TermPubKey as the key to perform an asymmetric encryption operation on K to obtain K's ciphertext K ', and then sends K' to the secure hardware device. Further, the security management platform uses its own private key, PlatPrvKey, to perform K's Sign and then send K 'and K's signature to the secure hardware device.

(3)輸入法密鑰注入 (3) Input method key injection

輸入法密鑰管理子模組將接收到的K’傳遞給安全硬體裝置,安全硬體裝置使用自己的私鑰TermPrvKey對接收到的密文K’進行非對稱解密運算得到密鑰K,安全硬體裝置保存密鑰K;或者,輸入法密鑰管理子模組將接收到的K’和K’的簽名一起傳遞給安全硬體裝置,安全硬體裝置首先使用安全管理平台的公鑰PlatPubKey對K’的簽名進行驗證,若驗證通過,則說明K’為管理平台所簽發,然 後安全硬體裝置再使用自己的私鑰TermPrvKey對接收到的密文K’進行非對稱解密運算得到密鑰K,安全硬體裝置保存密鑰K。 The input method key management sub-module passes the received K 'to the secure hardware device. The secure hardware device uses its own private key TermPrvKey to perform an asymmetric decryption operation on the received cipher text K' to obtain the key K, which is secure. The hardware device saves the key K; or, the input method key management submodule passes the received K 'and K' signatures to the secure hardware device. The secure hardware device first uses the public key of the security management platform PlatPubKey Verify K's signature. If the verification is successful, it means that K 'was issued by the management platform. The security hardware device then uses its own private key TermPrvKey to perform an asymmetric decryption operation on the received ciphertext K 'to obtain the key K, and the security hardware device stores the key K.

輸入法加解密(密鑰的使用) Input method encryption and decryption (use of keys)

完成密鑰配置後,安全輸入法就可以使用安全硬體裝置中的密鑰K對輸入法處理的文本進行加解密操作了。 After the key configuration is completed, the secure input method can use the key K in the secure hardware device to encrypt and decrypt the text processed by the input method.

安全輸入法中的安全硬體裝置使用自己的密鑰K對輸入法處理的文本進行加密操作。 The secure hardware device in the secure input method uses its own key K to encrypt the text processed by the input method.

進一步的,安全輸入法中的安全硬體裝置在使用自己的密鑰K對輸入法處理的文本進行加密操作時,還使用一個初始向量IV參與密碼運算,使得安全輸入法對相同文本每次加密的結果都不相同,進一步提高文本的安全性。所述初始向量IV由安全硬體裝置產生的真隨機數構成,與密文綁定在一起,隨密文資料一起傳輸、保存、複製或刪除。 Further, when the secure hardware device in the secure input method uses its own key K to encrypt the text processed by the input method, it also uses an initial vector IV to participate in the cryptographic operation, so that the secure input method encrypts the same text each time. The results are all different, further improving the security of the text. The initial vector IV is composed of a true random number generated by a secure hardware device, is bound to the ciphertext, and is transmitted, saved, copied, or deleted along with the ciphertext data.

進一步的,除IV外,隨密文資料一起傳輸、保存、複製或删除的,還包括安全硬體裝置所在安全域的標識DID。 Further, in addition to the IV, the DID that is transmitted, saved, copied, or deleted with the ciphertext data also includes the identification DID of the security domain where the security hardware device is located.

安全輸入法中的安全硬體裝置進行解密時,若判斷密文所帶安全域標識DID與本安全域標識相同,說明該密文是本安全域的安全硬體裝置所產生的,則安全輸入法通過安全硬體裝置使用自己的密鑰K解密得到明文;否則,當安全輸入法進行解密時,若判斷密文所帶安全域標識(記為DIDb)與本安全域標識(記為DIDa)不同,說明該密 文(記為Cb)是由非本安全域的安全硬體裝置所產生的,則安全輸入法通過密鑰管理子模組將密文Cb提交給安全管理平台,安全管理平台使用該密文Cb所屬安全域DIDb的密鑰(記為Kb)進行解密得到明文(記為P),然後使用安全域DIDa的密鑰Ka對明文P進行加密,得到密文Ca,最後把加密得到的密文Ca返回給安全輸入法,安全輸入法再通過安全硬體裝置使用自己的密鑰Ka解密得到明文P。 When the secure hardware device in the secure input method performs decryption, if it is determined that the security domain identifier DID carried in the ciphertext is the same as the security domain identifier, it means that the ciphertext was generated by the security hardware device of the security domain, and the security input The plaintext can be obtained through decryption by the secure hardware device using its own key K; otherwise, when the secure input method is used for decryption, if the security domain identifier (denoted as DIDb) carried by the ciphertext and the security domain identifier (denoted as DIDa) are determined Different, indicating the secret The text (referred to as Cb) is generated by a secure hardware device that is not in the security domain. The secure input method submits the ciphertext Cb to the security management platform through the key management submodule, and the security management platform uses the ciphertext Cb. Decrypt the key of the security domain DIDb (denoted as Kb) to obtain the plaintext (denoted as P), and then use the key of the security domain DIDa to encrypt the plaintext P to obtain the ciphertext Ca, and finally encrypt the encrypted ciphertext Ca Return to the secure input method. The secure input method then decrypts the plaintext P through the secure hardware device using its own key Ka.

進一步的,安全管理平台在使用安全域DIDa的密鑰Ka對明文P進行加密得到密文Ca時,還使用一個初始向量IV2參與密碼運算,使得安全管理平台對相同明文P每次加密的結果都不相同,進一步提高文本的安全性。所述初始向量IV2由安全管理平台或者與安全管理平台連接的可信硬體產生的真隨機數構成,與密文Ca綁定在一起,隨密文資料Ca一起返回給安全輸入法,安全輸入法再通過安全硬體裝置使用自己的密鑰Ka解密得到明文P。 Further, when the security management platform encrypts the plaintext P using the key Ka of the security domain DIDa to obtain the ciphertext Ca, it also uses an initial vector IV2 to participate in the cryptographic operation, so that the security management platform encrypts the same plaintext P every time. Not the same, further improving the security of the text. The initial vector IV2 is composed of a true random number generated by the security management platform or trusted hardware connected to the security management platform, and is bound to the ciphertext Ca, and is returned to the secure input method along with the ciphertext data Ca. The secure input The method then decrypts the plaintext P by the security hardware device using its own key Ka.

本實施例的安全輸入法的文本處理裝置的各個模組對應執行上述安全輸入法的文本處理方法實施例所描述的步驟,因此具有相同的有益效果。另外,應該理解到,以上所描述的文本處理裝置的實施方式僅僅是示意性的,所描述模組的劃分,僅僅為一種邏輯功能劃分,實際實現時可以有另外的劃分方式。另外,模組相互之間的耦合或通訊連接可以是通過一些介面,也可以是電性或其它的形式。 Each module of the text processing device of the secure input method in this embodiment corresponds to the steps described in the text processing method embodiment of the secure input method, and therefore has the same beneficial effects. In addition, it should be understood that the implementation of the text processing device described above is only schematic, and the division of the described modules is only a logical function division, and there may be another division manner in actual implementation. In addition, the coupling or communication connection between the modules may be through some interfaces, and may also be electrical or other forms.

上述各個功能模組作為文本處理裝置的組成部分,可 以是或者也可以不是物理框,既可以位於一個地方,也可以分布到多個網路單元上,既可以採用硬體的形式實現,也可以採用軟體功能框的形式實現。可以根據實際的需要選擇其中的部分或者全部模組來實現本發明方案的目的。 Each of the above functional modules, as a component of a text processing device, can It may or may not be a physical frame, may be located in one place, or may be distributed on multiple network units, and may be implemented in the form of hardware or in the form of a software functional frame. Some or all of the modules can be selected according to actual needs to achieve the objective of the solution of the present invention.

所屬技術領域中具有通常知識者應明白,本發明的實施例可提供為方法、系統、或電腦程式產品。因此,本發明可採用硬體實施例、軟體實施例、或結合軟體和硬體方面的實施例的形式。而且,本發明可採用在一個或多個其中包含有電腦可用程式代碼的電腦可用儲存介質(包括但不限於磁碟儲存器和光學儲存器等)上實施的電腦程式產品的形式。 Those with ordinary knowledge in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, optical storage, etc.) containing computer-usable program code therein.

本發明是參照根據本發明實施例的方法、設備(系統)、和電腦程式產品的流程圖和/或方框圖來描述的。應理解可由電腦程式指令實現流程圖和/或方框圖中的每一流程和/或方框、以及流程圖和/或方框圖中的流程和/或方框的結合。可提供這些電腦程式指令到通用電腦、專用電腦、嵌入式處理機或其他可編程資料處理設備的處理器以產生一個機器,使得通過電腦或其他可編程資料處理設備的處理器執行的指令產生用於實現在流程圖一個流程或多個流程和/或方框圖一個方框或多個方框中指定的功能的裝置。 The present invention is described with reference to flowcharts and / or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and / or block in the flowchart and / or block diagram, and a combination of the process and / or block in the flowchart and / or block diagram may be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to generate a machine, so that the instructions generated by the processor of the computer or other programmable data processing device can be used to generate instructions. Means for implementing the functions specified in one or more flowcharts and / or one or more blocks of the block diagrams.

這些電腦程式指令也可儲存在能引導電腦或其他可編程資料處理設備以特定方式工作的電腦可讀儲存器中,使得儲存在該電腦可讀儲存器中的指令產生包括指令裝置的 製造品,該指令裝置實現在流程圖一個流程或多個流程和/或方框圖一個方框或多個方框中指定的功能。 These computer program instructions can also be stored in a computer-readable storage that can guide a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable storage generate instructions including the instruction device. An article of manufacture, the instruction device implements a function specified in a flow chart or flow and / or a block diagram or blocks.

這些電腦程式指令也可裝載到電腦或其他可編程資料處理設備上,使得在電腦或其他可編程設備上執行一系列操作步驟以產生電腦實現的處理,從而在電腦或其他可編程設備上執行的指令提供用於實現在流程圖一個流程或多個流程和/或方框圖一個方框或多個方框中指定的功能的步驟。 These computer program instructions can also be loaded on a computer or other programmable data processing device, so that a series of operating steps can be performed on the computer or other programmable device to generate a computer-implemented process, which can be executed on the computer or other programmable device. The instructions provide steps for implementing the functions specified in one or more flowcharts and / or one or more blocks of the block diagrams.

再次說明,以上所述僅為本發明的實施例,並非因此限制本發明的專利範圍,凡是利用本發明說明書及圖式內容所作的等效結構或等效流程變換,例如各實施例之間技術特徵的相互結合,或直接或間接運用在其他相關的技術領域,均同理包括在本發明的專利保護範圍內。 Once again, the above description is only an embodiment of the present invention, and does not limit the patent scope of the present invention. Any equivalent structure or equivalent process transformation made by using the description and drawings of the present invention, such as the technology between the embodiments The combination of features, or direct or indirect use in other related technical fields, is also included in the scope of patent protection of the present invention.

101-104‧‧‧步驟 101-104‧‧‧step

Claims (9)

一種安全輸入法的文本處理方法,包括:註冊安全域,獲取安全域標識;申請並獲取該安全域對應的對稱密鑰;使用該對稱密鑰對使用者輸入的明文進行加密;將加密得到的密文與該安全域標識一同輸出;獲取密文及該密文對應的第一安全域標識;當該第一安全域標識與本地的第二安全域標識相同時,使用該第二對稱密鑰對該密文進行解密,獲得解密後的明文並輸出;當該第一安全域標識與該第二安全域標識不同時,將該密文發送至安全管理平台,由該安全管理平台解密該密文後再使用該第二安全域對應的該第二對稱密鑰加密,再由該安全管理平台將該第二安全域標識對應的密文返回,之後使用該第二對稱密鑰解密該安全管理平台返回的密文,獲得解密後的明文並輸出。 A text processing method for a secure input method includes: registering a security domain and obtaining a security domain identifier; applying for and obtaining a symmetric key corresponding to the security domain; using the symmetric key to encrypt a plain text input by a user; The ciphertext is output together with the security domain identifier; the ciphertext and the first security domain identifier corresponding to the ciphertext are obtained; when the first security domain identifier is the same as the local second security domain identifier, the second symmetric key is used Decrypt the ciphertext, obtain the decrypted plaintext, and output; when the first security domain identifier is different from the second security domain identifier, send the ciphertext to a security management platform, and the security management platform decrypts the ciphertext After that, the second symmetric key corresponding to the second security domain is used for encryption, and the ciphertext corresponding to the second security domain identifier is returned by the security management platform, and then the second symmetric key is used to decrypt the security management. The ciphertext returned by the platform, the decrypted plaintext is obtained and output. 如請求項1所記載的文本處理方法,其中該使用該對稱密鑰對使用者輸入的明文進行加密包括:每次使用該對稱密鑰對使用者輸入的明文進行加密時,隨機生成初始向量,並使用該初始向量參與密碼運算;相應的,將該加密得到的密文與該安全域標識一同輸出包括: 將該加密得到的密文、該安全域標識及該密文對應的該初始向量一同輸出。 The text processing method described in claim 1, wherein the encrypting the plaintext input by the user using the symmetric key includes: each time the plaintext input by the user is encrypted using the symmetric key, an initial vector is randomly generated, And use the initial vector to participate in cryptographic operations; correspondingly, the output of the encrypted ciphertext along with the security domain identifier includes: The encrypted ciphertext, the security domain identifier, and the initial vector corresponding to the ciphertext are output together. 如請求項1所記載的文本處理方法,其中當存在與密文對應的初始向量時,該方法還包括:獲取密文及該密文對應的第一安全域標識的同時,還獲取該密文對應的初始向量;使用該初始向量參與解密運算。 The text processing method described in claim 1, wherein when an initial vector corresponding to the ciphertext exists, the method further includes: acquiring the ciphertext and the first security domain identifier corresponding to the ciphertext, and also acquiring the ciphertext The corresponding initial vector; use this initial vector to participate in the decryption operation. 如請求項1所記載的文本處理方法,其中該申請並獲取該安全域對應的對稱密鑰包括:使用安全硬體對獲取到的對稱密鑰進行簽名驗證。 The text processing method as described in claim 1, wherein applying for and obtaining the symmetric key corresponding to the security domain includes: using security hardware to perform signature verification on the obtained symmetric key. 如請求項1所記載的文本處理方法,其中該方法還包括:使用安全硬體註冊安全域並獲取該安全域對應的對稱密鑰。 The text processing method as described in claim 1, wherein the method further comprises: registering a security domain with security hardware and obtaining a symmetric key corresponding to the security domain. 一種安全輸入法的文本處理裝置,包括:安全域註冊模組、對稱密鑰獲取模組、明文加密模組以及密文輸出模組;其中,安全域註冊模組,用於註冊安全域,獲取該安全域標識;對稱密鑰獲取模組,用於申請並獲取該安全域對應的對稱密鑰;明文加密模組,用於使用該對稱密鑰對使用者輸入的明文進行加密; 密文輸出模組,用於將加密得到的密文與該安全域標識一同輸出;密文獲取模組,用於獲取密文及該密文對應的第一安全域標識;同域解密模組,用於當該第一安全域標識與本地的第二安全域標識相同時,使用該第二對稱密鑰對該密文進行解密,獲得解密後的明文並輸出;異域解密模組,用於當該第一安全域標識與該第二安全域標識不同時,將該密文發送至安全管理平台,由該安全管理平台解密該密文後再使用該第二對稱密鑰加密,再由該安全管理平台將該第二安全域標識對應的密文返回,之後使用該第二對稱密鑰解密該安全管理平台返回的該密文,獲得解密後的明文並輸出。 A text processing device for a secure input method includes a security domain registration module, a symmetric key acquisition module, a plaintext encryption module, and a ciphertext output module; wherein the security domain registration module is used to register a security domain and obtain The security domain identifier; a symmetric key acquisition module for applying for and obtaining the symmetric key corresponding to the security domain; a plaintext encryption module for using the symmetric key to encrypt the plaintext entered by the user; The ciphertext output module is used to output the encrypted ciphertext together with the security domain identifier; the ciphertext acquisition module is used to acquire the ciphertext and the first security domain identifier corresponding to the ciphertext; the same domain decryption module For decrypting the ciphertext using the second symmetric key when the first security domain identifier is the same as the local second security domain identifier, obtaining the decrypted plaintext and outputting it; the foreign domain decryption module is used for When the first security domain identifier is different from the second security domain identifier, the ciphertext is sent to a security management platform, the ciphertext is decrypted by the security management platform, and then encrypted by the second symmetric key, and then the The security management platform returns the ciphertext corresponding to the second security domain identifier, and then uses the second symmetric key to decrypt the ciphertext returned by the security management platform, obtains the decrypted plain text, and outputs it. 如請求項6所記載的文本處理裝置,其中該裝置還包括:安全硬體,用於使用非對稱密碼算法進行註冊安全域、獲取該安全域對應的對稱密鑰。 The text processing apparatus according to claim 6, wherein the apparatus further includes: security hardware, which is used to register a security domain using an asymmetric cryptographic algorithm and obtain a symmetric key corresponding to the security domain. 如請求項7所記載的文本處理裝置,其中該安全硬體由智慧卡、聲波卡/Key、藍牙卡/Key、嵌入式安全元件或者智慧可穿戴裝置實現。 The text processing device according to claim 7, wherein the security hardware is implemented by a smart card, a sound wave card / Key, a Bluetooth card / Key, an embedded security element, or a smart wearable device. 一種安全輸入法的文本處理系統,該系統包括:如請求項6至8任一項所記載的安全輸入法的文本處理裝置及安全管理平台; 其中,該安全管理平台,用於創建及管理安全域,為安全輸入法的文本處理裝置分配安全域,向文本處理裝置下發安全域標識及對應的對稱密鑰;並用於將文本處理裝置發送的異域密文轉換為該文本處理裝置的同域密文後返回。 A text processing system for a secure input method, the system comprising: a text processing device for a secure input method as described in any one of claims 6 to 8 and a security management platform; The security management platform is used to create and manage a security domain, assign a security domain to a text processing device of a secure input method, and issue a security domain identifier and a corresponding symmetric key to the text processing device; and send the text processing device. The foreign-domain ciphertext is converted to the same-domain ciphertext of the text processing device and returned.
TW105135989A 2015-12-22 2016-11-04 Text processing method for safe input method, text processing device and text processing system TWI611316B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510967166.5A CN106911625B (en) 2015-12-22 2015-12-22 Text processing method, device and system for safe input method

Publications (2)

Publication Number Publication Date
TW201723919A TW201723919A (en) 2017-07-01
TWI611316B true TWI611316B (en) 2018-01-11

Family

ID=59089075

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105135989A TWI611316B (en) 2015-12-22 2016-11-04 Text processing method for safe input method, text processing device and text processing system

Country Status (3)

Country Link
CN (1) CN106911625B (en)
TW (1) TWI611316B (en)
WO (1) WO2017107642A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111177739B (en) * 2019-10-28 2023-11-03 腾讯云计算(北京)有限责任公司 Data processing method, information interaction system and computer storage medium
CN111212068B (en) * 2019-12-31 2022-02-08 北京升鑫网络科技有限公司 Method for encrypting and decrypting characters by input method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW563047B (en) * 2001-06-12 2003-11-21 Financial Information Service Shared system of mobile bank and its operating method
TWI224455B (en) * 2001-01-19 2004-11-21 Mitake Data Co Ltd End-to-end encryption procedure and module of M-commerce WAP data transport layer
WO2014165747A1 (en) * 2013-04-05 2014-10-09 Interdigital Patent Holdings, Inc. Securing peer-to-peer and group communications

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100641824B1 (en) * 2001-04-25 2006-11-06 주식회사 하렉스인포텍 A payment information input method and mobile commerce system using symmetric cipher system
CN101064595B (en) * 2006-04-27 2011-07-27 联想(北京)有限公司 Computer network safe input authentication system and method
CN101169815A (en) * 2007-11-27 2008-04-30 华为技术有限公司 Computer system and data input method
CN101729246B (en) * 2008-10-24 2012-02-08 中兴通讯股份有限公司 Method and system for distributing key
CN101739756B (en) * 2008-11-10 2012-01-11 中兴通讯股份有限公司 Method for generating secrete key of smart card
CN101894232B (en) * 2010-07-26 2012-09-12 深圳市永达电子股份有限公司 Safe input method applied to identity authentication
CN102355353A (en) * 2011-08-12 2012-02-15 无锡城市云计算中心有限公司 Encrypted input method and encrypted communication method and device
US20140109176A1 (en) * 2012-10-15 2014-04-17 Citrix Systems, Inc. Configuring and providing profiles that manage execution of mobile applications
WO2015162688A1 (en) * 2014-04-22 2015-10-29 株式会社日立製作所 Data processing system and data processing method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI224455B (en) * 2001-01-19 2004-11-21 Mitake Data Co Ltd End-to-end encryption procedure and module of M-commerce WAP data transport layer
TW563047B (en) * 2001-06-12 2003-11-21 Financial Information Service Shared system of mobile bank and its operating method
WO2014165747A1 (en) * 2013-04-05 2014-10-09 Interdigital Patent Holdings, Inc. Securing peer-to-peer and group communications

Also Published As

Publication number Publication date
CN106911625A (en) 2017-06-30
TW201723919A (en) 2017-07-01
CN106911625B (en) 2020-04-24
WO2017107642A1 (en) 2017-06-29

Similar Documents

Publication Publication Date Title
US10601801B2 (en) Identity authentication method and apparatus
JP6797828B2 (en) Cloud-based cryptographic machine key injection methods, devices, and systems
US9673975B1 (en) Cryptographic key splitting for offline and online data protection
US9860064B2 (en) Encrypted password transport across untrusted cloud network
WO2019020051A1 (en) Method and apparatus for security authentication
RU2018103181A (en) CONFIDENTIAL AUTHENTICATION AND SECURITY
CN106487765B (en) Authorized access method and device using the same
US11210658B2 (en) Constructing a distributed ledger transaction on a cold hardware wallet
JP2015130633A (en) authentication system
KR20150079489A (en) Instant messaging method and system
WO2019127265A1 (en) Blockchain smart contract-based data writing method, device and storage medium
KR101879758B1 (en) Method for Generating User Digital Certificate for Individual User Terminal and for Authenticating Using the Same Digital Certificate
WO2018137225A1 (en) Fingerprint data processing method and processing apparatus
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN103546289A (en) USB (universal serial bus) Key based secure data transmission method and system
US10439809B2 (en) Method and apparatus for managing application identifier
TW201409990A (en) Communication method utilizing fingerprint information for authentication
CN109800586A (en) A kind of pair of tender documents realize that a side encrypts the system and method decrypted in many ways
CN109005184A (en) File encrypting method and device, storage medium, terminal
US11288381B2 (en) Calculation device, calculation method, calculation program and calculation system
CN112351037A (en) Information processing method and device for secure communication
GB2522445A (en) Secure mobile wireless communications platform
WO2017050152A1 (en) Password security system adopted by mobile apparatus and secure password entering method thereof
TW201720093A (en) Secure input method, device and system
TWI734729B (en) Method and device for realizing electronic signature and signature server

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees