Background technology
With the development of the Internet and the widespread use of Internet banking, e-commerce and e-government, digital certificate technology based on public key infrastructure (PKI), smart card technology and electronic keys (USBKey) are widely applied across industries and fields. More and more Internet users accept and use USBKey devices for identity authentication and digital signature.
PKI digital certificate technology is a newer security technology built on public-key cryptography, digital certificates, certificate authorities (CA) and the security policies governing public-key cryptography. PKI is a system that uses public-key technology to secure e-commerce; it is an infrastructure on which network communication and online transactions rely for their security. In a sense PKI includes the security certification system; that is, the security certification system (the CA/RA system) is an indispensable part of PKI.
With the development of computer communication and network security technology, PKI-based network security systems have come into wide use in network applications, especially in the security systems of Internet banking, e-commerce and e-government. The build-out of PKI systems has allowed digital signature devices such as smart cards and USBKeys to be deployed on a large scale.
Because smart cards are governed by international standards and have a mature application environment, people are fairly familiar with using them in a PKI-secured network environment. The USBKey, a hardware device that has emerged in recent years, is portable and supports USB hot-plugging; these advantages over a smart card plus card reader have led to its gradual adoption across industries.
USBKeys look alike from the outside, but their internal designs differ and their cost and price differ greatly, which users cannot tell from the appearance. USBKeys generally fall into three types: USB dongle (softdog) keys, memory USBKeys and smart card USBKeys. A smart card USBKey is functionally identical to a smart card plus a USB card reader, yet has a cost and price advantage over the card and reader.
The central role of a USBKey is to protect the user's private key securely and to produce digital signatures for network transactions. This depends closely on the smart card chip embedded in the USBKey and on the smart card COS, especially on how the private key is generated, stored and used.
Digital signature devices based on various USBKeys are now widely used in every field and protect the security and use of the user's private key within the PKI framework effectively. In real operating environments, however, and especially as hacker software keeps being upgraded, the environment in which the USBKey digital signature device is used is attacked and penetrated in an attempt to obtain the PIN password that legitimately unlocks the user's USBKey and to sign network transactions maliciously. The market therefore needs a new USB digital signature device with extended security.
An analysis of the application environment of existing USBKey digital signature devices shows that their main uses on the market today are storing digital certificates and performing digital signatures. An existing USBKey works as follows:
The user inserts the USBKey digital signature device into the computer and performs user authentication. The user must then enter on the computer the personal identification number (PIN) password, i.e. the user's password; this password is a static password.
The USBKey digital signature device checks whether the PIN is correct. If it is, the user is authorized to perform operations such as logging in to websites, establishing Secure Sockets Layer (SSL) secure channels and creating digital signatures.
If the PIN check fails, the USBKey digital signature device locks after several attempts.
Because the user enters the PIN password on the computer keyboard, once the PIN has passed the USBKey's check the device will perform the related operations, and every such operation is treated as legitimate. The user cannot effectively monitor what the USBKey does afterwards. This leaves weaknesses that hackers and criminals can exploit, for example:
When the user enters the correct PIN password, a Trojan or hook program hidden on the computer may capture the password and send it to the hacker.
After obtaining the PIN password of the user's USBKey digital signature device, the hacker operates the user's computer through remote-control software.
If the user's USBKey digital signature device is left plugged into the computer for a long time and the user is no longer in front of the computer (which is left powered on), the hacker can control the user's computer and use the user's USBKey digital signature device together with the illegally obtained PIN password to carry out unauthorized network transactions, causing the user losses.
While the user is signing with the USBKey digital signature device, a hacker program that has invaded the user's computer may forge the information to be signed and misuse the user's USBKey digital signature device to sign a transaction. The user does not notice and suffers losses.
Because digital signatures in practice involve matters such as contracts, transactions and bank funds, the security of the environment in which they are used and their own resistance to attack are of great importance across Internet PKI applications. The market therefore urgently needs a higher-grade USBKey digital signature device that can guard against such attacks and protect the user's legitimate rights and interests.
Summary of the utility model
The utility model provides a digital signature device and system supporting PKI functions, in order to prevent hacker attacks in network applications.
One purpose of the utility model is to provide a digital signature device supporting PKI functions. The device comprises a CPU and a communication interface connected to the CPU, and further comprises: a dynamic password generation unit, connected to the CPU and used to generate a dynamic password; a mixed password verification unit, connected to the CPU and used to verify the mixed password; and a display unit, connected to the CPU and used to display the mixed password and digital signature output information.
The digital signature device supporting PKI functions further comprises a key pair generation unit, connected to the CPU and used to generate a key pair. The communication interface accepts the mixed password sent from outside, and under the control of the CPU the mixed password is passed to the mixed password verification unit. The mixed password verification unit judges whether the mixed password is correct. If not, it returns a password verification error instruction and the user is told that the mixed password is wrong. If so, it returns a mixed password verification success instruction and grants the right to use the generated key pair for digital signature.
The mixed password comprises a static password and a dynamic password.
The digital signature device supporting PKI functions further comprises a storage device, connected to the CPU and used to store the static password. Each time the mixed password is entered, the static password part stays the same, while the dynamic password is produced at random according to the algorithm in the CPU.
The display unit is an LCD display; the communication interface is a USB interface.
Another purpose of the utility model is to provide a digital signature system supporting PKI functions, comprising a computer and an electronic key digital signature device. The electronic key digital signature device has: a CPU and a communication interface connected to the CPU; a dynamic password generation unit, connected to the CPU and used to generate a dynamic password; a mixed password verification unit, connected to the CPU and used to verify the mixed password; and a display unit, connected to the CPU and used to display the mixed password and digital signature output information. The computer is connected through its own communication interface to the communication interface of the electronic key digital signature device.
The electronic key digital signature device further comprises a key pair generation unit, connected to the CPU and used to generate a key pair. The computer accepts the mixed password entered from outside and sends it to the electronic key digital signature device. The mixed password verification unit judges whether the mixed password is correct. If not, it returns a password verification error instruction and the user is told that the mixed password is wrong. If so, it returns a mixed password verification success instruction and grants the right to use the generated key pair for digital signature.
The computer may be a back-end server computer that has a mixed password verification unit. The back-end server computer accepts the dynamic password entered from outside and passes it to its own dynamic password verification unit. The password verification unit of the back-end server computer judges whether the dynamic password is correct. If not, it returns a password verification error instruction and the user is told that the dynamic password is wrong. If so, it returns a mixed password verification success instruction and grants the right to use the key pair generated by the electronic key digital signature device for digital signature. Both the computer's own display screen and the display unit of the electronic key digital signature device show information.
The beneficial effect of the utility model is that it provides a display screen and a mixed password (static password plus dynamic password) mechanism. Because a mixed password made up of a static password and a dynamic password is used, a hacker can obtain only the mixed password the user entered for one signing operation. That password changes randomly at the next use, which effectively prevents the hacker from misusing the user's digital signature device.
Because a display screen is used, the dynamic password in the mixed password is shown on the screen each time the digital signature device is used. To authenticate, the user must enter a mixed password made up of the static password the user set and the dynamic password shown on the screen, which ensures that the digital signature is legitimately authorized.
To prevent malicious signing, the information the user is about to sign can be shown on the screen of the digital signature device. The user can compare the signing information on the computer screen with the signing information on the device screen to confirm that the signature is correct.
Detailed description of the embodiments
Embodiments of the utility model are described below with reference to the drawings. The core of the utility model is a more secure electronic key (USBKey) digital signature device that can resist hacker attacks. The USBKey digital signature device provides a display screen and a mixed password (static password plus dynamic password) mechanism. Because a mixed password made up of a static password and a dynamic password is used, a hacker can obtain only the mixed password the user entered for one signing operation. That password changes randomly at the next use, which effectively prevents the hacker from misusing the user's USBKey digital signature device.
Because a display screen is used, the dynamic password in the mixed password is shown on the screen each time the USBKey digital signature device is used. To authenticate, the user must enter a mixed password made up of the static password the user set and the dynamic password shown on the screen, which ensures that the digital signature is legitimately authorized.
To prevent malicious signing, the information the user is about to sign can be shown on the screen of the USBKey digital signature device. The user can compare the signing information on the computer screen with the signing information on the device screen to confirm that the signing information is correct. The utility model is implemented by the following embodiments:
Embodiment 1
Figure 1 shows a digital signature device supporting PKI functions. It comprises a CPU and a communication interface connected to the CPU, and further comprises: a dynamic password generation unit, connected to the CPU and used to generate a dynamic password; a mixed password verification unit, connected to the CPU and used to verify the mixed password; a display unit, connected to the CPU and used to display the mixed password and digital signature output information; and a storage device, connected to the CPU and used to store the static password.
The digital signature device supporting PKI functions is a USBKey digital signature device. The USBKey has a CPU smart card chip with a USB communication interface. The smart card operating system embedded in this chip implements functions such as generating RSA key pairs, generating dynamic passwords, verifying the mixed password and performing digital signatures.
The USBKey digital signature device has an LCD display system that can show the information output by the CPU smart card chip in the device, including digital signature information, the dynamic password and user prompts.
The USBKey digital signature device has a communication module. This module handles data communication between the CPU smart card chip with USB communication interface and the LCD display system.
The USBKey digital signature device uses a mixed password mechanism of static password plus dynamic password. The dynamic password part can be shown on the LCD screen.
The USBKey digital signature device uses a security mechanism against malicious signing: the information the user is about to sign can be shown on the LCD.
The USBKey digital signature device with display screen and mixed password (static password + dynamic password) is used in PKI applications as follows (as shown in Figure 4):
In a PKI authentication and digital signature application system, the user performs identity authentication and digital signature with the USBKey digital signature device that has a display screen and a mixed password (static password + dynamic password).
The digital signature device contains a CPU smart card chip with a USB communication interface, which can generate RSA key pairs, store digital certificates, generate dynamic passwords, verify the mixed password and perform digital signatures. The chip is wired directly to the device's USB connector and can communicate with the computer.
The dynamic password is generated by a specific algorithm in the smart card operating system embedded in the CPU smart card chip, and is shown on the screen of the digital signature device itself as the user uses the device.
The mixed password consists of a user-defined static password together with the dynamic password generated by the CPU smart card chip.
The user enters the mixed password on the computer keyboard when authenticating. Each time the mixed password is entered, the static password part stays the same, while the dynamic password is produced at random according to the algorithm in the CPU smart card chip. The static password is stored securely, in encrypted form, in the CPU smart card chip, and the user must keep it secret. The dynamic password is read by the user from the screen of the digital signature device itself.
The mixed password is verified inside the CPU smart card chip with USB communication interface.
When the user performs a digital signature, the information to be signed is processed by the CPU smart card chip with USB communication interface and then shown on the screen of the digital signature device itself, for the user to read and check.
Fig. 2a and Fig. 2b show the hardware composition of the USBKey digital signature device with display screen and mixed password (static password + dynamic password). The device consists of the following parts: a CPU smart card chip with USB communication interface, an LCD screen, an LCD display system, a communication system, a small number of peripheral components, an LED lamp, a standard USB connector, a PCB and a housing.
Fig. 3 shows how the hardware components of the USBKey digital signature device with display screen and mixed password (static password + dynamic password) are connected. In the figure:
1) is the CPU smart card chip with USB communication interface. It is a standard CPU smart card chip that also has a standard USB communication interface and can communicate with the computer through the USB connector. The smart card operating system embedded in the chip implements standard PKI smart card applications, including creating the smart card file structure, generating RSA key pairs, storing digital certificates, generating dynamic passwords, verifying the mixed password and performing digital signatures. The chip is soldered to the PCB and connected to the USB connector by a simple circuit. It is also connected through the communication module to the LCD display system, to output information such as the dynamic password, the data to be signed and user prompts.
2) is the LCD screen, which can show digits, letters, Chinese characters and images. The screen is controlled by the LCD display system and shows information such as the dynamic password, the data to be signed and user prompts. The LCD screen is connected to the LCD display system.
3) is the LCD display system, a circuit module that controls and drives the LCD screen. The LCD display system is connected to the PCB.
4) is the communication system, a circuit module that handles data communication between the CPU smart card chip with USB communication interface and the LCD display system. The communication system is connected to the PCB.
5) is a small number of peripheral components used for functions such as voltage regulation and filtering. These components are soldered to the PCB.
6) is the LED lamp. The device contains one LED lamp, which indicates the communication state between the USBKey digital signature device and the computer. The LED lamp is soldered to the PCB.
7) is the standard USB connector.
Fig. 4 is the flowchart of the identity authentication process and the digital signature process when the USBKey digital signature device with display screen and mixed password (static password + dynamic password) is used. Here the mixed password is verified by the CPU smart card chip with USB communication interface.
Step 1: the USBKey digital signature device with display screen and mixed password (static password + dynamic password) is connected to the computer.
Step 2: after the device powers on, the user logs in and starts identity authentication.
Step 3: the authentication process requires the user's identity to be verified. The login interface asks the user to enter the mixed password; for the user, entering the mixed password is two separate password entry steps. The user is first asked to enter the static password that the user defined.
Step 4: the CPU smart card chip with USB communication interface now generates a dynamic password by its algorithm and shows it on the LCD screen through the LCD driver chip and drive circuit. The login interface then asks the user to enter the dynamic password shown on the screen of the digital signature device itself.
Step 5: the login interface passes the static password and the dynamic password back through the USB interface to the CPU smart card chip with USB communication interface, which verifies them.
Step 6: if the CPU smart card chip with USB communication interface does not accept the mixed password, the chip returns a password verification error instruction and requires the login interface to return an error page telling the user that the mixed password is wrong.
Step 7: if the CPU smart card chip with USB communication interface accepts the mixed password, the chip returns a password verification success instruction and grants the user the right to use the key in the chip. It also notifies the login interface to return the success page, indicating that the user has logged in.
Step 8: once identity authentication has passed, the digital signature process for an online transaction can proceed. After the user fills in the transaction information online, the digital signature operation can be carried out.
Step 9: one complete digital signature application flow may contain several identity authentication processes, and each of them requires the mixed password to be verified again. Within one application flow, the dynamic password in the mixed password is different for every authentication process.
Step 10: when the user performs the signing operation, the data to be signed is passed into the CPU smart card chip with USB communication interface. The chip processes the information to be signed and shows it on the LCD screen through the LCD driver chip and drive circuit. The user must compare the information on the LCD screen of the USBKey digital signature device with the information the user entered and sees on the computer screen. After confirming that the signing information is correct, the user confirms the transaction and the transaction succeeds. The application flow ends.
The USBKey digital signature device of the utility model thus provides a display screen and a mixed password (static password plus dynamic password) mechanism that effectively protects the user's password, and at the same time provides a mechanism against malicious signing. This approach not only strengthens electronic security but also improves the usability and ease of use of the verification process.
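The on-chip behaviour of steps 4 to 10 can be modelled in a few lines. This is an added example, not code from the patent: the class and method names, the 6-digit code length and the retry limit of 3 are assumptions, and an HMAC stands in for the RSA private-key operation so the sketch needs only the standard library.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

MAX_TRIES = 3  # assumed value; the page only says the device locks after several tries


class DisplayKey:
    """Toy model of the chip in the display USBKey (hypothetical names)."""

    def __init__(self, static_password: str):
        self._salt = secrets.token_bytes(16)
        self._static_hash = self._hash(static_password)
        self._sign_key = secrets.token_bytes(32)  # stand-in for the RSA private key
        self._dynamic: Optional[str] = None  # code currently shown on the LCD
        self._authorized = False             # set by a successful verification
        self.tries_left = MAX_TRIES

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def show_dynamic_password(self) -> str:
        """Step 4: generate a fresh code; the return value is the LCD text."""
        self._dynamic = f"{secrets.randbelow(10**6):06d}"
        return self._dynamic

    def verify_mixed(self, static_password: str, dynamic_password: str) -> bool:
        """Steps 5-7: check both halves on-chip; a code is valid only once."""
        self._authorized = False
        if self.tries_left == 0:
            return False  # device is locked
        expected, self._dynamic = self._dynamic, None  # consume the code
        static_ok = hmac.compare_digest(self._hash(static_password), self._static_hash)
        dynamic_ok = expected is not None and hmac.compare_digest(
            expected.encode(), dynamic_password.encode())
        if static_ok and dynamic_ok:
            self.tries_left = MAX_TRIES
            self._authorized = True
        else:
            self.tries_left -= 1
        return self._authorized

    def sign(self, data: bytes, user_confirms: Callable[[str], bool]) -> Optional[bytes]:
        """Step 10: show the data on the LCD and sign only if the user agrees."""
        if not self._authorized:
            return None
        self._authorized = False  # step 9: every signature needs a new check
        lcd_text = data.decode("utf-8", errors="replace")
        if not user_confirms(lcd_text):
            return None
        return hmac.new(self._sign_key, data, hashlib.sha256).digest()


if __name__ == "__main__":
    key = DisplayKey("1234")            # constructed sample values
    intended = "PAY 100 TO ALICE"
    code = key.show_dynamic_password()
    print("login:", key.verify_mixed("1234", code))
    print("replay of captured password:", key.verify_mixed("1234", code))
    key.verify_mixed("1234", key.show_dynamic_password())
    forged = b"PAY 9000 TO MALLORY"
    print("forged data signed:", key.sign(forged, lambda lcd: lcd == intended) is not None)
```

The `user_confirms` callback models the user comparing the LCD text with what was typed on the computer; a mixed password captured on the host fails on replay because the chip consumes each dynamic code at verification.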
Embodiment 2
Figure 6 shows a digital signature system supporting PKI functions, comprising a computer and an electronic key digital signature device. The electronic key digital signature device has: a CPU and a communication interface connected to the CPU; a dynamic password generation unit, connected to the CPU and used to generate a dynamic password; a mixed password verification unit, connected to the CPU and used to verify the mixed password; and a display unit, connected to the CPU and used to display the mixed password and digital signature output information. The computer is connected through its own communication interface to the communication interface of the electronic key digital signature device. The computer is a back-end server computer, and this back-end server computer has a dynamic password verification unit.
Figure 5 is the flowchart of the identity authentication process and the digital signature process when the USBKey digital signature device with display screen and mixed password (static password + dynamic password) is used. Here the static password in the mixed password is verified by the CPU smart card chip with USB communication interface, and the dynamic password in the mixed password is verified by the back-end server (computer). The steps are:
Step 1': the USBKey digital signature device with display screen and mixed password (static password + dynamic password) is connected to the computer.
Step 2': after the device powers on, the user logs in and starts identity authentication.
Step 3': the authentication process requires the user's identity to be verified. The login interface asks the user to enter the mixed password; for the user, entering the mixed password is two separate password entry steps. The user is first asked to enter the static password that the user defined.
Step 4': the CPU smart card chip with USB communication interface now generates a dynamic password by its algorithm and shows it on the LCD screen through the LCD driver chip and drive circuit. The login interface then asks the user to enter the dynamic password shown on the screen of the digital signature device itself.
Step 5': the login interface passes the static password back through the USB interface to the CPU smart card chip with USB communication interface, which verifies it. The login interface passes the dynamic password through the USB interface to the back-end authentication server. This back-end server contains an algorithm consistent with the dynamic password generation algorithm in the CPU smart card chip with USB communication interface. The dynamic password is verified by the back-end server.
Step 6': if the CPU smart card chip with USB communication interface does not accept the static password, or the back-end server does not accept the dynamic password, the chip or the back-end server returns a password verification error instruction and requires the login interface to return an error page telling the user that the static password or the dynamic password is wrong.
Step 7': if the CPU smart card chip with USB communication interface accepts the static password and the back-end server accepts the dynamic password, the chip and the back-end server return a password verification success instruction and grant the user the right to use the key in the chip. They also notify the login interface to return the success page, indicating that the user has logged in.
Step 8': once identity authentication has passed, the digital signature process for an online transaction can proceed. After the user fills in the transaction information online, the digital signature operation can be carried out.
Step 9': one complete digital signature application flow may contain several identity authentication processes, and each of them requires the mixed password to be verified again. Within one application flow, the dynamic password in the mixed password is different for every authentication process.
Step 10': when the user performs the signing operation, the data to be signed is passed into the CPU smart card chip with USB communication interface. The chip processes the information to be signed and shows it on the LCD screen through the LCD driver chip and drive circuit. The user must compare the information on the LCD screen of the USBKey digital signature device with the information the user entered and sees on the computer screen. After confirming that the signing information is correct, the user confirms the transaction and the transaction succeeds. The application flow ends.
The USBKey digital signature device of the utility model thus provides a display screen and a mixed password (static password plus dynamic password) mechanism that effectively protects the user's password, and at the same time provides a mechanism against malicious signing. This approach not only strengthens electronic security but also improves the usability and ease of use of the verification process.
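Step 5' requires the back-end server to run an algorithm consistent with the chip's. The patent does not name that algorithm; the added example below (not from the patent) assumes counter-based HOTP from RFC 4226 with a seed shared at provisioning, and shows the server tolerating codes that were displayed but never used while still rejecting replays. All class and function names and the look-ahead of 3 are hypothetical.

```python
import hashlib
import hmac
import struct

LOOKAHEAD = 3  # assumed: how many counter values ahead the server will search


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as the assumed 'consistent algorithm'."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Chip:
    """Chip side: shows dynamic passwords and verifies the static password."""

    def __init__(self, seed: bytes, static_password: str):
        self._seed = seed
        self._static = static_password.encode()  # a real chip stores this protected
        self._counter = 0

    def show_dynamic_password(self) -> str:
        code = hotp(self._seed, self._counter)
        self._counter += 1  # every displayed code uses up one counter value
        return code

    def verify_static(self, static_password: str) -> bool:
        return hmac.compare_digest(self._static, static_password.encode())


class BackendServer:
    """Server side: verifies the dynamic password with the same algorithm."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0  # lowest counter value the server still accepts

    def verify_dynamic(self, code: str) -> bool:
        for c in range(self._counter, self._counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(self._seed, c).encode(), code.encode()):
                self._counter = c + 1  # resynchronise; older codes are now dead
                return True
        return False


def login(chip: Chip, server: BackendServer, static_password: str,
          dynamic_password: str) -> bool:
    """Steps 5'-7': both verifiers must accept before the key may be used."""
    static_ok = chip.verify_static(static_password)
    dynamic_ok = server.verify_dynamic(dynamic_password)
    return static_ok and dynamic_ok


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test seed, sample value only
    chip, server = Chip(seed, "1234"), BackendServer(seed)
    code = chip.show_dynamic_password()
    print("first login:", login(chip, server, "1234", code))
    print("replayed code:", login(chip, server, "1234", code))
```

If the device displays more than `LOOKAHEAD` codes without a successful login, chip and server fall out of step and need a resynchronisation procedure, which the patent does not describe.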
The above embodiments are intended only to illustrate the utility model, not to limit it.