CN113014393B - Password safe box system based on hardware encryption and application method - Google Patents


Info

Publication number: CN113014393B
Authority: CN (China)
Prior art keywords: password, key, ukey, security chip, security
Legal status: Active
Application number: CN202110193077.5A
Other languages: Chinese (zh)
Other versions: CN113014393A
Inventors: 刘俊, 刘睿, 荆鸿远
Current assignee: Zhongyitong Technology Co ltd
Original assignee: Zhongyitong Technology Co ltd
Events: application filed by Zhongyitong Technology Co ltd; priority to CN202110193077.5A; publication of CN113014393A; application granted; publication of CN113014393B; legal status active; anticipated expiration

Classifications

    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/1441 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic: countermeasures against malicious traffic
    • H04L9/0643 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications: hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L2209/12 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication: details relating to cryptographic hardware or logic circuitry


Abstract

The invention provides a password safe box system based on hardware encryption and an application method for it. The system comprises a mobile terminal, a security chip and a service system: the mobile terminal runs a program end (app) installed on it; the UKey device carries the security chip and is connected to the mobile terminal through USB-HID; the service system comprises a cipher machine, a key management system and a UKey production management system, where the UKey production management system is the back-end system supporting UKey production and daily management; the key management system is deployed at the server back end and relies on the cipher machine to provide services to the UKey production management system. The beneficial effects of the invention are as follows: the user password is transmitted encrypted, stored in the security chip, and on extraction is entered automatically into the target password field, and the protection key cannot be obtained or leaked.

Description

Password safe box system based on hardware encryption and application method
Technical Field
The invention relates to the technical field of information and data security, in particular to a password safe box system based on hardware encryption and an application method.
Background
With the rapid development of the internet and the mobile internet, more and more mobile application software is available, and almost every type of application needs a user password as protection, which leaves the user with the burden of remembering many passwords. Passwords are important and extremely sensitive private information, so users need helper software to remember them.
The existing password-assistant software on the market has obvious security hazards and defects, mainly the following:
the software encrypts the password text entered by the user with a fixed key using software-only encryption, and the encryption and decryption key is fixed in the software or in system storage; hijacking software or a Trojan horse can therefore easily intercept the data, extract the decryption key by decompiling the software, and decrypt the ciphertext externally, causing password leakage.
Disclosure of Invention
To address the defects of the prior art, the invention combines a security chip integrated on a UKey with a software app for secure communication. Using the national cryptographic algorithms, it builds hardware-encrypted password transmission, storage and HID keyboard input: the symmetric protection key for passwords and the public/private transmission key pair are randomly generated at initialization and setup, and the production management system manages only the UKey's management keys. As a result, the user password is transmitted encrypted, stored in the UKey's security chip, extracted securely and entered securely and automatically into the target password field, and the protection key cannot be obtained or leaked by the software developer. This is achieved by the following technical scheme.
The invention provides a mobile intelligent password safe system based on hardware encryption protection, comprising a UKey with an integrated security chip, a password safe app, a key management system, a hardware cipher machine and a UKey production management system. The key management system needs the hardware cipher machine to store and compute the management keys of the UKey and of the system; through interaction between the UKey production management system and the key management system it initializes the unique management keys of each UKey, symmetric and asymmetric, and initializes the UKey security chip. The UKey has a USB interface of the type supported by mobile phones and connects to the phone. After setting a security password, or a user identity confirmation method such as a fingerprint, on the UKey through the password safe app, the user sets a password to be protected; it is transmitted to the security chip of the UKey device protected by a random asymmetric public key generated in the security chip, and is stored after encryption with a symmetric key. When the user needs to extract a given password, the user identity is first confirmed, the password is decrypted inside the security chip, and it is entered into the target field via HID keyboard input, completing the extraction.
The invention provides a password safe box system based on hardware encryption, comprising a mobile terminal, a security chip and a service system, wherein:
the mobile terminal comprises a program end installed on it, used to initialize and manage the user's security password and the UKey device functions, and to bind a service monitoring process and a floating window when the UKey is inserted into the mobile terminal;
the UKey device carries the security chip and is connected to the mobile terminal through USB-HID;
the service system comprises a cipher machine, a key management system and a UKey production management system, where the UKey production management system is the back-end system supporting UKey production and daily management;
the key management system is deployed at the server back end and relies on the cipher machine to provide services to the UKey production management system.
The keys held by the UKey device comprise a working key and a management key. The working key is used for transmitting the password set by the user and for encrypting the stored password inside the UKey device; it is generated inside the security chip and cannot be exported. The management key is used for authenticating the legitimacy of the UKey device, maintaining the UKey device and maintaining the security password.
Preferably, the working key comprises an asymmetric key for password transmission, a symmetric key for password protection and a UKey public key list, wherein:
the asymmetric key is used to transmit the password set by the user; its private key is controlled inside the security chip and only the public key part can be exported; it is generated as a disposable temporary public/private key pair and is lost when the UKey device is powered off or reset;
the symmetric key protects the stored passwords: a password received under the asymmetric key is decrypted with the private key and then encrypted with the symmetric key before storage; the symmetric key is generated during initialization and is stored permanently in the security chip until the UKey device is destroyed.
Preferably, the management key comprises the identity authentication asymmetric public/private key, the UKey device maintenance symmetric key and the security password maintenance symmetric key, wherein:
the identity authentication asymmetric public/private key is generated by the UKey device during production and registered in the production management system, where a correspondence is established for subsequent legality authentication;
the UKey device maintenance symmetric key is derived by the key management system from the UKey device serial number and written into the UKey device; it protects the security password maintenance symmetric key when that key is updated or written;
the security password maintenance symmetric key is the key that encrypts and protects the security password when the user updates or sets it; the key management system derives it from the UKey device serial number and writes it into the UKey device.
Preferably, the UKey public key list is a correspondence table of the public keys and serial numbers of issued UKeys that have been registered and stored.
An application method of the password safe box system, comprising a method for setting a password with the following steps:
step 1, after the security chip is connected to the mobile terminal, the program end prompts: input the password;
step 2, the security chip verifies the identity; if verification passes, go to step 3, otherwise the flow ends;
step 3, after verification passes, the security chip randomly generates a temporary asymmetric public/private key pair and responds with the public key data;
step 4, the program end prompts: input the password identifier, password description information and password; it encrypts this information with the public key returned by the security chip and sends it to the security chip;
step 5, the security chip decrypts the encrypted information with the temporary private key and checks the validity of the data format; if the check passes, go to step 6, otherwise the flow ends;
step 6, the security chip extracts the decrypted information, encrypts it with the password-protection symmetric key and puts it into cold storage;
step 7, the security chip computes the SHA-1 hash of the password and responds with it together with the password identifier;
step 8, after the program end receives the response data, it checks the SHA-1 hash and the password identifier, prompts the user according to the result, and the flow ends.
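The set-password flow above, as an added worked example in Go that is not code from the patent or from Zhongyitong Technology: a simulated security chip and program end exchanging the messages of steps 2 to 8. RSA-OAEP stands in for the asymmetric algorithm and AES-256-GCM for the symmetric one (both assumptions; the page says only that national algorithms are used and does not identify them). The record layout `identifier \0 description \0 password`, the function names, the one-shot key pair being discarded after a single decryption, and the sample values are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// seal is AES-256-GCM with the nonce prefixed; it stands in for the national
// symmetric algorithm the patent names (assumption).
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(b)
	n := make([]byte, g.NonceSize())
	rand.Read(n) // crypto/rand fails only if the OS RNG is broken
	return g.Seal(n, n, pt, nil)
}

// SecurityChip simulates chip-internal state; the real chip exports none of it.
type SecurityChip struct {
	secPass    []byte            // security password set at initialisation
	protectKey []byte            // password-protection symmetric key, random at init
	temp       *rsa.PrivateKey   // one-shot transmission key pair (step 3)
	authorised bool              // right flag opened by a successful identity check
	store      map[string][]byte // password identifier -> password sealed under protectKey
}

func NewSecurityChip(secPass string) *SecurityChip {
	c := &SecurityChip{secPass: []byte(secPass), protectKey: make([]byte, 32), store: map[string][]byte{}}
	rand.Read(c.protectKey)
	return c
}

// Verify is step 2: the chip checks the security password itself, in constant time.
func (c *SecurityChip) Verify(secPass string) bool {
	c.authorised = subtle.ConstantTimeCompare(c.secPass, []byte(secPass)) == 1
	return c.authorised
}

// TempPublicKey is step 3. RSA-OAEP (assumption) replaces the national
// asymmetric algorithm; the private half never leaves the chip.
func (c *SecurityChip) TempPublicKey() (*rsa.PublicKey, error) {
	if !c.authorised {
		return nil, errors.New("identity not verified")
	}
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	c.temp = k
	return &k.PublicKey, nil
}

// Store is steps 5-7: decrypt with the one-shot private key, check the record
// format, seal the password for cold storage, answer identifier + SHA-1.
func (c *SecurityChip) Store(ct []byte) (string, []byte, error) {
	if c.temp == nil {
		return "", nil, errors.New("no temporary key; restart from step 3")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.temp, ct, nil)
	c.temp = nil // disposable, as on power loss or reset
	parts := bytes.SplitN(pt, []byte{0}, 3) // identifier \0 description \0 password
	if err != nil || len(parts) != 3 || len(parts[0]) == 0 || len(parts[2]) == 0 {
		return "", nil, errors.New("decryption failed or bad record format")
	}
	c.store[string(parts[0])] = seal(c.protectKey, parts[2])
	h := sha1.Sum(parts[2])
	return string(parts[0]), h[:], nil
}

// AppSetPassword is the program-end side (steps 4 and 8): encrypt the record
// under the one-shot public key, then check the identifier and hash returned.
func AppSetPassword(c *SecurityChip, id, desc, pw string) error {
	pub, err := c.TempPublicKey()
	if err != nil {
		return err
	}
	rec := bytes.Join([][]byte{[]byte(id), []byte(desc), []byte(pw)}, []byte{0})
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rec, nil)
	if err != nil {
		return err
	}
	gotID, digest, err := c.Store(ct)
	want := sha1.Sum([]byte(pw))
	if err == nil && (gotID != id || !bytes.Equal(digest, want[:])) {
		err = errors.New("confirmation mismatch")
	}
	return err
}

func main() {
	chip := NewSecurityChip("1234") // constructed sample security password
	chip.Verify("1234")
	fmt.Println(AppSetPassword(chip, "bank", "online banking", "S3cret!"))
}
```

The chip refuses step 3 until step 2 has passed, discards the temporary private key as soon as it has been used once, and refuses a second Store until a fresh key pair has been issued, so a captured step-4 message cannot be submitted again. One point a reviewer would raise about step 7: the confirmation returned to the program end is an unkeyed SHA-1 of the password itself, a deterministic fingerprint of the secret that leaves the chip; a MAC under a per-session key would confirm receipt without that property.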
Preferably, the application method further comprises a method for extracting a password to enter it into a target application, with the following steps:
step 1, when the UKey with the security chip is connected to the mobile terminal, the program end starts the bound floating window, which prompts for the security password or fingerprint;
step 2, if the security chip passes the verification, it opens the authorization flag for this identity verification;
step 3, the floating window reads the password identifier list from the security chip and displays it;
step 4, according to the user's selection, the floating window organizes the request to extract the password data for that password identifier;
step 5, after the security chip checks the authorization, it decrypts the corresponding password data internally;
step 6, the security chip starts USB-HID input mode, the mobile terminal receives the password input, the target application's password entry and confirmation are completed, and the flow ends.
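Step 6's USB-HID input mode, as an added example in Go that is not part of the patent: the encoder turns the password decrypted in step 5 into the 8-byte boot-protocol keyboard reports a HID keyboard sends (modifier byte, reserved byte, six key slots), with an all-zero release report after every press so that repeated characters arrive as separate keystrokes. The usage IDs are the standard HID keyboard/keypad page values for a US layout (a fact, not on the page); the encoder itself, its function names and the decode helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"unicode"
)

// Report is one 8-byte USB HID boot-protocol keyboard report: byte 0 holds
// the modifier bits, byte 1 is reserved, bytes 2-7 carry up to six key usage IDs.
type Report [8]byte

const modLeftShift = 0x02

// usage maps a printable character to {usage ID, shift flag} for a US layout,
// from the HID keyboard/keypad usage page; byUsage is the reverse map.
var (
	usage   = map[rune][2]byte{}
	byUsage = map[[2]byte]rune{}
)

func put(r rune, id, shift byte) {
	usage[r] = [2]byte{id, shift}
	byUsage[[2]byte{id, shift}] = r
}

func init() {
	for i, r := range "abcdefghijklmnopqrstuvwxyz" { // 0x04..0x1d
		put(r, 0x04+byte(i), 0)
		put(unicode.ToUpper(r), 0x04+byte(i), 1)
	}
	for i, r := range "1234567890" { // 0x1e..0x27; shifted gives !@#$%^&*()
		put(r, 0x1e+byte(i), 0)
		put(rune("!@#$%^&*()"[i]), 0x1e+byte(i), 1)
	}
	put('\n', 0x28, 0) // Enter
	put('\t', 0x2b, 0) // Tab
	// 0x2c..0x38: plain and shifted symbol per key; 0x32 (non-US # key) is skipped
	for i, pair := range []string{" ", "-_", "=+", "[{", "]}", "\\|", "", ";:", "'\"", "`~", ",<", ".>", "/?"} {
		for j, r := range pair {
			put(r, 0x2c+byte(i), byte(j))
		}
	}
}

// Encode turns a password into the report sequence the device sends in USB-HID
// input mode: a press report then an all-zero release report per character.
// Characters with no key on the assumed layout are refused, not typed wrongly.
func Encode(password string) ([]Report, error) {
	var out []Report
	for _, r := range password {
		u, ok := usage[r]
		if !ok {
			return nil, fmt.Errorf("character %q has no key on the US layout", r)
		}
		var press Report
		if u[1] == 1 {
			press[0] = modLeftShift
		}
		press[2] = u[0]
		out = append(out, press, Report{})
	}
	return out, nil
}

// Decode is the host's view of the same reports, used to check that the
// encoding round-trips; release reports are skipped, anything else odd is an error.
func Decode(reports []Report) (string, error) {
	var out []rune
	for _, rep := range reports {
		if rep == (Report{}) {
			continue
		}
		shift := byte(0)
		if rep[0] == modLeftShift {
			shift = 1
		} else if rep[0] != 0 {
			return "", fmt.Errorf("unexpected modifier byte %#x", rep[0])
		}
		r, ok := byUsage[[2]byte{rep[2], shift}]
		if !ok || rep[3] != 0 { // unknown usage, or more than one key pressed
			return "", fmt.Errorf("unexpected report %v", rep)
		}
		out = append(out, r)
	}
	return string(out), nil
}

func main() {
	reps, err := Encode("S3cret!") // constructed sample password
	fmt.Println(len(reps), err)
}
```

Two properties matter for a device that types on the user's behalf: the release report after each press is what makes "aa" two keystrokes rather than one held key, and the mapping is layout-dependent, so a password containing a character the target host's layout does not have is refused up front rather than silently mistyped.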
The beneficial effects of the invention are as follows: the symmetric key used to encrypt and decrypt the user's stored passwords is randomly generated, using the national symmetric and asymmetric algorithms, by hardware cryptographic equipment such as the security chip and the cipher machine; when a password is set it is transmitted under asymmetric public key encryption, and the public/private key pair is temporary and disposable, so the software developer cannot know the password in advance. The data communication process uses asymmetric encryption, which prevents man-in-the-middle and replay attacks, guarantees the confidentiality, integrity and non-repudiation of the communication, and solves secure password transmission. When extracting a password the user only needs to insert the UKey: the floating window pops up automatically, and after the user identity is checked the password is entered via USB-HID, so the user does not need to type it manually.
Drawings
Fig. 1 is a block diagram of a safe system in accordance with an embodiment of the present invention.
Fig. 2 is a diagram of the key and relationship required for a safe according to an embodiment of the present invention.
Fig. 3 is a functional diagram of the production process of the security chip of the UKey device in the UKey production system according to an embodiment of the present invention.
Fig. 4 is a basic management function diagram of a program end-to-UKey device according to an embodiment of the present invention.
Fig. 5 is a flow chart of initializing the UKey device by the program end according to an embodiment of the present invention.
Fig. 6 is a flowchart of the program end and UKey device setting a password to be protected according to an embodiment of the present invention.
Fig. 7 is a flowchart of an application method for extracting a UKey device password by a user according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention is made clearly and completely with reference to the accompanying drawings; the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on these embodiments without inventive effort fall within the scope of the invention.
In the embodiment of the invention, the following terms are used:
UKey device: the hardware carrying the security chip, provided with a USB interface for the mobile phone.
HID: abbreviation of Human Interface Device; USB-HID stands for Universal Serial Bus - Human Interface Device, a class of device that interacts directly with humans, such as a keyboard, mouse or joystick.
Program end: generally refers to app software on the mobile phone; in the embodiment of the invention it refers to the password safe app.
Fig. 1 is a block diagram showing the overall structure of a mobile intelligent password safe system based on hardware encryption protection.
The whole mobile password safe system is composed of four main parts: the mobile terminal (the mobile phone); the program end, namely the password safe app installed on the mobile terminal; the UKey device (including the secure encryption chip); and the UKey production management system together with the key management system.
Program end, namely the password safe app: used to initialize and manage the user's security password and the UKey device functions, and to bind the service monitoring process and the floating window when a UKey device of the specific model is inserted into the phone. At initialization the user must set a 'security password' or a 'fingerprint password'; the security password is the means of confirming the user's identity, and a fingerprint password may be used instead (depending on the hardware of the UKey device). After the user confirms identity, passwords can be set in the security chip of the UKey device through the program end, with add, delete, view and modify functions. When a UKey device of the specific model is connected, the service monitor opens the program end's floating window, which sits above other applications and prompts the user to enter the security password or touch the fingerprint sensor, and then shows the password identifier list for the user to select from.
UKey device: the carrier of the security chip, with a USB interface adapted to the mobile phone; it can emulate USB-HID function services as the scenario requires. Other verification modules such as a fingerprint sensor or touch switch are integrated depending on the model, and the device has its own internal operating system for independent processing. It receives instructions from the program end (password safe app) on the mobile terminal through the USB interface, processes them and responds with the result.
UKey production management system: the back-end system supporting UKey production and daily management; it provides the security chip of the UKey device with functions such as initializing the security maintenance keys, registering the serial number and managing its state.
Key management system: securely deployed at the server back end and requiring hardware cipher machine support. It does not open services to the outside; it only provides key initialization, update, destruction and computation services to the internal system, namely the UKey production management system.
Fig. 2 shows the key structure and relationships required by the mobile intelligent password safe system based on hardware encryption protection:
Security chip key structure of the UKey device: divided into working keys and management keys. The working keys are used to transmit the password set by the user and to encrypt the stored password inside the UKey device. The working keys are very sensitive and important, so the invention generates them entirely inside the security chip, with no interface or mode for exporting them. The management keys are used for legality authentication of the UKey device, maintenance of the UKey device and maintenance of the security password.
Password transmission asymmetric key: the invention transmits the password set by the user under an asymmetric public key; the private key is controlled inside the chip and only the public key, which may be disclosed, is exported. The key pair is a disposable temporary public/private key pair and is lost when the UKey device loses power or is reset.
Password protection symmetric key: the invention defines the key under which passwords are stored as a symmetric key; a password received under the transmission key is decrypted with the transmission private key and then encrypted with this symmetric key for storage. The symmetric key is generated during initialization and stored permanently in the security chip until the UKey device is destroyed.
Identity authentication asymmetric public/private key: legality authentication uses this key pair, which is generated by the UKey device during production; only the public key is exported and registered in the production management system, where a correspondence is established for subsequent legality authentication.
UKey maintenance symmetric key: derived by the key management system from the UKey device serial number and written into the UKey device during production; it protects the security password maintenance symmetric key when that key is updated or written.
Security password maintenance symmetric key: encrypts and protects the security password when the user updates or sets it; the key management system derives it from the UKey device serial number and writes it into the UKey device.
Key management system key structure: this part is generated inside the hardware cipher machine and cannot be exported.
UKey maintenance symmetric master key: the master key from which the subkey corresponding to each UKey device serial number is derived;
security password maintenance symmetric master key: the master key from which the subkey corresponding to each UKey device serial number is derived;
UKey public key list: the table relating the public keys and serial numbers of issued UKeys that have been registered and stored; because public keys are public data, an ordinary relational database is used.
Note: it is emphasized again that the invention generates the working keys inside the security chip to ensure security, while the management keys are regularly generated by the system and written into the security chip to ensure controllability.
Fig. 3 shows the production process functions for the security chip of the UKey in the UKey production system; production is completed before the user receives the UKey, and the user does not take part in it.
(1) When the UKey device is produced, an 'identity authentication asymmetric public/private key pair' is randomly generated inside the UKey device and kept inside the security chip; only the public key is exported, and the public key and serial number are reported to the UKey production management system;
(2) the UKey production management system stores the reported UKey device serial number and public key data and builds the correspondence table;
(3) the UKey production management system derives the corresponding 'UKey maintenance key subkey' from the UKey device serial number, encrypts it under the UKey device's default maintenance key, and issues it;
(4) the 'UKey maintenance key subkey' replaces the UKey device's default maintenance key;
(5) the UKey production management system derives the corresponding 'security password maintenance key subkey' from the UKey device serial number and transmits it encrypted under the 'UKey maintenance key subkey' issued in the previous step;
(6) the 'security password maintenance key subkey' replaces the UKey device's default security password maintenance key.
As shown in Fig. 4, the basic management functions of the program end (password safe app) for the UKey device include:
the basic function of the program end on the UKey device is daily management of the UKey device and of passwords, available once the production stage is complete.
User authentication: several methods of verifying the user are reserved, such as a preset security password or fingerprint password, a touch switch and so on.
Modify the 'security password' or fingerprint password: modifies the set 'security password' or 'fingerprint password'; the user must complete verification before using this function.
Modify a 'set password': modifies a user 'password' that has already been set; after the user completes verification, the existing 'password identifier' list is displayed and the user selects the 'password identifier' to modify.
View a 'set password': views a user 'password' that has already been set; the existing 'password identifier' list is displayed only after the user completes verification, and the selected identifier shows information such as the date and time it was set and its usage.
Delete a 'set password': deletes a user 'password' that has already been set; after the user completes verification, the existing 'password identifier' list is displayed and the identifier is selected for deletion.
Complete destruction: all set passwords in the UKey are destroyed; data such as the keys, including the working keys, are not affected.
As shown in fig. 5, the initialization of the UKey by the password safe APP is the process of configuring and registering the basic information of the UKey when the user holds it for the first time.
Step (1): after the UKey device is connected to the mobile phone for the first time, the program end reads the serial number of the UKey device, obtains data signed by the "identity authentication asymmetric public and private key" inside the security chip of the UKey device together with the user-chosen "security password", and sends them to the UKey production management system;
step (2): the UKey production management system looks up the corresponding public key data by the UKey device serial number and verifies the legitimacy of the UKey;
step (3): the UKey production management system requests the key management system to derive a subkey of the "UKey security password maintenance key" from the UKey device serial number, and responds with the "security password" encrypted under it;
step (4): after receiving the response, the program end has the UKey decrypt the "security password" data internally; if the format is correct, the "security password" or fingerprint password is set;
step (5): the security chip inside the UKey device randomly generates the password protection symmetric key and stores it in its internal storage.
Fig. 6 is the flowchart of setting a password to be protected in the password safe APP and the UKey: the detailed process by which the user sets a "password" after having initialized the UKey and set the "security password" or "fingerprint password".
S1: the user connects the UKey device to the mobile terminal;
S2: the program end prompts the user to enter the "security password" or "fingerprint password";
S3: the security chip of the UKey device verifies the user's identity internally; if verification fails it responds with an error message and code and proceeds to S4, which ends the process; if verification passes it proceeds to S5;
S4: the program end tells the user that identity verification failed and the operation is not authorized;
S5: having verified the identity, the UKey device randomly generates a temporary asymmetric public and private key pair and responds with the public key data;
S6: the program end prompts the user to enter a password identifier, password description information and the password, encrypts this information with the public key returned by the UKey device, and sends it to the UKey device;
S7: inside the security chip of the UKey device the data is decrypted with the private key of the "temporary asymmetric public and private key pair" randomly generated in S5 and the validity of the data format is checked; if the format is incorrect the chip responds with an error message and code and proceeds to S8, which ends the process; if it passes, the flow proceeds to S9;
S8: the program end tells the user that the data is illegal;
S9: the data format being correct, the UKey device extracts the password identifier, password description information and password entered by the user in S6, encrypts them with the password protection symmetric key, and stores the result;
S10: after the UKey device has completed the cold storage, it generates the SHA-1 hash of the password and responds with it together with the password identifier;
S11: after receiving the response, the program end checks the SHA-1 hash and the password identifier and prompts the user with the result, ending the process.
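The S5 to S11 exchange (and the matching steps 3 to 8 of claim 4) as an added Go example with both sides in one program; it is not the patent's or applicant's code. RSA-OAEP for the one-time transmission key pair, AES-256-GCM for the password protection key and JSON for the transmitted triple are assumptions, as are the names below; SHA-1 over the password is what the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is the plaintext the app sends in S6: identifier, description, password.
type Entry struct {
	ID   string `json:"id"`
	Desc string `json:"desc"`
	Pwd  string `json:"pwd"`
}

// Record is what the security chip keeps in cold storage (S9): the entry
// sealed under the password protection symmetric key.
type Record struct{ Nonce, Sealed []byte }

// UKey models the security chip. protectKey is the symmetric key generated at
// initialization; tmpKey is the one-time pair from S5, discarded after use.
type UKey struct {
	protectKey []byte
	tmpKey     *rsa.PrivateKey
	store      map[string]Record
}

func NewUKey() (*UKey, error) {
	k := make([]byte, 32) // AES-256 password protection key (assumed size)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &UKey{protectKey: k, store: map[string]Record{}}, nil
}

// BeginSet is S5: after the user is verified, generate a temporary key pair
// and hand the public half to the app.
func (u *UKey) BeginSet() (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	u.tmpKey = k
	return &k.PublicKey, nil
}

// EncryptEntry is the app side of S6: JSON-encode and RSA-OAEP encrypt under
// the chip's temporary public key.
func EncryptEntry(pub *rsa.PublicKey, e Entry) ([]byte, error) {
	pt, err := json.Marshal(e)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, []byte("ukey-set-pwd"))
}

// StoreEntry is S7 to S10: decrypt with the temporary private key, check the
// format, seal under the protection key, store, and answer (id, SHA-1(password)).
func (u *UKey) StoreEntry(ct []byte) (id string, pwdHash [sha1.Size]byte, err error) {
	if u.tmpKey == nil {
		return "", pwdHash, errors.New("no set-password session open")
	}
	defer func() { u.tmpKey = nil }() // one-time pair: gone after this call
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, u.tmpKey, ct, []byte("ukey-set-pwd"))
	if err != nil {
		return "", pwdHash, err
	}
	var e Entry
	if err := json.Unmarshal(pt, &e); err != nil || e.ID == "" || e.Pwd == "" || len(e.Pwd) > 64 {
		return "", pwdHash, errors.New("password data format invalid") // S8
	}
	block, _ := aes.NewCipher(u.protectKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", pwdHash, err
	}
	u.store[e.ID] = Record{nonce, gcm.Seal(nil, nonce, pt, []byte(e.ID))}
	return e.ID, sha1.Sum([]byte(e.Pwd)), nil
}

// CheckResponse is S11 on the app side: the returned hash must match the
// password the user typed, under the identifier that was sent.
func CheckResponse(e Entry, id string, h [sha1.Size]byte) bool {
	return id == e.ID && h == sha1.Sum([]byte(e.Pwd))
}

func main() {
	u, _ := NewUKey()
	pub, _ := u.BeginSet()
	e := Entry{"mail", "work mailbox", "hunter2-but-longer"} // constructed sample
	ct, _ := EncryptEntry(pub, e)
	id, h, err := u.StoreEntry(ct)
	fmt.Println("stored:", id, "hash ok:", CheckResponse(e, id, h), "err:", err)
	_, _, err = u.StoreEntry(ct) // replaying the ciphertext after the pair is gone
	fmt.Println("replay:", err)
}
```

Two properties of the flow are visible here: the ciphertext from S6 is only decryptable by the pair generated in that session, so a captured message cannot be replayed into a later session; and the S10 digest is an unkeyed SHA-1 of the password, so it serves the app as a write confirmation but is also a password digest handed to the host.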
As shown in fig. 7, the flowchart of the user extracting a password from the UKey device gives the detailed procedure by which, once the user has set a "password" in the UKey device, that "password" is extracted and entered into the target application.
S21: the user opens the target application and moves the cursor to the field where the password is to be entered;
S22: the UKey device is connected;
S23: the system of the mobile terminal triggers the bound floating window contained in the program end;
S24: the floating window of the program end prompts the user to enter the "security password" or "fingerprint password";
S25: if the identity verification by the UKey device fails, the flow proceeds to S26; if it passes, the flow proceeds to S27;
S26: the floating window tells the user that identity verification failed and the operation is not authorized, and the process ends;
S27: having verified the identity, the UKey device opens the authority flag of the verification;
S28: the floating window (generated by the password safe APP) reads and displays the list of "password identifiers" in the UKey device;
S29: the user selects the required password identifier, and the floating window (password safe APP) organizes the extraction of the password data for that identifier;
S30: after the UKey device has checked that the authority flag is open, it decrypts the corresponding "password" data internally;
S31: the UKey device starts the USB-HID data input mode and, after the input is complete, appends the "carriage return" confirmation key;
S32: the mobile terminal receives the password entered through the USB-HID service, the password entry and confirmation of the target application are completed, and the process ends.
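S30 and S31 as an added Go example, not code from the patent: after the authority flag check, the decrypted password is turned into the USB boot-keyboard input reports the UKey sends in HID mode, one press and one release report per character, followed by Enter. The usage IDs are from the keyboard page of the USB HID Usage Tables and assume the host interprets them with a US layout; the Report type and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Report is one USB boot-keyboard input report: modifier byte, reserved byte,
// then up to six concurrently pressed key usage IDs.
type Report [8]byte

const (
	modLeftShift = 0x02
	usageEnter   = 0x28 // "Keyboard Return (ENTER)"
)

// Characters that need Shift, and the unshifted key that produces each one.
const shifted = `~!@#$%^&*()_+{}|:"<>?`
const unshiftedOf = "`1234567890-=[]\\;',./"

// Usage IDs of the unshifted symbol keys, US layout (assumption).
var punct = map[byte]byte{
	'-': 0x2D, '=': 0x2E, '[': 0x2F, ']': 0x30, '\\': 0x31,
	';': 0x33, '\'': 0x34, '`': 0x35, ',': 0x36, '.': 0x37, '/': 0x38, ' ': 0x2C,
}

// keyFor returns (modifier, usage) for one printable ASCII character.
func keyFor(c byte) (mod, usage byte, err error) {
	switch {
	case c >= 'a' && c <= 'z':
		return 0, 0x04 + (c - 'a'), nil
	case c >= 'A' && c <= 'Z':
		return modLeftShift, 0x04 + (c - 'A'), nil
	case c >= '1' && c <= '9':
		return 0, 0x1E + (c - '1'), nil
	case c == '0':
		return 0, 0x27, nil
	}
	if u, ok := punct[c]; ok {
		return 0, u, nil
	}
	for i := 0; i < len(shifted); i++ {
		if shifted[i] == c {
			_, u, err := keyFor(unshiftedOf[i])
			return modLeftShift, u, err
		}
	}
	return 0, 0, fmt.Errorf("character %q has no key in this layout", c)
}

// HIDReports turns the decrypted password into the report sequence of S31:
// press and release per character, then press and release of Enter.
func HIDReports(password string) ([]Report, error) {
	var out []Report
	release := Report{} // all-zero report: no key held
	for i := 0; i < len(password); i++ {
		mod, u, err := keyFor(password[i])
		if err != nil {
			return nil, err
		}
		out = append(out, Report{mod, 0, u}, release)
	}
	return append(out, Report{0, 0, usageEnter}, release), nil
}

// TypePassword is the chip-side gate of S30/S31: the authority flag opened by
// the security-password or fingerprint check must be set, or nothing is typed.
func TypePassword(authorityOpen bool, password string) ([]Report, error) {
	if !authorityOpen {
		return nil, errors.New("authority flag closed: verification required")
	}
	return HIDReports(password)
}

func main() {
	reps, err := TypePassword(true, "Pa$s_1") // constructed sample password
	fmt.Println(len(reps), "reports, err:", err)
	for _, r := range reps {
		fmt.Printf("% x\n", r[:])
	}
	_, err = TypePassword(false, "Pa$s_1")
	fmt.Println("without verification:", err)
}
```

The layout assumption is the practical caveat: the chip sends key positions, not characters, so a host configured for a different keyboard layout receives a different string for the same stored password, and a password containing characters outside the mapped set cannot be typed at all. The reports also land in whichever field currently has focus, which is why S21 places the cursor before the UKey is connected.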
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (5)

1. A password safe system based on hardware encryption, characterized in that it comprises a mobile terminal, a security chip and a service system, wherein:
the mobile terminal comprises a program end installed on the mobile terminal, the program end being used for initializing and managing the user's security password and the functions of a UKey device, and also binding a service monitoring process and a floating window when the UKey is inserted into the mobile terminal;
the UKey device carries the security chip and is connected to the mobile terminal through USB-HID;
the service system comprises a cipher machine, a key management system and a UKey production management system, the UKey production management system being the back-end system supporting UKey production and daily management;
the key management system is deployed at the server back end and needs the support of the cipher machine in order to provide services to the UKey production management system;
the keys produced for the UKey device comprise working keys and management keys, wherein the working keys are used for transmitting the password set by the user and for encrypting the password for internal storage, are produced inside the security chip and cannot be exported, and the management keys are used for legitimacy authentication of the UKey device, maintenance of the UKey device and maintenance of the security password; the working keys comprise an asymmetric key for password transmission, a symmetric key for password protection and a UKey public key list, wherein: the asymmetric key is used for transmitting the password set by the user, its private key is held inside the security chip and its public key part can be exported; it is produced as a one-time temporary public-private key pair and is lost when the UKey device is powered off or reset; the symmetric key is the key under which the password is stored: after the password has been decrypted with the private key of the asymmetric key it is encrypted with the symmetric key and then stored; the symmetric key is generated at initialization and is kept permanently in the security chip until the UKey device is destroyed.
2. The password safe system of claim 1, wherein the management keys comprise: an identity authentication asymmetric public and private key, a UKey device maintenance symmetric key and a security password maintenance symmetric key, wherein:
the identity authentication asymmetric public and private key is generated by the UKey device during production, registered in the production management system and associated with the device for subsequent legitimacy authentication;
the UKey device maintenance symmetric key is derived from the UKey device serial number and written into the UKey device, and is used for protecting the security password maintenance symmetric key when the latter is updated or written;
the security password maintenance symmetric key is the key that encrypts and protects the password when the user updates or sets the security password; the key management system derives it from the serial number of the UKey device and writes it into the UKey device.
3. The password safe system of claim 1, wherein the UKey public key list is a table of correspondence between the registered public keys of issued UKeys and their serial numbers.
4. A method of using a password safe, the method acting on the password safe system of any one of claims 1 to 3 and comprising a method of setting a password, which comprises the following steps:
step 1, after the security chip is connected to the mobile terminal, the program end prompts: enter the password;
step 2, the security chip verifies the identity; if it passes, proceed to step 3, and if it does not pass, end the process;
step 3, after verification has passed, the security chip randomly generates a temporary asymmetric public and private key pair and responds with the public key data;
step 4, the program end prompts: enter a password identifier, password description information and the password; this information is encrypted with the public key returned by the security chip and sent to the security chip;
step 5, the encrypted information is decrypted inside the security chip with the temporary asymmetric public and private key pair and the validity of the data format is checked; if it passes, proceed to step 6, and if it does not pass, end the process;
step 6, after the check passes, the security chip extracts the information, encrypts it with the password protection symmetric key and places it in cold storage;
step 7, the security chip generates the SHA-1 hash of the password and responds with it together with the password identifier;
and step 8, after the program end receives the response, it checks the SHA-1 hash and the password identifier, prompts the user according to the result, and ends the process.
5. A method of using a password safe, the method acting on the password safe system of any one of claims 1 to 3 and comprising a method of extracting a "password" for password entry into a target application, which comprises the following steps:
step 1, when the security chip is connected to the mobile terminal, the program end brings up the bound floating window, and the floating window prompts for the security password or fingerprint password;
step 2, if the security chip verification passes, the authority flag of the verification is opened;
step 3, the list of password identifiers in the security chip is read through the floating window and displayed;
step 4, according to the user's selection, the floating window organizes the extraction of the password data for the chosen password identifier;
step 5, after the security chip has checked the authority, the corresponding "password" data is decrypted internally;
and step 6, the security chip starts the USB-HID data input mode, the mobile terminal receives the password input, the password entry and confirmation of the target application are completed, and the process ends.
CN202110193077.5A 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method Active CN113014393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110193077.5A CN113014393B (en) 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110193077.5A CN113014393B (en) 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method

Publications (2)

Publication Number Publication Date
CN113014393A CN113014393A (en) 2021-06-22
CN113014393B true CN113014393B (en) 2023-04-28

Family

ID=76404321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110193077.5A Active CN113014393B (en) 2021-02-20 2021-02-20 Password safe box system based on hardware encryption and application method

Country Status (1)

Country Link
CN (1) CN113014393B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472793B (en) * 2021-07-01 2023-04-28 Zhongyitong Technology Co ltd Personal data protection system based on hardware password equipment
CN113668961A (en) * 2021-08-17 2021-11-19 Suzhou Shuangxiang Information Technology Co., Ltd. Key distribution device convenient to operate and method thereof

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769913A (en) * 2016-08-16 2018-03-06 Guangdong Guodun Quantum Technology Co., Ltd. Communication method and system based on a quantum UKey

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105553662B (en) * 2014-10-29 2019-01-08 Aisino Corporation Dynamic digital copyright protection method and system based on identity-based cryptography
CN104639534B (en) * 2014-12-30 2019-02-12 Beijing Qihoo Technology Co., Ltd. Loading method and browser device for web portal security information
CN111901304B (en) * 2020-06-28 2022-08-26 Beijing Kexin Huatai Information Technology Co., Ltd. Registration method and device of mobile security equipment, storage medium and electronic device
CN112383914B (en) * 2020-11-13 2022-02-01 Guangdong University of Technology Password management method based on secure hardware


Also Published As

Publication number Publication date
CN113014393A (en) 2021-06-22

Similar Documents

Publication Publication Date Title
CN102624699B (en) Method and system for protecting data
JP5380604B2 (en) Information recording device
CN111404682B (en) Android environment key segmentation processing method and device
JP2004295271A (en) Card and pass code generator
CN113014393B (en) Password safe box system based on hardware encryption and application method
WO2013182154A1 (en) Method, system and terminal for encrypting/decrypting application program on communication terminal
CN102449631A (en) System and method for performing a management operation
CN111162911B (en) PLC firmware upgrading system and method
US8156548B2 (en) Identification and authentication system and method
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
CN103746801A (en) Method for protecting dynamic password seed key on smart phone or tablet personal computer
KR20120080283A (en) Otp certification device
CN106789024A (en) A kind of remote de-locking method, device and system
CN106056017A (en) Intelligent card COS encrypting and downloading system
CN111614698A (en) Method and device for erasing terminal data
KR20170124953A (en) Method and system for automating user authentication with decrypting encrypted OTP using fingerprint in mobile phone
JP5781678B1 (en) Electronic data utilization system, portable terminal device, and method in electronic data utilization system
CN113722741A (en) Data encryption method and device and data decryption method and device
JP4587688B2 (en) Encryption key management server, encryption key management program, encryption key acquisition terminal, encryption key acquisition program, encryption key management system, and encryption key management method
US9977907B2 (en) Encryption processing method and device for application, and terminal
CN110287725A (en) A kind of equipment and its authority control method, computer readable storage medium
CN112054890B (en) Screen configuration file export and import method and device and broadcasting control equipment
CN108235807B (en) Software encryption terminal, payment terminal, software package encryption and decryption method and system
CN105046174A (en) Disk data protection method and system
CN104636655A (en) Credibility verifying method of hot plug device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant