CN101848088A - System for submitting personal identification codes by using cipher algorithm - Google Patents


Info

Publication number
CN101848088A
Authority
CN
China
Prior art keywords
key
user side
user
module
working key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200910312394A
Other languages
Chinese (zh)
Inventor
蒋红宇
柳增寿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN200910312394A
Publication of CN101848088A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a system for submitting personal identification codes (PINs) by using a cipher algorithm. The system comprises a client and an acceptor. The client obtains the submit code corresponding to the user's PIN and uploads it; the acceptor generates the corresponding submit code from the user's PIN, compares it with the submit code uploaded by the client, and performs authorization when the comparison shows the two are consistent. When the system operates, the submit code transmitted over the open line is different every time, so a third party wiretapping the line can neither obtain the plaintext of the PIN nor mount an effective replay attack. Identity theft is thereby effectively prevented and the security of the system is greatly improved.

Description

System for submitting personal identification codes by using a cipher algorithm
Technical field
The present invention relates to network information security technology, and in particular to a system for submitting personal identification codes by using a cryptographic algorithm.
Background art
A personal identification code (PIN), also called a user password or PIN code, is a sequence of alphanumeric symbols that indicates a user's identity. PINs are generally used in fields such as security terminals, e-commerce, e-government, online banking and online games. A PIN is used together with a user name to show that the user is logging in to the application system with a legitimate identity. In a system based on user identity, the secrecy of the PIN is the basis of the normal operation of the system, so the PIN submission process deserves particular attention.
Usually, the channel over which the PIN reaches the security terminal device or application system is insecure, and the messages carrying the PIN may be eavesdropped. Because the user name is usually public, a malicious third party who eavesdrops on the PIN by technical means can impersonate the user, which poses a great risk to the security of the user's data and information.
Summary of the invention
In view of this, the object of the present invention is to provide a system for submitting personal identification codes based on a cryptographic algorithm, used to submit the PIN to a security terminal or application system in a more secure way.
Embodiments of the invention provide a system for submitting personal identification codes based on a cryptographic algorithm, comprising:
A client, configured to obtain the submit code corresponding to the user's PIN and upload it;
An acceptor, configured to generate the corresponding submit code from the user's PIN, compare it with the submit code uploaded by the client, and perform authorization when the two are consistent.
When a system based on the present invention operates, the submit code of the PIN sent over the open line is different every time. A third party wiretapping the line cannot obtain the plaintext of the PIN and cannot mount an effective replay attack, which effectively prevents identity theft and greatly improves the security of the system.
Description of the drawings
Fig. 1 shows a PIN submission system based on a cryptographic algorithm provided by an embodiment of the invention.
Embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawing.
Figure 1 shows a PIN submission system based on a cryptographic algorithm provided by an embodiment of the invention, comprising:
At the client,
Client input module 11, used by the user to enter the PIN. The user enters the PIN through the client input module. The client input module may provide a cancel button for deleting the last character entered and a confirm button for submitting the PIN the user has entered.
Client display module 12, connected to the client input module, used to echo the number of PIN characters the user has entered. So that the user can confirm the PIN entered, the client display module may echo the number of alphanumeric characters entered as a sequence of "*" characters.
Client working key management module 13, used to generate the working key.
Client sequence code module 14, used to generate the sequence code of the client.
Client encryption module 15, used to receive the PIN sent by the client input module and, using the working key, this user's client sequence code and the random number, to calculate the client submit code for the PIN based on the corresponding cryptographic algorithm.
At the acceptor,
Random number generator 21, used to send the random number it generates to the client encryption module and the acceptor encryption module. The channel over which the random number is sent to the client may be an open channel. The random number generator is located at the acceptor, inside the security chip of the security terminal device, or inside the server, cryptographic card or cryptographic machine of the application system, so the random number can be accessed only through the access interface of the security chip, server, cryptographic card or cryptographic machine. The random number access interface provided by the security chip, server, cryptographic card or cryptographic machine offers read access only and no write access, which prevents malicious rewriting of the random number. Because the random number cannot be rewritten, a third party who intercepts any random number together with its submit code cannot mount a replay attack based on that random number and submit code.
Acceptor working key management module 22, used to generate the working key.
Acceptor sequence code module 23, used to generate the sequence code of the acceptor.
Storage module 24, used to store the PINs of all users.
Acceptor encryption module 25, used, with the working key, this user's acceptor sequence code and the random number, to calculate the acceptor submit code for this user's PIN stored in the storage module, based on the corresponding cryptographic algorithm.
Acceptor comparison module 26, used to receive the submit codes sent by the client encryption module and the acceptor encryption module, compare them, and send a user authorization message when they are consistent.
Acceptor authorization module 27, used to receive the user authorization message and notify the application system to open the application permissions pre-allocated to this user.
In one PIN submission, the random number output by the random number generator is sent to the acceptor encryption module and the client encryption module. The period of the random number is required to be greater than 100,000 times, and the length of the random number is no less than 4 bytes. The cryptographic algorithm adopted in this embodiment is the SM1 algorithm. The working key is used to encrypt, or to perform key diversification on, the random number and the sequence code, and the result of this encryption or key diversification serves as the session key required for the PIN submission. The client encryption module uses this session key to encrypt the PIN at the client, and the result of the encryption is the client submit code. The acceptor encryption module uses the same algorithm and key as the client to encrypt the same random number and sequence code and so obtains the same session key; it uses this session key to encrypt the PIN stored at the acceptor, and the result of the encryption is the acceptor submit code.
The client sequence code and the acceptor sequence code are set in advance, in the system issuance phase. For the same user, the client sequence code and the acceptor sequence code are the same numeric sequence. The client sequence code module is connected to the client encryption module, and the acceptor sequence code module is connected to the acceptor encryption module. The sequence code may be the serial number of a hardware device or an application serial number in the application system. The sequence code is required to be no less than 8 bytes long. Because of the sequence code, even if two different clients obtain the same random number, the system still guarantees that the session keys obtained under that condition are different.
For the same user, the working key provided by the client working key management module is identical to the one provided by the acceptor working key management module. This working key may be preset in the system initialization phase and stored in the working key management module.
For the same user, another way of agreeing on the working key is to use the key generation and key agreement functions of the SM2 algorithm, so that a different working key is used each time (one key per use). An SM2 key pair is obtained with the SM2 key generation function; an SM2 key pair comprises an SM2 private key and the SM2 public key corresponding to it. In the system initialization phase, the client working key management module generates an SM2 key pair comprising the client SM2 public key and the client SM2 private key, and the acceptor working key management module generates an SM2 key pair comprising the acceptor SM2 public key and the acceptor SM2 private key. In the operation phase, to agree on the working key, the client working key management module generates a temporary SM2 key pair comprising the client temporary SM2 public key and the client temporary SM2 private key, and the acceptor working key management module likewise generates a temporary SM2 key pair comprising the acceptor temporary SM2 public key and the acceptor temporary SM2 private key. The client working key management module sends its own SM2 public key, its own temporary SM2 public key and its own user identifier to the acceptor working key management module. The acceptor working key management module sends its own SM2 public key, its own temporary SM2 public key and its own acceptor system identifier to the client working key management module. In this process, either the client working key management module or the acceptor working key management module may act as the initiator of the SM2 key agreement protocol, and the other working key management module then acts as the responder. The public keys and identifiers above may be transmitted over an open channel.
When the client is the initiator, the client working key management module uses its own SM2 private key, its own temporary SM2 private key, its own user identifier, the acceptor SM2 public key, the acceptor temporary SM2 public key and the acceptor system identifier to perform the initiator's SM2 key agreement calculation and obtain the working key; the acceptor working key management module uses its own SM2 private key, its own temporary SM2 private key, its own system identifier, the client SM2 public key, the client temporary SM2 public key and the client user identifier to perform the responder's SM2 key agreement calculation and obtain the working key.
When the acceptor is the initiator, the acceptor working key management module uses its own SM2 private key, its own temporary SM2 private key, its own system identifier, the client SM2 public key, the client temporary SM2 public key and the client user identifier to perform the initiator's SM2 key agreement calculation and obtain the working key; the client working key management module uses its own SM2 private key, its own temporary SM2 private key, its own user identifier, the acceptor SM2 public key, the acceptor temporary SM2 public key and the acceptor system identifier to perform the responder's SM2 key agreement calculation and obtain the working key.
The inputs of the acceptor comparison module are the acceptor submit code and the client submit code; the client submit code may reach the acceptor comparison module over an open channel. The acceptor comparison module compares the two submit codes. If they are consistent, it sends the authorization message to the authorization module, the application system opens the application permissions pre-allocated to the user, and the client is notified that the PIN was submitted successfully; this notification is shown on the client display module. If they are inconsistent, it sends nothing to the authorization module and, after a delay of at least half a second, notifies the client that the PIN comparison has failed. In the issuance phase the acceptor comparison module is preset with the maximum number of PIN submission attempts for each user; when the number of consecutive submit code comparison failures reaches this maximum, the PIN stored in the acceptor storage module is locked.
The algorithm used in this embodiment to obtain the session key is the SM1 block cipher. In other implementations, the candidate algorithms for obtaining the session key also include block ciphers such as SSF33 and AES. The acceptor encryption module and the client encryption module use the same algorithm to obtain the session key. When a block cipher is used to obtain the session key, the random number is padded to the block length of the cipher.
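The session key derivation, submit code comparison and lockout described above, as an added Go example that is not part of the patent. AES-128 (one of the alternatives the text names) stands in for SM1; the layout of the two 16-byte blocks, the fixed 8-byte sequence code and 4-byte random number, and the names `SubmitCode`, `Account`, `Challenge` and `Verify` are assumptions, and the failure delay is left out.

```go
// Added example, not the patent's code: AES-128 stands in for SM1; block layouts are assumptions.
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const seqLen, rndLen = 8, 4 // the patent's minimum lengths, fixed here
// encryptBlock encrypts exactly one 16-byte block under key.
func encryptBlock(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// SubmitCode derives sessionKey = E_workKey(seq || rnd || zeros) and returns
// E_sessionKey(len(pin) || pin || zeros). Client and acceptor both call it.
func SubmitCode(workKey, seq, rnd []byte, pin string) ([]byte, error) {
	if len(seq) != seqLen || len(rnd) != rndLen || len(pin) == 0 || len(pin) > 15 {
		return nil, errors.New("bad sequence code, random number or PIN length")
	}
	in := make([]byte, aes.BlockSize)
	copy(in, seq)
	copy(in[seqLen:], rnd) // trailing zeros pad the input to the block length
	sessionKey, err := encryptBlock(workKey, in)
	if err != nil {
		return nil, err
	}
	pinBlock := make([]byte, aes.BlockSize)
	pinBlock[0] = byte(len(pin))
	copy(pinBlock[1:], pin)
	return encryptBlock(sessionKey, pinBlock)
}

// Account is the acceptor's record for one user.
type Account struct {
	WorkKey, Seq []byte
	PIN          string
	MaxAttempts  int
	pending      []byte // random number issued but not yet consumed
	failures     int    // consecutive failed comparisons
}

// Challenge generates the random number inside the acceptor.
func (a *Account) Challenge() ([]byte, error) {
	rnd := make([]byte, rndLen)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	a.pending = rnd
	return append([]byte(nil), rnd...), nil // a copy: callers cannot rewrite it
}

// Verify recomputes the code from the stored PIN and the acceptor's own random number.
func (a *Account) Verify(code []byte) bool {
	if a.pending == nil || a.failures >= a.MaxAttempts {
		return false // no outstanding random number, or PIN locked
	}
	defer func() { a.pending = nil }() // one comparison per random number
	want, err := SubmitCode(a.WorkKey, a.Seq, a.pending, a.PIN)
	if err == nil && subtle.ConstantTimeCompare(want, code) == 1 {
		a.failures = 0
		return true
	}
	a.failures++
	return false
}

func main() {
	acct := &Account{WorkKey: []byte("0123456789abcdef"), Seq: []byte("SN000001"), PIN: "4821", MaxAttempts: 3} // constructed values
	rnd, _ := acct.Challenge()
	code, _ := SubmitCode(acct.WorkKey, acct.Seq, rnd, "4821")
	fmt.Println("fresh code accepted:", acct.Verify(code))
	_, _ = acct.Challenge()
	fmt.Println("replayed code accepted:", acct.Verify(code))
}
```

Because `Verify` uses only the random number the acceptor itself stored, a submit code captured for one random number is compared against a different session key the next time. The 4-byte length is the patent's minimum; a longer random number lowers the chance that a value recurs for the same user.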
In embodiments of the present invention, when the acceptor takes the form of a security terminal device, the security terminal device is connected to the client through a USB interface, an SD or TF interface, or an ISO/IEC 7816 interface; when the acceptor takes the form of an application system, the application system is connected to the client using the TCP/IP protocol over a wired or wireless network.
In addition, the client submit code may reach the acceptor over the network in plaintext; it may also be encrypted again inside a VPN system and reach the acceptor as ciphertext, which the acceptor decrypts to obtain the client submit code.
In short, the above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (10)

1. A system for submitting personal identification codes by using a cryptographic algorithm, characterized in that it comprises:
A client, configured to obtain the submit code corresponding to the user's PIN and upload it;
An acceptor, configured to generate the corresponding submit code from the user's PIN, compare it with the submit code uploaded by the client, and perform authorization when the two are consistent.
2. The system according to claim 1, characterized in that the acceptor further comprises:
A random number generator, configured to send the random number it generates to the client and also to provide the random number for use inside the acceptor.
3. The system according to claim 2, characterized in that the client comprises:
A client input module, used by the user to enter the PIN;
A client display module, connected to the client input module, used to echo the number of PIN characters the user has entered;
A client working key management module, used to generate the working key of the client;
A client sequence code module, used to generate the sequence code of the client;
A client encryption module, used to receive the PIN sent by the client input module and, using the working key, this user's client sequence code and the random number, to calculate the client submit code for this PIN based on the corresponding cryptographic algorithm.
4. The system according to claim 3, characterized in that the acceptor comprises:
An acceptor working key management module, used to generate the working key of the acceptor;
An acceptor sequence code module, used to generate the sequence code of the acceptor;
A storage module, used to store the PINs of all users;
An acceptor encryption module, used, with the working key of the acceptor, this user's acceptor sequence code and the random number, to calculate the acceptor submit code for this user's PIN stored in the storage module, based on the corresponding cryptographic algorithm;
An acceptor comparison module, used to receive the client submit code and the acceptor submit code, compare them, and send a user authorization message when they are consistent;
An acceptor authorization module, used to receive the user authorization message and notify the application system to open the application permissions pre-allocated to this user.
5. The system according to claim 2 or 3, characterized in that the period of the random number generated by the random number generator is greater than 100,000 times, and the length of the random number is no less than 4 bytes.
6. The system according to claim 3 or 4, characterized in that the cryptographic algorithm used with the working key to calculate the submit code is the SM1 algorithm, specifically comprising:
The working key is used to encrypt, or to perform key diversification on, the random number and the sequence code; the result of this encryption or key diversification serves as the session key required for the PIN submission; the encryption module uses the session key to encrypt the PIN, and the result of the encryption is the submit code.
7. The system according to claim 3 or 4, characterized in that the sequence code is generated as follows:
In the system issuance phase, the client sequence code and the acceptor sequence code are set in advance; for the same user, the client sequence code and the acceptor sequence code are the same numeric sequence; the sequence code is the serial number of a hardware device or an application serial number in the application system; the sequence code is required to be no less than 8 bytes long.
8. The system according to claim 4, characterized in that, for the same user, the working key of the client is identical to the working key of the acceptor, and this working key is preset in the system initialization phase and stored in the working key management module.
9. The system according to claim 4, characterized in that the working key of the client and the working key of the acceptor are agreed as follows: the key generation and key agreement functions of the SM2 algorithm are used to agree on the key.
10. The system according to claim 9, characterized in that the key generation and key agreement specifically comprise:
In the system initialization phase, the client working key management module generates an SM2 key pair comprising the client SM2 public key and the client SM2 private key; the acceptor working key management module generates an SM2 key pair comprising the acceptor SM2 public key and the acceptor SM2 private key;
In the system operation phase, to agree on the working key, the client working key management module generates a temporary SM2 key pair comprising the client temporary SM2 public key and the client temporary SM2 private key; the acceptor working key management module also generates a temporary SM2 key pair comprising the acceptor temporary SM2 public key and the acceptor temporary SM2 private key;
When the working key is agreed, the client working key management module sends its own SM2 public key, its own temporary SM2 public key and its own user identifier to the acceptor working key management module; the acceptor working key management module sends its own SM2 public key, its own temporary SM2 public key and its own acceptor system identifier to the client working key management module.
CN200910312394A 2009-12-28 2009-12-28 System for submitting personal identification codes by using cipher algorithm Pending CN101848088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910312394A CN101848088A (en) 2009-12-28 2009-12-28 System for submitting personal identification codes by using cipher algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910312394A CN101848088A (en) 2009-12-28 2009-12-28 System for submitting personal identification codes by using cipher algorithm

Publications (1)

Publication Number Publication Date
CN101848088A true CN101848088A (en) 2010-09-29

Family

ID=42772555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910312394A Pending CN101848088A (en) 2009-12-28 2009-12-28 System for submitting personal identification codes by using cipher algorithm

Country Status (1)

Country Link
CN (1) CN101848088A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1516388A (en) * 2003-08-26 2004-07-28 胡祥义 Network accreditation method based no symmetric cryptosystem
CN101064610A (en) * 2007-05-25 2007-10-31 四川长虹电器股份有限公司 Identity authentication process
CN101393628A (en) * 2008-11-12 2009-03-25 北京飞天诚信科技有限公司 Novel network safe transaction system and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752112A (en) * 2011-04-22 2012-10-24 航天信息股份有限公司 Authority control method and device based on signed message 1 (SM1)/SM2 algorithm
CN104270251A (en) * 2014-09-29 2015-01-07 北京海泰方圆科技有限公司 Password sharing method for compound type intelligent password equipment
CN104270251B (en) * 2014-09-29 2018-04-06 北京海泰方圆科技股份有限公司 A kind of method that combined intelligent encryption device shares password

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100929