WO2019080109A1 - Terminal random number generation method and system - Google Patents

Terminal random number generation method and system

Info

Publication number
WO2019080109A1
WO2019080109A1 PCT/CN2017/108072 CN2017108072W WO2019080109A1 WO 2019080109 A1 WO2019080109 A1 WO 2019080109A1 CN 2017108072 W CN2017108072 W CN 2017108072W WO 2019080109 A1 WO2019080109 A1 WO 2019080109A1
Authority
WO
WIPO (PCT)
Prior art keywords
random number
terminal
true
generating
generator
Prior art date
Application number
PCT/CN2017/108072
Other languages
French (fr)
Chinese (zh)
Inventor
彭波涛
Original Assignee
福建联迪商用设备有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 福建联迪商用设备有限公司 filed Critical 福建联迪商用设备有限公司
Priority to CN201780001454.2A priority Critical patent/CN107980135B/en
Priority to PCT/CN2017/108072 priority patent/WO2019080109A1/en
Publication of WO2019080109A1 publication Critical patent/WO2019080109A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58Random or pseudo-random number generators
    • G06F7/588Random number generators, i.e. based on natural stochastic processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the present invention relates to the field of terminal security, and in particular, to a method and system for generating a random number of a terminal.
  • Random numbers such as: 1. For generating a key pair, according to the key management specification, random number generation must be used to ensure that the content of the key is unpredictable and undetectable; The process for encrypting data fills the data, ensuring the same data to be encrypted, and the result of each encryption is different, thereby preventing replay attacks; 3. For the identity authentication system, using the random number as a challenge factor to send to The other party to the communication asks the other party to return the correct response. The role of random numbers is to ensure that the problem with each challenge is "random".
  • Common random number generators include two types: a pseudo random number generator and a hardware random number generator.
  • the pseudo random number generator is implemented by a software-only algorithm. According to the input random number seed, a random number sequence is generated according to a certain generation rule.
  • the algorithm of this random number generator is usually fixed, such as the pseudo-random number function that comes with the standard C library. If the seed is fixed, the generated random number sequence is also fixed.
  • Hardware random number generator (English: hardware random number generator), also known as True Random Number Generator (TRNG) is a device that generates random numbers through physical processes rather than computer programs. Such devices are typically based on microscopic phenomena that produce low-level, statistically random "noise” signals such as thermodynamic noise, photoelectric effects, and quantum phenomena. These physical processes are theoretically completely unpredictable and have been confirmed by experiments. By repeatedly sampling these random signals, a series of random numbers are generated.
  • TRNG True Random Number Generator
  • a pseudo-random number generator since the algorithm and sequence for generating a random number are fixed, so as long as the first random number seed can be obtained, theoretically, all subsequent generations can be derived.
  • the random number sequence so the "unpredictable” nature of the subsequently generated random number cannot be satisfied. And to ensure The "unpredictability" of random seed seeds requires the use of random numbers as seeds, thus forming the paradox of "chicken or egg first.”
  • pseudo-random numbers are usually applied to situations where security requirements are not particularly strict, and a seed is randomly set by software (for example, the system is used as a seed), but the seed can be analyzed. For devices with high security requirements such as financial POS terminals, the requirements cannot be met.
  • the hardware random number generator is not stable enough to ensure that the random number generated each time is sufficiently random, because random signals such as natural noise are not always always random. In order to ensure that a sufficiently stable random signal is collected, it is often necessary to down-convert the CPU to achieve a random number, which will affect the speed of the terminal.
  • the technical problem to be solved by the present invention is to provide a method and system for generating a random number of a terminal to ensure unpredictability and randomness of the generated random number.
  • a method for generating a terminal random number includes:
  • the terminal generates a random number sequence by using a pseudo random number generator with the received true random number as a random number seed.
  • a system for generating a random number of a terminal comprising a hardware random number generator, a secure transmission module, and a final mountain
  • the hardware random number generator is configured to generate a true random number
  • the security transmission module is configured to securely transmit the true random number to the terminal
  • the terminal includes: [0023] a pseudo random number generator, configured to generate a random number sequence by using the received true random number as a random number seed.
  • the present invention has the following advantages:
  • the present invention generates a true random number by an external hardware random number generator, and transmits it to the terminal securely, and the terminal uses the pseudo random number generator as a random number seed to distribute a large number of random numbers. Number, to meet the needs of everyday applications.
  • the terminal uses the above method to generate a random number sequence. For the terminal manufacturer, it is not necessary to have a hardware random number generator in each terminal. In total, only one hardware random number generator can be configured to meet the requirements, thereby greatly reducing the cost of the terminal.
  • Peer using a random number as the random number seed of the terminal, can ensure the unpredictability of the random number seed and the random number sequence generated by the terminal according to this; further, the secure communication technology is used to realize the secure injection of the random number seed, Ensure that the random number seed of each terminal is unpredictable and undetectable, thus significantly improving the security of the random number seed.
  • the invention has high practicability in a terminal system with high safety requirements.
  • FIG. 1 is a schematic flow chart of a method for generating a random number of a terminal according to the present invention
  • FIG. 2 is a general block diagram of a random number generation system of the present invention
  • FIG. 3 is a schematic flow chart of a method according to Embodiment 1 of the present invention.
  • FIG. 4 is a schematic flowchart of a specific implementation of a random number secure transmission according to Embodiment 1 of the present invention
  • FIG. 5 is a schematic flowchart of a specific manner for a terminal to generate a large number of random numbers according to Embodiment 2 of the present invention
  • FIG. 6 is a schematic diagram of interaction between modules of a random number generating system according to Embodiment 4 of the present invention.
  • the most critical idea of the present invention is: generating a true random number by an external hardware random number generator, and arranging it The whole transmission is transmitted to the terminal, and the terminal uses the pseudo random number generator as a random number seed to disperse a large number of random numbers.
  • the invention has the advantages of significantly reducing the terminal cost and ensuring that the random number meets the requirements of unpredictability and randomness.
  • the present invention provides a method for generating a random number of a terminal, including:
  • the terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed
  • the securely transmitting the true random number to the terminal storage is specifically:
  • the terminal downloads and obtains the encrypted true random number
  • the terminal decrypts the encrypted true random number to obtain the true random number.
  • transmission to the terminal by means of encrypted communication ensures the security and unpredictability of the random number seed in the terminal.
  • the securely transmitting the true random number to the terminal is specifically:
  • the corresponding true random number is downloaded to the terminal through the encrypted communication method.
  • the true random number is obtained in a secure controlled environment before the terminal leaves the factory, and the opportunity for stealing illegal molecules is not provided, thereby further ensuring the security and unpredictability of the random number seed.
  • the cost of the built-in hardware random number generator module is required for each terminal, and only one set of hardware random number generators is dedicated to generate random number seeds for all terminals. That is, thus greatly reducing the hardware cost and maintenance cost of the terminal.
  • the true random number is an initial random number seed of the terminal
  • the method further includes:
  • the self-feedback mode is adopted, and a random number is generated in the terminal, and a random number of a preset number of bytes is selected from the first generated random number sequence as a new seed for generating the next random number, so that Constant self-feedback can make the process of generating the entire random number more random and unpredictable.
  • the number of bytes of the random number sequence generated by the terminal according to the true random number is greater than or equal to the preset number of bytes.
  • the preset number of bytes is 8 bytes.
  • the method further includes:
  • the hardware random number generator and the terminal acquire and store the transmission protection key in a secure controlled environment
  • the hardware random number generator uses the transmission protection key to encrypt the generated true random number in the plaintext form to obtain a true random number in the form of a ciphertext.
  • the terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed, which is specifically:
  • the terminal receives the true random number in the form of cipher text
  • the terminal decrypts the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
  • the terminal generates a random number sequence by using a pseudo random number generator with the true random number in the plaintext form as a random number seed.
  • the encrypted communication technology is used to implement the injection of the random number seed security to the terminal, ensuring that the random number seed of each terminal is unpredictable and undetectable, and the security of the random number seed is ensured.
  • the terminal is a financial POS terminal.
  • the present invention has a good application in a financial POS terminal having a high security level requirement.
  • the invention cleverly utilizes a combination of "soft” and “hard” to generate random numbers, which overcomes the disadvantages of the existing pseudo random number generator and the hardware random number generator, and is embodied in: [0071] (1) Since the random number seed is derived from an external hardware random number generator, and the communication process is encrypted, the "unpredictable” characteristic is satisfied, and the seed can be detected in the pseudo random number generator. The problem;
  • a self-feedback mode is employed. After the terminal generates a random number sequence, an 8-byte random number is selected from the newly generated random number sequence (if the newly generated random number sequence is less than 8 bytes, at least an 8-byte random number sequence is generated, and the required part is needed. Provided to the user) as a new seed for the next random number, so that continuous self-feedback can make the whole random number generation process more random and unpredictable.
  • the 128M bit random number sequence generated by the terminal is collected by the terminal, and analyzed and tested by an internationally dedicated random number analysis tool (for example, NIST STS-1.8 tool). The test passed, thus demonstrating the validity of the random number generator.
  • an internationally dedicated random number analysis tool for example, NIST STS-1.8 tool.
  • a system for generating a terminal random number comprising a hardware random number generator, a security transmission module, and a terminal mountain
  • the hardware random number generator is configured to generate a true random number
  • the security transmission module is configured to securely transmit the true random number to the terminal
  • the terminal includes:
  • a pseudo random number generator configured to generate a random number sequence by using the received true random number as a random number seed.
  • the security transmission module includes:
  • an encryption unit located in the hardware random number generator, configured to encrypt the true random number
  • a download unit located in the terminal, configured to download, by the terminal, the encrypted true random number
  • a decryption unit located at the terminal, configured to decrypt the encrypted true random number by the terminal, to obtain the true random number
  • the security transmission module is specifically configured to download a corresponding true random number to the terminal by using an encrypted communication method before the terminal leaves the factory.
  • the number of the terminals is two or more;
  • the hardware random number generator is specifically configured to generate a corresponding number of true random numbers by a hardware random number generator according to the number of terminals, and uniquely correspond to each terminal.
  • the true random number generated by the hardware random number generator is an initial random number seed of the terminal; [0090] the terminal further includes:
  • an intercepting module configured to intercept a random number of a preset number of bytes from the random number sequence as a new random number seed
  • the pseudo random number generator is further configured to generate a new random number sequence according to the new random number seed.
  • the pseudo random number generator is specifically configured to generate a random number sequence whose number of bytes is greater than or equal to the preset number of bytes according to the true random number.
  • the preset number of bytes is 8 bytes.
  • the hardware random number generator is further configured to acquire and store a transmission protection key in a secure controlled environment, and encrypt the generated true random number in a plaintext form by using the transmission protection key. Obtaining a true random number in cipher text form;
  • the terminal is further configured to acquire and store a transmission protection key in a secure controlled environment.
  • the terminal further includes:
  • a receiving module configured to receive a true random number in a cipher text form
  • a decryption module configured to decrypt the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form
  • the pseudo random number generator is specifically configured to generate a random number sequence by using a true random number in the plaintext form as a random number seed.
  • the terminal is a financial POS terminal.
  • this embodiment provides a method for generating a random number of a terminal, which is applicable to security, etc.
  • Terminals with higher requirements such as financial POS terminals, are used to ensure the unpredictability of random numbers generated by terminals.
  • This embodiment uses a terminal as a financial POS terminal as an example for description.
  • the method of this embodiment is implemented based on an external hardware random number generator and a plurality of POS terminals. Specifically, including:
  • S1 A true random number is generated by an external hardware random number generator.
  • the number of corresponding terminals is generated by the hardware random number generator to generate a unique corresponding random number seed for each POS terminal as the initial random number seed.
  • a POS terminal only needs one initial random number seed, and the number is small, and the daytime is also loose. Therefore, the hardware random number generator is preferably down-converted to acquire a sufficiently random signal as the initial random number seed of the POS terminal, thereby ensuring the high randomness of the initial random number seed.
  • the external hardware random number generator generates more than two true random numbers at a time to satisfy the batch.
  • the demand of the POS terminal improves the efficiency of assigning a random number seed to the terminal.
  • S2 Securely transmitting the true random number to the terminal.
  • the true random number generated by the hardware random number generator is transmitted to the POS terminal by using an encrypted communication method to ensure that the initial random number seed of the POS terminal is unpredictable and undetectable, and the security of the initial random number seed is ensured. .
  • S21 The hardware random number generator and the terminal acquire and securely store the transmission protection key in a secure controlled environment.
  • the same transmission protection key Kp conforming to the TDES (Triple Data Encryption Standard) requirement is set between the hardware random number generator and the target POS terminal.
  • the POS of some banks needs to use a parent POS to download the key required for the payment transaction to the target POS (the terminal of this embodiment) in a secure controlled environment. At this time, it can be used to encrypt the initial.
  • the TDES transport protection key Kp of the random number seed is downloaded and downloaded to ensure the high security and reliability of the encrypted random number seed key.
  • S22 The hardware random number generator uses the transmission protection key to encrypt the generated true random number in the plaintext form to obtain a true random number in the ciphertext form.
  • T DES transmission protection key Kp is used, and the TDES encryption algorithm is used, and the true random number in the plaintext form is used.
  • the ciphertext C is securely downloaded, and is stored securely.
  • S3 The terminal generates a random number sequence by using a pseudo random number generator and using the received true random number as a random number seed.
  • the terminal After receiving the encrypted true random number, the terminal obtains a true random number through decryption processing.
  • S31 The terminal decrypts the true random number in the ciphertext form by using the pre-stored transmission protection key to obtain a true random number in a plaintext form.
  • the target POS after receiving the ciphertext C, uses the TDES transmission protection key Kp to decrypt the received ciphertext C by using the TDES decryption algorithm, and obtains the data P1 after decryption.
  • S32 The terminal generates a random number sequence by using a pseudo random number generator to use the true random number in the plaintext form as a random number seed.
  • the data P1 is used as the initial random number seed of the target POS, and a large number of random numbers are generated by a software algorithm to meet the requirements of the application.
  • the embodiment is further extended according to the first embodiment, and a specific manner of generating a large number of random numbers by the terminal is added.
  • step S32 of the first embodiment specifically includes:
  • S321 The terminal uses the true random number as the initial random number seed to generate a random number sequence.
  • the data P1 is used as an initial random number seed, and a corresponding random number sequence is generated by a software algorithm.
  • the total number of bytes of the generated random number sequence is greater than or equal to a preset byte, such as 8 bytes.
  • Preset byte Set the number of bytes required based on the random number seed.
  • S322 intercepting the random number of the preset number of bytes from the random number sequence as a new random number seed
  • S323 The terminal generates a new random number sequence according to the new random number seed by using a pseudo random number generator.
  • the first generated ⁇ uses the seed obtained from the external hardware random number generating device, and subsequently generates ⁇ directly intercepts 8 bytes from the last generated random number sequence as a new seed, and then The software algorithm is used for distributed processing to obtain the required batch random number sequence.
  • the software algorithm is used for distributed processing to obtain the required batch random number sequence.
  • This embodiment corresponds to the first embodiment, and provides a system for generating a random number of a terminal, including a hardware random number generator, a security transmission module, and a plurality of terminals.
  • a description will be given by taking a POS device whose terminal has a higher security level as an example.
  • the hardware random number generator is configured to generate a true random number; the true random number is an initial random number seed of the terminal;
  • the hardware random number generator is specifically configured to generate, according to the number of terminals, a corresponding number of true random numbers by a hardware random number generator to uniquely correspond to each terminal.
  • the hardware random number generator is further configured to acquire and store a transmission protection key in a secure controlled environment, and encrypt the generated true random number in a plaintext form by using the transmission protection key , obtaining a true random number in cipher text form;
  • the security transmission module is configured to securely transmit the true random number to the terminal
  • the security transmission module is specifically configured to download a corresponding true random number to the terminal by using an encrypted communication method before the terminal leaves the factory.
  • the security transmission module specifically includes:
  • an encryption unit located in the hardware random number generator, configured to encrypt the true random number
  • the download unit is located at the terminal, and is used for downloading and obtaining the encrypted true random number by the terminal;
  • the decryption unit is located at the terminal, and is configured to decrypt the encrypted true random number by the terminal, and obtain the true random number.
  • the terminal includes:
  • a pseudo random number generator configured to generate a random number sequence by using the received true random number as a random number seed;
  • the terminal is further configured to acquire and store the transmission in a secure controlled environment. Protection key
  • the terminal further includes:
  • a receiving module configured to receive a true random number in a cipher text form
  • a decryption module configured to decrypt the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form
  • the pseudo random number generator is specifically configured to generate a random number sequence by using a true random number in the plaintext form as a random number seed.
  • the pseudo random number generator is further configured to generate a new random number sequence according to the new random number seed.
  • a sequence of random numbers whose number of bytes is greater than or equal to the preset number of bytes is generated.
  • the preset number of bytes is 8 bytes.
  • the terminal further includes:
  • an intercepting module configured to intercept a random number of a preset number of bytes from the random number sequence as a new random number seed.
  • This embodiment provides a random number system corresponding to the first embodiment and the second embodiment.
  • the system includes an external hardware random number generating device and a plurality of POS terminals 2.
  • the entire random number generation system includes the following modules:
  • the device internally contains:
  • hardware random number generator 1 responsible for generating a random number seed by hardware and then transmitting it to the encryption module;
  • Encryption Module 3 The module is responsible for encrypting the random number seed to obtain an encrypted random number seed. Then transmitted to the communication module A 41 in the communication module 4;
  • Communication module A 41 This module is responsible for transmitting the encrypted random number seed to each POS terminal; [0168] 2. POS terminal
  • the terminal internally contains:
  • communication module B 42 the module is responsible for receiving the encrypted random number seed from the external random number generating device, and then transmitting the encrypted random seed to the POS terminal;
  • decryption module 5 The module is responsible for decrypting the encrypted random number seed obtained from the communication module B, and obtaining a random number seed plaintext;
  • pseudo random number generator 6 responsible for reading the externally written random number seed (first generated, using the seed obtained from the external random number generating device, and subsequently generated ⁇ directly from the last generated random number sequence Intercept 8 bytes as a new seed), and then use software algorithm to perform distributed processing to obtain the required batch random number sequence;
  • the random number sequence uses the module 7: This module is responsible for reading the batch random number sequence ⁇
  • the method and system for generating a random number of a terminal not only greatly reduce the hardware cost and maintenance cost of the random number generated by the terminal; but also ensure the random number seed and the random number generated by the terminal accordingly.
  • the unpredictability of the sequence further, the random number generation process uses the secure communication technology to realize the safe injection of the random number seed, which can ensure that the random number seed of each terminal is unpredictable and undetectable, and significantly improves the random number seed again.
  • Security Further, through the self-feedback mode, the process of generating the entire random number becomes more random and unpredictable, and finally the random number used by the terminal is highly random and unpredictable.
  • the invention has high practicability in a terminal system with high security requirements.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A terminal random number generation method and system. The method comprises: generate a true random number by means of a hardware random number generator; securely transmit the true random number to a terminal; and the terminal uses the received true random number as a random number seed to generate a random number sequence by means of a pseudo-random number generator. According to the method and system, the true random number is generated by an external hardware random number generator and is securely transmitted to the terminal, and the terminal uses the true random number as the random number seed to disperse lots of random numbers by means of the pseudo-random number generator. Therefore, the method significantly reduces terminal costs, and ensures that the random number meets the requirements of unpredictability and randomness.

Description

一种终端随机数发生的方法及系统 技术领域  Method and system for generating terminal random number
[0001] 本发明涉及终端安全领域, 具体说的是一种终端随机数发生的方法及系统。  [0001] The present invention relates to the field of terminal security, and in particular, to a method and system for generating a random number of a terminal.
背景技术  Background technique
[0002] 金融支付终端经常需要用到随机数, 比如: 1.用于生成密钥对, 按照密钥管理 规范必须采用随机数生成, 确保密钥的内容是不可预知和无法探测的; 2.用于加 密数据的过程对数据进行填充, 确保同样的待加密数据, 每次加密出来的结果 都不一样, 从而防止重放攻击; 3.用于身份认证系统, 使用随机数作为挑战因子 发送给通信的另一方, 要求另一方返回正确的应答。 随机数的作用是确保每次 挑战的问题是 "随机 "的。  [0002] Financial payment terminals often need to use random numbers, such as: 1. For generating a key pair, according to the key management specification, random number generation must be used to ensure that the content of the key is unpredictable and undetectable; The process for encrypting data fills the data, ensuring the same data to be encrypted, and the result of each encryption is different, thereby preventing replay attacks; 3. For the identity authentication system, using the random number as a challenge factor to send to The other party to the communication asks the other party to return the correct response. The role of random numbers is to ensure that the problem with each challenge is "random".
[0003] 常见的随机数发生器包含两种: 伪随机数发生器以及硬件随机数发生器。 [0003] Common random number generators include two types: a pseudo random number generator and a hardware random number generator.
[0004] 伪随机数发生器, 是通过一种纯软件的算法来实现的, 根据输入的随机数种子 , 按照一定的生成规则, 来产生随机数序列。 这种随机数发生器的算法通常是 固定的, 比如标准 C库自带的伪随机数函数, 如果种子固定, 则生成的随机数序 列也是固定的。 [0004] The pseudo random number generator is implemented by a software-only algorithm. According to the input random number seed, a random number sequence is generated according to a certain generation rule. The algorithm of this random number generator is usually fixed, such as the pseudo-random number function that comes with the standard C library. If the seed is fixed, the generated random number sequence is also fixed.
[0005] 硬件随机数发生器 (英语: hardware random number generator) , 也叫真随机 数生成器 (英语: True Random Number Generator, TRNG) 是一种通过物理过程 而不是计算机程序来生成随机数字的设备, 这样的设备通常是基于一些能生成 低等级、 统计学随机的 "噪声 "信号的微观现象, 如热力学噪声、 光电效应和量子 现象。 这些物理过程在理论上是完全不可预测的, 并且已经得到了实验的证实 。 通过重复采样这些随机的信号, 一系列的随机数得以生成。  [0005] Hardware random number generator (English: hardware random number generator), also known as True Random Number Generator (TRNG) is a device that generates random numbers through physical processes rather than computer programs. Such devices are typically based on microscopic phenomena that produce low-level, statistically random "noise" signals such as thermodynamic noise, photoelectric effects, and quantum phenomena. These physical processes are theoretically completely unpredictable and have been confirmed by experiments. By repeatedly sampling these random signals, a series of random numbers are generated.
[0006] 对于安全性要求较高的终端, 如金融 POS机来说, 无论采用伪随机数发生器还 是硬件随机数发生器来产生随机数, 都存在一定的缺陷, 体现在:  [0006] For terminals with higher security requirements, such as financial POS machines, whether using a pseudo-random number generator or a hardware random number generator to generate random numbers, there are certain defects, which are reflected in:
[0007] ( 1) 伪随机数发生器, 由于其产生随机数的算法和序列是固定不变的, 因此 只要能够获取到第一次的随机数种子, 则理论上可以推导出后续产生的所有随 机数序列, 因此后续生成的随机数"不可预知"的特性就无法满足了。 而为了确保 随机数种子的 "不可预知性", 则需要使用随机数来作为种子, 这样就形成了 "先 有鸡还是先有蛋"的悖论。 [0007] (1) A pseudo-random number generator, since the algorithm and sequence for generating a random number are fixed, so as long as the first random number seed can be obtained, theoretically, all subsequent generations can be derived. The random number sequence, so the "unpredictable" nature of the subsequently generated random number cannot be satisfied. And to ensure The "unpredictability" of random seed seeds requires the use of random numbers as seeds, thus forming the paradox of "chicken or egg first."
[0008] 因此, 伪随机数通常应用于对安全性要求不是特别严格的场合, 通过软件随意 设置一个种子 (例如将系统吋间作为种子) , 但是这个种子是可以分析出来的 。 对于金融 POS终端等安全性要求较高的设备来说, 则无法满足要求。  [0008] Therefore, pseudo-random numbers are usually applied to situations where security requirements are not particularly strict, and a seed is randomly set by software (for example, the system is used as a seed), but the seed can be analyzed. For devices with high security requirements such as financial POS terminals, the requirements cannot be met.
[0009] (2) 硬件随机数发生器, 存在的缺点在于: [0009] (2) The hardware random number generator has the following disadvantages:
[0010] a.需要有专门的硬件作为支撑, 因此会提高终端设备的硬件成本; [0010] a need to have dedicated hardware as a support, thus increasing the hardware cost of the terminal equipment;
[0011] b.硬件随机数发生器有吋候不够稳定, 不能确保每次产生的随机数都是足够随 机的, 因为自然界的噪声等随机信号并不是一直总是那么随机的。 为了确保采 集到足够稳定的随机信号, 往往需要对 CPU进行降频来实现, 生成随机数吋会影 响终端的运行速度。 [0011] b. The hardware random number generator is not stable enough to ensure that the random number generated each time is sufficiently random, because random signals such as natural noise are not always always random. In order to ensure that a sufficiently stable random signal is collected, it is often necessary to down-convert the CPU to achieve a random number, which will affect the speed of the terminal.
技术问题  technical problem
[0012] 本发明所要解决的技术问题是: 提供一种终端随机数发生的方法及系统, 确保 所生成的随机数的不可预知性和随机性。  [0012] The technical problem to be solved by the present invention is to provide a method and system for generating a random number of a terminal to ensure unpredictability and randomness of the generated random number.
问题的解决方案  Problem solution
技术解决方案  Technical solution
[0013] 为了解决上述技术问题, 本发明采用的技术方案为:  [0013] In order to solve the above technical problem, the technical solution adopted by the present invention is:
[0014] 一种终端随机数发生的方法, 包括: [0014] A method for generating a terminal random number includes:
[0015] 通过硬件随机数发生器产生真随机数; [0015] generating a true random number by a hardware random number generator;
[0016] 安全传输所述真随机数至终端; [0016] securely transmitting the true random number to the terminal;
[0017] 终端通过伪随机数发生器, 以接收到的真随机数为随机数种子产生随机数序列 [0018] 本发明提供的另一个技术方案为:  [0017] The terminal generates a random number sequence by using a pseudo random number generator with the received true random number as a random number seed. [0018] Another technical solution provided by the present invention is:
[0019] 一种终端随机数发生的系统, 包括硬件随机数发生器、 安全传输模块, 以及终 山  [0019] A system for generating a random number of a terminal, comprising a hardware random number generator, a secure transmission module, and a final mountain
[0020] 所述硬件随机数发生器, 用于产生真随机数; [0020] the hardware random number generator is configured to generate a true random number;
[0021] 所述安全传输模块, 用于安全传输所述真随机数至终端;  [0021] the security transmission module is configured to securely transmit the true random number to the terminal;
[0022] 所述终端, 包括: [0023] 伪随机数发生器, 用于以接收到的真随机数为随机数种子产生随机数序列。 发明的有益效果 [0022] The terminal includes: [0023] a pseudo random number generator, configured to generate a random number sequence by using the received true random number as a random number seed. Advantageous effects of the invention
有益效果  Beneficial effect
[0024] 本发明的有益效果在于: 本发明由外部硬件随机数发生器产生真随机数, 并将 其安全传输至终端, 终端以此作为随机数种子通过伪随机数发生器分散出大量 的随机数, 满足日常应用需求。 终端采用上述方式生成随机数序列, 对于终端 厂商而言, 不必再每台终端都内置硬件随机数发生器, 总共只需配置一台硬件 随机数发生器便可满足要求, 从而大大降低终端的成本; 同吋, 以真随机数作 为终端的随机数种子, 能确保随机数种子以及终端据此生成的随机数序列的不 可预知性; 进一步的, 利用安全通信技术实现随机数种子的安全注入, 能确保 每台终端的随机数种子都是不可预知和无法探测的, 从而显著提高随机数种子 的安全性。 本发明在安全性要求较高的终端系统具有较高的实用性。  [0024] The present invention has the following advantages: The present invention generates a true random number by an external hardware random number generator, and transmits it to the terminal securely, and the terminal uses the pseudo random number generator as a random number seed to distribute a large number of random numbers. Number, to meet the needs of everyday applications. The terminal uses the above method to generate a random number sequence. For the terminal manufacturer, it is not necessary to have a hardware random number generator in each terminal. In total, only one hardware random number generator can be configured to meet the requirements, thereby greatly reducing the cost of the terminal. Peer, using a random number as the random number seed of the terminal, can ensure the unpredictability of the random number seed and the random number sequence generated by the terminal according to this; further, the secure communication technology is used to realize the secure injection of the random number seed, Ensure that the random number seed of each terminal is unpredictable and undetectable, thus significantly improving the security of the random number seed. The invention has high practicability in a terminal system with high safety requirements.
对附图的简要说明  Brief description of the drawing
附图说明  DRAWINGS
[0025] 图 1为本发明一种终端随机数发生的方法的流程示意图;  1 is a schematic flow chart of a method for generating a random number of a terminal according to the present invention;
[0026] 图 2为本发明随机数发生系统的总框图; 2 is a general block diagram of a random number generation system of the present invention;
[0027] 图 3为本发明实施例一的方法流程示意图; 3 is a schematic flow chart of a method according to Embodiment 1 of the present invention;
[0028] 图 4为本发明实施例一中随机数安全传输的一具体实施方式的流程示意图; [0029] 图 5为本发明实施例二的终端产生大量随机数的具体方式流程示意图;  4 is a schematic flowchart of a specific implementation of a random number secure transmission according to Embodiment 1 of the present invention; [0029] FIG. 5 is a schematic flowchart of a specific manner for a terminal to generate a large number of random numbers according to Embodiment 2 of the present invention;
[0030] 图 6为本发明实施例四的随机数发生系统的各个模块之间的交互示意图。 6 is a schematic diagram of interaction between modules of a random number generating system according to Embodiment 4 of the present invention.
[0031] 标号说明: [0031] Description of the label:
[0032] 1、 硬件随机数发生器; 2、 POS终端; 3、 加密模块; 4、 通信模块;  [0032] 1, hardware random number generator; 2, POS terminal; 3, encryption module; 4, communication module;
[0033] 41、 通信模块 A; 42、 通信模块 B; [0033] 41, communication module A; 42, communication module B;
[0034] 5、 解密模块; 6、 伪随机数发生器; 7、 随机数序列使用模块。  [0034] 5, the decryption module; 6, pseudo-random number generator; 7, the random number sequence using the module.
具体实施方式 Detailed ways
[0035] 本发明最关键的构思在于: 由外部硬件随机数发生器产生真随机数, 并将其安 全传输至终端, 终端以此作为随机数种子通过伪随机数发生器分散出大量的随 机数。 本发明具有显著降低终端成本, 保证随机数符合不可预知性和随机性的 要求等优点。 [0035] The most critical idea of the present invention is: generating a true random number by an external hardware random number generator, and arranging it The whole transmission is transmitted to the terminal, and the terminal uses the pseudo random number generator as a random number seed to disperse a large number of random numbers. The invention has the advantages of significantly reducing the terminal cost and ensuring that the random number meets the requirements of unpredictability and randomness.
[0036]  [0036]
[0037] 请参照图 1以及图 2, 本发明提供一种终端随机数发生的方法, 包括:  [0037] Referring to FIG. 1 and FIG. 2, the present invention provides a method for generating a random number of a terminal, including:
[0038] 通过硬件随机数发生器产生真随机数; [0038] generating a true random number by a hardware random number generator;
[0039] 安全传输所述真随机数至终端; [0039] securely transmitting the true random number to the terminal;
[0040] 终端通过伪随机数发生器, 以接收到的真随机数为随机数种子产生随机数序列  [0040] the terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed
[0041] 进一步的, 所述安全传输所述真随机数至终端存储, 具体为: [0041] Further, the securely transmitting the true random number to the terminal storage is specifically:
[0042] 加密所述真随机数;  [0042] encrypting the true random number;
[0043] 终端下载获取加密后的真随机数;  [0043] the terminal downloads and obtains the encrypted true random number;
[0044] 终端解密所述加密后的真随机数, 获取所述真随机数。  [0044] The terminal decrypts the encrypted true random number to obtain the true random number.
[0045] 由上述描述可知, 通过加密通信的方式传输到终端, 确保终端中随机数种子的 安全性和不可预知性。  [0045] As can be seen from the above description, transmission to the terminal by means of encrypted communication ensures the security and unpredictability of the random number seed in the terminal.
[0046] 进一步的, 所述安全传输所述真随机数至终端, 具体为: [0046] Further, the securely transmitting the true random number to the terminal is specifically:
[0047] 在终端出厂前, 通过加密通信方式下载对应的真随机数到终端。 [0047] Before the terminal leaves the factory, the corresponding true random number is downloaded to the terminal through the encrypted communication method.
[0048] 由上述描述可知, 在终端出厂前便在安全受控环境下获取真随机数, 不给非法 分子窃取的机会, 进一步保证随机数种子的安全性和不可预知性。 [0048] As can be seen from the above description, the true random number is obtained in a secure controlled environment before the terminal leaves the factory, and the opportunity for stealing illegal molecules is not provided, thereby further ensuring the security and unpredictability of the random number seed.
[0049] 进一步的, 所述通过硬件随机数发生器产生真随机数, 具体为: [0049] Further, the generating a true random number by using a hardware random number generator is specifically:
[0050] 依据终端的个数, 通过硬件随机数发生器产生对应数量的真随机数与每台终端 唯一对应。 [0050] Depending on the number of terminals, a corresponding number of true random numbers are generated by the hardware random number generator and uniquely associated with each terminal.
[0051] 由上述描述可知, 对于终端厂商而言, 省去每台终端都需内置硬件随机数发生 器模块的成本, 只需一套硬件随机数发生器专门用于产生所有终端的随机数种 子即可, 从而大大降低终端的硬件成本和维护成本。  [0051] As can be seen from the above description, for the terminal manufacturer, the cost of the built-in hardware random number generator module is required for each terminal, and only one set of hardware random number generators is dedicated to generate random number seeds for all terminals. That is, thus greatly reducing the hardware cost and maintenance cost of the terminal.
[0052] 进一步的, 所述真随机数为终端的初始随机数种子;  [0052] Further, the true random number is an initial random number seed of the terminal;
[0053] 所述方法还包括:  [0053] The method further includes:
[0054] 从所述随机数序列中截取预设字节数的随机数作为新的随机数种子; [0055] 终端通过伪随机数发生器, 依据所述新的随机数种子产生新的随机数序列。 [0054] intercepting a random number of a preset number of bytes from the random number sequence as a new random number seed; [0055] The terminal generates a new random number sequence according to the new random number seed by using a pseudo random number generator.
[0056] 由上述描述可知, 采用了自反馈模式, 在终端生成随机数吋, 从首次生成的随 机数序列中选取预设字节数的随机数作为产生下一次随机数的新的种子, 这样 不断地自反馈, 可以让整个随机数产生的过程变成更加随机和不可预知。 [0056] It can be seen from the above description that the self-feedback mode is adopted, and a random number is generated in the terminal, and a random number of a preset number of bytes is selected from the first generated random number sequence as a new seed for generating the next random number, so that Constant self-feedback can make the process of generating the entire random number more random and unpredictable.
[0057] 进一步的, 终端依据所述真随机数产生的随机数序列的字节数大于等于所述预 设字节数。 [0057] Further, the number of bytes of the random number sequence generated by the terminal according to the true random number is greater than or equal to the preset number of bytes.
[0058] 进一步的, 所述预设字节数为 8个字节。  [0058] Further, the preset number of bytes is 8 bytes.
[0059] 由上述描述可知, 至少产生预设字节数的随机数序列出来, 即能满足日常应用 [0059] According to the above description, at least a random number sequence of preset bytes is generated, which can satisfy daily applications.
, 又能据此获取新的随机数种子。 And can get new random number seeds accordingly.
[0060] 进一步的, 还包括: [0060] Further, the method further includes:
[0061] 硬件随机数发生器和终端在安全受控环境下获取并存储传输保护密钥;  [0061] the hardware random number generator and the terminal acquire and store the transmission protection key in a secure controlled environment;
[0062] 硬件随机数发生器使用所述传输保护密钥加密所产生的明文形式的真随机数, 得到密文形式的真随机数。 [0062] The hardware random number generator uses the transmission protection key to encrypt the generated true random number in the plaintext form to obtain a true random number in the form of a ciphertext.
[0063] 进一步的, 所述终端通过伪随机数发生器, 以接收到的真随机数为随机数种子 产生随机数序列, 具体为: [0063] Further, the terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed, which is specifically:
[0064] 终端接收密文形式的真随机数; [0064] the terminal receives the true random number in the form of cipher text;
[0065] 终端使用预存储的传输保护密钥对所述密文形式的真随机数进行解密, 得到明 文形式的真随机数;  [0065] the terminal decrypts the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
[0066] 终端通过伪随机数发生器, 以所述明文形式的真随机数为随机数种子产生随机 数序列。  [0066] The terminal generates a random number sequence by using a pseudo random number generator with the true random number in the plaintext form as a random number seed.
[0067] 由上述可知, 利用了加密通信技术, 实现随机数种子安全的注入到终端, 确保 每台终端的随机数种子是不可预知和无法探测的, 保证了随机数种子的安全性  [0067] It can be seen from the above that the encrypted communication technology is used to implement the injection of the random number seed security to the terminal, ensuring that the random number seed of each terminal is unpredictable and undetectable, and the security of the random number seed is ensured.
[0068] 进一步的, 所述终端为金融 POS终端。 [0068] Further, the terminal is a financial POS terminal.
[0069] 由上述可知, 本发明在安全性等级要求较高的金融 POS终端中具有很好的运用 目 IJ景。  As can be seen from the above, the present invention has a good application in a financial POS terminal having a high security level requirement.
[0070] 本发明巧妙的利用了"软"、 "硬"结合的方式来产生随机数, 克服了现有伪随机 数发生器和硬件随机数发生器的弊端, 具体体现在: [0071] (1) 由于随机数种子是来源于外部的硬件随机数发生器, 而且通信过程经过 了加密处理, 因此满足了"不可预知"的特性, 解决了伪随机数发生器中种子可探 测的问题; [0070] The invention cleverly utilizes a combination of "soft" and "hard" to generate random numbers, which overcomes the disadvantages of the existing pseudo random number generator and the hardware random number generator, and is embodied in: [0071] (1) Since the random number seed is derived from an external hardware random number generator, and the communication process is encrypted, the "unpredictable" characteristic is satisfied, and the seed can be detected in the pseudo random number generator. The problem;
[0072] (2) 终端应用过程所需的大量随机数, 主要通过软件算法来实现, 真随机数 只是作为种子, 这样就克服了硬件随机数不稳定的缺点。 对于随机数种子, 由 于每个终端只需要注入一次, 吋间上不是特别严重的委托, 因此完全可以对外 部真随机数发生器进行降频处理, 让其采集到足够随机的信号来作为种子, 从 而进一步提升所产生的真随机数的随机性。  [0072] (2) A large number of random numbers required for the terminal application process are mainly implemented by software algorithms, and the true random number is only used as a seed, thus overcoming the disadvantage of unstable hardware random numbers. For the random number seed, since each terminal only needs to be injected once, and the inter-turn is not particularly serious, it is completely possible to down-convert the external true random number generator, so that it can collect enough random signals as seeds. Thereby further increasing the randomness of the generated true random numbers.
[0073] (3) 采用了自反馈模式。 在终端生成随机数序列吋, 从新生成的随机数序列 中选取 8字节随机数 (如果新生成的随机数序列不足 8字节, 则也至少产生 8字节 随机数序列出来, 将需要的部分提供给使用者) , 作为产生下一次随机数的新 的种子, 这样不断地自反馈, 可以让整个随机数产生的过程变成更加随机和不 可预知。  [0073] (3) A self-feedback mode is employed. After the terminal generates a random number sequence, an 8-byte random number is selected from the newly generated random number sequence (if the newly generated random number sequence is less than 8 bytes, at least an 8-byte random number sequence is generated, and the required part is needed. Provided to the user) as a new seed for the next random number, so that continuous self-feedback can make the whole random number generation process more random and unpredictable.
[0074] (4) 通过本发明的技术, 对终端采集了由其产生的 128M bit的随机数序列, 通 过国际上专用的随机数分析工具 (例如 NIST的 STS-1.8工具) 进行分析测试, 可 以测试通过, 由此证明了该随机数发生器的有效性。  [0074] (4) By using the technology of the present invention, the 128M bit random number sequence generated by the terminal is collected by the terminal, and analyzed and tested by an internationally dedicated random number analysis tool (for example, NIST STS-1.8 tool). The test passed, thus demonstrating the validity of the random number generator.
[0075]  [0075]
[0076] 本发明提供的另一个技术方案为:  [0076] Another technical solution provided by the present invention is:
[0077] 一种终端随机数发生的系统, 包括硬件随机数发生器、 安全传输模块, 以及终 山  [0077] A system for generating a terminal random number, comprising a hardware random number generator, a security transmission module, and a terminal mountain
[0078] 所述硬件随机数发生器, 用于产生真随机数; [0078] the hardware random number generator is configured to generate a true random number;
[0079] 所述安全传输模块, 用于安全传输所述真随机数至终端;  [0079] the security transmission module is configured to securely transmit the true random number to the terminal;
[0080] 所述终端, 包括:  [0080] the terminal includes:
[0081] 伪随机数发生器, 用于以接收到的真随机数为随机数种子产生随机数序列。  [0081] A pseudo random number generator, configured to generate a random number sequence by using the received true random number as a random number seed.
[0082] 进一步的, 所述安全传输模块包括:  [0082] Further, the security transmission module includes:
[0083] 加密单元, 位于硬件随机数发生器, 用于加密所述真随机数;  [0083] an encryption unit, located in the hardware random number generator, configured to encrypt the true random number;
[0084] 下载单元, 位于终端, 用于终端下载获取加密后的真随机数;  [0084] a download unit, located in the terminal, configured to download, by the terminal, the encrypted true random number;
[0085] 解密单元, 位于终端, 用于终端解密所述加密后的真随机数, 获取所述真随机 [0086] 进一步的, 所述安全传输模块, 具体用于在终端出厂前, 通过加密通信方式下 载对应的真随机数到终端。 [0085] a decryption unit, located at the terminal, configured to decrypt the encrypted true random number by the terminal, to obtain the true random number [0086] Further, the security transmission module is specifically configured to download a corresponding true random number to the terminal by using an encrypted communication method before the terminal leaves the factory.
[0087] 进一步的, 所述终端的个数为两台以上; [0087] Further, the number of the terminals is two or more;
[0088] 所述硬件随机数发生器, 具体用于依据终端的个数, 通过硬件随机数发生器产 生对应数量的真随机数与每台终端唯一对应。  [0088] The hardware random number generator is specifically configured to generate a corresponding number of true random numbers by a hardware random number generator according to the number of terminals, and uniquely correspond to each terminal.
[0089] 进一步的, 所述硬件随机数发生器产生的真随机数为终端的初始随机数种子; [0090] 所述终端还包括: [0090] Further, the true random number generated by the hardware random number generator is an initial random number seed of the terminal; [0090] the terminal further includes:
[0091] 截取模块, 用于从所述随机数序列中截取预设字节数的随机数作为新的随机数 种子;  [0091] an intercepting module, configured to intercept a random number of a preset number of bytes from the random number sequence as a new random number seed;
[0092] 所述伪随机数发生器, 还用于依据所述新的随机数种子产生新的随机数序列。  [0092] The pseudo random number generator is further configured to generate a new random number sequence according to the new random number seed.
[0093] 进一步的, 所述伪随机数发生器, 具体用于依据所述真随机数产生字节数大于 等于所述预设字节数的随机数序列。 [0093] Further, the pseudo random number generator is specifically configured to generate a random number sequence whose number of bytes is greater than or equal to the preset number of bytes according to the true random number.
[0094] 进一步的, 所述预设字节数为 8个字节。 [0094] Further, the preset number of bytes is 8 bytes.
[0095] 进一步的, 所述硬件随机数发生器, 还用于在安全受控环境下获取并存储传输 保护密钥, 以及使用所述传输保护密钥加密所产生的明文形式的真随机数, 得 到密文形式的真随机数;  [0095] Further, the hardware random number generator is further configured to acquire and store a transmission protection key in a secure controlled environment, and encrypt the generated true random number in a plaintext form by using the transmission protection key. Obtaining a true random number in cipher text form;
[0096] 所述终端, 还用于在安全受控环境下获取并存储传输保护密钥。  [0096] The terminal is further configured to acquire and store a transmission protection key in a secure controlled environment.
[0097] 进一步的, 所述终端还包括:  [0097] Further, the terminal further includes:
[0098] 接收模块, 用于接收密文形式的真随机数;  [0098] a receiving module, configured to receive a true random number in a cipher text form;
[0099] 解密模块, 用于使用预存储的传输保护密钥对所述密文形式的真随机数进行解 密, 得到明文形式的真随机数;  [0099] a decryption module, configured to decrypt the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
[0100] 所述伪随机数发生器, 具体用于以所述明文形式的真随机数为随机数种子产生 随机数序列。 [0100] The pseudo random number generator is specifically configured to generate a random number sequence by using a true random number in the plaintext form as a random number seed.
[0101] 进一步的, 所述终端为金融 POS终端。  [0101] Further, the terminal is a financial POS terminal.
[0102] [0102]
[0103] 实施例一  Embodiment 1
[0104] 请参照图 3和图 4, 本实施例提供一种终端随机数发生的方法, 适用于安全性等 级要求较高的终端, 如金融 POS终端, 用于保证终端生成的随机数的不可预知性[0104] Please refer to FIG. 3 and FIG. 4, this embodiment provides a method for generating a random number of a terminal, which is applicable to security, etc. Terminals with higher requirements, such as financial POS terminals, are used to ensure the unpredictability of random numbers generated by terminals.
、 随机性以及有效性; 同吋, 又能显著降低终端硬件成本和维护成本。 , randomness and effectiveness; peers can significantly reduce terminal hardware costs and maintenance costs.
[0105] 本实施例以终端为金融 POS终端为例进行说明。  [0105] This embodiment uses a terminal as a financial POS terminal as an example for description.
[0106] 本实施例的方法基于一台外部硬件随机数发生器以及若干台 POS终端实现。 具 体的, 包括:  [0106] The method of this embodiment is implemented based on an external hardware random number generator and a plurality of POS terminals. Specifically, including:
[0107] S1 : 通过外部的硬件随机数发生器产生真随机数。  [0107] S1: A true random number is generated by an external hardware random number generator.
[0108] 具体的, 对应终端的个数, 通过硬件随机数发生器负责为每台 POS终端产生唯 一对应的随机数种子, 作为初始随机数种子。 本实施例中, 一台 POS终端只需一 个初始随机数种子, 数量较少, 吋间也较宽松。 因此, 优选对所述硬件随机数 发生器进行降频处理, 让其采集到足够随机的信号作为 POS终端的初始随机数种 子, 以此保证初始随机数种子的高度随机性。  [0108] Specifically, the number of corresponding terminals is generated by the hardware random number generator to generate a unique corresponding random number seed for each POS terminal as the initial random number seed. In this embodiment, a POS terminal only needs one initial random number seed, and the number is small, and the daytime is also loose. Therefore, the hardware random number generator is preferably down-converted to acquire a sufficiently random signal as the initial random number seed of the POS terminal, thereby ensuring the high randomness of the initial random number seed.
[0109] 优选的, 外部的硬件随机数发生器一次生成两个以上的真随机数, 以满足批量 [0109] Preferably, the external hardware random number generator generates more than two true random numbers at a time to satisfy the batch.
POS终端的需求, 提高为终端分配随机数种子的效率。 The demand of the POS terminal improves the efficiency of assigning a random number seed to the terminal.
[0110] S2: 安全传输所述真随机数至终端。 [0110] S2: Securely transmitting the true random number to the terminal.
[0111] 优选的, 通过加密通信方式将硬件随机数发生器产生的真随机数传输到 POS终 端, 以确保 POS终端的初始随机数种子的不可预知和无法探测, 保证初始随机数 种子的安全性。  [0111] Preferably, the true random number generated by the hardware random number generator is transmitted to the POS terminal by using an encrypted communication method to ensure that the initial random number seed of the POS terminal is unpredictable and undetectable, and the security of the initial random number seed is ensured. .
[0112] 可选的, 可以通过下述方式实现:  [0112] Alternatively, it can be implemented in the following manner:
[0113] S21 : 硬件随机数发生器和终端在安全受控环境下获取并安全存储传输保护密 钥。  [0113] S21: The hardware random number generator and the terminal acquire and securely store the transmission protection key in a secure controlled environment.
[0114] 具体的, 如图 4所示, 在安全受控的环境下, 在硬件随机数发生器和目标 POS 终端之间设置相同的符合 TDES (三重数据加密标准) 要求的传输保护密钥 Kp。 例如有些银行的 POS需要由银行使用一台母 POS在安全受控环境下给目标 POS ( 本实施例的终端) 下载支付交易所需要的密钥, 在这个吋候就可以顺便将用来 加密初始随机数种子的 TDES传输保护密钥 Kp—起下载进去, 以确保加密随机数 种子用密钥的高度安全性和可靠性。  [0114] Specifically, as shown in FIG. 4, in the secure controlled environment, the same transmission protection key Kp conforming to the TDES (Triple Data Encryption Standard) requirement is set between the hardware random number generator and the target POS terminal. . For example, the POS of some banks needs to use a parent POS to download the key required for the payment transaction to the target POS (the terminal of this embodiment) in a secure controlled environment. At this time, it can be used to encrypt the initial. The TDES transport protection key Kp of the random number seed is downloaded and downloaded to ensure the high security and reliability of the encrypted random number seed key.
[0115] S22: 硬件随机数发生器使用所述传输保护密钥加密所产生的明文形式的真随 机数, 得到密文形式的真随机数。 [0116] 具体的, 如图 4所示, 在外部的硬件随机数发生器 (例如母 POS) , 使用上述 T DES传输保护密钥 Kp, 使用 TDES加密算法, 对明文形式的真随机数 (简称明文 P) 进行加密, 将加密后得到的密文形式的真随机数 (简称密文 C) 发送给目标 P OS , 作为目标 POS的初始随机数种子; 其中, C = TDES(Encrypt, Kp, P)。 [0115] S22: The hardware random number generator uses the transmission protection key to encrypt the generated true random number in the plaintext form to obtain a true random number in the ciphertext form. [0116] Specifically, as shown in FIG. 4, in an external hardware random number generator (for example, a parent POS), the T DES transmission protection key Kp is used, and the TDES encryption algorithm is used, and the true random number in the plaintext form is used. The plaintext P) is encrypted, and the encrypted real random number (referred to as ciphertext C) in the form of ciphertext is sent to the target P OS as the initial random number seed of the target POS; wherein, C = TDES (Encrypt, Kp, P ).
[0117] S23: 在终端出厂前, 安全下载对应的加密后的真随机数到终端。 [0117] S23: Before the terminal leaves the factory, securely download the corresponding encrypted true random number to the terminal.
[0118] 可选的, 对应 S21至 S23, 即在目标 POS出厂前, 安全下载密文 C, 并安全存储 [0118] Optionally, corresponding to S21 to S23, that is, before the target POS leaves the factory, the ciphertext C is securely downloaded, and is stored securely.
[0119] S3: 终端通过伪随机数发生器, 以接收到的真随机数为随机数种子产生随机数 序列。 [0119] S3: The terminal generates a random number sequence by using a pseudo random number generator and using the received true random number as a random number seed.
[0120] 优选的, 终端接收到加密后的真随机数后, 通过解密处理, 得到真随机数。  [0120] Preferably, after receiving the encrypted true random number, the terminal obtains a true random number through decryption processing.
[0121] 可选的, 对应 S21至 S23, 可以通过下述方式实现: [0121] Optionally, corresponding to S21 to S23, the following manner can be implemented:
[0122] S31 : 终端使用预存储的传输保护密钥对所述密文形式的真随机数进行解密, 得到明文形式的真随机数。  [0122] S31: The terminal decrypts the true random number in the ciphertext form by using the pre-stored transmission protection key to obtain a true random number in a plaintext form.
[0123] 具体的, 如图 4所示, 目标 POS接收到密文 C后, 使用 TDES传输保护密钥 Kp, 利用 TDES解密算法对收到的密文 C进行解密, 解密后得到数据 P1 (成功解密即 为上述的明文 P) ; 其中, PI = TDES(Decrypt, Kp, C)。 [0123] Specifically, as shown in FIG. 4, after receiving the ciphertext C, the target POS uses the TDES transmission protection key Kp to decrypt the received ciphertext C by using the TDES decryption algorithm, and obtains the data P1 after decryption. Decryption is the plaintext P) above; where PI = TDES(Decrypt, Kp, C).
[0124] S32: 终端通过伪随机数发生器, 以所述明文形式的真随机数为随机数种子产 生随机数序列。 [0124] S32: The terminal generates a random number sequence by using a pseudo random number generator to use the true random number in the plaintext form as a random number seed.
[0125] 具体的, 将数据 P1作为该台目标 POS的初始随机数种子, 通过软件算法产生大 量的随机数, 满足应用的需求。  [0125] Specifically, the data P1 is used as the initial random number seed of the target POS, and a large number of random numbers are generated by a software algorithm to meet the requirements of the application.
[0126]  [0126]
[0127] 实施例二  [0127] Embodiment 2
[0128] 请参照图 5, 本实施例对应实施例一进一步扩展, 增加终端产生大量随机数的 具体方式。  Referring to FIG. 5, the embodiment is further extended according to the first embodiment, and a specific manner of generating a large number of random numbers by the terminal is added.
[0129] 本实施例中, 实施例一的步骤 S32具体包括:  [0129] In this embodiment, step S32 of the first embodiment specifically includes:
[0130] S321 : 终端以真随机数为初始随机数种子, 产生一随机数序列。 [0130] S321: The terminal uses the true random number as the initial random number seed to generate a random number sequence.
[0131] 具体的, 以数据 P1为初始随机数种子, 通过软件算法产生对应的随机数序列。 [0131] Specifically, the data P1 is used as an initial random number seed, and a corresponding random number sequence is generated by a software algorithm.
优选所产生的随机数序列的总字节数大于等于预设字节, 如 8字节。 预设字节的 设置依据随机数种子所需的字节数而定。 Preferably, the total number of bytes of the generated random number sequence is greater than or equal to a preset byte, such as 8 bytes. Preset byte Set the number of bytes required based on the random number seed.
[0132] S322: 从上述随机数序列中截取所述预设字节数的随机数作为新的随机数种子 [0132] S322: intercepting the random number of the preset number of bytes from the random number sequence as a new random number seed
[0133] 若实际运用并不需要用到预设字节数的随机数, 则只提供应用所需要的字节数 的随机数。 [0133] If the actual use does not require a random number of preset bytes, only the random number of the number of bytes required by the application is provided.
[0134] S323: 终端通过伪随机数发生器, 依据上述新的随机数种子产生新的随机数序 列。  [0134] S323: The terminal generates a new random number sequence according to the new random number seed by using a pseudo random number generator.
[0135] 在本实施例中, 即首次产生吋使用的是从外部硬件随机数发生设备得到的种子 , 后续产生吋直接从上次生成的随机数序列中截取 8字节作为新的种子, 然后利 用软件算法进行分散处理, 得到需要的批量随机数序列。 通过这样不断的自反 馈, 可以让整个随机数产生的过程百年的更加随机和不可预知。  [0135] In this embodiment, the first generated 吋 uses the seed obtained from the external hardware random number generating device, and subsequently generates 吋 directly intercepts 8 bytes from the last generated random number sequence as a new seed, and then The software algorithm is used for distributed processing to obtain the required batch random number sequence. Through such continuous self-reflex, the process of generating the entire random number can be more random and unpredictable for a hundred years.
[0136]  [0136]
[0137] 实施例三  [0137] Embodiment 3
[0138] 本实施例对应实施例一, 提供一种终端随机数发生的系统, 包括一台硬件随机 数发生器、 安全传输模块, 以及若干台的终端。 在此, 以终端为安全性等级要 求较高的 POS机为例进行说明。  [0138] This embodiment corresponds to the first embodiment, and provides a system for generating a random number of a terminal, including a hardware random number generator, a security transmission module, and a plurality of terminals. Here, a description will be given by taking a POS device whose terminal has a higher security level as an example.
[0139] 所述硬件随机数发生器, 用于产生真随机数; 该真随机数为终端的初始随机数 种子;  [0139] the hardware random number generator is configured to generate a true random number; the true random number is an initial random number seed of the terminal;
[0140] 优选的, 所述硬件随机数发生器, 具体用于依据终端的个数, 通过硬件随机数 发生器产生对应数量的真随机数与每台终端唯一对应。  [0140] Preferably, the hardware random number generator is specifically configured to generate, according to the number of terminals, a corresponding number of true random numbers by a hardware random number generator to uniquely correspond to each terminal.
[0141] 可选的, 所述硬件随机数发生器, 还用于在安全受控环境下获取并存储传输保 护密钥, 以及使用所述传输保护密钥加密所产生的明文形式的真随机数, 得到 密文形式的真随机数; [0141] Optionally, the hardware random number generator is further configured to acquire and store a transmission protection key in a secure controlled environment, and encrypt the generated true random number in a plaintext form by using the transmission protection key , obtaining a true random number in cipher text form;
[0142] 所述安全传输模块, 用于安全传输所述真随机数至终端;  [0142] the security transmission module is configured to securely transmit the true random number to the terminal;
[0143] 优选的, 所述安全传输模块, 具体用于在终端出厂前, 通过加密通信方式下载 对应的真随机数到终端。  [0143] Preferably, the security transmission module is specifically configured to download a corresponding true random number to the terminal by using an encrypted communication method before the terminal leaves the factory.
[0144] 可选的, 所述安全传输模块, 具体包括: [0144] Optionally, the security transmission module specifically includes:
[0145] 加密单元, 位于硬件随机数发生器, 用于加密所述真随机数; [0146] 下载单元, 位于终端, 用于终端下载获取加密后的真随机数; [0145] an encryption unit, located in the hardware random number generator, configured to encrypt the true random number; [0146] The download unit is located at the terminal, and is used for downloading and obtaining the encrypted true random number by the terminal;
[0147] 解密单元, 位于终端, 用于终端解密所述加密后的真随机数, 获取所述真随机 数。  [0147] The decryption unit is located at the terminal, and is configured to decrypt the encrypted true random number by the terminal, and obtain the true random number.
[0148] 所述终端, 包括:  [0148] the terminal includes:
[0149] 伪随机数发生器, 用于以接收到的真随机数为随机数种子产生随机数序列; [0150] 可选的, 所述终端还用于在安全受控环境下获取并存储传输保护密钥;  [0149] a pseudo random number generator, configured to generate a random number sequence by using the received true random number as a random number seed; [0150] Optionally, the terminal is further configured to acquire and store the transmission in a secure controlled environment. Protection key
[0151] 所述终端还包括: [0151] The terminal further includes:
[0152] 接收模块, 用于接收密文形式的真随机数;  [0152] a receiving module, configured to receive a true random number in a cipher text form;
[0153] 解密模块, 用于使用预存储的传输保护密钥对所述密文形式的真随机数进行解 密, 得到明文形式的真随机数;  [0153] a decryption module, configured to decrypt the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
[0154] 所述伪随机数发生器, 具体用于以所述明文形式的真随机数为随机数种子产生 随机数序列。 [0154] The pseudo random number generator is specifically configured to generate a random number sequence by using a true random number in the plaintext form as a random number seed.
[0155] 可选的, 所述伪随机数发生器, 还用于依据所述新的随机数种子产生新的随机 数序列。 优选产生字节数大于等于所述预设字节数的随机数序列。 进一步优选 所述预设字节数为 8个字节。  [0155] Optionally, the pseudo random number generator is further configured to generate a new random number sequence according to the new random number seed. Preferably, a sequence of random numbers whose number of bytes is greater than or equal to the preset number of bytes is generated. Further preferably, the preset number of bytes is 8 bytes.
[0156] 可选的, 所述终端还包括:  [0156] Optionally, the terminal further includes:
[0157] 截取模块, 用于从所述随机数序列中截取预设字节数的随机数作为新的随机数 种子。  And [0157] an intercepting module, configured to intercept a random number of a preset number of bytes from the random number sequence as a new random number seed.
[0158]  [0158]
[0159] 实施例四  Embodiment 4
[0160] 本实施例对应实施例一和实施例二, 提供一随机数系统。  [0160] This embodiment provides a random number system corresponding to the first embodiment and the second embodiment.
[0161] 所述系统包括一台外部的硬件随机数发生设备和若干台 POS终端 2。  [0161] The system includes an external hardware random number generating device and a plurality of POS terminals 2.
[0162] 如图 6所示, 整个随机数发生系统包含如下几个模块:  [0162] As shown in FIG. 6, the entire random number generation system includes the following modules:
[0163] 1、 外部的硬件随机数发生设备  [0163] 1. External hardware random number generating device
[0164] 该设备内部包含:  [0164] The device internally contains:
[0165] 硬件随机数发生器 1 : 负责通过硬件产生随机数种子, 然后将其传输给加密模 块;  [0165] hardware random number generator 1 : responsible for generating a random number seed by hardware and then transmitting it to the encryption module;
[0166] 加密模块 3: 该模块负责将随机数种子进行加密, 得到加密后的随机数种子, 然后传输给通信模块 4中的通信模块 A 41; [0166] Encryption Module 3: The module is responsible for encrypting the random number seed to obtain an encrypted random number seed. Then transmitted to the communication module A 41 in the communication module 4;
[0167] 通信模块 A 41: 该模块负责将加密后的随机数种子发送给每台 POS终端; [0168] 2、 POS终端 [0167] Communication module A 41: This module is responsible for transmitting the encrypted random number seed to each POS terminal; [0168] 2. POS terminal
[0169] 该终端内部包含: [0169] The terminal internally contains:
[0170] 通信模块 B 42: 该模块负责从外部随机数发生设备接收加密后的随机数种子, 然后传输给 POS终端的解密模块;  [0170] communication module B 42: the module is responsible for receiving the encrypted random number seed from the external random number generating device, and then transmitting the encrypted random seed to the POS terminal;
[0171] 解密模块 5: 该模块负责对从通信模块 B得到的加密后的随机数种子进行解密操 作, 得到随机数种子明文; [0171] decryption module 5: The module is responsible for decrypting the encrypted random number seed obtained from the communication module B, and obtaining a random number seed plaintext;
[0172] 伪随机数发生器 6: 负责读取外部写入的随机数种子 (首次产生吋使用的是从 外部随机数发生设备得到的种子, 后续产生吋直接从上次生成的随机数序列中 截取 8字节作为新的种子) , 然后利用软件算法进行分散处理, 得到需要的批量 随机数序列; [0172] pseudo random number generator 6: responsible for reading the externally written random number seed (first generated, using the seed obtained from the external random number generating device, and subsequently generated 吋 directly from the last generated random number sequence Intercept 8 bytes as a new seed), and then use software algorithm to perform distributed processing to obtain the required batch random number sequence;
[0173] 随机数序列使用模块 7: 该模块负责从软件随机数发生模块读取批量随机数序 歹 |J, 应用于需要的场合。  [0173] The random number sequence uses the module 7: This module is responsible for reading the batch random number sequence 歹 |J from the software random number generation module, and applying it to the occasion.
[0174]  [0174]
[0175] 综上所述, 本发明提供的一种终端随机数发生的方法及系统, 不仅大大降低终 端发生随机数的硬件成本和维护成本; 而且确保随机数种子以及终端据此生成 的随机数序列的不可预知性; 进一步的, 随机数发生过程利用安全通信技术实 现随机数种子的安全注入, 能确保每台终端的随机数种子都是不可预知和无法 探测的, 再次显著提高随机数种子的安全性; 再进一步的, 通过自反馈模式, 让整个随机数产生的过程变成更加随机和不可预知, 最终实现终端所使用随机 数的高度随机和不可预知。 本发明在安全性要求较高的终端系统具有较高的实 用性。  [0175] In summary, the method and system for generating a random number of a terminal provided by the present invention not only greatly reduce the hardware cost and maintenance cost of the random number generated by the terminal; but also ensure the random number seed and the random number generated by the terminal accordingly. The unpredictability of the sequence; further, the random number generation process uses the secure communication technology to realize the safe injection of the random number seed, which can ensure that the random number seed of each terminal is unpredictable and undetectable, and significantly improves the random number seed again. Security; Further, through the self-feedback mode, the process of generating the entire random number becomes more random and unpredictable, and finally the random number used by the terminal is highly random and unpredictable. The invention has high practicability in a terminal system with high security requirements.
[0176]  [0176]

Claims

权利要求书  Claim
[权利要求 1] 一种终端随机数发生的方法, 其特征在于, 包括:  [Claim 1] A method for generating a random number of a terminal, comprising:
通过硬件随机数发生器产生真随机数;  Generating a true random number by a hardware random number generator;
安全传输所述真随机数至终端;  Securely transmitting the true random number to the terminal;
终端通过伪随机数发生器, 以接收到的真随机数为随机数种子产生随 机数序列。  The terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed.
[权利要求 2] 如权利要求 1所述的一种终端随机数发生的方法, 其特征在于, 所述 安全传输所述真随机数至终端存储, 具体为:  [Claim 2] The method for generating a random number of a terminal according to claim 1, wherein the securely transmitting the true random number to the terminal is specifically:
加密所述真随机数;  Encrypting the true random number;
终端下载获取加密后的真随机数;  The terminal downloads the encrypted true random number;
终端解密所述加密后的真随机数, 获取所述真随机数。  The terminal decrypts the encrypted true random number to obtain the true random number.
[权利要求 3] 如权利要求 1所述的一种终端随机数发生的方法, 其特征在于, 所述 安全传输所述真随机数至终端, 具体为: [Claim 3] The method for generating a random number of a terminal according to claim 1, wherein the securely transmitting the true random number to the terminal is specifically:
在终端出厂前, 通过加密通信方式下载对应的真随机数到终端。  Before the terminal leaves the factory, download the corresponding true random number to the terminal through encrypted communication.
[权利要求 4] 如权利要求 1所述的一种终端随机数发生的方法, 其特征在于, 所述 通过硬件随机数发生器产生真随机数, 具体为: 依据终端的个数, 通过硬件随机数发生器产生对应数量的真随机数与 每台终端唯一对应。 [Claim 4] A method for generating a random number of a terminal according to claim 1, wherein the generating a true random number by using a hardware random number generator is specifically: according to the number of terminals, random by hardware The number generator generates a corresponding number of true random numbers that uniquely correspond to each terminal.
[权利要求 5] 如权利要求 1或 4所述的一种终端随机数发生的方法, 其特征在于, 所 述真随机数为终端的初始随机数种子;  [Claim 5] The method for generating a terminal random number according to claim 1 or 4, wherein the true random number is an initial random number seed of the terminal;
所述方法还包括:  The method further includes:
从所述随机数序列中截取预设字节数的随机数作为新的随机数种子; 终端通过伪随机数发生器, 依据所述新的随机数种子产生新的随机数 序列。  And extracting a random number of a preset number of bytes from the random number sequence as a new random number seed; the terminal generates a new random number sequence according to the new random number seed by using a pseudo random number generator.
[权利要求 6] 如权利要求 5所述的一种终端随机数发生的方法, 其特征在于, 终端 依据所述真随机数产生的随机数序列的字节数大于等于所述预设字节 数。  [Claim 6] The method for generating a random number of a terminal according to claim 5, wherein the number of bytes of the random number sequence generated by the terminal according to the true random number is greater than or equal to the preset number of bytes .
[权利要求 7] 如权利要求 5或 6所述的一种终端随机数发生的方法, 其特征在于, 所 述预设字节数为 8个字节。 [Claim 7] A method for generating a terminal random number according to claim 5 or 6, wherein The preset number of bytes is 8 bytes.
如权利要求 1所述的一种终端随机数发生的方法, 其特征在于, 还包 括: The method for generating a random number of a terminal according to claim 1, further comprising:
硬件随机数发生器和终端在安全受控环境下获取并存储传输保护密钥 硬件随机数发生器使用所述传输保护密钥加密所产生的明文形式的真 随机数, 得到密文形式的真随机数。 The hardware random number generator and the terminal acquire and store the transmission protection key in a secure controlled environment. The hardware random number generator uses the transmission protection key to encrypt the true random number generated in the plaintext form to obtain a true random number in the ciphertext form. number.
如权利要求 8所述的一种终端随机数发生的方法, 其特征在于, 所述 终端通过伪随机数发生器, 以接收到的真随机数为随机数种子产生随 机数序列, 具体为: The method for generating a random number of a terminal according to claim 8, wherein the terminal generates a random number sequence by using a pseudo random number generator to receive the true random number as a random number seed, specifically:
终端接收密文形式的真随机数; The terminal receives the true random number in the form of cipher text;
终端使用预存储的传输保护密钥对所述密文形式的真随机数进行解密 , 得到明文形式的真随机数; The terminal decrypts the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
终端通过伪随机数发生器, 以所述明文形式的真随机数为随机数种子 产生随机数序列。 The terminal generates a random number sequence by using a pseudo random number generator to use the true random number in the plaintext form as a random number seed.
如权利要求 1所述的一种终端随机数发生的方法, 其特征在于, 所述 终端为金融 POS终端。 The method for generating a random number of a terminal according to claim 1, wherein the terminal is a financial POS terminal.
一种终端随机数发生的系统, 其特征在于, 包括硬件随机数发生器、 安全传输模块, 以及终端; A system for generating a terminal random number, comprising: a hardware random number generator, a security transmission module, and a terminal;
所述硬件随机数发生器, 用于产生真随机数; The hardware random number generator is configured to generate a true random number;
所述安全传输模块, 用于安全传输所述真随机数至终端; The secure transmission module is configured to securely transmit the true random number to the terminal;
所述终端, 包括: The terminal includes:
伪随机数发生器, 用于以接收到的真随机数为随机数种子产生随机数 序列。 A pseudo random number generator is configured to generate a random number sequence by using the received true random number as a random number seed.
如权利要求 11所述的一种终端随机数发生的系统, 其特征在于, 所述 安全传输模块包括: The system for generating a random number of a terminal according to claim 11, wherein the secure transmission module comprises:
加密单元, 位于硬件随机数发生器, 用于加密所述真随机数; 下载单元, 位于终端, 用于终端下载获取加密后的真随机数; 解密单元, 位于终端, 用于终端解密所述加密后的真随机数, 获取所 述真随机数。 An encryption unit, located in the hardware random number generator, is configured to encrypt the true random number; the download unit is located at the terminal, and is used for downloading and obtaining the encrypted true random number by the terminal; The decryption unit is located at the terminal, and is configured to decrypt the encrypted true random number by the terminal, and obtain the true random number.
[权利要求 13] 如权利要求 11所述的一种终端随机数发生的系统, 其特征在于, 所述 安全传输模块, 具体用于在终端出厂前, 通过加密通信方式下载对应 的真随机数到终端。  [Claim 13] A system for generating a random number of a terminal according to claim 11, wherein the secure transmission module is specifically configured to download a corresponding true random number by using an encrypted communication method before the terminal leaves the factory. terminal.
[权利要求 14] 如权利要求 11所述的一种终端随机数发生的系统, 其特征在于, 所述 终端的个数为两台以上;  [Claim 14] A system for generating a random number of a terminal according to claim 11, wherein the number of the terminals is two or more;
所述硬件随机数发生器, 具体用于依据终端的个数, 通过硬件随机数 发生器产生对应数量的真随机数与每台终端唯一对应。  The hardware random number generator is specifically configured to generate, according to the number of terminals, a corresponding number of true random numbers by a hardware random number generator to uniquely correspond to each terminal.
[权利要求 15] 如权利要求 11或 14所述的一种终端随机数发生的系统, 其特征在于, 所述硬件随机数发生器产生的真随机数为终端的初始随机数种子; 所述终端还包括: [Claim 15] The system for generating a terminal random number according to claim 11 or 14, wherein the true random number generated by the hardware random number generator is an initial random number seed of the terminal; Also includes:
截取模块, 用于从所述随机数序列中截取预设字节数的随机数作为新 的随机数种子;  An intercepting module, configured to intercept a random number of a preset number of bytes from the random number sequence as a new random number seed;
所述伪随机数发生器, 还用于依据所述新的随机数种子产生新的随机 数序列。  The pseudo random number generator is further configured to generate a new random number sequence according to the new random number seed.
[权利要求 16] 如权利要求 15所述的一种终端随机数发生的系统, 其特征在于, 所述 伪随机数发生器, 具体用于依据所述真随机数产生字节数大于等于所 述预设字节数的随机数序列。  [Claim 16] The system for generating a random number of a terminal according to claim 15, wherein the pseudo random number generator is specifically configured to generate, according to the true random number, a number of bytes greater than or equal to A sequence of random numbers with a preset number of bytes.
[权利要求 17] 如权利要求 15或 16所述的一种终端随机数发生的系统, 其特征在于, 所述预设字节数为 8个字节。  [Claim 17] A system for generating a terminal random number according to claim 15 or 16, wherein the preset number of bytes is 8 bytes.
[权利要求 18] 如权利要求 11所述的一种终端随机数发生的系统, 其特征在于, 所述 硬件随机数发生器, 还用于在安全受控环境下获取并存储传输保护密 钥, 以及使用所述传输保护密钥加密所产生的明文形式的真随机数, 得到密文形式的真随机数;  [Claim 18] The system for generating a random number of a terminal according to claim 11, wherein the hardware random number generator is further configured to acquire and store a transmission protection key in a secure controlled environment. And using the transmission protection key to encrypt the true random number in the plaintext form to obtain a true random number in the form of a ciphertext;
所述终端, 还用于在安全受控环境下获取并存储传输保护密钥。  The terminal is further configured to acquire and store a transmission protection key in a secure controlled environment.
[权利要求 19] 如权利要求 18所述的一种终端随机数发生的系统, 其特征在于, 所述 终端还包括: 接收模块, 用于接收密文形式的真随机数; The system of claim 18, wherein the terminal further comprises: a receiving module, configured to receive a true random number in a cipher text form;
解密模块, 用于使用预存储的传输保护密钥对所述密文形式的真随机 数进行解密, 得到明文形式的真随机数;  a decryption module, configured to decrypt the true random number in the ciphertext form by using a pre-stored transmission protection key to obtain a true random number in a plaintext form;
所述伪随机数发生器, 具体用于以所述明文形式的真随机数为随机数 种子产生随机数序列。  The pseudo random number generator is specifically configured to generate a random number sequence by using a true random number in the plaintext form as a random number seed.
[权利要求 20] 如权利要求 11所述的一种终端随机数发生的系统, 其特征在于, 所述 终端为金融 POS终端。  [Claim 20] A system for generating a terminal random number according to claim 11, wherein the terminal is a financial POS terminal.
PCT/CN2017/108072 2017-10-27 2017-10-27 Terminal random number generation method and system WO2019080109A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201780001454.2A CN107980135B (en) 2017-10-27 2017-10-27 Method and system for generating random number of terminal
PCT/CN2017/108072 WO2019080109A1 (en) 2017-10-27 2017-10-27 Terminal random number generation method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/108072 WO2019080109A1 (en) 2017-10-27 2017-10-27 Terminal random number generation method and system

Publications (1)

Publication Number Publication Date
WO2019080109A1 true WO2019080109A1 (en) 2019-05-02

Family

ID=62006123

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/108072 WO2019080109A1 (en) 2017-10-27 2017-10-27 Terminal random number generation method and system

Country Status (2)

Country Link
CN (1) CN107980135B (en)
WO (1) WO2019080109A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495266B (en) * 2018-12-25 2022-07-22 北京字节跳动网络技术有限公司 Data encryption method and device based on random number
CN111708762B (en) * 2020-06-18 2023-09-01 北京金山云网络技术有限公司 Authority authentication method and device and server device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832396A (en) * 2005-11-07 2006-09-13 北京浦奥得数码技术有限公司 Pseudo-random number generation method
WO2007026287A1 (en) * 2005-08-30 2007-03-08 Koninklijke Philips Electronics N.V. Method and device for generating random number generator seeds
CN105426158A (en) * 2015-12-09 2016-03-23 福州瑞芯微电子股份有限公司 Random number generating method and device
CN105763327A (en) * 2014-12-16 2016-07-13 上海华虹集成电路有限责任公司 Safe random number generation method in intelligent card
CN107133015A (en) * 2017-04-11 2017-09-05 上海汇尔通信息技术有限公司 A kind of random digit generation method and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008003438A (en) * 2006-06-26 2008-01-10 Sony Corp Random number generator, random number generation control method, memory access control device, and communication device
US8019935B2 (en) * 2007-12-23 2011-09-13 Hitachi Global Storage Technologies Netherlands, B.V. Random number generation for a host system using a hard disk drive
CN102566968A (en) * 2010-12-10 2012-07-11 上海华虹集成电路有限责任公司 Method for generating true random number
CN103220270A (en) * 2013-03-15 2013-07-24 福建联迪商用设备有限公司 Downloading method, management method, downloading management method, downloading management device and downloading management system for secret key
CN104636115B (en) * 2013-11-14 2017-12-15 国家电网公司 A kind of true random number after-treatment device and method
CN104317551A (en) * 2014-10-17 2015-01-28 北京德加才科技有限公司 Ultrahigh-safety true random number generation method and ultrahigh-safety true random number generation system
CN105743654A (en) * 2016-02-02 2016-07-06 上海动联信息技术股份有限公司 POS machine secret key remote downloading service system and secret key downloading method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007026287A1 (en) * 2005-08-30 2007-03-08 Koninklijke Philips Electronics N.V. Method and device for generating random number generator seeds
CN1832396A (en) * 2005-11-07 2006-09-13 北京浦奥得数码技术有限公司 Pseudo-random number generation method
CN105763327A (en) * 2014-12-16 2016-07-13 上海华虹集成电路有限责任公司 Safe random number generation method in intelligent card
CN105426158A (en) * 2015-12-09 2016-03-23 福州瑞芯微电子股份有限公司 Random number generating method and device
CN107133015A (en) * 2017-04-11 2017-09-05 上海汇尔通信息技术有限公司 A kind of random digit generation method and system

Also Published As

Publication number Publication date
CN107980135A (en) 2018-05-01
CN107980135B (en) 2021-11-09

Similar Documents

Publication Publication Date Title
US11818262B2 (en) Method and system for one-to-many symmetric cryptography and a network employing the same
KR101324825B1 (en) Message authentication code pre-computation with applications to secure memory
US11770370B2 (en) System and method for transferring data
TWI420339B (en) Software authorization system and method
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
US11012722B2 (en) System and method for securely transferring data
CN112469036B (en) Message encryption and decryption method and device, mobile terminal and storage medium
US10037441B2 (en) Bus protection with improved key entropy
EP2629225A1 (en) System, devices and methods for collaborative execution of a software application comprising at least one encrypted instruction
US9729319B2 (en) Key management for on-the-fly hardware decryption within integrated circuits
TW201523256A (en) System and method to secure on-board bus transactions
WO2019080109A1 (en) Terminal random number generation method and system
CN109194467A (en) A kind of safe transmission method and system of encryption data
CN202043118U (en) High-safety cluster
Zhang et al. Proof-of-randomness protocol for blockchain consensus: the white paper version 1.0
Karanam et al. Performance Evaluation of Cryptographic Security Algorithms on Cloud
Hussain et al. A smart card based security extension for the bitcoin wallets
Du et al. Key management scheme based on micro-certificate for Internet of Things
Shah et al. Implementing Enhanced AES for Cloud based Biometric SaaS on Raspberry Pi as a Remote Authentication Node
CN110555311A (en) Electronic signature system security design method and system based on pure soft cryptographic operation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17929586

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17929586

Country of ref document: EP

Kind code of ref document: A1