WO2017050152A1 - Password security system adopted by mobile apparatus and secure password entering method thereof - Google Patents


Publication number
WO2017050152A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
mobile device
ciphertext
security
module
Prior art date
Application number
PCT/CN2016/098824
Other languages
French (fr)
Chinese (zh)
Inventor
陈成钱
周钰
郭伟
曾望年
李定洲
严翔翔
Original Assignee
中国银联股份有限公司
Application filed by 中国银联股份有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to mobile communication technologies, and in particular to a cryptographic security system for a mobile device and a cryptographic security input method for the mobile device.
  • the existing common technical means uses a password method, that is, the user sets a password.
  • when the user wants to protect personal information, the user is required to input the password, and the smart mobile device determines whether the password is correct. If it is correct, the personal information is encrypted; after that, if the user needs to view the personal information, the password is input again, and after the system determines that the password is correct, the personal information is decrypted for the user to view.
  • the current password uses a character form and requires a certain complex combination, which gives the password enhanced security and reduces the risk of being cracked, but brings a real problem: if the password has not been used for a period of time, the user will easily forget it, which may make it impossible to decrypt the personal information and is inconvenient for the user.
  • the present invention is directed to a password security system for a mobile device and a password security input method for a mobile device that solve the problems of passwords being difficult to remember and easy to steal during use, and that implement secure input of a password.
  • the security device is configured, in the password generation phase, to acquire a password, generate a password ciphertext from the password and transmit the password ciphertext to the first mobile device, and, in the password verification phase, to verify the password ciphertext sent from the first mobile device;
  • a first mobile device configured, in the password generation phase, to receive the generated password ciphertext from the security device and transmit it to the second mobile device described below, and, in the password verification phase, to read the password ciphertext from the second mobile device and send it to the security device;
  • the second mobile device is configured to store a password ciphertext received from the first mobile device in a password generation phase, and to provide the stored password ciphertext to the first mobile device in a password verification phase.
  • the security device is constructed as part of the first mobile device.
  • the security device is a cloud device or a security unit.
  • the first mobile device is a smart phone or a tablet
  • the second mobile device is a wearable device.
  • the security device is configured, in the password generation phase, to acquire a password, generate a password ciphertext from the password and transmit the password ciphertext to the second mobile device, and, in the password verification phase, to verify the password ciphertext sent from the first mobile device described below;
  • a first mobile device in the password verification phase, for reading a password ciphertext from the second mobile device described below and transmitting the ciphertext to the security device;
  • the second mobile device is configured to store a password ciphertext received from the security device in a password generation phase, and to provide the stored password ciphertext to the first mobile device in a password verification phase.
  • the security device is constructed as part of the first mobile device.
  • the security device has:
  • a trusted storage module configured to store the original password
  • the encryption and decryption module is used, in the password generation phase, to generate a password ciphertext according to the original password and, in the password verification phase, to decrypt and verify the password ciphertext extracted by the password data generating module described below;
  • a password data generating module configured to generate password data according to the password ciphertext in a password generation phase, and to extract a password ciphertext from password data from a second mobile device:
  • a first information receiving module configured to perform data interaction between the security device and the first mobile device, and/or between the security device and the second mobile device,
  • the second mobile device is provided with:
  • a storage module configured to store the password data sent from the security module in a password generation phase
  • a password data display module for displaying the password data stored by the storage module in a password verification phase
  • the first mobile device is provided with:
  • a password data reading module configured to read password data displayed by the password data display module
  • a second information receiving module configured to perform data interaction between the first mobile device and the security device and/or between the first mobile device and the second mobile device.
  • the password data generating module is a two-dimensional code generating module.
  • the two-dimensional code generating module is configured to generate a two-dimensional code according to the password ciphertext in a password generation phase, and to extract a two-dimensional code from the password data from the second mobile device in the password verification phase,
  • the password data display module is a two-dimensional code display module.
  • the two-dimensional code display module is configured to display a two-dimensional code as password data stored by the storage module in a password verification phase.
  • the password data reading module is a camera, and the camera is configured to read a two-dimensional code displayed by the two-dimensional code display module.
  • the password data generating module is a barcode generating module
  • the barcode generating module is configured to generate a barcode according to the password ciphertext in a password generation phase, and to extract the barcode from the password data from the second mobile device in the password verification phase,
  • the password data display module is a barcode display module.
  • the barcode display module is configured to display a barcode as password data stored by the storage module in a password verification phase
  • the password data reading module is a camera, and the camera is used to read a barcode displayed by the barcode display module.
  • the first mobile device is a smart phone or a tablet
  • the second mobile device is a wearable device
  • the security device is disposed in a TEEI of the smart phone as part of the smart phone.
  • data transmission between the security device and the second mobile device is implemented by non-contact communication.
  • the cryptographic security input method for a mobile device of the present invention is implemented by using a security device, a first mobile device, and a second mobile device, and includes the following steps:
  • the security device obtains a password and encrypts the password to generate a password ciphertext, and then transmits the data to the second mobile device through the first mobile device or directly to the second mobile device;
  • the second mobile device stores the password ciphertext
  • a password input step when the user needs to input a password, the second mobile device displays the password ciphertext to the first mobile device, and the first mobile device obtains the password ciphertext and sends the password to the security device;
  • the security device decrypts the encrypted ciphertext sent from the first mobile device and verifies the decrypted password.
  • data transmission between the security device and the second mobile device is implemented by non-contact communication.
  • the password ciphertext uses a two-dimensional code or a barcode.
  • the cryptographic security system for a mobile device of the present invention includes: a background system, a first mobile device, and a second mobile device,
  • the background system has:
  • a first counter for generating a count value and counting the count value comparison times
  • a public-private key generating unit for generating a public key and a private key
  • the encryption and decryption module is configured, in the password generation phase, to acquire a user password, encrypt the user password, the count value generated by the first counter and the public key generated by the public-private key generating unit, and generate a password ciphertext to be sent to the first mobile device; in the password verification phase, it is configured to parse the count value from the second password ciphertext sent by the first mobile device and compare the parsed count value with the count value stored by the first counter, the password verification of the second password ciphertext being performed only when the count value comparison is passed;
  • a first network security channel for transmitting data between the background system and the first mobile device
  • the first mobile device has:
  • a cryptographic processing unit which, in the password generation phase, receives the first ciphertext transmitted from the background system and transmits the first ciphertext and the public key to the second mobile device, and which, in the password verification phase, sends the count value stored by the second counter to the second mobile device, receives the second password ciphertext (described below) returned from the second mobile device, and sends the second password ciphertext to the background system;
  • a second network security channel configured to perform data transmission between the background system and the first mobile device
  • the second mobile device is provided with:
  • a storage module for storing a password ciphertext and a public key sent from the first mobile device during the password generation phase
  • the encryption and decryption module generates, in the password verification phase, a second password ciphertext from the count value sent by the first mobile device together with the stored password ciphertext and public key.
  • the first mobile device is a smart phone or a tablet
  • the second mobile device is a wearable device.
  • the first mobile device and the second mobile device communicate in a non-contact manner.
  • the cryptographic security system for a mobile device and the cryptographic security input method for the mobile device of the present invention use a mobile device such as a wearable device to store a password instead of a human brain, so that the user does not need to memorize the password.
  • This makes it possible to set up a very complex combination of passwords, which increases the difficulty of password cracking and greatly enhances the user experience.
  • the password ciphertext form is adopted, which can effectively prevent the malicious stealing, and can improve the security of the password use.
  • FIG. 1 is a block diagram showing a cryptographic security system for a mobile device of the present invention.
  • FIG. 2 is a flow chart showing the specific steps of the cryptographic security input method of the present invention.
  • FIG. 3 is a configuration diagram of a cryptographic security system for a mobile device according to a first embodiment of the present invention.
  • FIG. 4 is a configuration diagram of a cryptographic security system for a mobile device according to a second embodiment of the present invention.
  • FIG. 5 is a configuration diagram of a cryptographic security system for a mobile device according to a third embodiment of the present invention.
  • the invention utilizes the advantages of the user carrying a plurality of mobile devices with him, and provides a password security system and a password security input method capable of inputting the user password reliably and conveniently.
  • FIG. 1 is a block diagram showing a cryptographic security system for a mobile device of the present invention.
  • the cryptographic security system for a mobile device of the present invention includes: a security device 100, a first mobile device 200, and a second mobile device 300.
  • the security device 100 is configured, in the password generation phase, to encrypt a password set by the user to generate a password ciphertext and transmit the generated password ciphertext to the first mobile device 200, and, in the password verification phase, to decrypt and verify the password ciphertext sent from the first mobile device 200 described below.
  • the first mobile device 200 is configured to receive the generated password ciphertext from the security device 100 and transmit it to the second mobile device 300 during the password generation phase, and to read the password ciphertext from the second mobile device 300 and send it to the security device 100 during the password verification phase.
  • the second mobile device 300 is configured to store the password ciphertext received from the first mobile device 200 during the password generation phase, and to provide the stored password ciphertext to the first mobile device 200 during the password verification phase.
  • the security device 100 acquires a password that is required to be input by the first mobile device 200 (generally input by the user), generates an encrypted ciphertext according to the password, and transmits it to the first mobile device 200 through the communication channel; the first mobile device 200 then transmits it to the second mobile device 300 through the communication channel, and the second mobile device 300 stores the password ciphertext.
  • the password ciphertext read by the first mobile device 200 from the second mobile device 300 is sent to the security device 100, and the security device 100 verifies it and notifies the first mobile device 200 whether the password verification passed according to the verification result.
  • the second mobile device 300 is used instead of the human brain to memorize the password of the first mobile device 200, and the mobile device's computing power and communication interface capability, which are powerful compared with the human brain, can improve the security and convenience of password input.
  • the security device 100 may exist independently as a separate device, for example, the security device 100 is a cloud device or a security unit. Of course, the security device 100 may also be part of the first mobile device 200.
  • the first mobile device 200 may be a smart phone or a tablet computer, and the security device 100 may be a part of the smart phone or the tablet, as long as the password generation and verification functions can be completed.
  • the second mobile device 300 can be a wearable device.
  • Figure 2 is a flow chart showing a method of cryptographic security input of the present invention.
  • the password security input method of the present invention includes the following steps:
  • a password generating step S100 using the security device 100 to obtain a password and encrypting the password to generate a password ciphertext, then transmitting to the second mobile device 300 through the first mobile device 200 or directly to the second mobile device 300;
  • Password storage step S200 the second mobile device 300 stores the password ciphertext
  • Password input step S300 when the user needs to input a password, the second mobile device 300 displays the password ciphertext to the first mobile device 200, and the first mobile device 200 obtains the password ciphertext and sends it to the security device 100;
  • Password verification step S400 The secure device 100 decrypts the encrypted ciphertext sent from the first mobile device 200 and verifies the decrypted password.
  • FIG. 3 is a configuration diagram of a cryptographic security system for a mobile device according to a first embodiment of the present invention.
  • the cryptographic security system for a mobile device of the first embodiment of the present invention includes a smart phone 400 and a wearable device 500.
  • the smart phone 400 includes a TEEI (Trusted Execution Environment Integration) area 410 and an Android area 420.
  • TEEI area 410 corresponds to the above-described security device
  • the Android area 420 corresponds to the above-described first mobile device
  • the wearable device 500 corresponds to the above-described second mobile device.
  • TEEI (Trusted Execution Environment Integration) constructs a safe operating environment for a mobile intelligent terminal running an operating system such as Android, iOS or Windows Phone.
  • the TEEI can be a secure area located in the main processor of the mobile intelligent terminal, which ensures the storage, processing and protection of sensitive data in a trusted environment.
  • TEEI provides a secure execution environment for authorized security software (trusted software), enabling end-to-end security by performing protection, confidentiality, integrity and data access.
  • the TEEI area 410 has:
  • the trusted interaction interface module 411 is configured to obtain an original password input by the user
  • a trusted storage module 412 configured to store the original password
  • the encryption and decryption module 413 is configured to generate a password ciphertext according to the original password in the password generation phase, and to decrypt and verify the password ciphertext extracted from the two-dimensional code generation module 414 in the password verification phase;
  • the two-dimensional code generating module 414 is configured to generate a two-dimensional code according to the password ciphertext in a password generation phase, and to extract a password ciphertext from the wearable device 500 in a password verification phase;
  • the first information receiving module 415 is configured to perform data interaction between the TEEI area 410 and the Android area 420 and/or between the TEEI area 410 and the wearable device 500.
  • the Android area 420 has:
  • the camera 421 is configured to read the password ciphertext displayed by the two-dimensional code display module 512;
  • the second information receiving module 422 is configured to perform data interaction between the Android area 420 and the TEEI area 410 and/or the wearable device 500.
  • the wearable device 500 is provided with:
  • the storage module 511 is configured to store the password ciphertext sent from the TEEI area 410 in the password generation phase;
  • the two-dimensional code display module 512 is used to display the password ciphertext stored by the storage module 511 in the password verification phase.
  • the data transmission between the TEEI area 410 and the wearable device 500 is implemented by non-contact communication, such as NFC or Bluetooth.
  • the TEEI area 410 in the smart phone is used as a security platform for supporting password processing to ensure the security of the password generation process.
  • the wearable device 500 stores the password to avoid the problem of the user remembering the password.
  • the password generation process is:
  • the trusted interaction interface module 411 provided by the TEEI area 410 obtains the password input by the user, and transmits it to the encryption and decryption module 413;
  • the encryption and decryption module 413 uses the trusted storage module 412 to store the password, and uses the key to encrypt the password using a common encryption method such as 3DES, AES, etc., to generate a password ciphertext, which is transmitted to the two-dimensional code module 414;
  • the two-dimensional code module 414 generates a two-dimensional code based on the ciphertext, and prompts the user by means of a prompt sound or the like.
  • the user brings the wearable device 500 close to the mobile phone, so that the password ciphertext, that is, the two-dimensional code, is transmitted through NFC to the storage module 511 of the wearable device 500 and stored there.
  • the encryption application prompts the user to input the password by opening the camera;
  • the user displays the encrypted ciphertext two-dimensional code by operating the wearable device 500.
  • the camera 421 transmits the data to the two-dimensional code module 414, and the two-dimensional code module 414 analyzes it and extracts the password ciphertext, which is then sent to the encryption and decryption module 413 for decryption and verification; once the verification is passed, the system is notified to encrypt the user's personal information.
  • when the user wants to view the encrypted personal information, the user opens the camera 421 to read the two-dimensional code on the wearable device 500, the password is extracted and verified in the same manner as described above, and the encryption/decryption module 413 notifies the system to decrypt the personal information for the user to view. In this process, the notification of whether the system needs to encrypt or decrypt personal information is issued by the encryption and decryption module 413 under TEEI, thereby greatly reducing the risk of personal information being illegally encrypted and decrypted by malicious programs.
  • with the password security input method of the present invention, password entry changes from the original manual input to capture by the camera; the operation is simple and easy to use, and the password needs to be input only once, during setting.
  • the user does not need to remember the password, and can set a very complicated combination of passwords, which improves the difficulty of being cracked and greatly improves the user experience.
  • FIG. 4 is a configuration diagram of a cryptographic security system for a mobile device according to a second embodiment of the present invention.
  • the cryptographic security system for a mobile device of the second embodiment of the present invention includes a smart phone 600 and a wearable device 700.
  • the smart phone 600 includes a TEEI (Trusted Execution Environment Integration) area 610 and an Android area 620.
  • TEEI area 610 corresponds to the above-described security device
  • the Android area 620 corresponds to the above-described first mobile device
  • the wearable device 700 corresponds to the above-described second mobile device.
  • the TEEI area 610 has:
  • the trusted interaction interface module 611 is configured to obtain an original password input by the user
  • a trusted storage module 612 configured to store the original password
  • the encryption and decryption module 613 is configured to generate a password ciphertext according to the original password in the password generation phase, and to decrypt and verify the password ciphertext extracted from the barcode generation module 614 in the password verification phase;
  • the barcode generating module 614 is configured to generate a barcode according to the password ciphertext in a password generation phase, and to extract a password ciphertext from the wearable device 700 in the password verification phase;
  • the first information receiving module 615 is configured to perform data interaction between the TEEI area 610 and the Android area 620 and/or between the TEEI area 610 and the wearable device 700.
  • the Android area 620 has:
  • a camera 621 configured to read a password ciphertext displayed by the barcode display module 712;
  • the second information receiving module 622 is configured to perform data interaction between the Android area 620 and the TEEI area 610 and/or the wearable device 700.
  • the wearable device 700 is provided with:
  • the storage module 711 is configured to store the password ciphertext sent from the TEEI area 610 in the password generation phase;
  • the barcode display module 712 is configured to display the password ciphertext stored by the storage module 711 in the password verification phase.
  • the data transmission between the TEEI area 610 and the wearable device 700 is implemented by non-contact communication, such as NFC or Bluetooth.
  • the TEEI area 610 in the smart phone is used as a security platform for supporting password processing to ensure the security of the password generation process.
  • the wearable device 700 stores the password, which can avoid the problem of the user remembering the password.
  • a two-dimensional code is adopted in the first embodiment, and a barcode is used in the second embodiment; the two-dimensional code or the barcode is only a form of displaying the ciphertext, and any form will do as long as the security device and the first mobile device agree on it. From this point of view, anything that can represent text, numbers and other information is possible, including directly displaying the password ciphertext as a number.
  • the improvement of the password protection measure in the present invention mainly uses an additional mobile smart device to replace the human brain for password input, so that the password is freed from the human brain.
  • the input styles that are not matched with the computing devices are too single and fixed.
  • the inventor further found that if the encrypted password is dynamically changed, so that the ciphertext the wearable device produces is generated afresh each time, the risk of being copied can be better eliminated.
  • applied to user login protection for existing cardless payment, such a scheme can solve the problem that the password is easily stolen at user login in existing cardless payment, improving the security of the login process while improving the user experience.
  • Fig. 5 is a configuration diagram of a cryptographic security system for a mobile device according to a third embodiment of the present invention.
  • the password security system for a mobile device includes a background system 800, a smart phone 900, and a wearable device 920.
  • the background system 800 has:
  • the first counter 811 is configured to generate a count value and to count the number of count value comparisons
  • a public and private key generating unit 812 configured to generate a public key and a private key
  • the encryption/decryption module 813 is configured, in the password generation phase, to acquire a user password, encrypt the user password, the count value generated by the counter and the public key generated by the public-private key generating unit, and generate a password ciphertext to be sent to the cryptographic processing unit 912 of the smart phone 900; in the password verification phase, it is configured to parse the count value from the second password ciphertext sent by the smart phone 900 and compare the parsed count value with the count value stored by the first counter 811, the password verification of the second password ciphertext being performed only when the count value comparison is passed;
  • the first network security channel 814 is configured to perform data transmission between the background system 800 and the smart phone 900.
  • the smartphone 900 has:
  • a second counter 911 storing a count value from the background system 800
  • the cryptographic processing unit 912, in the password generation phase, receives the first ciphertext transmitted from the cryptographic module of the background system 800 and transmits the first ciphertext and the public key to the wearable device 920; in the password verification phase, it transmits the count value stored by the second counter 911 to the wearable device 920, receives the second password ciphertext (described below) returned from the wearable device 920, and sends the second password ciphertext (possibly together with the user name) to the background system 800;
  • a second network security channel 913 configured to perform data transmission between the background system 800 and the smart phone 900 (actually, the second network security channel 913 and the first network security channel 814 are a two-way secure transmission channel);
  • the wearable device 920 is provided with:
  • the storage module 921 is configured to store the password ciphertext and the public key sent from the smart phone 900 in the password generation phase;
  • the encryption and decryption module 922 generates, in the password verification phase, a second password ciphertext from the count value sent by the cryptographic processing unit 912 of the smart phone 900 together with the stored password ciphertext and public key.
  • the secure password input method implemented by the cryptographic security system for a mobile device of the third embodiment is also similar to the above embodiment, and there are also two processes: a password setting process and a user login process.
  • the password setting process is:
  • the encryption/decryption module 813 of the background system 800 encrypts the password with the key to generate the first password ciphertext, and the first counter 811 of the background system 800 randomly generates a count value; the count value, the public key and the first password ciphertext are combined and transmitted to the cryptographic processing unit 912 of the smart phone 900 via the first network security channel 814 and the second network security channel 913;
  • after receiving the data, the cryptographic processing unit 912 stores the count value in the second counter 911, prompts the user by a prompt tone or the like to bring the wearable device 920 closer to the smart phone 900, and transmits the public key and the first password ciphertext received from the background system 800 to the storage module 921 of the wearable device 920 via NFC or the like.
  • the user login process flow is:
  • the encryption and decryption module 912 of the wearable device 900 generates a new password ciphertext, that is, the second password ciphertext, based on the previously stored public key and the received count value, and then transmits the message through a non-contact method such as NFC.
  • the password processing unit 912 of the smart phone 900 at this time, the cryptographic processing unit 912 increments the count value of the second counter 911 by 1, and prompts the password input to be completed in a prompt tone or the like;
  • the login application obtains the second password ciphertext through the cryptographic processing unit 913, and transmits it to the background system 800 through the second network security channel 913 and the first network security channel 814 together with the user name;
  • the background system 800 parses the second password ciphertext using the private key of the public-private key generation unit 812, and compares the extracted count value with the count value of the first counter of the background system 800, regardless of whether the comparison is successful or not.
  • the background counter is incremented by 1. After the comparison is passed, the extracted second password ciphertext is decrypted to verify the password, the password verification is passed, and the user identity login process is completed.
  • the user only needs to bring the wearable device 920 close to the smart phone 900 to complete the login, which is simple and easy to use.
  • because the password ciphertext produced by the wearable device 920 is generated dynamically every time, it is valid only once and cannot be copied and reused.
  • if the wearable device 920 is lost, the thief cannot obtain the actual password, because the password is stored as password ciphertext.
  • the thief's own mobile phone cannot cooperate with the wearable device 920 and pass the authentication of the background system 900, because it lacks the count value. Similarly, if the user's smart phone 900 is lost, identity verification with the background cannot be completed, because the password ciphertext on the wearable device 900 is lacking.
  • the thief cannot obtain the password through network monitoring, cracking and the like. These measures greatly improve the security of the user password and strengthen the protection of user identity login. Of course, since the user still needs service after a device is lost, the user can resynchronize the counter with the background and regenerate a password ciphertext through other security mechanisms, which are not described in detail here.
  • the password security system for a mobile device and the secure password input method for a mobile device of the present invention use another mobile device, such as a wearable device, to store the password in place of the human brain, so the user does not need to memorize the password.
  • This makes it possible to set a very complex password combination, which increases the difficulty of cracking the password and greatly improves the user experience.
  • the password is always transmitted in password ciphertext form, which effectively prevents malicious theft and improves the security of password use.
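The password setting and login flow of the third embodiment, simulated end to end as an added example (not code from the patent). The patent names no algorithms, so textbook RSA without padding and a SHA-256 keystream XOR are stand-ins that are unsafe outside a demonstration; the class and function names, the message layout (marker byte, 4-byte count value, first password ciphertext) and the reading that the backend recovers the first password ciphertext from the second are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key from two Mersenne primes (216-bit modulus, no padding).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MAX_PW = 21  # bytes that fit under N beside the marker byte and 4-byte counter


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for the backend's symmetric cipher: XOR with a SHA-256 keystream."""
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key).digest()))


class Backend:
    """Background system 800: first counter, key pair, encryption/decryption."""

    def __init__(self):
        self.sym_key = secrets.token_bytes(32)
        self.users = {}

    def set_password(self, user: str, password: str):
        pw = password.encode()
        if len(pw) > MAX_PW:
            raise ValueError("password too long for the toy modulus")
        counter = secrets.randbelow(2**31)  # randomly generated count value
        self.users[user] = {"password": pw, "counter": counter}
        return counter, (N, E), xor_stream(self.sym_key, pw)

    def login(self, user: str, second_ct: int) -> str:
        rec = self.users[user]
        expected = rec["counter"]
        rec["counter"] += 1  # advanced whether or not the comparison passes
        m = pow(second_ct, D, N)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if len(raw) < 5 or raw[0] != 1:
            return "malformed"
        if int.from_bytes(raw[1:5], "big") != expected:
            return "counter mismatch"
        recovered = xor_stream(self.sym_key, raw[5:])
        ok = hmac.compare_digest(recovered, rec["password"])
        return "ok" if ok else "bad password"


class Wearable:
    """Wearable device 920: stores the first ciphertext and the public key."""

    def store(self, public_key, first_ct: bytes):
        self.public_key, self.first_ct = public_key, first_ct

    def respond(self, counter: int) -> int:
        n, e = self.public_key
        msg = b"\x01" + counter.to_bytes(4, "big") + self.first_ct
        return pow(int.from_bytes(msg, "big"), e, n)  # second password ciphertext


class Phone:
    """Smart phone 900: second counter and relay between wearable and backend."""

    def provision(self, counter, public_key, first_ct, wearable):
        self.counter = counter
        wearable.store(public_key, first_ct)

    def tap(self, wearable) -> int:
        second_ct = wearable.respond(self.counter)
        self.counter += 1  # incremented once the wearable has answered
        return second_ct


def run_session():
    backend, phone, wearable = Backend(), Phone(), Wearable()
    # "c0rrect-h0rse!" is a constructed sample password.
    phone.provision(*backend.set_password("alice", "c0rrect-h0rse!"), wearable)
    results = []
    captured = phone.tap(wearable)
    results.append(backend.login("alice", captured))             # fresh value
    results.append(backend.login("alice", phone.tap(wearable)))  # next value
    results.append(backend.login("alice", captured))             # replayed value
    results.append(backend.login("alice", phone.tap(wearable)))  # tap after replay
    return results


if __name__ == "__main__":
    print(run_session())
```

The last result shows a consequence of advancing the background counter on every comparison: once a replayed ciphertext has been rejected, the phone's counter lags the background's, and genuine taps fail until the two are resynchronized.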

Abstract

The invention relates to a password security system adopted by a mobile apparatus and a secure password entering method thereof. The system comprises: a security apparatus configured, in a password generation stage, to obtain a password, generate, according to the password, a password ciphertext, and transmit the same to a first mobile apparatus, and in a password validation stage, to validate a password ciphertext transmitted from the first mobile apparatus; the first mobile apparatus configured, in the password generation stage, to receive the password ciphertext from the security apparatus, and transmit the same to a second mobile apparatus, and in the password validation stage, to read the password ciphertext from the second mobile apparatus and transmit the same to the security apparatus; and the second mobile apparatus configured, in the password generation stage, to store a password ciphertext received from the first mobile apparatus, and in the password validation stage, to provide the stored password ciphertext to the first mobile apparatus. The embodiment can increase security and convenience of using a password.

Description

Password security system for mobile device and password security input method thereof
Technical field
The present invention relates to mobile communication technology, and in particular to a password security system for a mobile device and a secure password input method for a mobile device.
Background
As smart mobile devices become everyday personal assistants, more and more personal information is stored on them, including closely held private information such as personal photos, social accounts and game accounts. How to protect this private information is a major security requirement that users place on smartphones.
The common existing approach uses a password: the user sets a password; when the user wants to protect personal information, the user is asked to enter the password, the smart mobile device checks whether the password is correct and, if it is, encrypts the personal information. Later, when the user needs to view the personal information, the user again enters the password, and after the system determines that the password is correct it decrypts the personal information for the user to view.
However, this approach has the following two problems:
(1) To ensure security, passwords today are character strings and must be reasonably complex combinations. While this strengthens the password and lowers the risk of it being cracked, it also creates a practical problem: if the password goes unused for a while, the user easily forgets it, the personal information can no longer be decrypted, and the user is inconvenienced.
(2) The password is stored locally on the smartphone, and because smartphones fall short on security, they cannot defend against theft by malicious programs. Even if the master key is stored in ciphertext form, the key that encrypts the master key is also on the smartphone, so the risk of the password being cracked cannot be fundamentally eliminated. Moreover, because the user must enter the password every time private information is viewed, the risk that a malicious program steals the password through a man-in-the-middle attack is greatly increased.
Summary of the invention
In view of the above problems, the present invention aims to provide a password security system for a mobile device and a secure password input method for a mobile device that solve the problems of passwords being hard to remember and easy to steal during use, and that achieve secure input of the password.
A password security system for a mobile device according to the present invention is characterized by comprising:
a security device which, in the password generation phase, acquires a password, generates a password ciphertext from that password and transmits it to the first mobile device described below, and which, in the password verification phase, verifies the password ciphertext sent from the first mobile device described below;
a first mobile device which, in the password generation phase, receives the generated password ciphertext from the security device and transmits it to the second mobile device described below, and which, in the password verification phase, reads the password ciphertext from the second mobile device described below and sends it to the security device;
a second mobile device which, in the password generation phase, stores the password ciphertext received from the first mobile device, and which, in the password verification phase, provides the stored password ciphertext to the first mobile device.
Preferably, the security device is constructed as part of the first mobile device.
Preferably, the security device is a cloud device or a security unit.
Preferably, the first mobile device is a smart phone or a tablet, and the second mobile device is a wearable device.
A password security system for a mobile device according to the present invention is characterized by comprising:
a security device which, in the password generation phase, acquires a password, generates a password ciphertext from that password and transmits it to the second mobile device described below, and which, in the password verification phase, verifies the password ciphertext sent from the first mobile device described below;
a first mobile device which, in the password verification phase, reads the password ciphertext from the second mobile device described below and sends it to the security device;
a second mobile device which, in the password generation phase, stores the password ciphertext received from the security device, and which, in the password verification phase, provides the stored password ciphertext to the first mobile device.
Preferably, the security device is constructed as part of the first mobile device.
Preferably, the security device is provided with:
an interaction interface module for obtaining the original password entered by the user;
a trusted storage module for storing the original password;
an encryption and decryption module which, in the password generation phase, generates a password ciphertext from the original password, and which, in the password verification phase, decrypts and verifies the password ciphertext extracted by the password data generating module described below;
a password data generating module which, in the password generation phase, generates password data from the password ciphertext, and which, in the password verification phase, extracts the password ciphertext from the password data coming from the second mobile device described below;
a first information receiving module for exchanging data between the security device and the first mobile device and/or between the security device and the second mobile device,
the second mobile device is provided with:
a storage module which, in the password generation phase, stores the password data sent from the security module;
a password data display module which, in the password verification phase, displays the password data stored by the storage module,
the first mobile device is provided with:
a password data reading module for reading the password data displayed by the password data display module;
a second information receiving module for exchanging data between the first mobile device and the security device and/or between the first mobile device and the second mobile device.
Preferably, the password data generating module is a two-dimensional code generating module,
the two-dimensional code generating module, in the password generation phase, generates a two-dimensional code from the password ciphertext, and, in the password verification phase, extracts the two-dimensional code from the password data coming from the second mobile device,
the password data display module is a two-dimensional code display module,
the two-dimensional code display module, in the password verification phase, displays the two-dimensional code that is the password data stored by the storage module,
the password data reading module is a camera, and the camera reads the two-dimensional code displayed by the two-dimensional code display module.
Preferably, the password data generating module is a barcode generating module, and the barcode generating module, in the password generation phase, generates a barcode from the password ciphertext, and, in the password verification phase, extracts the barcode from the password data coming from the second mobile device,
the password data display module is a barcode display module,
the barcode display module, in the password verification phase, displays the barcode that is the password data stored by the storage module,
the password data reading module is a camera, and the camera reads the barcode displayed by the barcode display module.
Preferably, the first mobile device is a smart phone or a tablet, the second mobile device is a wearable device, and the security device is disposed in the TEEI of the smart phone as part of the smart phone.
Preferably, data transmission between the security device and the second mobile device is implemented by non-contact communication.
A secure password input method for a mobile device according to the present invention is implemented with a security device, a first mobile device and a second mobile device, and is characterized by comprising the following steps:
a password generation step, in which the security device acquires a password, encrypts it to generate a password ciphertext, and transmits the ciphertext to the second mobile device either through the first mobile device or directly;
a password storage step, in which the second mobile device stores the password ciphertext;
a password input step, in which, when the user needs to enter the password, the second mobile device presents the password ciphertext to the first mobile device, and the first mobile device obtains the password ciphertext and sends it to the security device;
a password verification step, in which the security device decrypts the password ciphertext sent from the first mobile device and verifies the decrypted password.
Preferably, data transmission between the security device and the second mobile device is implemented by non-contact communication.
Preferably, the password ciphertext takes the form of a two-dimensional code or a barcode.
A password security system for a mobile device according to the present invention is characterized by comprising: a background system, a first mobile device, and a second mobile device,
wherein the background system is provided with:
a first counter for generating a count value and for counting the number of count-value comparisons;
a public-private key generating unit for generating a public key and a private key;
an encryption and decryption module which, in the password generation phase, acquires the user password, encrypts the user password together with the count value generated by the first counter and the public key generated by the public-private key generating unit to generate a password ciphertext, and sends it to the first mobile device, and which, in the password verification phase, parses the count value out of the second password ciphertext (described below) sent from the first mobile device, compares the parsed count value with the count value stored by the first counter, and performs password verification on the second password ciphertext only if the count-value comparison passes;
a first network security channel for data transmission between the background system and the first mobile device,
the first mobile device is provided with:
a second counter that stores the count value from the background system;
a password processing unit which, in the password generation phase, receives the first password ciphertext transmitted from the background system and transmits the first password ciphertext and the public key to the second mobile device, and which, in the password verification phase, sends the count value stored by the second counter to the second mobile device, receives the second password ciphertext (described below) returned from the second mobile device, and sends the second password ciphertext to the background system;
a second network security channel for data transmission between the background system and the first mobile device;
the second mobile device is provided with:
a storage module which, in the password generation phase, stores the password ciphertext and the public key sent from the first mobile device; and
an encryption and decryption module which, in the password verification phase, generates the second password ciphertext from the count value sent from the first mobile device together with the password ciphertext and public key already stored in the storage module.
Preferably, the first mobile device is a smart phone or a tablet, and the second mobile device is a wearable device.
Preferably, the first mobile device and the second mobile device communicate in a non-contact manner.
In summary, the password security system for a mobile device and the secure password input method for a mobile device of the present invention use another mobile device, such as a wearable device, to store the password in place of the human brain, so the user does not need to memorize the password. This makes it possible to set a very complex password combination, which increases the difficulty of cracking the password and greatly improves the user experience. Moreover, the password is always transmitted in password ciphertext form, which effectively prevents malicious theft and improves the security of password use.
Description of the drawings
Figure 1 is a block diagram showing the password security system for a mobile device of the present invention.
Figure 2 is a flow chart showing the specific steps of the secure password input method of the present invention.
Figure 3 is a configuration diagram of the password security system for a mobile device according to the first embodiment of the present invention.
Figure 4 is a configuration diagram of the password security system for a mobile device according to the second embodiment of the present invention.
Figure 5 is a configuration diagram of the password security system for a mobile device according to the second embodiment of the present invention.
Detailed description
Described below are some of the embodiments of the present invention, intended to provide a basic understanding of the invention. They are not intended to identify key or decisive elements of the invention or to limit the scope of protection.
With the development of new technologies, mobile devices of all kinds keep appearing, and it has become possible for users to carry several mobile devices at once, for example a smart phone together with various wearable devices. The present invention takes advantage of the fact that users carry several mobile devices to provide a password security system and a secure password input method that allow the user password to be entered reliably and conveniently.
The password security system for a mobile device of the present invention is described below.
Figure 1 is a block diagram showing the password security system for a mobile device of the present invention.
As shown in Figure 1, the password security system for a mobile device of the present invention comprises: a security device 100, a first mobile device 200, and a second mobile device 300.
In the password generation phase, the security device 100 encrypts the password set by the user to generate a password ciphertext and transmits the generated password ciphertext to the first mobile device 200; in the password verification phase, it decrypts the password sent from the first mobile device described below and verifies it.
In the password generation phase, the first mobile device 200 receives the generated password ciphertext from the security device 100 and transmits it to the second mobile device 300; in the password verification phase, it reads the password ciphertext from the second mobile device 300 and sends it to the security device 100.
In the password generation phase, the second mobile device 300 stores the password ciphertext received from the first mobile device 200; in the password verification phase, it provides the stored password ciphertext to the first mobile device 100.
Here, the security device 100 acquires the password that must be entered when the first mobile device 200 is used (generally entered by the user), generates an encrypted ciphertext from that password and passes it over a communication channel to the first mobile device 200, which in turn passes it over a communication channel to the second mobile device 300; the second mobile device 300 stores the password ciphertext. Then, when the password is needed on the first mobile device 100, the first mobile device 200 reads in the stored password from the second mobile device 300 and sends it to the security device 100; the security device 100 verifies the password that was read in and, according to the result, notifies the first mobile device 200 whether password verification passed. In the present invention, the second mobile device 300 replaces the human brain in remembering the password of the first mobile device 200, exploiting the much greater computing power and communication-interface capability that a mobile device has compared with the human brain, and thereby improving the security and convenience of password input.
In the present invention, the security device 100 may exist independently as a separate device; for example, the security device 100 is a cloud device or a security unit. Of course, the security device 100 may also exist as part of the first mobile device 200.
Here, as one preferred arrangement, the first mobile device 100 may be a smart phone or a tablet, and the security device 100 may be a unit provided within that smart phone or tablet, as long as it can perform the password generation and verification functions; the second mobile device 300, for its part, may be a wearable device.
Next, the secure password input method implemented with the password security system for a mobile device of the present invention is described. Figure 2 is a flow chart showing the secure password input method of the present invention.
As shown in Figure 2, the secure password input method of the present invention includes the following steps:
Password generation step S100: the security device 100 acquires a password, encrypts it to generate a password ciphertext, and transmits the ciphertext to the second mobile device 300 either through the first mobile device 200 or directly;
Password storage step S200: the second mobile device 300 stores the password ciphertext;
Password input step S300: when the user needs to enter the password, the second mobile device 300 presents the password ciphertext to the first mobile device 200, and the first mobile device 200 obtains the password ciphertext and sends it to the security device 100;
Password verification step S400: the security device 100 decrypts the password ciphertext sent from the first mobile device 200 and verifies the decrypted password.
第一实施方式First embodiment
接着,对于本发明第一实施方式的用于移动设备的密码安全系统进行说明。Next, a password security system for a mobile device according to the first embodiment of the present invention will be described.
图3是本发明第一实施方式的用于移动设备的密码安全系统的构造图。3 is a configuration diagram of a cryptographic security system for a mobile device according to a first embodiment of the present invention.
如图3所示,本发明第一实施方式的用于移动设备的密码安全系统包括智能手机400和可穿戴设备500。其中,智能手机400中包括TEEI区(Trusted Executive Environment Integration,可信执行环境)410和安卓区420。在第一实施方式中,TEEI区410相当于上述的安全设备、安卓区420相当于上述的第一移动设备、可穿戴设备500相当于上述的第二移动设备。As shown in FIG. 3, the cryptographic security system for a mobile device of the first embodiment of the present invention includes a smart phone 400 and a wearable device 500. The smart phone 400 includes a TEEI area (Trusted Executive Environment Integration) 410 and an Android area 420. In the first embodiment, the TEEI area 410 corresponds to the above-described security device, the Android area 420 corresponds to the above-described first mobile device, and the wearable device 500 corresponds to the above-described second mobile device.
在当前的技术中,TEEI(Trusted Execution Environment Integration,可信执行环境)是为了解决当前移动智能终端存在的安全风险而提出的技术,TEEI构造了一个与移动智能终端操作系统(例如Android、iOS、WindowsPhone)隔 离的安全运行环境。TEEI可以是位于移动智能终端主处理器中的安全区域,能够保证在可信的环境中进行敏感数据的存储、处理和保护。TEEI为授权的安全软件(可信软件)提供了安全的执行环境,通过执行保护、保密、完整和数据访问权限实现了端到端的安全。In the current technology, TEEI (Trusted Execution Environment Integration) is a technology proposed to solve the security risks of current mobile intelligent terminals. TEEI constructs a mobile intelligent terminal operating system (such as Android, iOS, WindowsPhone) A safe operating environment. The TEEI can be a secure area located in the main processor of the mobile intelligent terminal, which ensures the storage, processing and protection of sensitive data in a trusted environment. TEEI provides a secure execution environment for authorized security software (trusted software), enabling end-to-end security by performing protection, confidentiality, integrity and data access.
TEEI区410具备:The TEEI area 410 has:
可信交互界面模块411,用于获取用户输入的原始密码;The trusted interaction interface module 411 is configured to obtain an original password input by the user;
可信存储模块412,用于存储所述原始密码;a trusted storage module 412, configured to store the original password;
加解密模块413,在密码生成阶段用于根据原始密码生成密码密文,在密码验证阶段用于对从二维码生成模块414提取的密码密文进行解密并进行验证;The encryption and decryption module 413 is configured to generate a password ciphertext according to the original password in the password generation phase, and to decrypt and verify the password ciphertext extracted from the two-dimensional code generation module 414 in the password verification phase;
二维码生成模块414,在密码生成阶段用于根据所述密码密文生成二维码,在密码验证阶段用于从来自可穿戴设备500中提取密码密文;The two-dimensional code generating module 414 is configured to generate a two-dimensional code according to the password ciphertext in a password generation phase, and to extract a password ciphertext from the wearable device 500 in a password verification phase;
第一信息接收模块415,用于在TEEI区410和安卓区420之间以及/或者所述TEEI区410和可穿戴设备500之间进行数据交互。The first information receiving module 415 is configured to perform data interaction between the TEEI area 410 and the Android area 420 and/or between the TEEI area 410 and the wearable device 500.
安卓区420具备:The Android area 420 has:
摄像头421,用于读取所述二维码展示模块512所展示的密码密文;The camera 421 is configured to read the password ciphertext displayed by the two-dimensional code display module 512;
第二信息接收模块422,用于在安卓区420和TEEI区410之间以及/或者可穿戴设备500进行数据交互。The second information receiving module 422 is configured to perform data interaction between the Android area 420 and the TEEI area 410 and/or the wearable device 500.
The wearable device 500 comprises:
a storage module 511, which in the password generation phase stores the password ciphertext sent from the TEEI area 410;
a two-dimensional code display module 512, which in the password verification phase displays the password ciphertext stored by the storage module 511.
Data transfer between the TEEI area 410 and the wearable device 500 is carried out by contactless communication, for example NFC or Bluetooth.
In the first embodiment, the TEEI area 410 in the smartphone serves as the security platform that supports password processing, which ensures the security of the password generation process, and the wearable device 500 stores the password, which spares the user from having to remember it.
Next, the flow of the secure password input method implemented with the password security system for a mobile device of the first embodiment is described in detail.
This flow can be divided simply into a password generation process (corresponding to the password generation step S100 and password storage step S200 described above) and a usage process (corresponding to the password input step S300 and password verification step S400 described above):
The password generation process is:
(1) When the user sets a password, the trusted interaction interface module 411 provided by the TEEI area 410 obtains the password entered by the user and passes it to the encryption/decryption module 413;
(2) The encryption/decryption module 413 stores the password using the trusted storage module 412, encrypts the password with a key using a common encryption method such as 3DES or AES to generate the password ciphertext, and passes it to the two-dimensional code module 414;
(3) The two-dimensional code module 414 generates a two-dimensional code from the ciphertext and, once it is generated, prompts the user by a prompt tone or similar means; the user brings the wearable device 500 close to the phone, so that the password ciphertext, i.e. the two-dimensional code, is transferred over NFC to the storage module 511 of the wearable device 500 and stored there.
As the above process shows, from entry of the password through generation of the encrypted password ciphertext, everything takes place under the protection of the TEEI; transmission is also in ciphertext form and cannot be captured by malicious programs; and because the password is kept in trusted storage, the risk of a malicious program obtaining it locally and cracking it is avoided.
The password usage process is:
(1) When the user wants to encrypt and protect some of the personal information on the smartphone, such as directories or files, the encryption application prompts the user to enter the password by opening the camera;
(2) The user operates the wearable device 500 to display the two-dimensional code of the encrypted password ciphertext; after the user's camera 421 reads it in, the camera 421 passes the data to the two-dimensional code module 414, which parses it, extracts the password ciphertext and passes it to the encryption/decryption module 413 for decryption and verification; if verification passes, the system is notified to encrypt the user's personal information.
In this way, when the user wants to view the encrypted personal information, the user opens the camera 421 to read the two-dimensional code on the wearable device 500, the password is extracted and verified in the same way as above, and the encryption/decryption module 413 notifies the system to decrypt the personal information for the user to view. In this process, because the notification to the system to encrypt or decrypt personal information is always issued by the encryption/decryption module 413 under the TEEI, the risk of personal information being illegitimately encrypted or decrypted by a malicious program is greatly reduced.
Moreover, in terms of user experience, compared with existing approaches the secure password input of the present invention replaces manual password entry with a camera capture, which is simple and easy to use. The password only has to be entered once, when it is set, and the user does not need to remember it, so a very complex password combination can be chosen, which makes it harder to crack and also greatly improves the user experience.
Second embodiment
FIG. 4 is a structural diagram of the password security system for a mobile device according to the second embodiment of the present invention.
As shown in FIG. 4, the password security system for a mobile device of the second embodiment of the present invention includes a smartphone 600 and a wearable device 700. The smartphone 600 includes a TEEI (Trusted Execution Environment Integration) area 610 and an Android area 620. In the first embodiment, the TEEI area 610 corresponds to the security device described above, the Android area 620 corresponds to the first mobile device described above, and the wearable device 700 corresponds to the second mobile device described above.
The TEEI area 610 comprises:
a trusted interaction interface module 611, for obtaining the original password entered by the user;
a trusted storage module 612, for storing the original password;
an encryption/decryption module 613, which in the password generation phase generates the password ciphertext from the original password, and in the password verification phase decrypts and verifies the password ciphertext extracted from the barcode generation module 414;
a barcode generation module 614, which in the password generation phase generates a barcode from the password ciphertext, and in the password verification phase extracts the password ciphertext from the wearable device 700;
a first information receiving module 615, for exchanging data between the TEEI area 610 and the Android area 620 and/or between the TEEI area 610 and the wearable device 700.
The Android area 620 comprises:
a camera 621, for reading the password ciphertext displayed by the barcode display module 712;
a second information receiving module 622, for exchanging data between the Android area 620 and the TEEI area 610 and/or the wearable device 700.
The wearable device 700 comprises:
a storage module 711, which in the password generation phase stores the password ciphertext sent from the TEEI area 610;
a barcode display module 712, which in the password verification phase displays the password ciphertext stored by the storage module 711.
Data transfer between the TEEI area 610 and the wearable device 700 is carried out by contactless communication, for example NFC or Bluetooth.
In the second embodiment, the TEEI area 610 in the smartphone serves as the security platform that supports password processing, which ensures the security of the password generation process, and the wearable device 700 stores the password, which spares the user from having to remember it.
The password generation process and usage process of the second embodiment are the same as those of the first embodiment described above.
In addition, the first embodiment uses a two-dimensional code and the second embodiment uses a barcode. Here the two-dimensional code or barcode is only a form in which the password ciphertext is presented; it suffices that the security device and the first mobile device agree on this form of presentation. From this point of view, any presentation method capable of representing text, digits and similar information will do, and even displaying the password ciphertext digits directly is possible.
Third embodiment
As the first and second embodiments above show, the improvement in password protection in the present invention lies mainly in using an additional mobile smart device in place of the human brain for password input, freeing the password from the overly uniform and fixed input patterns caused by the mismatch in computing power between the human brain and smart devices.
On this basis, the inventors further found that if the encrypted password is made to change dynamically, so that the encrypted ciphertext produced by the wearable device is dynamically generated each time, the risk of it being copied can be excluded more effectively.
Based on this transformation mechanism, the third embodiment of the present invention applies such a scheme to user login protection for existing cardless payment. It can solve the problem that, in existing cardless payment, the login password is easily stolen when the user logs in, improving the security of the login process while also improving the user experience.
FIG. 5 is a structural diagram of the password security system for a mobile device according to the third embodiment of the present invention.
As shown in FIG. 5, the password security system for a mobile device of the third embodiment of the present invention includes: a backend system 800, a smartphone 900 and a wearable device 920.
The backend system 800 comprises:
a first counter 811, which generates a count value and counts the number of times count values are compared;
a public/private key generation unit 812, for generating a public key and a private key;
an encryption/decryption module 813, which in the password generation phase obtains the user password, encrypts the user password, the count value generated by the above counter and the public key generated by the above public/private key generation unit together to generate a password ciphertext, and sends it to the password processing unit 912 of the smartphone 900; and which in the password verification phase parses the count value out of the second password ciphertext (described below) sent from the smartphone 900, compares the parsed count value with the count value stored by the first counter 811, and performs password verification on the second password ciphertext only if the count value comparison passes;
a first network security channel 814, for data transmission between the backend system 800 and the smartphone 900.
The smartphone 900 comprises:
a second counter 911, which stores the count value from the backend system 800;
a password processing unit 912, which in the password generation phase receives the first password ciphertext transmitted from the encryption/decryption module of the backend system 800 and transmits the first password ciphertext and the public key to the wearable device 900, and which in the password verification phase sends the count value stored by the second counter 911 to the wearable device 900, receives the second password ciphertext (described below) returned from the wearable device 920, and sends the second password ciphertext (optionally together with the user name) to the backend system 800;
a second network security channel 913, for data transmission between the backend system 800 and the smartphone 900 (in practice the second network security channel 913 and the first network security channel 814 are a single bidirectional secure transmission channel);
The wearable device 920 comprises:
a storage module 921, which in the password generation phase stores the password ciphertext and the public key sent from the smartphone 900; and
an encryption/decryption module 922, which in the password verification phase generates the second password ciphertext from the count value sent by the password processing unit 912 of the smartphone 900 together with the password ciphertext and public key already stored in the storage module 921.
The secure password input method implemented with the password security system for a mobile device of the third embodiment is similar to the embodiments above, and likewise has two processes: a password setting process and a user login process.
The password setting flow is:
(1) When the user registers using the smartphone 900, after the user name and login password are entered on the website, the encryption/decryption module 813 of the backend system 800 generates the first password ciphertext from the password based on a key, and the first counter 811 of the backend system 800 randomly generates a count value; the count value, the public key and the first password ciphertext are combined into one piece of data and transmitted through the first network security channel 814 and the second network security channel 913 to the password processing unit 912 of the smartphone 900;
(2) After receiving the data, the password processing unit 912 stores the count value in the second counter 911, then prompts the user, by a prompt tone or similar means, to bring the wearable device 920 close to the smartphone 900, and transfers the public key and first password ciphertext received from the backend system 800 to the storage module 921 of the wearable device 900 via NFC or another contactless method, where they are stored.
The user login flow is:
(1) When the user logs in on the smartphone 900 and has to enter the password, the user is prompted, by a prompt tone or similar means, to bring the wearable device 920 close to the smartphone 900, and the password processing unit 912 sends the count value of the second counter 911 to the encryption/decryption module 912 of the wearable device 900 via NFC or another contactless method;
(2) The encryption/decryption module 912 of the wearable device 900 generates a new password ciphertext, namely the second password ciphertext, based on the previously saved public key and the received count value, and then transmits it back to the password processing unit 912 of the smartphone 900 via NFC or another contactless method; at this point the password processing unit 912 increments the count value of the second counter 911 by 1 and indicates, by a prompt tone or similar means, that password entry is complete;
(3) The login application obtains the second password ciphertext through the password processing unit 913 and transmits it, together with the user name, to the backend system 800 through the second network security channel 913 and the first network security channel 814;
(4) The backend system 800 parses the second password ciphertext using the private key of the public/private key generation unit 812 and compares the extracted count value with the count value of the first counter of the backend system 800; whether or not the comparison succeeds, the backend counter is incremented by 1. After the comparison passes, the extracted second password ciphertext is decrypted to verify the password; once password verification passes, the user identity login process is complete.
In this process, the user only has to bring the wearable device 920 close to the smartphone 900 to complete the login, which is simple and easy to use. In terms of security, because the password ciphertext produced by the wearable device 920 is dynamically generated each time, it is valid only once and cannot be copied and reused. In addition, if the wearable device 920 is lost, a thief cannot obtain the actual password because what is stored is the password ciphertext; and the thief's own phone, lacking the count value, cannot work with the wearable device 920 to pass the identity verification of the backend system 900. Likewise, if the user's smartphone 900 is lost, the backend cannot be made to complete the user's identity verification because the password ciphertext on the wearable device 900 is missing. Furthermore, since everything is in ciphertext form during network transmission, a thief cannot obtain the password by network eavesdropping, cracking or similar means. All of this greatly improves the security of the user password and strengthens the protection of user identity login. Of course, if the user wants to keep using the scheme after losing a device, the user can, through other security mechanisms, interact with the backend to synchronize the counter or regenerate a password ciphertext; this is not described in detail here.
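The registration and login exchange of the third embodiment, worked through end to end as an added Python example (not code from the patent). The patent names neither the public-key algorithm nor the message layout, so textbook RSA over a toy modulus, a SHA-256 keystream standing in for the symmetric cipher, the 8-byte counter prefix, and the names `Backend`, `Phone`, `Wearable` and `demo` are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: toy RSA key built from two Mersenne primes so the demo needs no
# third-party library. Trivially factorable: illustration only, never a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the backend


def keystream_xor(key, nonce, data):
    """SHA-256 counter-mode XOR; stand-in for the symmetric cipher (assumption)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_encrypt(payload, public_key):
    n, e = public_key
    m = int.from_bytes(b"\x01" + payload, "big")  # 0x01 preserves leading zeros
    if m >= n:
        raise ValueError("payload too long for the toy modulus")
    return pow(m, e, n)


def rsa_decrypt(cipher_int):
    m = pow(cipher_int, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


class Backend:
    def __init__(self):
        self.sym_key = secrets.token_bytes(32)
        self.users = {}  # username -> salt, password hash, first counter

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        counter = secrets.randbelow(2**32)  # random start value, setting step (1)
        self.users[username] = {"salt": salt, "hash": pw_hash, "counter": counter}
        nonce = secrets.token_bytes(8)
        first_ct = nonce + keystream_xor(self.sym_key, nonce, password.encode())
        return counter, (N, E), first_ct

    def login(self, username, second_ct):
        user = self.users.get(username)
        if user is None:
            return False
        expected = user["counter"]
        user["counter"] += 1  # advanced whether or not the comparison passes
        payload = rsa_decrypt(second_ct)
        if len(payload) < 16 or int.from_bytes(payload[:8], "big") != expected:
            return False  # stale or missing counter: password is not examined
        nonce, body = payload[8:16], payload[16:]
        password = keystream_xor(self.sym_key, nonce, body)
        candidate = hashlib.pbkdf2_hmac("sha256", password, user["salt"], 100_000)
        return hmac.compare_digest(candidate, user["hash"])


class Wearable:
    def store(self, public_key, first_ct):
        self.public_key, self.first_ct = public_key, first_ct

    def second_ciphertext(self, counter):
        # Assumed layout: 8-byte counter followed by the stored first ciphertext.
        payload = counter.to_bytes(8, "big") + self.first_ct
        return rsa_encrypt(payload, self.public_key)


class Phone:
    def __init__(self, wearable):
        self.wearable, self.counter = wearable, None

    def enroll(self, counter, public_key, first_ct):
        self.counter = counter  # second counter
        self.wearable.store(public_key, first_ct)

    def password_entry(self):
        second_ct = self.wearable.second_ciphertext(self.counter)
        self.counter += 1  # login step (2)
        return second_ct


def demo():
    """Constructed run: one login, a replay of it, then the next real login."""
    backend, watch = Backend(), Wearable()
    phone = Phone(watch)
    phone.enroll(*backend.register("alice", "S3cure-Pass!"))
    captured = phone.password_entry()
    first = backend.login("alice", captured)   # counters agree
    replay = backend.login("alice", captured)  # same ciphertext, stale counter
    after = backend.login("alice", phone.password_entry())
    return first, replay, after


if __name__ == "__main__":
    print(demo())
```

The third result is rejected because the backend advances its counter on the refused replay while the phone does not, so with strict equality the two counters stay out of step until they are resynchronized, which the description leaves unspecified.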
In summary, the password security system for a mobile device and the secure password input method for a mobile device of the present invention use another mobile device, for example a wearable device, in place of the human brain to store the password, so the password does not have to be remembered. A very complex password combination can therefore be set, which makes the password harder to crack and greatly improves the user experience. Moreover, the password is always transmitted in ciphertext form, which effectively prevents malicious theft and improves the security of password use.
The above examples mainly describe the password security system for a mobile device and the secure password input method for a mobile device of the present invention. Although only some specific embodiments of the present invention have been described, those of ordinary skill in the art should understand that the present invention may be implemented in many other forms without departing from its spirit and scope. The examples and embodiments shown are therefore to be regarded as illustrative rather than restrictive, and the present invention may cover various modifications and substitutions without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (17)

  1. A password security system for a mobile device, characterized by comprising:
    a security device, which in the password generation phase obtains a password, generates a password ciphertext from it and transmits the ciphertext to the first mobile device described below, and in the password verification phase verifies the password ciphertext sent from the first mobile device described below;
    a first mobile device, which in the password generation phase receives the generated password ciphertext from the security device and transmits it to the second mobile device described below, and in the password verification phase reads the password ciphertext from the second mobile device described below and sends it to the security device;
    a second mobile device, which in the password generation phase stores the password ciphertext received from the first mobile device, and in the password verification phase provides the stored password ciphertext to the first mobile device.
  2. The password security system for a mobile device according to claim 1, characterized in that
    the security device is configured as part of the first mobile device.
  3. The password security system for a mobile device according to claim 1, characterized in that
    the security device is a cloud device or a secure element.
  4. The password security system for a mobile device according to any one of claims 1 to 3, characterized in that
    the first mobile device is a smartphone or a tablet computer, and the second mobile device is a wearable device.
  5. A password security system for a mobile device, characterized by comprising:
    a security device, which in the password generation phase obtains a password, generates a password ciphertext from it and transmits the ciphertext to the second mobile device described below, and in the password verification phase verifies the password ciphertext sent from the first mobile device described below;
    a first mobile device, which in the password verification phase reads the password ciphertext from the second mobile device described below and sends it to the security device;
    a second mobile device, which in the password generation phase stores the password ciphertext received from the security device, and in the password verification phase provides the stored password ciphertext to the first mobile device.
  6. The password security system for a mobile device according to claim 5, characterized in that
    the security device is configured as part of the first mobile device.
  7. The password security system for a mobile device according to claim 6, characterized in that
    the security device comprises:
    an interaction interface module, for obtaining the original password entered by the user;
    a trusted storage module, for storing the original password;
    an encryption/decryption module, which in the password generation phase generates the password ciphertext from the original password, and in the password verification phase decrypts and verifies the password ciphertext extracted from the password data generation module described below;
    a password data generation module, which in the password generation phase generates password data from the password ciphertext, and in the password verification phase extracts the password ciphertext from the password data coming from the second mobile device described below;
    a first information receiving module, for exchanging data between the security device and the first mobile device and/or between the security device and the second mobile device,
    the second mobile device comprises:
    a storage module, which in the password generation phase stores the password data sent from the security module;
    a password data display module, which in the password verification phase displays the password data stored by the storage module,
    the first mobile device comprises:
    a password data reading module, for reading the password data displayed by the password data display module;
    a second information receiving module, for exchanging data between the first mobile device and the security device and/or between the first mobile device and the second mobile device.
  8. The password security system for a mobile device according to claim 7, characterized in that
    the password data generation module is a two-dimensional code generation module,
    the two-dimensional code generation module in the password generation phase generates a two-dimensional code from the password ciphertext, and in the password verification phase extracts the two-dimensional code from the password data coming from the second mobile device,
    the password data display module is a two-dimensional code display module,
    the two-dimensional code display module in the password verification phase displays the two-dimensional code that is the password data stored by the storage module,
    the password data reading module is a camera, and the camera is used to read the two-dimensional code displayed by the two-dimensional code display module.
  9. The password security system for a mobile device according to claim 7, characterized in that the password data generation module is a barcode generation module,
    the barcode generation module in the password generation phase generates a barcode from the password ciphertext, and in the password verification phase extracts the barcode from the password data coming from the second mobile device,
    the password data display module is a barcode display module,
    the barcode display module in the password verification phase displays the barcode that is the password data stored by the storage module,
    the password data reading module is a camera, and the camera is used to read the barcode displayed by the barcode display module.
  10. The password security system for a mobile device according to any one of claims 5 to 9, characterized in that
    the first mobile device is a smartphone or a tablet computer, and the second mobile device is a wearable device,
    the security device is provided in the TEEI of the smartphone as part of the smartphone.
  11. The password security system for a mobile device according to claim 10, characterized in that
    data transfer between the security device and the second mobile device is carried out by contactless communication.
  12. A secure password input method for a mobile device, the method being implemented using a security device, a first mobile device and a second mobile device, characterized by comprising the following steps:
    a password generation step, in which the security device obtains a password, encrypts it to generate a password ciphertext, and transmits the ciphertext to the second mobile device through the first mobile device or directly to the second mobile device;
    a password storage step, in which the second mobile device stores the password ciphertext;
    a password input step, in which, when the user needs to enter the password, the second mobile device presents the password ciphertext to the first mobile device, and the first mobile device obtains the password ciphertext and sends it to the security device;
    a password verification step, in which the security device decrypts the password ciphertext sent from the first mobile device and verifies the decrypted password.
  13. The secure password input method for a mobile device according to claim 12, characterized in that
    data transfer between the security device and the second mobile device is carried out by contactless communication.
  14. The secure password input method for a mobile device according to claim 12, characterized in that
    the password ciphertext takes the form of a two-dimensional code or a barcode.
  15. A password security system for a mobile device, characterized by comprising: a backend system, a first mobile device and a second mobile device,
    wherein the backend system comprises:
    a first counter for generating a count value and counting the number of count-value comparisons;
    a public/private key generation unit for generating a public key and a private key;
    an encryption/decryption module which, in the password generation phase, obtains the user password, encrypts the user password together with the count value generated by the first counter and the public key generated by the public/private key generation unit to generate a password ciphertext, and sends it to the first mobile device, and which, in the password verification phase, parses the count value out of the second password ciphertext (described below) sent from the first mobile device, compares the parsed count value with the count value stored by the first counter, and performs password verification on the second password ciphertext only if the count-value comparison passes;
    a first secure network channel for data transmission between the backend system and the first mobile device,
    the first mobile device comprises:
    a second counter storing the count value from the backend system;
    a password processing unit which, in the password generation phase, receives the first password ciphertext transmitted from the backend system and transmits the first password ciphertext and the public key to the second mobile device, and which, in the password verification phase, sends the count value stored in the second counter to the second mobile device, receives the second password ciphertext (described below) returned from the second mobile device, and sends the second password ciphertext to the backend system;
    a second secure network channel for data transmission between the backend system and the first mobile device;
    the second mobile device comprises:
    a storage module for storing, in the password generation phase, the password ciphertext and the public key sent from the first mobile device; and
    an encryption/decryption module which, in the password verification phase, generates the second password ciphertext from the count value sent from the first mobile device together with the password ciphertext and public key already stored in the storage module.
  16. The password security system for a mobile device according to claim 15, characterized in that
    the first mobile device is a smartphone or a tablet computer, and the second mobile device is a wearable device.
  17. The password security system for a mobile device according to claim 16, characterized in that
    the first mobile device and the second mobile device communicate in a contactless manner.
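The counter check of claim 15, as an added example that is not taken from the patent: the backend compares the counter parsed from the second password ciphertext with its own before looking at the password, so a captured second ciphertext fails when resent. Assumptions: textbook RSA over fixed primes stands in for the key pair, the first ciphertext is a simple XOR under a backend-only pad (without the counter and public key the claim also folds in), the counter occupies the bits above a 128-bit first ciphertext, and the backend advances its counter on every comparison and resyncs the phone over the secure channel.

```python
import hashlib, hmac, secrets

# Textbook RSA over two Mersenne primes: an unpadded toy stand-in (assumption)
# for the claimed public/private key pair. Illustration only, not secure.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

class Backend:
    def __init__(self):
        self.counter = 1                      # first counter
        self.pad = secrets.token_bytes(16)    # backend-only key for the first ciphertext
        self.pw_hash = b""

    def enroll(self, password: bytes):
        """Password generation phase: returns first ciphertext, counter, public key."""
        self.pw_hash = hashlib.sha256(password).digest()
        c1 = bytes(a ^ b for a, b in zip(password.ljust(16, b"\0"), self.pad))
        return c1, self.counter, (E, N)

    def verify(self, c2: int) -> bool:
        """Password verification phase: counter check first, password check second."""
        m = pow(c2, D, N)
        expected, self.counter = self.counter, self.counter + 1  # one comparison consumed
        if m >> 160 or (m >> 128) != expected:
            return False                      # stale or malformed: password never examined
        c1 = (m & (2**128 - 1)).to_bytes(16, "big")
        password = bytes(a ^ b for a, b in zip(c1, self.pad)).rstrip(b"\0")
        return hmac.compare_digest(hashlib.sha256(password).digest(), self.pw_hash)

def wearable_second_ciphertext(c1: bytes, counter: int, pub) -> int:
    """Second mobile device: bind the phone's counter to the stored first ciphertext."""
    e, n = pub
    return pow((counter << 128) | int.from_bytes(c1, "big"), e, n)

def demo():
    backend = Backend()
    c1, phone_counter, pub = backend.enroll(b"493817")   # constructed sample PIN
    c2 = wearable_second_ciphertext(c1, phone_counter, pub)
    first = backend.verify(c2)                # fresh counter: accepted
    replay = backend.verify(c2)               # captured c2 resent: counter is stale
    phone_counter = backend.counter           # assumed resync over the secure channel
    fresh = backend.verify(wearable_second_ciphertext(c1, phone_counter, pub))
    return first, replay, fresh
```

The wearable needs only the public key and the stored first ciphertext, so neither it nor the phone ever holds the plaintext password.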
PCT/CN2016/098824 2015-09-24 2016-09-13 Password security system adopted by mobile apparatus and secure password entering method thereof WO2017050152A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510616410.3 2015-09-24
CN201510616410.3A CN105592056A (en) 2015-09-24 2015-09-24 Password safety system for mobile device and password safety input method thereof

Publications (1)

Publication Number Publication Date
WO2017050152A1 true WO2017050152A1 (en) 2017-03-30

Family

ID=55931273

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/098824 WO2017050152A1 (en) 2015-09-24 2016-09-13 Password security system adopted by mobile apparatus and secure password entering method thereof

Country Status (2)

Country Link
CN (1) CN105592056A (en)
WO (1) WO2017050152A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592056A (en) * 2015-09-24 2016-05-18 中国银联股份有限公司 Password safety system for mobile device and password safety input method thereof
CN106066965B (en) * 2016-05-30 2020-03-17 宇龙计算机通信科技(深圳)有限公司 Encryption method, encryption device and encryption system
CN108062467A (en) * 2017-12-16 2018-05-22 深圳市飞马国际供应链股份有限公司 Quick verification method, equipment and system based on bluetooth
CN111159696A (en) * 2019-12-31 2020-05-15 中国银行股份有限公司 Password storage and checking method, system and password management system
CN113792276A (en) * 2021-11-11 2021-12-14 麒麟软件有限公司 Operating system user identity authentication method and system based on dual-architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101997678A (en) * 2010-11-18 2011-03-30 东莞宇龙通信科技有限公司 Password acquisition method and terminal
CN103237305A (en) * 2013-03-27 2013-08-07 公安部第三研究所 Password protection method for smart card on mobile terminals
CN104092550A (en) * 2014-07-23 2014-10-08 三星电子(中国)研发中心 Password protection method, system and device
CN204046622U (en) * 2014-06-09 2014-12-24 北京石盾科技有限公司 A kind of cipher key storage device
CN105592056A (en) * 2015-09-24 2016-05-18 中国银联股份有限公司 Password safety system for mobile device and password safety input method thereof

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102054146A (en) * 2009-11-06 2011-05-11 深圳市研祥通讯终端技术有限公司 Power on password protection method and device
CN103049686A (en) * 2011-10-11 2013-04-17 镇江精英软件科技有限公司 Method for verifying information of database and user through universal serial bus (Usb) key
CN104484596B (en) * 2015-01-07 2018-02-13 宇龙计算机通信科技(深圳)有限公司 The method and terminal of password are created in multiple operating system
CN104834863A (en) * 2015-03-31 2015-08-12 努比亚技术有限公司 Wi-Fi password storage method and apparatus
CN104883686A (en) * 2015-05-28 2015-09-02 中国工商银行股份有限公司 Mobile terminal safety certificate method, device, system and wearable equipment

Also Published As

Publication number Publication date
CN105592056A (en) 2016-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16848034

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16848034

Country of ref document: EP

Kind code of ref document: A1