WO2007121641A1 - System for authenticating the credibility of a combined public key using a chip - Google Patents

System for authenticating the credibility of a combined public key using a chip

Info

Publication number
WO2007121641A1
WO2007121641A1 PCT/CN2007/000162 CN2007000162W WO2007121641A1 WO 2007121641 A1 WO2007121641 A1 WO 2007121641A1 CN 2007000162 W CN2007000162 W CN 2007000162W WO 2007121641 A1 WO2007121641 A1 WO 2007121641A1
Authority
WO
WIPO (PCT)
Prior art keywords
cpk
module
data
public key
key
Prior art date
Application number
PCT/CN2007/000162
Other languages
English (en)
Chinese (zh)
Inventor
Xianghao Nan
Jianguo Zhao
Original Assignee
Beijing E-Henxen Authentication Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Beijing E-Henxen Authentication Technologies Co., Ltd.
Publication of WO2007121641A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Definitions

  • The invention relates to information security technology, in particular to a CPK trusted authentication system in a computer and network environment.
  • Background art
  • the current encryption technologies can be divided into two categories, namely symmetric key technology and asymmetric key technology.
  • asymmetric key technology has been widely used because it can avoid the need to transmit a decryption key, that is, a private key, through the network.
  • PKI: Public Key Infrastructure
  • PKI runs on two major components: a hierarchical CA (Certification Authority) and a large certificate store LDAP.
  • PKI relies on third-party notarization to resolve the binding of identification and keys. To this end, it is necessary to establish a large and hierarchical CA certification body.
  • PKI also relies on the support of the online certificate store.
  • The online operation of the certificate store generates a large amount of network traffic. For example, in order to obtain the certificate of the communication partner, one party needs to authenticate through the CA layers. Because an authentication system based on PKI technology runs online against a database, its operating efficiency is very low and its processing capacity is limited.
  • Shamir proposed an identity-based cryptographic scheme, called IBC, and for the first time implemented an identity-based digital signature and predicted the existence of an identity-based key exchange mechanism.
  • the development and application of the public network has proposed new requirements for building a trusted network system.
  • The authentication system is the core technology of the trusted network system, and the core problem of the authentication system is to provide digital signature and key exchange at massive scale.
  • CPK technology solves these two difficulties at the same time, and creates the conditions for realizing a trusted system on a large-scale public network.
  • the CPK algorithm is also an identity-based public key algorithm.
  • CPK does not require online support for the database. It can be implemented with one chip. It has the advantages of PKI and IBC/IBE in scale, economy, feasibility and operational efficiency.
  • the present invention proposes a CPK authentication and encryption system based on a proprietary hardware device, which not only can effectively resist user collusion attacks, but also ensures the security of the CPK authentication system, and makes the authentication system easier to manage. It also makes the CPK authentication method suitable for a wider range of applications.
  • the CPK algorithm is implemented by a proprietary hardware device, and the proprietary hardware device is used to store, manage, and protect confidential and sensitive data such as a private key in the CPK algorithm and the authentication system.
  • The private key only participates in operations within the system. Even the legitimate users of the system cannot read the private key data from the system, which eliminates the possibility of an attacker obtaining the private key and thus eliminates the possibility of a collusion attack.
  • the main purpose of the present invention is to provide a combined public key (CPK) trusted authentication system, which is implemented by a chip to implement encryption and decryption functions, digital signature and verification functions, and key storage and management functions.
  • COS: dedicated software system
  • The implementation is characterized in that the system comprises: a processor for processing various data and for controlling and managing the entire system; and a secure memory, in which only specific instructions of the processor or a dedicated external device can access the data, so that an attacker cannot bypass these interfaces to access data in the memory, whether in a logical or a physical manner, such as by a slice attack.
  • Public key cryptography engine providing instructions for public key operations, supporting elliptic curve cryptography operations;
  • symmetric cryptography engine providing arithmetic instructions for symmetric encryption, hashing algorithms, etc.;
  • a true random number generator for generating a true random number;
  • System protection equipment, including protection devices for security packaging of the chip, anti-slice analysis, etc.; and a communication interface (USB controller, serial interface or smart card interface) for communicating with external devices.
  • system also includes:
  • The identification-private key management module is configured to store, manage, process and protect the private key and the identification data. All operations on the private key are performed by this module, which calls the elliptic curve cryptography module to perform elliptic curve signature and elliptic curve public key encryption and decryption operations;
  • the public key factor matrix management module maps the identifier into an index of the public key factor matrix through a mapping algorithm, and calculates a corresponding public key through the CPK algorithm and the public key factor matrix;
  • the access control module protects the system with passwords and cryptography to ensure that only users with passwords can access the system
  • the elliptic curve cryptography module can perform functions such as elliptic curve signature, verification, public key encryption, and decryption;
  • Symmetric cryptography module providing symmetric encryption, hash algorithm, MAC algorithm, etc.
  • the HASH algorithm module calculates the data according to the HASH function
  • a true random number generation module that generates a true random number
  • the CPK data format codec module encodes and decodes data in the CPK format; the communication protocol module implements a communication protocol with the CPK agent, and provides a service to the CPK agent in a request-response command.
  • If the system does not include a public key cryptography engine, a symmetric cryptography engine and a true random number generator, then the system calls the corresponding elliptic curve cryptography module, symmetric cryptography module and true random number generation module to complete these functions.
  • Said data comprises a public key factor matrix, the identity of the current user and the corresponding private key, the data being stored in the form of an ID certificate.
  • the main functions include ID attribute management, encryption function, signature function, cooperative execution function, key storage and management function, and the like, and are plug and play.
  • the system comprises at least one of a smart card chip, a stand-alone memory device and a secure computer integrated with a processor and a memory.
  • the chip may be at least one of a smart card, a USB key, a flash memory card, and a mobile phone SIM card, depending on the package and the interface.
  • Figure 1 shows the basic structure of a CPK system according to the present invention
  • FIG. 2 shows the detailed structure of a CPK system according to the present invention
  • FIG. 3 illustrates a signature process in accordance with the present invention
  • FIG. 4 illustrates a verification process in accordance with the present invention
  • FIG. 5 illustrates a public key encryption process in accordance with the present invention
  • FIG. 6 shows the public key decryption process in accordance with the present invention.
  • Detailed description
  • The CPK key management system is an identification (identity) based key generation and management system built on the discrete logarithm problem. It constructs the public key matrix and the private key matrix according to the mathematical principle of the discrete logarithm problem. A hash function and a cryptographic transformation are used to map the identity of an entity into a sequence of row and column coordinates of the matrix, which are used to select and combine the matrix elements. In this way a large number of public and private key pairs are generated, achieving very large-scale identity-based key production and distribution.
  • the CPK key algorithm utilizes discrete logarithm and elliptic curve cryptography to construct public and private key pairs.
  • the mapping algorithm binds the public and private key variables with the user ID to solve the identity-based key management.
  • The key management of CPK adopts a mode of centralized key production and centralized distribution, which has the advantages of controllability and manageability, and is convenient for constructing a top-down network trust system.
  • CPK's key management adopts a key-distributed storage and static call operation mode, so that third-party and non-prior authentication can be realized.
  • The CPK combined public key algorithm constructs a public/private factor matrix from a finite number of public/private factors. An extremely large number of public/private key pairs can be derived from the public/private key matrix, and the mapping algorithm binds a participating party's identity to its key (public/private key); this is a new technique.
  • The CPK-based authentication system is a very large-scale identity-based key management system that can be used on dedicated authentication networks and public authentication networks. It provides proof of credibility for trusted applications including, but not limited to, email, electronic notes, e-logistics identifiers, and e-offices.
  • The CPK trusted authentication system is a chip-implemented authentication system. The chip includes a dedicated COS, a CPK algorithm, an ID certificate, a signature protocol and a key exchange protocol, an encryption algorithm, a HASH function, etc. Depending on the package and the interface, it takes different forms such as a smart card, USB Key, Flash memory card, or mobile phone SIM card.
  • The public key matrix is written into the chip as needed, and the public key of the other party can be calculated in situ. A single chip carries the functions of the cryptographic machine, signature verification, and database key storage, and works as a single card across different identification domains and security domains, so a trusted authentication system can easily be built.
  • The chip includes: a dedicated COS supporting the CPK trusted authentication system; the related algorithms supporting CPK operation; an ID certificate, including multiple identification domains, multiple scopes, authorization levels, parameters and keys for role division; the CPK digital signature protocol and CPK key exchange protocol; a hierarchical encryption protocol, password change protocol and running format protocol; and technical measures for private key protection.
  • proprietary hardware devices may have different forms such as smart cards, USB keys, Flash memory cards, and SIM cards.
  • Figure 1 shows the basic structure of a CPK system in accordance with the present invention.
  • the system consists of at least one device as a CPK proprietary hardware device. Depending on the implementation and environment, it may consist of multiple hardware devices including computers and networks and related software.
  • Logically, the system has two main components: the CPK core system and the CPK agent (Agent).
  • the CPK core system implements the CPK algorithm as a separate logical component that provides authentication and encryption through a hardware interface or software interface.
  • the CPK Agent is usually embedded in an application system or application environment to provide CPK authentication and encryption services.
  • the interface of the service can take many forms, such as API, middleware, system services, network services, etc., but is not limited thereto.
  • the CPK Agent itself does not implement the basic functions of CPK. Instead, it calls its functions through specific communication protocols with the CPK core system and provides these services to the application environment.
  • the CPK Agent also encapsulates or enhances the functions of the core system to meet the needs of the application system.
  • Fig. 2 shows the detailed structure of a CPK system according to the present invention.
  • the CPK Built-in proprietary hardware architecture consists of a combination of software and hardware running on proprietary hardware devices and a common network and computer platform.
  • The CPK Built-in chip includes a hardware system, a software system (i.e. CPKCOS) and related internal data.
  • the hardware system consists of multiple IP cores with different functions, providing basic processor, memory, cryptography engine, random number generator and other modules.
  • the software system is stored in the flash memory inside the chip or directly burned in the ROM memory.
  • the software system calls and packages the basic functions provided by the corresponding hardware modules to implement various CPK algorithms and protocols. Some modules in the software system also read and write some data storage related to the CPK algorithm, including the public key factor matrix and the identification-private key list.
  • Public key cryptography engine: provides instructions for public key operations and supports elliptic curve cryptography.
  • Symmetric cryptography engine: provides arithmetic instructions for symmetric encryption, hashing algorithms, and so on.
  • a true random number generator for generating a true random number.
  • Communication interface, including a USB controller, serial interface or smart card interface, for communicating with external devices.
  • the software of this system includes the following components:
  • Identification-private key management module: this module is used to store, manage, process and protect private keys and identification data. All operations on the private key are performed by the module, which invokes the elliptic curve cryptography module to perform elliptic curve signature and elliptic curve public key encryption and decryption operations.
  • Public key factor matrix management module: the module maps the identifier to an index of the public key factor matrix through the mapping algorithm, and calculates the corresponding public key through the CPK algorithm and the public key factor matrix.
  • Access control module: protects the system with passwords and cryptography to ensure that only users with passwords can access the system.
  • Elliptic curve cryptography module: performs elliptic curve signature, verification, public key encryption, decryption, etc.
  • a symmetric cryptography module that provides symmetric encryption, hashing algorithms, MAC algorithms, and so on.
  • the HASH algorithm module calculates the data according to the HASH function.
  • a true random number generator that generates a true random number.
  • CPK data format codec module which encodes and decodes data in CPK format.
  • Communication protocol module: implements the communication protocol with the CPK agent and provides services to the CPK agent in the form of request-response commands.
  • the data in the system includes a public key factor matrix, an identification of the current user, and a corresponding private key, and the data is stored in the form of an ID certificate.
  • If the hardware device provides a corresponding implementation, the elliptic curve cryptography module, the symmetric cryptography module, and the true random number generator call the hardware function directly; otherwise they are implemented in software.
  • the CPKCOS is explained in detail below.
  • CPKCOS provides identity-based, third-party, non-online authentication.
  • CPKCOS implements the CPK algorithm on the chip, and can provide one or more globally unique identifiers for each entity, and each entity can mutually authenticate through the identifier.
  • CPKCOS can support multiple identifiers within a chip (the number is determined by the space of the secure memory area), and through a variable mapping algorithm, one chip can support multiple applications, and identifiers can be flexibly revoked and updated.
  • CPKCOS supports the construction of a multi-level authentication system.
  • CPKCOS generates a globally unique security domain identifier for each CPK public key factor matrix to identify a security domain.
  • Different levels and regions of the authentication system are divided into different security domains by having different public key factor matrices. The security domains can identify each other and obtain each other's public key factor matrix through their unique security domain identifiers, so that different security domains are logically connected to form a unified authentication network.
  • CPKCOS sets a classification level for each identifier. Only operations that satisfy the confidentiality restrictions are executed by CPKCOS, which supports the multi-level security requirements of systems such as the military.
  • CPKCOS provides ECDSA digital signature, ECDH key exchange, ECIES public key encryption, AES and TripleDES symmetric encryption algorithm, SHA series hash algorithm, can be used for authentication, encryption and other security applications, and can also be used as an auxiliary security algorithm module.
  • CPKCOS supports system software upgrades, adding other cryptographic algorithms, and adding extensions. To ensure system security, the software system is designed to work with the proprietary hardware. The software system is referred to as CPKCOS below. CPKCOS logically guarantees the security of the system and of secret data such as private keys in a variety of ways.
  • CPKCOS divides memory into secure storage and non-secure storage. The secure storage area is built from security-enhanced EEPROM memory, and the non-secure storage area consists of normal Flash memory.
  • CPKCOS stores important programs and data, such as system programs, confidential data such as private keys, and the program blocks that operate on confidential data, in the secure storage area. Publicly available data such as public key factor matrices are stored in the non-secure storage area.
  • The CPKCOS system program segment ensures that data or programs in the non-secure storage area have not been tampered with by verifying their signature or integrity code, and uses encryption to ensure the confidentiality of the data in that storage area.
  • The design of the non-secure memory area allows CPKCOS to support flash memory external to the chip while ensuring its security.
  • The CPKCOS system does not provide a read interface for secret data such as private keys. Its interfaces can only be used for normal signature and decryption functions, and cannot be used to obtain secret data. Even legitimate users cannot read the private key data.
  • CPKCOS protects the chip and internal sensitive data with a password.
  • the user can only use the CPK security chip after entering the verification password.
  • the CPKCOS system greatly increases the time taken by the attacker to try the password by adding a delay in the password verification process, and maintains the verification failure counter inside the chip. If the number of failures of the password verification exceeds the maximum limit, the sensitive information on the chip will self-destruct.
  • CPKCOS protects the private key factor matrix from being cracked.
  • The CPK algorithm has the weakness that it cannot resist collusion attacks. If an attacker can collect a large number of private keys, the entire private key factor matrix can be restored by computational solution.
  • The CPK security chip guarantees, through hardware protection and the external interface of CPKCOS, that the private key data cannot be read even by legitimate users, and it encrypts sensitive data such as the private key with the password and a true random number generated and stored only inside the chip. Even if an attacker cracks the chip hardware by slice analysis or similar means and reads data from it, the private key cannot be obtained without the password.
  • CPKCOS also supports storing the public key factor matrix in external memory, thereby increasing the matrix size and increasing the number of cracked chips required for collusion attacks by one to three orders of magnitude (128MB of external storage space).
  • the system includes four basic CPK functions: signature, verification, public key encryption and decryption based on the CPK algorithm.
  • the basic flow of the four operations is illustrated by four diagrams of FIG. 3, FIG. 4, FIG. 5, and FIG. 6, respectively, wherein the frame represents the system module, the line segment represents the data, and the arrow represents the flow direction of the data.
  • the sequence of operations is represented in the figure as top-down.
  • Figure 3 shows a flow chart of the CPK digital signature.
  • the digital signature process based on CPK Built-in is as follows:
  • the Hash algorithm module in the CPK Built-in chip calculates the hash value of the data to be signed.
  • the random number generator in the CPK Built-in chip generates a random number for signing.
  • the private key management module in the CPK Built-in chip reads the corresponding private key by the user's identification.
  • the elliptic curve cryptography module generates an ECDSA digital signature by hash value, random number and private key.
  • The data encoding module uniformly encodes the ECDSA digital signature value and the identifier used for the signature into a digital signature data packet in the CPK format, and the CPK Built-in chip returns it to the user.
  • FIG. 4 shows the signature verification flow chart for the CPK digital signature. As shown in Figure 4, the signature verification process based on CPK Built-in digital signature is as follows:
  • the CPK Built-in chip reads the CPK digital signature and the signed original data from the outside.
  • the Hash algorithm module calculates the hash value of the signed data.
  • the CPK data format codec module obtains the signer ID and ECDSA digital signature data from the CPK digital signature.
  • the identity-public key mapping algorithm module maps the signer identity to the public key that the signer uses for signing.
  • the elliptic curve cryptography module verifies that the signature is valid by the hash value, the ECDSA digital signature, and the signer public key, and returns the result to the user.
  • FIG. 5 shows the encryption flow chart of the CPK public key encryption algorithm.
  • a user can send data encrypted by the public key to any other user.
  • the data is encrypted by the CPK public key encryption algorithm.
  • the key is the identifier of the recipient, and the recipient can use his own private key to decrypt the data.
  • the detailed process is as follows:
  • The CPK Built-in chip reads the recipient's identifier and the plaintext of the data to be encrypted from the outside.
  • The public key mapping algorithm module calculates the recipient's public key by means of the identifier and the public key factor matrix.
  • The random number generator generates a symmetric key for encrypting the data and a random number for the public key encryption operation.
  • The elliptic curve cryptography module encrypts the plaintext with a symmetric key algorithm, and encrypts the symmetric key with elliptic curve public key encryption under the public key of the receiver, to generate an ECIES encrypted ciphertext.
  • The CPK data format encoding and decoding module encodes the ciphertext and the receiver identifier into a CPK ciphertext data packet, and returns it to the user.
  • FIG. 6 shows the decryption flow chart of the CPK public key encryption algorithm. As shown in Figure 6, the detailed process is as follows:
  • the CPK Built-in chip reads the CPK encrypted ciphertext packet from the outside.
  • the CPK data format encoding and decoding module decodes the data packet, and reads out the identifier and ECIES encrypted data.
  • the private key management module obtains the corresponding private key through the internal identification-private key list.
  • the elliptic curve cryptography module decrypts the ECIES encrypted data by the private key.
  • The decryption process first uses the elliptic curve public key decryption algorithm and the private key to recover the symmetric key that encrypted the data, then uses the symmetric key to decrypt the ciphertext into plaintext, and returns the plaintext to the user.
  • Proprietary hardware devices can take many different forms. Because different proprietary hardware devices differ in storage and processing capability and specific application environments differ, the functional modules of the system are distributed between the CPK core system and the CPK agent. The stronger the function of the proprietary hardware device, the more of the system's functional modules are implemented on the proprietary hardware device. Conversely, the weaker the function of the proprietary hardware device, the more of the system's functional modules are implemented in the CPK agent in the application environment.
  • the three representative proprietary hardware devices are smart card chips, security computers, and memory cards without processing capabilities. Specific implementation schemes are proposed for these three representative hardware.
  • the performance and storage capacity of the current mainstream smart card chip can support all functions of the CPK core system, so all programs and data can be built on the hardware platform, usually implementing the extended function in the CPK proxy.
  • the symmetric encryption function of the data can also be implemented on the smart card chip, thereby forming a separate product of soft and hard combination.
  • the CPK agent only needs to directly call the function of the smart card chip and package the communication protocol with the hardware as a software interface for the host environment, such as API or system service.
  • Smart card chips have weak processing capabilities and cannot support intensive service requests. Since the smart card has a small on-chip storage space, its storage space is expanded by an external memory chip to support a larger public key factor matrix.
  • Security computers are usually protected by specialized hardware design, additional security chips, and the like.
  • The security computer has more processing power and more storage space than the smart card chip, and can support all the functions of the CPK core system.
  • the CPK core system and the CPK agent can coexist on a secure computer hardware platform that also supports the functionality of the application system.
  • the CPK trusted authentication system based on the secure computer and the application system can form an independent product form, such as a CPK-based VPN, a trusted router, and the like.
  • the memory card itself does not have a separate processor, but has a certain amount of storage space.
  • The memory card is cheap and suitable for large-scale applications such as bank cards, but it does not have a processor itself, so it needs to protect the confidential data in the memory by cryptography, and must be used with a special secure reading device to read the private key.
  • The certification system used CA institutions and databases as the necessary means of authentication, which was expensive and complicated to maintain.
  • The system implemented the authentication system with one chip, canceled the CA organization and database, and greatly simplified the authentication process, improving the efficiency of certification, greatly reducing the cost, and saving operating costs and maintenance costs.

Abstract

The invention relates to a system for authenticating the credibility of a combined public key (CPK) using a chip, the chip comprising the dedicated COS, the CPK algorithm, the ID certificate, the signature protocol and the key exchange protocol, the encryption algorithm and the HASH function, etc. The chips are classified by form, namely smart card, USB key, Flash memory card, mobile phone SIM card, etc., depending on the type of packaging and interface. The functions of the cipher machine, signature verification, and key storage and management are performed on a single chip, and the chip has a universal card function across the different identification domains and security domains. The invention is plug and play and makes it easy to build a trusted authentication system.
PCT/CN2007/000162 2006-04-24 2007-01-16 System for authenticating the credibility of a combined public key using a chip WO2007121641A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610076019.X 2006-04-24
CN 200610076019 CN100586065C (zh) 2006-04-24 2006-04-24 CPK trusted authentication system

Publications (1)

Publication Number Publication Date
WO2007121641A1 (fr) 2007-11-01

Family

ID=36994428

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000162 WO2007121641A1 (fr) 2006-04-24 2007-01-16 System for authenticating the credibility of a combined public key using a chip

Country Status (2)

Country Link
CN (1) CN100586065C (fr)
WO (1) WO2007121641A1 (fr)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
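CN103457742A (zh) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Security suite library system based on USB key
CN103914642A (zh) * 2014-04-15 2014-07-09 浪潮电子信息产业股份有限公司 Security suite structure system based on USB key
CN104469750A (zh) * 2013-09-13 2015-03-25 东方斯泰克信息技术研究院(北京)有限公司 Service method and device for autonomous and controllable mobile Internet
CN109840431A (zh) * 2017-11-28 2019-06-04 中天安泰(北京)信息技术有限公司 Secure network chip, secure network card and network terminal device
CN112087301A (zh) * 2020-08-13 2020-12-15 北京市凌怡科技有限公司 Gas meter security authentication system based on national cryptographic algorithms
CN112187447A (zh) * 2020-10-22 2021-01-05 南方电网科学研究院有限责任公司 Method and device for generating keys for encryption and decryption algorithms
CN112948797A (zh) * 2021-03-09 2021-06-11 北方实验室(沈阳)股份有限公司 Asymmetric key management system and method based on collaborative cryptographic algorithm
CN112966254A (zh) * 2021-02-27 2021-06-15 郑州信大捷安信息技术股份有限公司 Secure communication method and system for host and trusted cryptography module
CN113068164A (zh) * 2021-02-09 2021-07-02 国网上海能源互联网研究院有限公司 Local secure operation and maintenance method and system for power distribution terminals based on Bluetooth communication
CN113422753A (zh) * 2021-02-09 2021-09-21 阿里巴巴集团控股有限公司 Data processing method, device, electronic equipment and computer storage medium
CN114157410A (zh) * 2021-11-25 2022-03-08 国网浙江省电力有限公司信息通信分公司 Lightweight 5G hardware-encryption communication module for power terminals
CN114422261A (zh) * 2022-02-15 2022-04-29 北京无字天书科技有限公司 Management method, management system, computer device and computer-readable storage medium
CN114996724A (zh) * 2022-04-25 2022-09-02 麒麟软件有限公司 Secure operating system based on national cryptographic algorithm module
CN115001709A (zh) * 2022-05-31 2022-09-02 赵瑞 Trusted collection and privacy protection method suitable for digital medical data
CN115174145A (zh) * 2022-05-30 2022-10-11 青岛海尔科技有限公司 Device control method and edge gateway device
CN115834061A (zh) * 2023-02-15 2023-03-21 深圳市永达电子信息股份有限公司 CPK-based identity key generation method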

Families Citing this family (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
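CN101018123B (zh) * 2007-02-14 2011-06-22 四川易恒科技发展有限公司 Voice communication method with CPK authentication based on the Linux operating system
CN101038568B (zh) * 2007-04-16 2010-05-19 丁万年 External computer hard disk data encryption method and device
CN101321060B (zh) * 2007-06-07 2011-06-08 管海明 Method and system for encoding and decoding digital messages
CN101321059B (zh) * 2007-06-07 2011-02-16 管海明 Method and system for encoding and decoding digital messages
CN101242271B (zh) * 2008-01-24 2010-12-29 陕西海基业高科技实业有限公司 Trusted remote service method and system
CN101420300B (zh) * 2008-05-28 2013-05-29 北京易恒信认证科技有限公司 Two-factor combined public key generation and authentication method
EP2151947A1 (fr) * 2008-08-05 2010-02-10 Irdeto Access B.V. Simultaneous encryption and signature scheme based on elliptic curve cryptography
CN101729502B (zh) * 2008-10-23 2012-09-05 中兴通讯股份有限公司 Key distribution method and system
CN101727707B (zh) * 2008-10-30 2011-11-09 范磊 Multifunctional card system and method of using a multifunctional card through the system
CN101442522B (zh) * 2008-12-25 2011-08-10 中国电子科技集团公司第五十四研究所 Communication entity identity authentication method based on combined public key
CN101540673B (zh) * 2009-04-24 2011-02-16 武汉大学 Public key encryption and decryption method and digital signature method thereof
CN101576948B (zh) * 2009-06-09 2011-12-21 航天科工深圳(集团)有限公司 License protection method for a microcontroller programmer
CN101763677B (zh) * 2009-10-23 2012-03-07 北京派瑞根科技开发有限公司 System for authenticating endorsement signatures on an information medium
CN101873215A (zh) * 2010-05-27 2010-10-27 大唐微电子技术有限公司 Security chip, wireless control module and terminal
CN101944997A (zh) * 2010-08-25 2011-01-12 北京市劳动信息中心 IC card signing and verification method and system based on dual-key and digital certificate system
CN101931537B (zh) * 2010-09-15 2012-08-29 北京数字认证股份有限公司 Digital certificate generation method for restricting signature content
CN102195990A (zh) * 2011-06-27 2011-09-21 北京虎符科技有限公司 Application of CPK authentication and encryption method to VoIP
CN102664732B (zh) * 2012-03-07 2016-06-22 南相浩 Method and system for making the CPK public key system resistant to quantum computing attacks
US9467283B2 (en) 2013-06-24 2016-10-11 Blackberry Limited Securing method for lawful interception
CN104283860A (zh) * 2013-07-10 2015-01-14 全联斯泰克科技有限公司 ELF file authentication method and device based on code signing
CN103414564A (zh) * 2013-08-07 2013-11-27 成都卫士通信息产业股份有限公司 Key card, key device and method for protecting a private key
CN104468111A (zh) * 2013-09-25 2015-03-25 同方股份有限公司 Method for key and data exchange using a USB key public key matrix
CN103473592B (zh) * 2013-09-25 2016-05-11 成都市易恒信科技有限公司 Offline tag authentication method and device based on the CPK system
CN104753671A (zh) * 2013-12-27 2015-07-01 东方斯泰克信息技术研究院(北京)有限公司 Method and device for interconnection between network entities, and method and device for constructing an internetwork
CN103888259B (zh) * 2014-03-12 2017-11-10 天地融科技股份有限公司 Subscriber identity module card
CN103888942B (zh) * 2014-03-14 2017-04-19 天地融科技股份有限公司 Data processing method based on negotiated key
CN103945375B (zh) * 2014-04-18 2018-04-13 天地融科技股份有限公司 Data processing method based on negotiated key
CN103944724B (zh) * 2014-04-18 2017-10-03 天地融科技股份有限公司 Subscriber identity module card
CN104902473A (zh) * 2014-04-21 2015-09-09 孟俊 Method and device for wireless network access authentication based on CPK identity authentication
CN104113543B (zh) * 2014-07-18 2017-03-15 中国科学院软件研究所 Message authentication method based on block cipher
CN104363099A (zh) * 2014-11-27 2015-02-18 南京泽本信息技术有限公司 Mobile phone security coprocessor chip
CN104901940A (zh) * 2015-01-13 2015-09-09 易兴旺 802.1X network access method based on CPK identity authentication
CN105988713B (zh) * 2015-01-29 2019-01-08 深圳市硅格半导体有限公司 Storage device and storage method
CN104899480A (zh) * 2015-05-05 2015-09-09 易兴旺 Software copyright protection management method based on CPK identity authentication technology
CN105426734B (zh) * 2015-11-12 2018-04-13 山东超越数控电子股份有限公司 Identity authentication method and device based on trusted computing
CN105246172A (zh) * 2015-11-24 2016-01-13 成都微讯云通科技有限公司 Mobile terminal network transmission method
CN105577373B (zh) * 2015-12-15 2018-10-19 四川长虹电器股份有限公司 Method for generating identity keys
CN108012268B (zh) * 2017-12-08 2021-07-09 北京虎符信息技术有限公司 SIM card for ensuring secure use of application software on a mobile phone terminal
CN108063667A (zh) * 2018-01-03 2018-05-22 广州杰赛科技股份有限公司 Key distribution method and device
CN111901117A (zh) * 2019-05-06 2020-11-06 深圳大普微电子科技有限公司 Security authentication method and system based on JTAG interface
CN110278086A (zh) * 2019-06-24 2019-09-24 晋商博创(北京)科技有限公司 Compatibility method, device, terminal, system and storage medium based on CPK and PKI
CN110460448A (zh) * 2019-08-20 2019-11-15 丹东瑞银科技有限公司 CPK file encryption method, encryption machine, encrypted communication system and storage medium
CN111130761B (zh) * 2019-11-12 2022-07-29 丁爱民 Digital rights identity identification method and system
CN111901303A (zh) * 2020-06-28 2020-11-06 北京可信华泰信息技术有限公司 Device authentication method and apparatus, storage medium and electronic apparatus
CN112291230B (zh) * 2020-10-26 2023-04-07 公安部第一研究所 Data security authentication and transmission method and device for Internet of Things terminals
CN115967584B (zh) * 2023-03-16 2023-07-04 深圳市永达电子信息股份有限公司 Method and system for implementing a zero-trust gateway based on hybrid PKI and CPK authentication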

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
HOUSLEY ET AL.: "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC2459, January 1999 (1999-01-01), pages 1 - 129 *
NAN X.-H.: "THE ACTIVE AUTHENTICATION SYSTEM AND NATIONAL COMBINED PUBLIC KEY(CPK) INFRASTRUCTURE", September 2005 (2005-09-01), pages 1 - 43 *
WANG Y.-G.: "Technique characteristic and applications of CPK authentication system", REVIEW OF ELECTRONICS SCIENCE AND TECHNOLOGY, no. 2, 2005 *
ZHOU J.-F., MA TAO, LI Y.-F.: "Comparison and Analysis of PKI, CPK and IBC", JOURNAL OF INFORMATION ENGINEERING UNIVERSITY, vol. 6, no. 3, September 2005 (2005-09-01), pages 1 - 6 *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
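CN104469750A (zh) * 2013-09-13 2015-03-25 东方斯泰克信息技术研究院(北京)有限公司 Service method and device for autonomous and controllable mobile Internet
CN103457742A (zh) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Security suite library system based on USB key
CN103914642A (zh) * 2014-04-15 2014-07-09 浪潮电子信息产业股份有限公司 Security suite structure system based on USB key
CN109840431A (zh) * 2017-11-28 2019-06-04 中天安泰(北京)信息技术有限公司 Secure network chip, secure network card and network terminal device
CN112087301A (zh) * 2020-08-13 2020-12-15 北京市凌怡科技有限公司 Gas meter security authentication system based on national cryptographic algorithms
CN112187447A (zh) * 2020-10-22 2021-01-05 南方电网科学研究院有限责任公司 Method and device for generating keys for encryption and decryption algorithms
CN113422753A (zh) * 2021-02-09 2021-09-21 阿里巴巴集团控股有限公司 Data processing method, device, electronic equipment and computer storage medium
CN113068164A (zh) * 2021-02-09 2021-07-02 国网上海能源互联网研究院有限公司 Local secure operation and maintenance method and system for power distribution terminals based on Bluetooth communication
CN113068164B (zh) * 2021-02-09 2022-10-28 国网上海能源互联网研究院有限公司 Local secure operation and maintenance method and system for power distribution terminals based on Bluetooth communication
CN112966254A (zh) * 2021-02-27 2021-06-15 郑州信大捷安信息技术股份有限公司 Secure communication method and system for host and trusted cryptography module
CN112966254B (zh) * 2021-02-27 2022-04-05 郑州信大捷安信息技术股份有限公司 Secure communication method and system for host and trusted cryptography module
CN112948797A (zh) * 2021-03-09 2021-06-11 北方实验室(沈阳)股份有限公司 Asymmetric key management system and method based on collaborative cryptographic algorithm
CN112948797B (zh) * 2021-03-09 2023-07-28 北方实验室(沈阳)股份有限公司 Asymmetric key management system and method based on collaborative cryptographic algorithm
CN114157410A (zh) * 2021-11-25 2022-03-08 国网浙江省电力有限公司信息通信分公司 Lightweight 5G hardware-encryption communication module for power terminals
CN114157410B (zh) * 2021-11-25 2024-04-19 国网浙江省电力有限公司信息通信分公司 Lightweight 5G hardware-encryption communication module for power terminals
CN114422261A (zh) * 2022-02-15 2022-04-29 北京无字天书科技有限公司 Management method, management system, computer device and computer-readable storage medium
CN114996724A (zh) * 2022-04-25 2022-09-02 麒麟软件有限公司 Secure operating system based on national cryptographic algorithm module
CN114996724B (zh) * 2022-04-25 2024-05-03 麒麟软件有限公司 Secure operating system based on national cryptographic algorithm module
CN115174145A (zh) * 2022-05-30 2022-10-11 青岛海尔科技有限公司 Device control method and edge gateway device
CN115174145B (zh) * 2022-05-30 2023-12-19 青岛海尔科技有限公司 Device control method and edge gateway device
CN115001709A (zh) * 2022-05-31 2022-09-02 赵瑞 Trusted collection and privacy protection method suitable for digital medical data
CN115001709B (zh) * 2022-05-31 2024-03-12 赵瑞 Trusted collection and privacy protection method suitable for digital medical data
CN115834061A (zh) * 2023-02-15 2023-03-21 深圳市永达电子信息股份有限公司 CPK-based identity key generation method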

Also Published As

Publication number Publication date
CN100586065C (zh) 2010-01-27
CN1832403A (zh) 2006-09-13

Similar Documents

Publication Publication Date Title
WO2007121641A1 (fr) Combined public key credibility authentication system using a chip
Zhang et al. Data security and privacy-preserving in edge computing paradigm: Survey and open issues
Huang et al. Secure data access control with ciphertext update and computation outsourcing in fog computing for Internet of Things
CN112836229B (zh) Trusted data access control scheme combining attribute-based encryption and blockchain
Attkan et al. Cyber-physical security for IoT networks: a comprehensive review on traditional, blockchain and artificial intelligence based key-security
Lee et al. Security enhancement on a new authentication scheme with anonymity for wireless environments
Tsai et al. Novel anonymous authentication scheme using smart cards
Sun et al. On the security and improvement of a two-factor user authentication scheme in wireless sensor networks
Bhattasali et al. Secure and trusted cloud of things
Obert et al. Recommendations for trust and encryption in DER interoperability standards
Zhang et al. Lightweight multidimensional encrypted data aggregation scheme with fault tolerance for fog-assisted smart grids
Kumari et al. Optimal integrity policy for encrypted data in secure storage using cloud computing
Wei et al. A provably secure anonymous two-factor authenticated key exchange protocol for cloud computing
Mao et al. BTAA: Blockchain and TEE Assisted Authentication for IoT Systems
Sun et al. Webcloud: web-based cloud storage for secure data sharing across platforms
Al-Zubi et al. Efficient signcryption scheme based on El-Gamal and Schnorr
Khashan et al. Innovative energy-efficient proxy Re-encryption for secure data exchange in Wireless sensor networks
CN115694922A (zh) File transfer encryption method and device under domestic CPU and OS
Ramkumar Trustworthy computing under resource constraints with the DOWN policy
Patil et al. A Secure and Efficient Identity based Proxy Signcryption Scheme for Smart Grid Network.
KR20180068537A (ko) Encryption and decryption system using unique serial number and symmetric key
Suo et al. Encryption technology in information system security
Liu et al. Consortium Blockchain based Lightweight Message Authentication and Auditing in Smart Home
Archana et al. Exploring State-of-the-Art Cryptography: A Systematic Exploration of Advanced Approaches for IoT Device Authentication
Zhang et al. KPaM: a key protection framework for mobile devices based on two-party computation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07702094

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07702094

Country of ref document: EP

Kind code of ref document: A1