CN103546289A - USB (universal serial bus) Key based secure data transmission method and system - Google Patents
USB (universal serial bus) Key based secure data transmission method and system Download PDFInfo
- Publication number
- CN103546289A CN103546289A CN201310453289.8A CN201310453289A CN103546289A CN 103546289 A CN103546289 A CN 103546289A CN 201310453289 A CN201310453289 A CN 201310453289A CN 103546289 A CN103546289 A CN 103546289A
- Authority
- CN
- China
- Prior art keywords
- usbkey
- application process
- session key
- channel number
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention relates to a USB (universal serial bus) Key based secure data transmission method and system, and belongs to the field of information security. An existing encryption and decryption key transmitting encrypted data through a USB interface needs to be stored in an application, thereby being easily acquired by hackers, malware and the like. The method includes firstly, initiating an application process of an upper computer, and establishing communication between the application process and a USB key; secondly, applying for a logic channel number through the application process to the USB key, and negotiating a session key of the logic channel number with the USB Key through an asymmetric cryptographic algorithm; and finally, performing data transmission between the application process and the USB key through the logic channel number and the session key. By the method and system, communication between multiple processes and the USB key is performed to enable the temporary and independent session key to be adopted when each process is communicated with the USB key, and safety in data transmission is guaranteed.
Description
Technical field
The invention belongs to information security field, be specifically related to a kind of method and system of the safety-oriented data transfer based on USBKey.
Background technology
Digital certificate is a series of data that indicate communication each side identity information in internet communication, and a kind of mode of verifying your identity on Internet is provided, and its effect is similar to driver's driving license or the identity card in daily life.It is You Yigeyou authoritative institution---CA mechanism, be called again certificate granting center distribution, and people can identify the other side's identity on the net with it.Digital certificate be one through the file that comprises public-key cryptography owner information and public-key cryptography of certificate authorization center digital signature.
USBKey as the carrier of digital certificate at PKI(Public Key Infrastructure PKIX) application in field is more and more general, particularly the application in bank finance operation system is very extensive on the net, can guarantee preferably the user network fail safe of operation such as pay the bill, transfer accounts.Yet the importance just because of USBKey status, in recent years the attack means of USBKey was emerged in an endless stream, hacker is by the illegal intercepting of the rogue programs such as virus, wooden horse being installed on subscriber set at the key messages such as transaction data of USB channel, or the transmission information getting by parsing illegally inserts the means such as instruction to reach attack object.
The environment facing due to USBKey becomes increasingly complex, so fully guarantee that the confidentiality of USB channel information is most important.Therefore, need to take effective encryption method to be encrypted the information of USB channel.Simultaneously in order to guarantee the efficiency of transmission, the cryptographic algorithm adopting is mostly stream cipher arithmetic (claiming again " stream cipher algorithm ") or other symmetric cryptographic algorithm, these cryptographic algorithms all need a privacy key (being encryption and decryption key), and host computer and USBKey must hold identical privacy key.Due to the insecurity of operating system, it is unsafe that privacy key is stored in application software, and hacker, rogue program etc. can get the privacy key being stored in software by means such as decompilings.
Summary of the invention
For the defect existing in prior art, the object of this invention is to provide a kind of method and system of the safety-oriented data transfer based on USBKey.The method and system can adopt the interim consulting session key of asymmetric cryptographic algorithm, and in conjunction with many logic channels technology, realize each logic channel and adopt different session keys, can prevent that hacker and rogue program etc. from obtaining key easily, guarantees the fail safe of a plurality of processes and USBKey communication.
For reaching above object, the technical solution used in the present invention is: a kind of method of the safety-oriented data transfer based on USBKey, comprises the following steps:
(1) start the application process of host computer, the communication of setting up application process and USBKey;
(2) application process is applied for logical channel number to USBKey, and by asymmetric cryptographic algorithm and USBKey, consults the session key of described logical channel number;
(3) between application process and USBKey, by described logical channel number and session key, carry out transfer of data.
Further, the method for a kind of safety-oriented data transfer based on USBKey as above, the method also comprises:
(4), after application process finishes, application process is nullified described logical channel number to USBKey.
Further, the method of a kind of safety-oriented data transfer based on USBKey as above, in step (1), described USBKey is at initial phase, in USBKey, store session key agreement dedicated asymmetric key is to K2, and by unsymmetrical key, the private key of K1 carried out the signature value that obtains after digital signature to the PKI of K2; Unsymmetrical key is stored in host computer middleware the PKI of K1.
Further, the method of a kind of safety-oriented data transfer based on USBKey as above, in step (2), application process is applied for logical channel number to USBKey, and comprises by the concrete steps that asymmetric cryptographic algorithm and USBKey consult the session key of described logical channel number:
1) application process is applied for logical channel number to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value;
2) the session key SK of communication between application process generation and USBKey;
3) use the public key encryption session key SK of unsymmetrical key to K2, obtain SK ciphertext;
4) application process sends to USBKey by logical channel number, process ID, SK ciphertext;
5) the SK ciphertext that USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK.
Further, the method for a kind of safety-oriented data transfer based on USBKey as above, described session key SK is the random number of a preseting length.
Further, the method of a kind of safety-oriented data transfer based on USBKey as above, in step (2), application process and USBKey complete after the negotiation of session key, the session key SK that USBKey arranges corresponding logical channel number has consulted sign, and to application process, return to session key SK and consult successfully sign, application process is cached to the unique identification information UID of logical channel number, USBKey and session key SK in current process.
Further, the method of a kind of safety-oriented data transfer based on USBKey as above, in step 1), when application process is applied for logical channel number to USBKey, first USBKey searches application process according to the process ID of this application process and whether has applied for logical channel number, if application is not returned to the logical channel number of new application sign and new application and is entered step 2), if applied for, return and applied for sign and the logical channel number of having applied for, application process is searched and reads the session key SK being buffered in current process and directly entered step (3) by the unique identification information UID of USBKey.
Further, the method of a kind of safety-oriented data transfer based on USBKey as above, in step 1), application process from USBKey, read unsymmetrical key to the PKI of K2 and described signature value after, first application process reads unsymmetrical key that host computer middleware the preserves PKI to K1, and adopt this PKI to carry out sign test to this signature value, if sign test is by directly entering step 2), if sign test failure is read unsymmetrical key again to the PKI of K2 and described signature value from USBKey.
Further, the method for a kind of safety-oriented data transfer based on USBKey as above in step 4), when application process sends to USBKey by logical channel number, process ID, SK ciphertext, sends to USBKey by check code simultaneously; In step 5), the SK ciphertext that first USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK, whether the check code that secondly checking is received is correct, if being set, the session key SK of corresponding logical channel number consulted sign, and to application process, return to session key SK and consult successfully sign, to application process, return to error flag if not, consult unsuccessfully.
Further again, the method for a kind of safety-oriented data transfer based on USBKey as above, in step (3), the concrete steps of carrying out transfer of data by logical channel number and session key between application process and USBKey comprise:
A) application process sends the request data package of transfer of data as required to USBKey; Described request data package comprises logical channel number and uses the request msg after session key;
B) USBKey receives and resolves described request data package, obtain the request msg after logical channel number and encryption, inquire about the session key SK that described logical channel number is corresponding, use this session key SK to be decrypted the request msg after encrypting, the request msg after being deciphered;
C) USBKey processes according to the request of request msg application processes, the response data after being processed, and use described session key SK to be encrypted this response data, the response data after being encrypted also sends to application process;
D) application process receives the response data after described encryption, uses session key SK to be decrypted the response data after encrypting, the response data after being deciphered.
Further, the method for a kind of safety-oriented data transfer based on USBKey as above, in step (4), the concrete steps that application process is nullified described logical channel number to USBKey comprise:
I) application process sends to USBKey by logical channel number and process ID;
Ii) USBKey judges whether this logical channel number exists, and whether this logical channel number mate with process ID, has consulted sign, and delete session key SK if remove session key, does not deal with if not.
A system for the safety-oriented data transfer of USBKey, comprising:
Module is set up in communication, for starting the application process of host computer, sets up the communication of application process and USBKey;
Session key agreement module, applies for logical channel number for application process to USBKey, and by asymmetric cryptographic algorithm and USBKey, consults the session key of described logical channel number;
Data transmission module, for carrying out transfer of data by described logical channel number and session key between application process and USBKey.
Further, the system of a kind of safety-oriented data transfer based on USBKey as above, described session key agreement module comprises:
Logical channel number application unit, applies for logical channel number for application process to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value; Described unsymmetrical key is the initial phase at USBKey to K2, is stored in the session key agreement dedicated asymmetric key pair in USBKey;
Session key generation unit, for the session key SK of communication between application process generation and USBKey;
Session key unit, for using the public key encryption session key SK of unsymmetrical key to K2, obtains SK ciphertext;
Session key transmission unit, sends to USBKey for application process by logical channel number, process ID, SK ciphertext;
Session key acquiring unit, the SK ciphertext of using unsymmetrical key to receive the private key deciphering of K2 for USBKey obtains session key SK.
Effect of the present invention is: adopt method and system of the present invention, by utilizing many logic channels technology, while being each process and USBKey communication, consult different logical channel numbers, respective logical channels number corresponding process and the interim session key of consulting to be different from other process of USBKey, and the session key of negotiation is placed among buffer memory rather than longer-term storage among application program, thereby can prevent that hacker and rogue program etc. from obtaining key easily, guarantees the fail safe of a plurality of processes and USBKey communication.
Accompanying drawing explanation
Fig. 1 is the structured flowchart of a kind of system of the safety-oriented data transfer based on USBKey in the specific embodiment of the invention;
Fig. 2 is the flow chart of a kind of method of the safety-oriented data transfer based on USBKey in the specific embodiment of the invention.
Embodiment
Below in conjunction with specification drawings and specific embodiments, the invention will be further described.
As shown in Figure 1, structured flowchart for a kind of system of the safety-oriented data transfer based on USBKey in the specific embodiment of the invention, this system mainly comprises following three submodules: module 11, session key agreement module 12 and data transmission module 13 are set up in communication, wherein:
Communication is set up module 11 for starting the application process of host computer, sets up the communication of application process and USBKey.
Session key agreement module 12 is applied for logical channel number for application process to USBKey, and by asymmetric cryptographic algorithm and USBKey, consults the session key of described logical channel number; This module comprises:
Logical channel number application unit, applies for logical channel number for application process to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value;
Session key generation unit, for the session key SK of communication between application process generation and USBKey;
Session key unit, for using the public key encryption session key SK of unsymmetrical key to K2, obtains SK ciphertext;
Session key transmission unit, sends to USBKey for application process by logical channel number, process ID, SK ciphertext;
Session key acquiring unit, the SK ciphertext of using unsymmetrical key to receive the private key deciphering of K2 for USBKey obtains session key SK.
Preferably, the system described in present embodiment also comprises that is nullified a module 14, and after finishing for application process, application process is nullified described logical channel number to USBKey.
Wherein, described USBKey need to generate or by outside unsymmetrical key, generation equipment (as encryption equipment) or instrument be imported to a pair of session key agreement dedicated asymmetric key to K2 at production initial phase, and can not wipe and revise after storage, private key cannot read, and PKI can be employed process in the session key agreement stage and read, preferably, in order to prevent that PKI in K2 from reading in process at this, be replaced (as man-in-the-middle attack, be that application process while reading PKI from USBKey, rogue program has been tackled the PKI that USBKey sends, and the PKI that replaces to forgery is issued application process), need to adopt signature dedicated asymmetric key, to K1, the PKI in K2 is carried out to digital signature, private key in K1 is stored in encryption device or (as encryption equipment) or production encryption software, producing initial phase uses this private key to sign to the PKI in K2, obtain signature value, this signature value and K2 are together write to the dedicated memory space of USBKey, the PKI of K1 is stored in host computer middleware, while reading the PKI of K2 for application process, it is carried out to sign test,
Concrete, the asymmetric arithmetic that unsymmetrical key can adopt K1 and K2 comprises RSA-1024, RSA-2048 and the close SM2 of state etc.
Concrete, when application process is applied for logical channel number to USBKey, first USBKey searches application process according to the process ID of this application process and whether has applied for logical channel number, if not applying for the logical channel number that returns to new application sign and new application goes forward side by side into session key generation unit, if applied for, return and applied for sign and the logical channel number of having applied for, application process is searched and reads the session key SK being buffered in current process and directly entered data transmission module 13 by the unique identification information UID of USBKey;
Wherein, process ID is unique Process identifier PID of system Random assignment, preferably, in order to guarantee that process exception exits rear (now USBKey does not remove original PID), this process PID is redistributed to other process by system, during application, can adopt by this PID and the preferred n=2 of n() identifier that combines of the random number of individual byte, as the ID of this process; In addition, the logical channel number length that USBKey returns is 1 byte.
Application process from USBKey, read unsymmetrical key to the PKI of K2 and signature value after, first application process reads the PKI of the unsymmetrical key of host computer middleware to K1, and adopt this PKI to carry out sign test to this signature value, if sign test is by directly entering session key generation unit, if sign test failure is read unsymmetrical key again to the PKI of K2 and signature value from USBKey.
Session key SK described in session key generation unit is the encryption and decryption key adopting when the information of USB channel is encrypted and is deciphered, application process can be got the random number that random number interface obtains a preseting length by calling software, as the session key SK of stream cipher or other symmetric cryptographic algorithm.The preseting length of this random number can be that 16 bytes can be also other length, as adopted RC4 cryptographic algorithm, can be 1-256 byte.Preferably, can adopt RC4 cryptographic algorithm.
Preferably, in session key transmission unit, when application process sends to USBKey by logical channel number, process ID, SK ciphertext, check code is sent to USBKey simultaneously; In session key confirmation unit, the SK ciphertext that first USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK, whether the check code that secondly checking is received is correct, if being set, the session key SK of corresponding logical channel number consulted sign, and to application process, return to session key agreement and successfully indicate, to application process, return to error flag if not, consult unsuccessfully;
So far, application process and USBKey have completed the negotiation of session key, the session key SK that corresponding logical channel number is set at USBKey has consulted sign, and to application process, return to session key SK and consult successfully sign, application process by the unique identification information UID(of logical channel number, USBKey as unique sequence number) and session key SK(in the mode of plaintext or ciphertext) be cached in current process.Application process and USBKey carry out the transmission of data by described logical channel number and session key.After application process finishes, application process sends to USBKey by logical channel number and process ID; USBKey judges whether this logical channel number exists, and whether this logical channel number mate with process ID, has consulted sign, and delete session key SK if remove session key, does not deal with if not.
As shown in Figure 2, be the flow chart of a kind of method of the safety-oriented data transfer based on USBKey in the specific embodiment of the invention, the method comprises the following steps:
Step S21: start the application process of host computer, the communication of setting up application process and USBKey;
Before carrying out the transmission of data, first start the application process of host computer, the communication of initialization application process and USBKey, in practical operation, application process X, after opening USBKey equipment, has set up both communications.
Wherein, USBKey need to generate or by outside unsymmetrical key, generation equipment (as encryption equipment) or instrument be imported to a pair of session key agreement dedicated asymmetric key to K2 at production initial phase, and can not wipe and revise after storage, private key cannot read, and PKI can be employed process in the session key agreement stage and read.Wherein, the session key agreement dedicated asymmetric key of each USBKey has uniqueness to K2.
Preferably, in order to prevent that PKI in K2 from reading in process at this, be replaced (as man-in-the-middle attack, be that application process while reading PKI from USBKey, rogue program has been tackled the PKI that USBKey sends, and the PKI that replaces to forgery is issued application process), need to adopt signature dedicated asymmetric key, to K1, the PKI in K2 is carried out to digital signature, private key in K1 is stored in encryption device or (as encryption equipment) or production encryption software, producing initial phase uses this private key to sign to the PKI in K2, obtain signature value, this signature value and K2 are together write to the dedicated memory space of USBKey, the PKI of K1 is stored in host computer middleware, while reading the PKI of K2 for application process, it is carried out to sign test,
Concrete, the asymmetric arithmetic that unsymmetrical key can adopt K1 and K2 comprises RSA-1024, RSA-2048 and the close SM2 of state etc.
Step S22: application process is applied for logical channel number to USBKey, and by asymmetric cryptographic algorithm and USBKey, consult the session key of described logical channel number;
This step specifically comprises following five steps:
1) application process is applied for logical channel number to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value;
Concrete, when application process is applied for logical channel number to USBKey, first USBKey searches application process according to the process ID of this application process and whether has applied for logical channel number, if application is not returned to the logical channel number of new application sign and new application and is entered step 2), if applied for, return and applied for sign and the logical channel number of having applied for, application process is searched and reads the session key SK being buffered in current process and directly entered step S23 by the unique identification information UID of USBKey.Due in concrete practical application, likely exist a certain process to open the situation of a plurality of USBKey, the unique identification information UID by USBKey can find corresponding USBKey accurately.
Wherein, process ID is unique Process identifier PID of system Random assignment, preferably, in order to guarantee that process exception exits rear (now USBKey does not remove original PID), this process PID is redistributed to other process by system, during application, can adopt by this PID and the preferred n=2 of n() identifier that combines of the random number of individual byte, as the ID of this process; In addition, the logical channel number length that USBKey returns is 1 byte.
Application process from USBKey, read unsymmetrical key to the PKI of K2 and signature value after, first application process reads the PKI of the unsymmetrical key of host computer middleware to K1, and adopt this PKI to carry out sign test to this signature value, if sign test is by directly entering session key generation unit, if sign test failure is read unsymmetrical key again to the PKI of K2 and signature value from USBKey.
Wherein, a kind of method of sign test is: when USBKey produces, first to unsymmetrical key, to the PKI of K2, adopt hash algorithm to calculate digest value H, and adopt unsymmetrical key to sign to the private key of K1 to this digest value H, signature value and unsymmetrical key are together stored in USBKey to the PKI of K2; Application process adopts unsymmetrical key, to the PKI of K1, this signature value is carried out to sign test, obtain the digest value H1 of unsymmetrical key to the PKI of K2, and unsymmetrical key is adopted to hash algorithm calculating digest value H2 identical when producing to the PKI of K2, relatively whether H1 is identical with H2, if identical, sign test is passed through, if different, sign test failure.
Certainly, also can not calculate unsymmetrical key adopts unsymmetrical key directly unsymmetrical key to be signed to the PKI of K2 to the private key of K1 to the PKI digest value of K2, after sign test, obtain the PKI of unsymmetrical key to K2, this PKI and the unsymmetrical key being stored in USBKey are before compared the PKI of K2, if identical, sign test is passed through, if different, sign test failure.
So, suppose the transmission of man-in-the-middle attack USBKey, replaced PKI and its signature value that USBKey sends, but because go-between does not get the private key of K1, so application process must sign test failure.It should be noted that, this is a kind of existing asymmetric signature sign test method, and object is to take precautions against go-between to replace PKI and its signature value that USBKey sends, and the sign test described in the present invention includes but not limited to the method.
2) the session key SK of communication between application process generation and USBKey;
Concrete, session key SK described in session key generation unit is the encryption and decryption key adopting when the information of USB channel is encrypted and is deciphered, application process can be got the random number that random number interface obtains a preseting length by calling software, as the session key SK of stream cipher or other symmetric cryptographic algorithm.The preseting length of this random number can be that 16 bytes can be also other length, as adopted RC4 cryptographic algorithm, can be 1-256 byte.Preferably, adopt RC4 cryptographic algorithm.
3) use the public key encryption session key SK of unsymmetrical key to K2, obtain SK ciphertext;
4) application process sends to USBKey by logical channel number, process ID, SK ciphertext;
5) the SK ciphertext that USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK.
Preferably, in session key transmission unit, when application process sends to USBKey by logical channel number, process ID, SK ciphertext, check code is sent to USBKey simultaneously; In session key confirmation unit, the SK ciphertext that first USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK, whether the check code that secondly checking is received is correct, if being set, the session key SK of corresponding logical channel number consulted sign, and to application process, return to session key SK and consult successfully sign, to application process, return to error flag if not, consult unsuccessfully;
Wherein, described check code is error-checking code EDC(Error Detection Code), as CRC16 or CRC32, or the digest value of employing hash algorithm, or message authentication code MAC(MessageAuthentication Code), in this embodiment, by logical channel number, process ID and session key SK, expressly participated in calculating; The check code C1 calculating according to these large data, be attached to together transmission in large data, USBKey receives the identical algorithm calculation check code C2 of rear employing, by relatively whether C1 is identical with C2, can detect and in data transmission procedure, whether make a mistake or be tampered, but correcting data miss-code not.This checking procedure is prior art.
So far, application process and USBKey have completed the negotiation of session key, the session key SK that corresponding logical channel number is set at USBKey has consulted sign, application process by the unique identification information UID(of logical channel number, USBKey as unique sequence number) and session key SK(in the mode of plaintext or ciphertext) be cached in current process.
In this embodiment, between application process and USBKey, the process of consulting session key SK is as shown in the table:
Step S23: carry out transfer of data by described logical channel number and session key between application process and USBKey;
This step specifically comprises following four steps:
A) application process sends the request data package of transfer of data as required to USBKey; Described request data package comprises logical channel number and uses the request msg after session key;
Concrete, request data package in present embodiment refers to the data message between application process and USBKey, this data message adopts Application Protocol Data Unit APDU(Application Protocol Data Unit), form is CLA INS P1P2Lc/Le Data, wherein CLA is classes of instructions, and INS is command code, and P1, P2 are parameter, Lc is the length of Data, the data word joint number that Le answers while responding for hope; While transmitting this data message, make CLA partly carry step logical channel number, and use session key SK to be encrypted other data except CLA;
B) USBKey receives and resolves described request data package, obtain the request msg after logical channel number and encryption, inquire about the session key SK that described logical channel number is corresponding, use this session key SK to be decrypted the request msg after encrypting, the request msg after being deciphered;
Concrete, USBKey receives described APDU data, first from CLA, parses logical channel number, then searches the session key SK that this logical channel number is corresponding, then with this session key SK, the data of encryption section is decrypted;
C) USBKey processes according to the request of request msg application processes, for example give chip operating system COS(Chip Operating System) process, response data after being processed, and use described session key SK to be encrypted this response data, the response data after being encrypted also sends to application process;
D) application process receives the response data after described encryption, uses session key SK to be decrypted the response data after encrypting, the response data after being deciphered.
Preferably, the method described in present embodiment also comprises:
Step S24: after application process finishes, application process is nullified described logical channel number to USBKey;
This step specifically comprises following two steps:
I) application process sends to USBKey by logical channel number and process ID;
Ii) USBKey judges whether this logical channel number exists, and whether this logical channel number mate with process ID, has consulted sign, and delete session key SK if remove session key, does not deal with if not.
So,, after this logical channel number is nullified, this logical channel number can be distributed to other process again.
By present embodiment, can find out, adopt method and system of the present invention, by utilizing many logic channels technology, while making each process and USBKey communication, apply for different logical channel numbers, the session key that the process that respective logical channels is number corresponding and USBKey be interim consults to be different from other process is placed among buffer memory, rather than by session key longer-term storage in software, by the session key of having consulted, carry out communication again, final process finishes the logical channel number that rear cancellation has been applied for, prevented that hacker and rogue program etc. from obtaining key easily, guaranteed the fail safe of a plurality of processes and USBKey communication.
It will be understood by those skilled in the art that method of the present invention is not limited to the embodiment described in embodiment, specific descriptions are above just in order to explain object of the present invention, not for limiting the present invention.Those skilled in the art's technical scheme according to the present invention draws other execution mode, belongs to equally technological innovation scope of the present invention, and protection scope of the present invention is limited by claim and equivalent thereof.
Claims (13)
1. a method for the safety-oriented data transfer based on USBKey, comprises the following steps:
(1) start the application process of host computer, the communication of setting up application process and USBKey;
(2) application process is applied for logical channel number to USBKey, and by asymmetric cryptographic algorithm and USBKey, consults the session key of described logical channel number;
(3) between application process and USBKey, by described logical channel number and session key, carry out transfer of data.
2. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 1, is characterized in that, the method also comprises:
(4), after application process finishes, application process is nullified described logical channel number to USBKey.
3. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 1 or 2, it is characterized in that, in step (1), described USBKey is at initial phase, in USBKey, store session key agreement dedicated asymmetric key is to K2, and by unsymmetrical key, the private key of K1 carried out the signature value that obtains after digital signature to the PKI of K2; Unsymmetrical key is stored in host computer middleware the PKI of K1.
4. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 3, it is characterized in that, in step (2), application process is applied for logical channel number to USBKey, and comprises by the concrete steps that asymmetric cryptographic algorithm and USBKey consult the session key of described logical channel number:
1) application process is applied for logical channel number to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value;
2) the session key SK of communication between application process generation and USBKey;
3) use the public key encryption session key SK of unsymmetrical key to K2, obtain SK ciphertext;
4) application process sends to USBKey by logical channel number, process ID, SK ciphertext;
5) the SK ciphertext that USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK.
5. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 4, is characterized in that, described session key SK is the random number of a preseting length.
6. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 4, it is characterized in that, in step (2), application process and USBKey complete after the negotiation of session key, the session key SK that USBKey arranges corresponding logical channel number has consulted sign, and to application process, return to session key SK and consult successfully sign, application process is cached to the unique identification information UID of logical channel number, USBKey and session key SK in current process.
7. as right, want the method for a kind of safety-oriented data transfer based on USBKey as described in 6, it is characterized in that, in step 1), when application process is applied for logical channel number to USBKey, first USBKey searches application process according to the process ID of this application process and whether has applied for logical channel number, if application is not returned to the logical channel number of new application sign and new application and is entered step 2), if applied for, return and applied for sign and the logical channel number of having applied for, application process is searched and reads the session key SK being buffered in current process and directly entered step (3) by the unique identification information UID of USBKey.
8. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 4, it is characterized in that, in step 1), application process from USBKey, read unsymmetrical key to the PKI of K2 and described signature value after, first application process reads unsymmetrical key that host computer middleware the preserves PKI to K1, and adopt this PKI to carry out sign test to this signature value, if sign test is by directly entering step 2), if sign test failure is read unsymmetrical key again to the PKI of K2 and described signature value from USBKey.
9. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 4, is characterized in that, in step 4), when application process sends to USBKey by logical channel number, process ID, SK ciphertext, check code is sent to USBKey simultaneously; In step 5), the SK ciphertext that first USBKey is used unsymmetrical key to receive the private key deciphering of K2 obtains session key SK, whether the check code that secondly checking is received is correct, if being set, the session key SK of corresponding logical channel number consulted sign, and to application process, return to session key SK and consult successfully sign, to application process, return to error flag if not, consult unsuccessfully.
10. the method for a kind of safety-oriented data transfer based on USBKey as claimed in claim 4, is characterized in that, in step (3), the concrete steps of carrying out transfer of data by logical channel number and session key between application process and USBKey comprise:
A) application process sends the request data package of transfer of data as required to USBKey; Described request data package comprises logical channel number and uses the request msg after session key;
B) USBKey receives and resolves described request data package, obtain the request msg after logical channel number and encryption, inquire about the session key SK that described logical channel number is corresponding, use this session key SK to be decrypted the request msg after encrypting, the request msg after being deciphered;
C) USBKey processes according to the request of request msg application processes, the response data after being processed, and use described session key SK to be encrypted this response data, the response data after being encrypted also sends to application process;
D) application process receives the response data after described encryption, uses session key SK to be decrypted the response data after encrypting, the response data after being deciphered.
The method of 11. a kind of safety-oriented data transfers based on USBKey as claimed in claim 6, is characterized in that, in step (4), the concrete steps that application process is nullified described logical channel number to USBKey comprise:
I) application process sends to USBKey by logical channel number and process ID;
Ii) USBKey judges whether this logical channel number exists, and whether this logical channel number mate with process ID, has consulted sign, and delete session key SK if remove session key, does not deal with if not.
The system of 12. 1 kinds of safety-oriented data transfers based on USBKey, comprising:
Module is set up in communication, for starting the application process of host computer, sets up the communication of application process and USBKey;
Session key agreement module, applies for logical channel number for application process to USBKey, and by asymmetric cryptographic algorithm and USBKey, consults the session key of described logical channel number;
Data transmission module, for carrying out transfer of data by described logical channel number and session key between application process and USBKey.
The system of 13. a kind of safety-oriented data transfers based on USBKey as claimed in claim 12, is characterized in that, described session key agreement module comprises:
Logical channel number application unit, applies for logical channel number for application process to USBKey, and from USBKey, reads unsymmetrical key to the PKI of K2 and described signature value; Described unsymmetrical key is the initial phase at USBKey to K2, is stored in the session key agreement dedicated asymmetric key pair in USBKey;
Session key generation unit, for the session key SK of communication between application process generation and USBKey;
Session key unit, for using the public key encryption session key SK of unsymmetrical key to K2, obtains SK ciphertext;
Session key transmission unit, sends to USBKey for application process by logical channel number, process ID, SK ciphertext;
Session key acquiring unit, the SK ciphertext of using unsymmetrical key to receive the private key deciphering of K2 for USBKey obtains session key SK.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310453289.8A CN103546289B (en) | 2013-09-29 | 2013-09-29 | USB (universal serial bus) Key based secure data transmission method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310453289.8A CN103546289B (en) | 2013-09-29 | 2013-09-29 | USB (universal serial bus) Key based secure data transmission method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103546289A true CN103546289A (en) | 2014-01-29 |
| CN103546289B CN103546289B (en) | 2017-01-11 |
Family
ID=49969369
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310453289.8A Active CN103546289B (en) | 2013-09-29 | 2013-09-29 | USB (universal serial bus) Key based secure data transmission method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103546289B (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104504322A (en) * | 2014-12-05 | 2015-04-08 | 中国科学院信息工程研究所 | Methods for verifying, reading, encrypting and decrypting USB Key |
| CN104917741A (en) * | 2014-07-19 | 2015-09-16 | 国家电网公司 | Cleartext-document public network safety transmission system based on USBKEY |
| CN105812085A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Error correction method and system of audio USB Key |
| CN106559186A (en) * | 2016-03-21 | 2017-04-05 | 天地融科技股份有限公司 | Data transmission method and system, main communication apparatus and from communication apparatus |
| CN106664206A (en) * | 2014-06-18 | 2017-05-10 | 维萨国际服务协会 | Efficient methods for authenticated communication |
| CN107392066A (en) * | 2017-07-19 | 2017-11-24 | 广东欧珀移动通信有限公司 | Protect method, mobile terminal and the computer-readable recording medium of data safety |
| CN107392035A (en) * | 2017-07-19 | 2017-11-24 | 广东欧珀移动通信有限公司 | Protect method, mobile terminal and the computer-readable recording medium of data safety |
| CN107645488A (en) * | 2017-05-27 | 2018-01-30 | 安徽师范大学 | Web data storage and data transmission method based on U-shield |
| CN110474898A (en) * | 2019-08-07 | 2019-11-19 | 北京明朝万达科技股份有限公司 | Data encrypting and deciphering and key location mode, device, equipment and readable storage medium storing program for executing |
| CN111356125A (en) * | 2014-05-23 | 2020-06-30 | 苹果公司 | Electronic subscriber identity module configuration |
| CN112448935A (en) * | 2019-09-03 | 2021-03-05 | 华为技术有限公司 | Method for establishing network connection and electronic equipment |
| CN114422242A (en) * | 2022-01-19 | 2022-04-29 | 闪捷信息科技有限公司 | Abnormal traffic identification method, client and server |
| CN114554485A (en) * | 2021-12-22 | 2022-05-27 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic device and medium |
| CN115208677A (en) * | 2022-07-19 | 2022-10-18 | 光大科技有限公司 | Malicious website identification method and device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030014632A1 (en) * | 2001-07-16 | 2003-01-16 | Vanstone Scott A. | Trusted button |
| CN1968092A (en) * | 2006-09-30 | 2007-05-23 | 北京握奇数据***有限公司 | Method for realizing data interaction between digital signature device and opposite-end device |
| CN101170407A (en) * | 2007-12-03 | 2008-04-30 | 北京深思洛克数据保护中心 | A method for securely generating secret key pair and transmitting public key or certificate application file |
| CN101765105A (en) * | 2009-12-17 | 2010-06-30 | 北京握奇数据***有限公司 | Method for realizing communication encryption as well as system and mobile terminal therefor |
| CN103001976A (en) * | 2012-12-28 | 2013-03-27 | 中国科学院计算机网络信息中心 | Safe network information transmission method |
-
2013
- 2013-09-29 CN CN201310453289.8A patent/CN103546289B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030014632A1 (en) * | 2001-07-16 | 2003-01-16 | Vanstone Scott A. | Trusted button |
| CN1968092A (en) * | 2006-09-30 | 2007-05-23 | 北京握奇数据***有限公司 | Method for realizing data interaction between digital signature device and opposite-end device |
| CN101170407A (en) * | 2007-12-03 | 2008-04-30 | 北京深思洛克数据保护中心 | A method for securely generating secret key pair and transmitting public key or certificate application file |
| CN101765105A (en) * | 2009-12-17 | 2010-06-30 | 北京握奇数据***有限公司 | Method for realizing communication encryption as well as system and mobile terminal therefor |
| CN103001976A (en) * | 2012-12-28 | 2013-03-27 | 中国科学院计算机网络信息中心 | Safe network information transmission method |
Cited By (25)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111356125B (en) * | 2014-05-23 | 2023-04-04 | 苹果公司 | Electronic subscriber identity module configuration |
| CN111356125A (en) * | 2014-05-23 | 2020-06-30 | 苹果公司 | Electronic subscriber identity module configuration |
| CN111355749A (en) * | 2014-06-18 | 2020-06-30 | 维萨国际服务协会 | Efficient method for authenticated communication |
| US10574633B2 (en) | 2014-06-18 | 2020-02-25 | Visa International Service Association | Efficient methods for authenticated communication |
| CN106664206A (en) * | 2014-06-18 | 2017-05-10 | 维萨国际服务协会 | Efficient methods for authenticated communication |
| US11394697B2 (en) | 2014-06-18 | 2022-07-19 | Visa International Service Association | Efficient methods for authenticated communication |
| CN104917741B (en) * | 2014-07-19 | 2018-10-02 | 国家电网公司 | A kind of plain text document public network secure transmission system based on USBKEY |
| CN104917741A (en) * | 2014-07-19 | 2015-09-16 | 国家电网公司 | Cleartext-document public network safety transmission system based on USBKEY |
| CN104504322A (en) * | 2014-12-05 | 2015-04-08 | 中国科学院信息工程研究所 | Methods for verifying, reading, encrypting and decrypting USB Key |
| CN104504322B (en) * | 2014-12-05 | 2017-12-08 | 中国科学院信息工程研究所 | To USB Key checkings, the method for reading, encrypting, decrypting |
| CN105812085B (en) * | 2014-12-29 | 2019-01-25 | 北京握奇智能科技有限公司 | A kind of error correction method and system of the communication receipt of audio/USB Key |
| CN105812085A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Error correction method and system of audio USB Key |
| CN106559186A (en) * | 2016-03-21 | 2017-04-05 | 天地融科技股份有限公司 | Data transmission method and system, main communication apparatus and from communication apparatus |
| CN107645488A (en) * | 2017-05-27 | 2018-01-30 | 安徽师范大学 | Web data storage and data transmission method based on U-shield |
| CN107392035A (en) * | 2017-07-19 | 2017-11-24 | 广东欧珀移动通信有限公司 | Protect method, mobile terminal and the computer-readable recording medium of data safety |
| CN107392035B (en) * | 2017-07-19 | 2020-08-18 | Oppo广东移动通信有限公司 | Method for protecting data security, mobile terminal and computer readable storage medium |
| CN107392066B (en) * | 2017-07-19 | 2020-12-01 | Oppo广东移动通信有限公司 | Method for protecting data security, mobile terminal and computer readable storage medium |
| CN107392066A (en) * | 2017-07-19 | 2017-11-24 | 广东欧珀移动通信有限公司 | Protect method, mobile terminal and the computer-readable recording medium of data safety |
| CN110474898A (en) * | 2019-08-07 | 2019-11-19 | 北京明朝万达科技股份有限公司 | Data encrypting and deciphering and key location mode, device, equipment and readable storage medium storing program for executing |
| CN112448935A (en) * | 2019-09-03 | 2021-03-05 | 华为技术有限公司 | Method for establishing network connection and electronic equipment |
| CN114554485A (en) * | 2021-12-22 | 2022-05-27 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic device and medium |
| CN114554485B (en) * | 2021-12-22 | 2024-03-12 | 卓望数码技术(深圳)有限公司 | Asynchronous session key negotiation and application method, system, electronic equipment and medium |
| CN114422242A (en) * | 2022-01-19 | 2022-04-29 | 闪捷信息科技有限公司 | Abnormal traffic identification method, client and server |
| CN115208677A (en) * | 2022-07-19 | 2022-10-18 | 光大科技有限公司 | Malicious website identification method and device |
| CN115208677B (en) * | 2022-07-19 | 2024-01-30 | 光大科技有限公司 | Malicious website identification method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103546289B (en) | 2017-01-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11757662B2 (en) | Confidential authentication and provisioning | |
| CN110519260B (en) | Information processing method and information processing device | |
| CN103546289A (en) | USB (universal serial bus) Key based secure data transmission method and system | |
| US10601801B2 (en) | Identity authentication method and apparatus | |
| CN111756533B (en) | System, method and storage medium for secure password generation | |
| CN101828357B (en) | Credential provisioning method and device | |
| CN107358441B (en) | Payment verification method and system, mobile device and security authentication device | |
| CA3164765A1 (en) | Secure communication method and device based on identity authentication | |
| CA2879910C (en) | Terminal identity verification and service authentication method, system and terminal | |
| US8397281B2 (en) | Service assisted secret provisioning | |
| US9165148B2 (en) | Generating secure device secret key | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| WO2021190197A1 (en) | Method and apparatus for authenticating biometric payment device, computer device and storage medium | |
| CN103516524A (en) | Security authentication method and system | |
| CN117081736A (en) | Key distribution method, key distribution device, communication method, and communication device | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN105072136A (en) | Method and system for security authentication between devices based on virtual drive | |
| WO2019037422A1 (en) | Key and key handle generation method and system, and smart key security device | |
| CN114697113A (en) | Hardware accelerator card-based multi-party privacy calculation method, device and system | |
| WO2017107642A1 (en) | Text processing method, apparatus and system for secure input method | |
| EP3185504A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
| CN111246480A (en) | Application communication method, system, equipment and storage medium based on SIM card | |
| CN117728976A (en) | Data transmission method, device, equipment and storage medium | |
| CN114125830A (en) | Encrypted transmission method, equipment and medium for APP data | |
| CN114844646A (en) | Authentication method and device between devices and electronic device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |