CN100561913C - A kind of method of access code equipment - Google Patents
A kind of method of access code equipment Download PDFInfo
- Publication number
- CN100561913C CN100561913C CNB200410103115XA CN200410103115A CN100561913C CN 100561913 C CN100561913 C CN 100561913C CN B200410103115X A CNB200410103115X A CN B200410103115XA CN 200410103115 A CN200410103115 A CN 200410103115A CN 100561913 C CN100561913 C CN 100561913C
- Authority
- CN
- China
- Prior art keywords
- key
- access key
- information
- authentication code
- encryption device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a kind of method of access code equipment, its key is: be that the key of being created is provided with key authorization information when key is created, the information that in the key use, transmits between transmit leg and the recipient, all use key authorization information and calculate authentication code for it, and then information that will be to be transmitted and the authentication code that calculated send the other side to, the recipient is then according to the integrality of authentication code verifying message, whether reliable with the authentication information source, and transmit in the way and whether distorted, after being proved to be successful, carry out subsequent operation again.Use the present invention, encryption device both can also can be at this accessing by remote access, and can make a plurality of users use the long-range host access encryption device that does not possess encryption device, and security feature that still can guarantee information.Because the present invention adopts the cipher mode of one-time pad, the person's that resists the network monitoring effectively replay attack.
Description
Technical field
The present invention relates to the access code apparatus technology, be meant a kind of method of access code equipment especially.
Background technology
Current society enters the information age, and computer network is applied to social every field gradually, is accompanied by the rise of network new business such as the propelling of IT application in the national economy process and ecommerce, and society is more and more higher to the degree of dependence of computer network.Information age hail message safety is the common method that protected data is avoided unauthorized access and data are encrypted.
At present, utilize hardware, as encrypted card etc., carry out that key generates and the operation of encryption and decryption to have speed fast, advantage such as be difficult for distorting, obtained application widely.
At this; to have encrypted card, or have the hardware of similar encrypted card function, and the driving of this hardware and applied database are called encryption device altogether; this encryption device generally is stored in self with key information, reaches the purpose that key is protected by the limiting access authority.Under this mechanism, if the user has the access rights of this encryption device, then have the rights of using of key, can utilize this encryption device to carry out key and generate operations such as encryption and decryption data; If the user does not have the access rights of this encryption device, then can not use this encryption device.That is to say that above-mentioned key protection mechanism is based on to be realized the control of the access rights of encryption device.
During concrete the application, the management interface of encryption device provides one group of function interface with the form of dynamic link library usually, promptly constitute the interface of encryption device by encryption device management function storehouse, the process of execution Password Operations must be called this encryption device management function storehouse in this locality and just can have access to encryption device, drives the encryption device executable operations.According to existing access mechanism, the remote access encryption device is very dangerous, and existing encryption device does not provide remote access interface at all yet.
There is following defective in the method for above-mentioned access code equipment:
1) encryption device can not be by remote access.Because remote access is very dangerous, and existing encryption device is not supported remote access.
2) each encryption device can only be used by a few users, if the access rights of same encryption device are shared by a plurality of users, its secret information is no longer safe.
3) producing operations such as key, encryption and decryption can only carry out on the main frame with the driving of encryption device and encryption device, promptly can only carry out in this locality, can't carry out on other equipment.
4) the encryption device finite storage space has determined that the number of its key that can deposit is limited.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of method of access code equipment, not only can realize this accessing, can also realize remote access, safety that simultaneously can guarantee information.
For achieving the above object, technical scheme of the present invention is achieved in that
A kind of method of access code equipment, the cryptographic service that is provided for the far call encryption device on the visit main frame provides module, being provided for receiving remote on accessed main frame calls, and the cipher core service module of driving encryption device executable operations, be that the key of being created is provided with key authorization information when creating each key, this method is further comprising the steps of:
A, cryptographic service provide module to receive from after the instruction of the Password Operations of application program, use key authorization information to the described Password Operations command calculations first request message authentication code, afterwards, will comprise the first request message authentication code and described Password Operations the instruction the Password Operations request send to encryption device by the cipher core service module;
B, encryption device are according to the Password Operations instruction that receives, utilize the acquired key authorization information calculations second request message authentication code, and judge whether the second request message authentication code that calculates is identical with the first request message authentication code that receives, if it is identical, execution in step c then, otherwise return error message, process ends;
C, encryption device are carried out indicated operation in the Password Operations request, and use key authorization information execution result is calculated the first execution result authentication code, then, the information that will comprise the first execution result authentication code and execution result sends to the cipher core service module, by the cipher core service module with the information analysis that receives for after cryptographic service provides the information that module can discern, send to cryptographic service again module be provided;
D, cryptographic service provide the module application key authorization execution result that information butt joint is received to calculate the second execution result authentication code, and judge whether the second execution result authentication code that calculates is identical with the first execution result authentication code that receives, if it is identical, then return execution result information, process ends to application program; Otherwise, return error message to application program, process ends.
Preferably, the Password Operations request from application program that the described cryptographic service of step a provides module to receive is the instruction that generates access key, comprise the access key authorization message that the promising access key that is about to generate is provided with in this instruction, and the algorithm information of access key; The method of the described calculating first request message authentication code is: obtain current sign, use sign now that has obtained described access key authorization message is encrypted, the algorithm information of the access authorization key information after encrypting, access key, sign now that has obtained are calculated the first request message authentication code with the father's key authorization information from application program;
The method of the described calculating second request message authentication code of step b is: encryption device is used sign now that the access key that receives generates instruction and obtained, calculates the second request message authentication code with father's key authorization information of appointment;
The process that the described encryption device of step c is carried out operation indicated in the Password Operations request is: use current sign and decrypt the access key authorization message, carry out the key constructive process, generate access key, father's key of using appointment then is the access key that generates and the authorization message packaging ciphering of this access key, with the result after encrypting as the object information that returns; The method of the described calculating first execution result authentication code is: the object information and the current sign one that return are reinstated father's key authorization information calculations first execution result authentication code of appointment;
The method of the described calculating second execution result authentication code of steps d is: cryptographic service provides module according to the information that receives, and application execution result, sign now that has obtained calculate the second execution result authentication code with the access key authorization message.
Preferably, if the visit main frame is to carry out first to generate the access key instruction, then described father's key authorization information is predefined root key authorization message;
Generate the access key instruction if visit main frame right and wrong are carried out first, and preestablished father's key that root key is this access key that will soon generate, then described father's key authorization information is predefined root key authorization message;
If carrying out first, visit main frame right and wrong generate the access key instruction, and specified certain already present access key A to be about to father's key of the access key of generation for this, then before or after the Password Operations request from application program that cryptographic service provides module to receive is the instruction of generation access key, further comprise: encryption device obtains the access key A and the access key A authorization message of visit host application, and described father's key authorization information is the access key authorization message that is designated as the access key A of father's key.
Preferably, the Password Operations request from application program that the described cryptographic service of step a provides module to receive is the encryption and decryption operational order, comprise applied access key, access key authorization message in this instruction and treat encryption and decryption data, the method of the described calculating first request message authentication code is: cryptographic service provides the encryption and decryption operational order that module application receives, sign now that has obtained, with calculating the first request message authentication code from the access key authorization message of application program;
The described encryption device of step b provides before or after module receives encryption and decryption operational order from application program in cryptographic service, provides module to obtain access key and access key authorization message that this cryptographic service provides module place visit host application from cryptographic service; The method of the described calculating second request message authentication code is: the encryption and decryption operational order that the encryption device application receives, sign now that has obtained calculate the second request message authentication code with the applied access key authorization message of having obtained of this visit main frame;
The process that the described encryption device of step c is carried out operation indicated in the Password Operations request is: utilize the applied access key of this visit main frame to treat encryption and decryption data and carry out encryption and decryption and operate, with the result after the encryption and decryption as the object information that returns; The method of the described calculating first execution result authentication code is: encryption device calculates the first execution result authentication code with the execution result information of self, sign now that has obtained with the access key authorization message;
The method of the described calculating second execution result authentication code of steps d is: cryptographic service provides module according to the information that receives, and application execution result information, sign now that has obtained calculate the second execution result authentication code with the access key authorization message.
Preferably, described encryption device obtains the visit access key of host application and the method for access key authorization message is:
Encryption device loads the access key that provides this cryptographic service of module that visit host application in module place is provided from cryptographic service is provided, and obtains the plaintext of applied access key plaintext of this visit main frame and access key authorization message with father's secret key decryption access key of access key.
Preferably, the described process of returning error message of step b is: encryption device returns error message for the cipher core service module, and this information provides module to return to application program through cryptographic service.
Preferably, be masked as described now: encryption device answers cryptographic service that the module serial data that the request in this is mutual generates is provided.
Preferably, be masked as described now: by the serial data and the serial data of forming jointly from receiving party's serial data of the current generation of information sender self, and described information sender is an encryption device, the receiving party is a Cryptographic Service Provider, perhaps, described information sender is a Cryptographic Service Provider, and the receiving party is an encryption device.
From technique scheme as can be seen, key of the present invention is: be that the key of being created is provided with key authorization information when key is created, the information that in the key use, transmits between transmit leg and the recipient, all use key authorization information and calculate authentication code for it, and then information that will be to be transmitted and the authentication code that calculated send the other side to, the recipient is then according to the integrality of authentication code verifying message, whether reliable with the authentication information source, and transmit in the way and whether distorted, after being proved to be successful, carry out subsequent operation again.Use the present invention, transfer key protection mechanism the control of to key rights of using by the device access control of authority, like this, local operation no longer is necessary, thereby encryption device both can be by remote access, also can be at this accessing.Simultaneously; owing to the invention provides discriminating, the integrity checking of information; solved the defective that encryption device is only used in this locality by a user under original key protection mechanism; make a plurality of users can use the long-range host access encryption device that does not possess encryption device, and security feature that still can guarantee information.Because the present invention adopts the cipher mode of one-time pad, thereby the person's that can resist the network monitoring effectively replay attack.In addition, because the required key of access code equipment is stored in outside the encryption device, therefore, the number of stored key can increase greatly, and theoretically, stored number can be unlimited.
Description of drawings
Figure 1 shows that the schematic flow sheet of the generation access key of using one embodiment of the invention;
Figure 2 shows that the driving encryption device of using one embodiment of the invention carries out the schematic flow sheet of encryption and decryption operation.
Embodiment
Below in conjunction with accompanying drawing, the present invention is done detailed description further again.
In the present invention, as previously mentioned, encryption device management function storehouse, encryption device driving and encryption device itself are called " encryption device " altogether, being provided for receiving remote on encryption device management function storehouse calls, and the module of driving encryption device executable operations, and claiming this module to be " cipher core service module ", this encryption device and cipher core service module all are arranged in the main frame that accessed main frame is the encryption device place; Simultaneously, on the visit main frame, be provided for carrying out the module of far call encryption device, and claim this module to be " cryptographic service provides module ".In actual applications, visit main frame and accessed main frame can be same main frames, also can be different main frames, like this, both can realize that this locality called encryption device, can realize that again the strange land is the far call encryption device.
As everyone knows, the key information of arbitrary unsymmetrical key comprises algorithm information, private key data and public key information at least, comprises algorithm sign, cryptographic algorithm, signature algorithm, key length in the algorithm information wherein, and some other necessary parameter information etc.
The present invention creates a root key in advance in encryption device, this root key leaves encryption device never.Above-mentioned root key possesses the most basic key information that arbitrary unsymmetrical key all comprises, and, when creating above-mentioned root key,, and it is referred to as the root key authorization message for this root key is provided with key authorization information.Whether so-called key authorization information is to be used to check the key user to have authority to use the information of this key, it typically is a serial data, is set when creating key by the founder of key.If the application program in the visit main frame needs applied cryptography equipment to carry out Password Operations, it must obtain earlier and be used to drive the key that encryption device is operated, and set the key authorization information of this key, because encryption device is whether to hold correct key authorization information according to the user to determine whether the indicated operation of executing instruction.At this, be called access key with driving the key that encryption device carries out Password Operations, the key authorization information of access key is called the access key authorization message.
Specify below and generate access key and access key authorization message, and application access key drives the process that encryption device is carried out the encryption and decryption operation.
Figure 1 shows that the schematic flow sheet of the generation access key of using one embodiment of the invention.
Step 101, the application program in the visit main frame is sent the instruction that generates access key.The father's key that comprises the promising access key appointment that be about to generate in this instruction, father's key authorization information, the access key authorization message that is provided with for the access key that is about to generate, and the information such as algorithm of access key.
Step 102, after the cryptographic service in the visit main frame provided module to receive above-mentioned instruction, the cipher core service module in accessed main frame sent current sign request, to obtain current sign.This now sign actual be at random a serial data, be used for later encryption and decryption operation, to guarantee the fail safe of communication process.
After step 103, the cipher core service module in the accessed main frame are converted to the language that encryption device can discern with the solicited message that receives, send current sign request to encryption device.
Step 104~step 105, encryption device in the accessed main frame generates a serial data and preserves this serial data and is current sign, afterwards this serial data is returned to the cipher core service module as indicating now, should indicate that by the cipher core service module cryptographic service that returns in the visit main frame provides module now.
Step 106~step 107, sign now that cryptographic service provides module application to obtain from accessed main frame is encrypted the access key authorization message, afterwards, the algorithm information of the access authorization key information after encrypting, access key, the now of having obtained are indicated with calculating the first request message authentication code H1 from father's key authorization information of application program, then, will comprise the key that generates the access key instruction and the first request message authentication code H1 and generate the cipher core service module of asking to send in the accessed main frame.
Step 108, cipher core service module send this Password Operations solicited message to encryption device after the solicited message that receives is converted to the language that encryption device can discern.
Step 109, encryption device are used sign now that the access key that receives generates instruction and self preserved, calculate the second request message authentication code H2 with the authorization message of the father's key that has loaded.Afterwards, encryption device judges whether the first request message authentication code H1 is identical with the second request message authentication code H2, if it is identical, show that then the sender holds correct father's key authorization information, and this Password Operations solicited message in the process that network transmits without distorting, otherwise, show that the sender does not have correct father's key authorization information, perhaps, this Password Operations solicited message is distorted in the process that network transmits.
In the present embodiment, suppose that H1 is identical with H2, then encryption device is used current sign and the access key authorization message of having encrypted is decrypted execution key constructive process, generation access key.Afterwards, the PKI that encryption device is used above-mentioned father's key is the access key that generates and the authorization message packaging ciphering of this access key, with the result after encrypting as the object information that returns.And then, encryption device is reinstated father's key authorization information calculations first execution result authentication code G1 with object information and current sign one, and execution in step 110 then.
If H1 is different with H2, then encryption device returns error message for the cipher core service module, and this information provides module to return to application program through cryptographic service, afterwards process ends.
Step 110~step 111, encryption device send execution result information for the cipher core service module, by the cipher core service module with the information analysis that receives for after cryptographic service provides the information that module can discern, send to cryptographic service again module be provided.Comprise the execution result and the first execution result authentication code G1 in this information.
Step 112, cryptographic service provide module according to the information that receives, and application execution result and current sign calculate the second execution result authentication code G2 with father's key authorization information.Afterwards, cryptographic service provides module to judge whether the first execution result authentication code G1 is identical with the second execution result authentication code G2, if it is identical, show that then this execution result that returns is from encryption device, and this execution result in the process that network transmits without distorting, otherwise, show that this execution result that returns not is from encryption device, perhaps this execution result is distorted in the process that network transmits.In the present embodiment, suppose that G1 is identical with G2, execution in step 113.
If G1 is different with G2, then cryptographic service provides module to return error message to application program, process ends.
Step 113, cryptographic service provide module to application program return results information, and this object information is the PKI of the using father's key information after to access key and access key authorization message packaging ciphering.That is to say that the access key that encryption device generated only could be used after the private key deciphering by father's key in encryption device, for this end of visit main frame, it has the access key information after the encryption.
So far, the visit main frame has obtained access key.Because access key is stored in outside the encryption device, promptly be stored in the visit main frame, therefore, the number of stored key can increase greatly, and theoretically, stored number can be unlimited.
For flow process shown in Figure 1, if the visit main frame is to carry out the instruction of generation access key first promptly to create access key first, the father's key authorization information in the then above-mentioned flow process is predefined root key authorization message; If visit main frame right and wrong are carried out first and generated the access key instruction is the non-access key of creating first, and the designated root key is this father's key that is about to the access key of establishment when creating, and the father's key authorization information in the then above-mentioned flow process still is meant predefined root key authorization message; If visit main frame right and wrong are carried out first and generated the access key instruction is the non-access key of creating first, and specify certain access key A that has created to be this father's key that is about to the access key of establishment when creating, then above-mentioned father's key authorization information is the access key authorization message that is designated as the access key A of father's key.Certainly, under in the end a kind of situation, the visit main frame should be before or after application program be sent the instruction that generates access key, the information that is designated as the access key A of father's key is sent to encryption device, encryption device is decrypted the information of this access key A, obtains the plaintext of the key authorization information of the plaintext of this access key and this access key.
Figure 2 shows that the driving encryption device of using one embodiment of the invention carries out the schematic flow sheet of encryption and decryption operation.
Step 201, the application program in the visit main frame is sent the instruction of carrying out the encryption and decryption operation.Include indication in this instruction and use information, the key authorization information of this access key and the data for the treatment of encryption and decryption of which access key.Usually, use the key handle and indicate the information that needs which access key.
Step 202, after cryptographic service in the visit main frame provides module to receive above-mentioned instruction, the access key behind the PKI packaging ciphering of application father key and the authorization message of this access key are sent to encryption device by the cipher core service module, encryption device is used the private key of father's key and is deciphered the information that receives, thereby obtain applied access key of this visit main frame and access key authorization message, the cryptographic service in the visit main frame provides module execution in step 203 after the success response that obtains encryption device.
When specific implementation, this step also can be carried out before step 201, before promptly the application program in the visit main frame is sent the instruction of carrying out the encryption and decryption operation, cryptographic service provides module that applied access key of this visit main frame and access key authorization message are sent to encryption device by the cipher core module, encryption device is used the private key of father's key and is deciphered the information that receives, and obtains applied access key of this visit main frame and access key authorization message.
Step 203, the cryptographic service in the visit main frame provide the cipher core service module of module in accessed main frame to send current sign request, to obtain current sign.This now sign actual be at random a serial data, be used for later encryption and decryption operation, to guarantee the fail safe of communication process.
After step 204, the cipher core service module in the accessed main frame are converted to the language that encryption device can discern with the solicited message that receives, send current sign request to encryption device.
Step 205~step 206, encryption device in the accessed main frame generates a serial data and preserves this serial data and is current sign, afterwards this serial data is returned to the cipher core service module as indicating now, should indicate that by the cipher core service module cryptographic service that returns in the visit main frame provides module now.
Step 207~step 208, cryptographic service provides module that encryption and decryption operational order that receives and the now of obtaining from accessed main frame are indicated, with calculate the first request message authentication code H1 from the access key authorization message of application program, then, the encryption and decryption operation requests that will comprise the encryption and decryption operational order and the first request message authentication code H1 sends to the cipher core service module in the accessed main frame.
Step 209, cipher core service module send this Password Operations solicited message to encryption device after the solicited message that receives is converted to the language that encryption device can discern.
Sign now that step 210, encryption device are used the encryption and decryption operational order in the encryption and decryption solicited message and preserved calculates the second request message authentication code H2 with acquired access key authorization message.Afterwards, encryption device judges whether the first request message authentication code H1 is identical with the second request message authentication code H2, if it is identical, show that then the sender holds correct access key authorization message, and this encryption and decryption operation requests in the process that network transmits without distorting, otherwise, show that the sender does not have correct access key authorization message, perhaps, this encryption and decryption operation requests information is distorted in the process that network transmits.In the present embodiment, suppose that H1 is identical with H2, then the encryption device application access key is carried out the encryption and decryption operation to the data message in the operational order, then, with the data message after the encryption and decryption is execution result and current sign, calculate the first execution result authentication code G1 with the access key authorization message, execution in step 211 then.
If H1 is different with H2, then encryption device returns error message for the cipher core service module, and this information provides module to return to application program through cryptographic service, afterwards process ends.
Step 211~step 212, encryption device send execution result information for the cipher core service module, by the cipher core service module with the information analysis that receives for after cryptographic service provides the information that module can discern, send to cryptographic service again module be provided.Comprise the execution result and the first execution result authentication code G1 in this information.
Step 213, cryptographic service provide module according to the information that receives, and application execution result and current sign calculate the second execution result authentication code G2 with the access key authorization message.Afterwards, cryptographic service provides module to judge whether the first execution result authentication code G1 is identical with the second execution result authentication code G2, if it is identical, show that then this execution result that returns is from encryption device, and this execution result in the process that network transmits without distorting, otherwise, show that this execution result that returns not is from encryption device, perhaps this execution result is distorted in the process that network transmits.In the present embodiment, suppose that G1 is identical with G2, execution in step 214.
If G1 is different with G2, then cryptographic service provides module to return error message to application program, process ends.
Step 214, cryptographic service provide module to return execution result information to application program, promptly return data message after the encryption and decryption to application program.
At above-mentioned two flow processs, when specific implementation, application program and cryptographic service provide between the module by the transmission of function call realization information, also be by the transmission of function call realization information between cipher core service module and the encryption device, cryptographic service provides between module and the cipher core service module by the transmission of far call realization information.
Like this, the user both can be at local access code equipment, also can be at the remote access encryption device, and also same encryption device can be visited simultaneously by a plurality of users.Because each user uses access key separately, therefore guaranteed the safety of information.
The above only is a specific embodiment, and other implementation can certainly be arranged.Such as, can be by the serial data of the current generation of information sender self and the serial data of forming jointly from receiving party's serial data as indicating current now, to ensure information security better.Wherein, described information sender is an encryption device, and the receiving party is a Cryptographic Service Provider, and perhaps, described information sender is a Cryptographic Service Provider, and the receiving party is an encryption device.
Based on above-mentioned execution mode, in step 106~step 107 and step 207~step 208, the cryptographic service of visit in the main frame provides module to receive now from encryption device behind the sign, self produce a serial data L1 again, with serial data L1 that self produces and sign now that indicates and be used as the current calculating first message authentication code H1 from the now that encryption device receives, afterwards, the operation requests that will comprise the serial data L1 that the Password Operations request and the first request message authentication code H1 and self produce sends to the cipher core service module in the accessed main frame.Correspondingly, in step 109 and step 210, encryption device obtains the serial data L1 that operational order and cryptographic service provide module to generate from solicited message, afterwards, self is generated now sign and this serial data L1 altogether as sign now of the current calculating second request message authentication code H2, then, carry out subsequent operation again.After encryption device generates execution result information, encryption device produces a serial data L2 once more, with this serial data L2 and acquired serial data L1 altogether as sign now of the current calculating first execution result authentication code G1, afterwards, the execution result information that will comprise execution result, the first execution result authentication code G1 and serial data L2 sends to cryptographic service provides module.Correspondingly, in step 112 and step 213, cryptographic service provides module according to the information that receives, obtain the serial data L2 that encryption device generates once more, with this serial data L2 and the serial data L1 that self generated altogether as sign now of the current calculating second execution result authentication code G2, then, carry out subsequent operation again.Like this, can resist anti-replay attack better.
The above only is preferred embodiment of the present invention, and is in order to restriction the present invention, within the spirit and principles in the present invention not all, any modification of being done, is equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (8)
1, a kind of method of access code equipment, it is characterized in that, the cryptographic service that is provided for the far call encryption device on the visit main frame provides module, being provided for receiving remote on accessed main frame calls, and the cipher core service module of driving encryption device executable operations, be that the key of being created is provided with key authorization information when creating each key, this method is further comprising the steps of:
A, cryptographic service provide module to receive from after the instruction of the Password Operations of application program, use key authorization information to the described Password Operations command calculations first request message authentication code, afterwards, will comprise the first request message authentication code and described Password Operations the instruction the Password Operations request send to encryption device by the cipher core service module;
B, encryption device are according to the Password Operations instruction that receives, utilize the acquired key authorization information calculations second request message authentication code, and judge whether the second request message authentication code that calculates is identical with the first request message authentication code that receives, if it is identical, execution in step c then, otherwise return error message, process ends;
C, encryption device are carried out indicated operation in the Password Operations request, and use key authorization information execution result is calculated the first execution result authentication code, then, the information that will comprise the first execution result authentication code and execution result sends to the cipher core service module, by the cipher core service module with the information analysis that receives for after cryptographic service provides the information that module can discern, send to cryptographic service again module be provided;
D, cryptographic service provide the module application key authorization execution result that information butt joint is received to calculate the second execution result authentication code, and judge whether the second execution result authentication code that calculates is identical with the first execution result authentication code that receives, if it is identical, then return execution result information, process ends to application program; Otherwise, return error message to application program, process ends.
2, method according to claim 1 is characterized in that,
The Password Operations instruction from application program that the described cryptographic service of step a provides module to receive is the instruction that generates access key, comprise the access key authorization message that the promising access key that is about to generate is provided with in this instruction, and the algorithm information of access key; The method of the described calculating first request message authentication code is: obtain current sign, use sign now that has obtained described access key authorization message is encrypted, the algorithm information of the access key authorization message after encrypting, access key, sign now that has obtained are calculated the first request message authentication code with the father's key authorization information from application program;
The method of the described calculating second request message authentication code of step b is: encryption device is used sign now that the access key that receives generates instruction and obtained, calculates the second request message authentication code with father's key authorization information of appointment;
The process that the described encryption device of step c is carried out operation indicated in the Password Operations request is: use current sign and decrypt the access key authorization message, carry out the key constructive process, generate access key, father's key of using appointment then is the access key that generates and the authorization message packaging ciphering of this access key, with the result after encrypting as the object information that returns; The method of the described calculating first execution result authentication code is: the object information and the current sign one that return are reinstated father's key authorization information calculations first execution result authentication code of appointment;
The method of the described calculating second execution result authentication code of steps d is: cryptographic service provides module according to the information that receives, and application execution result, sign now that has obtained calculate the second execution result authentication code with the access key authorization message.
3, method according to claim 2 is characterized in that,
If the visit main frame is to carry out first to generate the access key instruction, then described father's key authorization information is predefined root key authorization message;
Generate the access key instruction if visit main frame right and wrong are carried out first, and preestablished father's key that root key is this access key that will soon generate, then described father's key authorization information is predefined root key authorization message;
If carrying out first, visit main frame right and wrong generate the access key instruction, and specified certain already present access key A to be about to father's key of the access key of generation for this, then before or after the Password Operations request from application program that cryptographic service provides module to receive is the instruction of generation access key, further comprise: encryption device obtains the access key A and the access key A authorization message of visit host application, and described father's key authorization information is the access key authorization message that is designated as the access key A of father's key.
4, method according to claim 1 is characterized in that,
The Password Operations request from application program that the described cryptographic service of step a provides module to receive is the encryption and decryption operational order, comprise applied access key, access key authorization message in this instruction and treat encryption and decryption data, the method of the described calculating first request message authentication code is: cryptographic service provides the encryption and decryption operational order that module application receives, sign now that has obtained, with calculating the first request message authentication code from the access key authorization message of application program;
The described encryption device of step b provides before or after module receives encryption and decryption operational order from application program in cryptographic service, provides module to obtain access key and access key authorization message that this cryptographic service provides module place visit host application from cryptographic service; The method of the described calculating second request message authentication code is: the encryption and decryption operational order that the encryption device application receives, sign now that has obtained calculate the second request message authentication code with the applied access key authorization message of having obtained of this visit main frame;
The process that the described encryption device of step c is carried out operation indicated in the Password Operations request is: utilize the applied access key of this visit main frame to treat encryption and decryption data and carry out encryption and decryption and operate, with the result after the encryption and decryption as the object information that returns; The method of the described calculating first execution result authentication code is: encryption device calculates the first execution result authentication code with the execution result information of self, sign now that has obtained with the access key authorization message;
The method of the described calculating second execution result authentication code of steps d is: cryptographic service provides module according to the information that receives, and application execution result information, sign now that has obtained calculate the second execution result authentication code with the access key authorization message.
According to claim 3 or 4 described methods, it is characterized in that 5, described encryption device obtains the access key of visit host application and the method for access key authorization message is:
Encryption device loads the access key that provides this cryptographic service of module that visit host application in module place is provided from cryptographic service is provided, and obtains the plaintext of applied access key plaintext of this visit main frame and access key authorization message with father's secret key decryption access key of access key.
6, method according to claim 1 is characterized in that, the described process of returning error message of step b is: encryption device returns error message for the cipher core service module, and this information provides module to return to application program through cryptographic service.
7, according to claim 2 or 4 described methods, it is characterized in that be masked as described now: encryption device answers cryptographic service that the module serial data that the request in this is mutual generates is provided.
8, according to claim 2 or 4 described methods, it is characterized in that, be masked as described now: by the serial data and the serial data of forming jointly from receiving party's serial data of the current generation of information sender self, and described information sender is an encryption device, the receiving party is a Cryptographic Service Provider, perhaps, described information sender is a Cryptographic Service Provider, and the receiving party is an encryption device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB200410103115XA CN100561913C (en) | 2004-12-31 | 2004-12-31 | A kind of method of access code equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB200410103115XA CN100561913C (en) | 2004-12-31 | 2004-12-31 | A kind of method of access code equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1801699A CN1801699A (en) | 2006-07-12 |
CN100561913C true CN100561913C (en) | 2009-11-18 |
Family
ID=36811485
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB200410103115XA Expired - Fee Related CN100561913C (en) | 2004-12-31 | 2004-12-31 | A kind of method of access code equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100561913C (en) |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101043648B (en) * | 2007-03-09 | 2010-09-15 | 中国移动通信集团福建有限公司 | Business service switching system |
JP5098487B2 (en) * | 2007-07-26 | 2012-12-12 | 富士ゼロックス株式会社 | Authentication information processing apparatus and program |
CN102843237B (en) * | 2012-09-13 | 2016-02-17 | 天地融科技股份有限公司 | Authorization token, tokens, dynamic password token remote-authorization method and system |
WO2015018292A1 (en) * | 2013-08-08 | 2015-02-12 | 天地融科技股份有限公司 | Method and system for information monitoring |
CN104753661A (en) * | 2013-12-30 | 2015-07-01 | 上海格尔软件股份有限公司 | Secret key description file for commercial code equipment |
CN104168116B (en) * | 2014-08-19 | 2019-06-04 | 天地(常州)自动化股份有限公司 | A kind of database auth method and system |
CN104486072A (en) * | 2014-12-31 | 2015-04-01 | 宁波保税区攀峒信息科技有限公司 | Secret communication system |
CN108965284A (en) * | 2018-07-06 | 2018-12-07 | 佛山市灏金赢科技有限公司 | A kind of information processing method and device by cryptographic acess |
CN109492384B (en) * | 2018-09-26 | 2021-07-20 | 成都卫士通信息产业股份有限公司 | Method for receiving entity access and accessing password device, password device and entity |
-
2004
- 2004-12-31 CN CNB200410103115XA patent/CN100561913C/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN1801699A (en) | 2006-07-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1708942B (en) | Secure implementation and utilization of device-specific security data | |
CN103138939B (en) | Based on the key access times management method of credible platform module under cloud memory module | |
CN101515319B (en) | Cipher key processing method, cipher key cryptography service system and cipher key consultation method | |
CN107359998B (en) | A kind of foundation and operating method of portable intelligent password management system | |
US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
KR101982237B1 (en) | Method and system for data sharing using attribute-based encryption in cloud computing | |
RU2584500C2 (en) | Cryptographic authentication and identification method with real-time encryption | |
CN101771699A (en) | Method and system for improving SaaS application security | |
US8904195B1 (en) | Methods and systems for secure communications between client applications and secure elements in mobile devices | |
CN101815091A (en) | Cipher providing equipment, cipher authentication system and cipher authentication method | |
CN105553951A (en) | Data transmission method and data transmission device | |
CN105103488A (en) | Policy enforcement with associated data | |
CN109543434B (en) | Block chain information encryption method, decryption method, storage method and device | |
CN109684129B (en) | Data backup recovery method, storage medium, encryption machine, client and server | |
CN1985466A (en) | Method of delivering direct proof private keys in signed groups to devices using a distribution CD | |
CN108809936B (en) | Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof | |
CN106506479B (en) | Method, system and the client of cipher authentication, server and smart machine | |
CN103560892A (en) | Secret key generation method and secret key generation device | |
CN110474908A (en) | Transaction monitoring and managing method and device, storage medium and computer equipment | |
US20050033963A1 (en) | Method and system for authentication, data communication, storage and retrieval in a distributed key cryptography system | |
CN101019368A (en) | Method of delivering direct proof private keys to devices using a distribution CD | |
CN100561913C (en) | A kind of method of access code equipment | |
CN116244750A (en) | Secret-related information maintenance method, device, equipment and storage medium | |
CN112507296A (en) | User login verification method and system based on block chain | |
CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20091118 Termination date: 20201231 |
|
CF01 | Termination of patent right due to non-payment of annual fee |