CN102801730A - Information protection method and device for communication and portable devices - Google Patents

Info

Publication number: CN102801730A
Authority: CN (China)
Prior art keywords: key, client, storage card, server, communication
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2012102908657A
Other languages: Chinese (zh)
Other versions: CN102801730B (en)
Inventors: 兰轶伦, 林青山
Current Assignee: Xiamen Meiya Pico Information Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Xiamen Meiya Pico Information Co Ltd
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN201210290865.7A (patent CN102801730B)
Publication of CN102801730A
Application granted
Publication of CN102801730B
Current legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to an information protection method and device for communication and portable devices. The information protection method comprises the steps of: generating a read key and a write key and writing them into all control sectors of a storage card; generating and writing the Triple Data Encryption Algorithm key bundles of all data sectors of the storage card; performing hash-modulo processing on a file to be encrypted to obtain the corresponding key storage sector of the storage card, denoted SECNUM; establishing a secure connection between a client and a key authentication server and negotiating with the password authentication server to obtain the read key of the corresponding sector of the storage card; communicating with the storage card using the read key to obtain the Triple Data Encryption Algorithm key bundle, comprising K1, K2 and K3, required for encryption or decryption; and encrypting or decrypting the file. The invention ensures the security of data on all communication and portable devices when they access the Internet, as well as when data is stored, transmitted and exchanged locally.

Description

An information protection method and device for communication and portable devices
Technical field
The present invention relates to the field of communication technology and, more particularly, to an information protection method and device for communication and portable devices.
Background art
The security of communication and portable devices (such as mobile phones, palmtop computers and tablet computers) has long received little attention. One reason is that such devices have few communication interfaces; for example, non-smart mobile phones often only have voice and SMS. Another is that their operating systems are closed systems that expose few external interfaces, so internal information is difficult to extract.
With the progress of science and technology, the operating systems of communication and portable devices have evolved from non-smart operating systems into smart ones, which has increased the functionality and ease of use of such devices, and users store more and more key information on them. The continuous enhancement of system functions has also brought more security risks: attackers can easily obtain ROOT privileges on a device, or steal important data over an Internet connection, and thereby obtain the key information on the device.
Therefore, the system security of communication and portable devices running operating systems such as Android, iOS and WP is receiving more and more attention, and an enhanced encryption and decryption scheme is urgently needed to protect the key information on such devices.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the above defects of the prior art, an information protection method and device for communication and portable devices.
The technical solution adopted by the present invention to solve this technical problem is as follows:
An information protection method for communication and portable devices is constructed, comprising:
Storage card initialization process: generate a read key and a write key, and write the read key and the write key into all control sectors of a storage card having a globally unique card number; generate and write the Triple Data Encryption Algorithm key bundle, comprising K1, K2 and K3, of every data sector of the storage card; and transmit the card number of the storage card and the write keys of all sectors to the key authentication server;
Encryption process: perform hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card, denoted SECNUM; the client establishes an SSL secure connection with the key authentication server, negotiates with the password authentication server, and obtains over the secure connection the read key for reading the corresponding sector of the storage card; it then communicates with the storage card using the read key, obtains the K1, K2 and K3 required for encryption, and encrypts the file;
Decryption process: the client establishes an SSL secure connection with the key authentication server, negotiates with the password authentication server, and obtains over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of the storage card; it then communicates with the storage card using the read key, obtains the K1, K2 and K3 required for decryption, and decrypts the file.
In the information protection method of the present invention, the step in the encryption process of performing hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card specifically comprises:
Obtain the file name and file size of the file to be encrypted and compute a hash over them to obtain a hash value, denoted HASH1;
Compute a hash over the file to be encrypted itself to obtain a hash value, denoted HASH2;
Concatenate HASH1 and HASH2 and take the modulus to obtain the corresponding key storage sector of the storage card, denoted SECNUM.
In the information protection method of the present invention, the step in the encryption process and the decryption process of establishing an SSL secure connection with the key authentication server specifically comprises:
The client sends the information required for communication to the password authentication server;
The password authentication server sends the information required for communication, together with the server certificate, to the client;
The client uses the information sent by the password authentication server to verify the legitimacy of the password authentication server; if verification fails, the communication is broken off, and if it succeeds, the next step proceeds;
The client randomly generates a symmetric secret to be used for communication, encrypts it with the public key of the password verification server, and sends the encrypted pre-master secret to the password verification server;
If the password verification server requires client authentication, the client generates a random number and digitally signs it, and sends the signed random number, together with the client's own certificate and the encrypted pre-master secret, to the password verification server;
The password verification server checks the legitimacy of the client certificate and the signed random number; if verification fails, the communication is interrupted immediately, and if it succeeds, the password verification server decrypts the encrypted pre-master secret with its own private key and then generates the master secret;
The password verification server and the client communicate using the same master secret;
The client sends a message to the password verification server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password verification server that the client side of the handshake is finished;
The password verification server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server side of the handshake is finished;
The client and the password verification server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
In the information protection method of the present invention, the step in the encryption process and the decryption process of communicating with the storage card using the read key, obtaining the K1, K2 and K3 required for encryption or decryption, and encrypting or decrypting the file specifically comprises:
Prompt the user to swipe the storage card;
Pass in, as parameters, the sector number SECNUM to be read and the read key RK corresponding to that sector;
Communicate with the storage card, passing in the sector number SECNUM to be read and the read key RK corresponding to that sector, and perform key authentication;
After key authentication succeeds, read the blocks in the storage card and format them as the required K1, K2 and K3.
In the information protection method of the present invention, in the encryption process and the decryption process the file is encrypted as follows:
Perform DES encryption using K1 as the key, then perform DES "decryption" using K2 as the key, and finally perform DES encryption using K3 as the key;
The file is decrypted as follows:
Perform DES decryption using K3 as the key, then perform DES encryption using K2 as the key, and finally perform DES decryption using K1 as the key.
The present invention also provides an information protection device for communication and portable devices, comprising a storage card having a globally unique card number, and further comprising:
A key generation server, configured to generate a read key and a write key and write them into all control sectors of the storage card, to generate and write the Triple Data Encryption Algorithm key bundle, comprising K1, K2 and K3, of every data sector of the storage card, and to transmit the card number of the storage card and the write keys of all sectors to the key authentication server;
A client, configured to perform hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card, denoted SECNUM, then establish an SSL secure connection with the key authentication server, negotiate with the password authentication server, obtain over the secure connection the read key for reading the corresponding sector of the storage card, then communicate with the storage card using the read key through the short-range wireless communication module, obtain the K1, K2 and K3 required for encryption, and encrypt the file; or
configured to establish an SSL secure connection with the key authentication server, negotiate with the password authentication server, obtain over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of the storage card, then communicate with the storage card using the read key through the short-range wireless communication module, obtain the K1, K2 and K3 required for decryption, and decrypt the file;
A key authentication server, configured to store the card number of the storage card and the write keys of all sectors, and to communicate with the client;
A short-range wireless communication module, configured to communicate with the storage card, obtain the K1, K2 and K3 required for encryption or decryption, and send them to the client.
In the information protection device of the present invention, the client performs hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card as follows:
Obtain the file name and file size of the file to be encrypted and compute a hash over them to obtain a hash value, denoted HASH1; compute a hash over the file to be encrypted itself to obtain a hash value, denoted HASH2; concatenate HASH1 and HASH2 and take the modulus to obtain the corresponding key storage sector of the storage card, denoted SECNUM.
In the information protection device of the present invention, the client establishes the SSL secure connection with the key authentication server as follows:
The client sends the information required for communication to the password authentication server;
The password authentication server sends the information required for communication, together with the server certificate, to the client;
The client uses the information sent by the password authentication server to verify the legitimacy of the password authentication server; if verification fails, the communication is broken off, and if it succeeds, the next step proceeds;
The client randomly generates a symmetric secret to be used for communication, encrypts it with the public key of the password verification server, and sends the encrypted pre-master secret to the password verification server;
If the password verification server requires client authentication, the client generates a random number and digitally signs it, and sends the signed random number, together with the client's own certificate and the encrypted pre-master secret, to the password verification server;
The password verification server checks the legitimacy of the client certificate and the signed random number; if verification fails, the communication is interrupted immediately, and if it succeeds, the password verification server decrypts the encrypted pre-master secret with its own private key and then generates the master secret;
The password verification server and the client communicate using the same master secret;
The client sends a message to the password verification server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password verification server that the client side of the handshake is finished;
The password verification server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server side of the handshake is finished;
The client and the password verification server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
In the information protection device of the present invention, the short-range wireless communication module comprises:
A prompt unit, configured to prompt the user to swipe the storage card;
A parameter passing unit, configured to pass in the sector number SECNUM to be read and the read key RK corresponding to that sector;
A communication unit, configured to communicate with the storage card, passing in the sector number SECNUM to be read and the read key RK corresponding to that sector, and to perform key authentication;
A key acquisition unit, configured to read the blocks in the storage card after key authentication succeeds and format them as the required K1, K2 and K3.
In the information protection device of the present invention, the client encrypts the file as follows: perform DES encryption using K1 as the key, then perform DES "decryption" using K2 as the key, and finally perform DES encryption using K3 as the key;
The file is decrypted as follows: perform DES decryption using K3 as the key, then perform DES encryption using K2 as the key, and finally perform DES decryption using K1 as the key.
The beneficial effects of the present invention are as follows: files are encrypted and decrypted with the Triple Data Encryption Algorithm; an SSL secure connection is established for data communication to guarantee the security and integrity of data in transit; all communication and portable devices are made secure by pairing them with a storage card; and the storage card serves as a second layer of security authentication, substantially increasing the security uncertainty of user password authentication. The scheme of the present invention is suitable for users in all industries who rely heavily on communication and portable devices but need to guarantee the security of the information on them.
Description of drawings
The present invention is further described below with reference to the accompanying drawings and embodiments, in which:
Fig. 1 is a flow chart of the storage card initialization process of the information protection method for communication and portable devices according to a preferred embodiment of the present invention;
Fig. 2 is a flow chart of the encryption process of the information protection method for communication and portable devices according to a preferred embodiment of the present invention;
Fig. 3 is a flow chart of the decryption process of the information protection method for communication and portable devices according to a preferred embodiment of the present invention;
Fig. 4 is a schematic block diagram of the information protection device for communication and portable devices according to a preferred embodiment of the present invention.
Embodiment
The information protection method for communication and portable devices according to a preferred embodiment of the present invention comprises a storage card initialization process, an encryption process and a decryption process. The communication and portable devices include mobile phones, palmtop computers, tablet computers and the like running systems such as Android, iOS and WP. The storage card is preferably a contactless IC card (Mifare 1), M1 card for short. The card is divided into 16 sectors of 4 blocks each (blocks 0 to 3), 64 blocks in total, addressed by block number as 0 to 63. Block 0 of sector 0 (that is, absolute address block 0) stores the manufacturer code, which is fixed and cannot be changed. Blocks 0, 1 and 2 of every other sector are data blocks used to store data; block 3 is the control block, which stores password A, the access control and password B.
In the steps of the following embodiments, SSL in the SSL secure connection is the abbreviation of Secure Sockets Layer, a secure network communication protocol that combines public-key and private-key techniques. The SSL protocol specifies a mechanism that provides a data security layer between application protocols (such as HTTP, Telnet, NNTP and FTP) and the TCP/IP protocol. It provides data encryption, server authentication, message integrity and optional client authentication for TCP/IP connections, and is mainly used to improve the security of data between applications: the transmitted data is encrypted and hidden, and the data is guaranteed not to be altered in transit, that is, its integrity is guaranteed.
SSL combines symmetric cryptography with public-key cryptography and achieves the following three communication goals: (1) Confidentiality: all data transmitted between the SSL client and server is encrypted, so any information obtained by an eavesdropper on the network is meaningless ciphertext; (2) Integrity: SSL uses cryptographic algorithms and hash (HASH) functions to guarantee the integrity of information by extracting a characteristic value from the transmitted information, ensuring that the information to be transmitted arrives at the destination in full and preventing the information between server and client from being damaged; (3) Authentication: using certificate technology and trusted third-party authentication, the client and server can identify each other. To verify that the certificate holder is its legitimate user (and not an impostor), SSL requires the certificate holders to exchange digital certificates during the handshake and guarantees the legitimacy of the other party's identity through verification.
The storage card initialization process of the method comprises: generating a read key and a write key, and writing them into all control sectors of the storage card having a globally unique card number; generating and writing the Triple Data Encryption Algorithm key bundle, comprising K1, K2 and K3, of every data sector of the storage card; and transmitting the card number of the storage card and the write keys of all sectors to the key authentication server. The detailed process is shown in Fig. 1 and comprises: step S11, read the globally unique serial number (card number) of the M1 card; step S12, the physically isolated key generation server takes the globally unique serial number of the M1 card as a parameter and, through a random generation algorithm, outputs the read and write keys corresponding to each block; step S13, the key generation server again takes the globally unique serial number of the M1 card as a parameter and, through a random generation algorithm, outputs the 3DES keys K1, K2 and K3 corresponding to each block; step S14, write the read and write keys and the 3DES keys to the M1 card; step S15, determine whether initialization succeeded; step S16, if it failed, perform exception handling; step S17, if it succeeded, transfer the globally unique card number of the M1 card and the RK information of all sectors of the M1 card to the key authentication server by a corresponding secure data transfer method.
3DES (also called Triple DES) is the common name of the Triple Data Encryption Algorithm (TDEA) block cipher. It is equivalent to applying the DES encryption algorithm three times to each data block. As computing power increased, the key length of the original DES cipher became easy to brute-force; 3DES was designed to provide a relatively simple way of avoiding such attacks by increasing the key length of DES, rather than designing an entirely new block cipher algorithm. 3DES uses a "key bundle" comprising three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits).
The encryption process of the method is shown in Fig. 2 and comprises:
Step S21, perform hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card, denoted SECNUM;
Step S22, the client establishes an SSL secure connection with the key authentication server;
Step S23, negotiate with the password authentication server and obtain over the SSL secure connection the read key for reading the corresponding sector of the storage card. During negotiation, the server is responsible for verifying and recording the following information: the user name of this login and the HASH value corresponding to the password (the server only verifies that the password is correct), the globally unique card number of the M1 card used by the user, the MAC address of the device's network interface (optional), the telephone number of the device (optional), the IMSI number of the device (optional), the SECNUM corresponding to the file, and the time at which this key was obtained;
The process further comprises communicating with the storage card using the read key, obtaining the K1, K2 and K3 required for encryption, and encrypting the file. Specifically: step S24, use the read key RK to read the K1, K2 and K3 corresponding to the M1 card; step S25, verify the correctness of RK; step S26, determine whether authentication succeeded; if so, execute step S27: return the data, obtain the required K1, K2 and K3, perform 3DES encryption on the target file, clean up, and return success; otherwise execute step S28 and perform exception handling.
In the above encryption process, the step of performing hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card specifically comprises: obtain the file name and file size of the file to be encrypted and compute a hash over them to obtain a hash value, denoted HASH1; compute a hash over the file to be encrypted itself to obtain a hash value, denoted HASH2; concatenate HASH1 and HASH2 and take the modulus to obtain the corresponding key storage sector of the storage card, denoted SECNUM.
The decryption process of the method comprises: the client establishes an SSL secure connection with the key authentication server, negotiates with the password authentication server, and obtains over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of the storage card; it then communicates with the storage card using the read key, obtains the K1, K2 and K3 required for decryption, and decrypts the file. The detailed flow is shown in Fig. 3 and comprises: step S31, read the relevant information of the file to be decrypted; step S32, negotiate and establish an SSL secure connection with the remote key authentication server; step S33, obtain from the key authentication server over the SSL secure connection the sector number of the M1 card corresponding to the file, and the read key for reading the corresponding sector of the M1 card; step S34, use the read key to read the K1, K2 and K3 corresponding to the M1 card; step S35, verify the correctness of the read key; step S36, determine whether authentication succeeded; step S37, if authentication succeeded, return the data, obtain the required K1, K2 and K3, perform 3DES decryption on the target file, clean up, and return success; step S38, otherwise perform exception handling. During negotiation, the server is responsible for verifying and recording the following information: the user name of this login and the HASH value corresponding to the password (the server only verifies that the password is correct), the globally unique card number of the M1 card used by the user, the MAC address of the device's network interface (optional), the telephone number of the device (optional), the IMSI number of the device (optional), and the time at which this key was obtained.
Preferably, in the above encryption and decryption processes, the step of establishing an SSL secure connection with the key authentication server specifically comprises:
(1) The client sends the information required for communication to the password authentication server, including the version number of the client's SSL protocol, the types of encryption algorithm, a generated random number, and other information needed for communication between the server and the client;
(2) The password authentication server sends the information required for communication to the client, including the version number of the SSL protocol, the types of encryption algorithm, a random number and other related information; the server also sends its own server certificate to the client;
(3) The client uses the information sent by the password authentication server to verify the legitimacy of the password authentication server. The legitimacy checks include: whether the certificate has expired; whether the CA that issued the server certificate is trustworthy; whether the public key of the issuer's certificate can correctly verify the "issuer's digital signature" on the server certificate; and whether the domain name on the server certificate matches the actual domain name of the server. If verification fails, the communication is broken off; if it succeeds, proceed to step (4);
(4) The client randomly generates a symmetric secret to be used for communication, encrypts it with the public key of the password verification server, and sends the encrypted pre-master secret to the password verification server; the public key is obtained from the information required for communication that the password authentication server sent to the client;
(5) The password verification server chooses whether to require the client to authenticate. If the password verification server requires client authentication, the client generates a random number and digitally signs it, and sends the signed random number, together with the client's own certificate and the encrypted pre-master secret, to the password verification server;
(6) The password verification server checks the legitimacy of the client certificate and the signed random number; if verification fails, the communication is interrupted immediately, and if it succeeds, the password verification server decrypts the encrypted pre-master secret with its own private key and then generates the master secret. The specific legitimacy checks include: whether the client certificate is within its validity period; whether the CA that issued the client certificate is trustworthy; whether the public key of the issuing CA can correctly verify the issuing CA's digital signature on the client certificate; and whether the client certificate is on the certificate revocation list (CRL). If the check fails, communication is interrupted immediately; if it passes, the server decrypts the encrypted "pre-master secret" with its own private key and then performs a series of steps to generate the master secret (the client generates the same master secret by the same method);
(7) The password verification server and the client communicate using the same master secret (that is, the session password);
(8) The client sends a message to the password verification server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password verification server that the client side of the handshake is finished;
(9) The password verification server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server side of the handshake is finished;
(10) The client and the password verification server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
Preferably, in the above encryption and decryption processes, the step of communicating with the storage card according to the read key, obtaining the K1, K2, K3 required for encryption or decryption, and encrypting or decrypting the file specifically comprises: prompting the user to swipe the storage card; passing in as parameters the sector number SECNUM to be read and the read key RK corresponding to that sector; communicating with the storage card through the close-range wireless communication module, passing in the sector number SECNUM to be read and the read key RK corresponding to that sector, and performing key authentication; and, after the key authentication succeeds, reading the blocks in the storage card and formatting them into the required K1, K2, K3. Steps such as exception handling and prompting the user about exceptions and their solutions may also be included.
Preferably, near-field communication (NFC) technology is used to communicate with the storage card. NFC, also called close-range wireless communication, is a short-range, high-frequency wireless communication technology that allows contactless point-to-point data transmission between electronic devices (within ten centimetres). The technology evolved from contactless radio frequency identification (RFID) and is backward compatible with RFID, so near-field communication has inherent security.
Preferably, in the above encryption and decryption processes, the algorithm for encrypting a file is: $\text{ciphertext} = E_{K3}(D_{K2}(E_{K1}(\text{plaintext})))$. That is, DES encryption is performed with K1 as the key, then DES "decryption" with K2 as the key, and finally DES encryption with K3 as the key. The algorithm for decrypting a file is: $\text{plaintext} = D_{K1}(E_{K2}(D_{K3}(\text{ciphertext})))$. That is, DES decryption is performed with K3 as the key, then DES encryption with K2 as the key, and finally DES decryption with K1 as the key.
In another embodiment of the present invention, an information protection device for communication and portable devices is also provided; its schematic block diagram is shown in Figure 4. It comprises a storage card 10 with a globally unique card number, and further comprises a key generation server (not shown), a client 30, a key authentication server 40 and a close-range wireless communication module 20. The key generation server is used to generate read keys and write keys and write them into all control sectors of the storage card 10, to generate and write the Triple Data Encryption Algorithm (3DES) key packets, comprising K1, K2, K3, of all data sectors of the storage card 10, and to transmit the card number of the storage card 10 and the write keys of all sectors to the key authentication server 40. The client 30 is used to perform hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card 10, denoted SECNUM, then establish a secure connection with the key authentication server 40, negotiate with the cipher authentication server, obtain over the secure connection the read key for reading the corresponding sector of the storage card 10, then communicate with the storage card 10 according to the read key through the close-range wireless communication module 20, obtain the K1, K2, K3 required for encryption, and encrypt the file; or, it is used to establish a secure connection with the key authentication server 40, negotiate with the cipher authentication server, obtain over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of the storage card 10, then communicate with the storage card 10 according to the read key through the close-range wireless communication module 20, obtain the K1, K2, K3 required for decryption, and decrypt the file. The key authentication server 40 is used to store the card number of the M1 card (i.e., storage card 10) and the write keys of all sectors, and to communicate with the client 30. The close-range wireless communication module 20 is used to communicate with the storage card 10, obtain the K1, K2, K3 required for encryption or decryption, and send them to the client 30.
In the above embodiment, the client 30 may be built into communication and portable devices in hardware, in software, or in a combination of hardware and software, for example in handheld terminals such as mobile phones, palmtop computers and tablet computers.
In the client 30 of the above embodiment, the process of performing hash-modulo processing on the file to be encrypted to obtain the corresponding key storage sector of the storage card 10 is as follows: obtain the file name and file size of the file to be encrypted and hash them to obtain a hash value, denoted HASH1; hash the file to be encrypted itself to obtain a hash value, denoted HASH2; concatenate HASH1 and HASH2 and take the modulus to obtain the corresponding key storage sector of the storage card 10, denoted SECNUM.
In the client 30 of the above embodiment, the process of establishing an SSL secure connection with the key authentication server 40 is as follows:
(1) The client transmits the information needed for communication to the cipher authentication server, including the version number of the client's SSL protocol, the types of encryption algorithm, the generated random number, and other information needed for communication between server and client;
(2) The cipher authentication server transmits the information needed for communication to the client, including the version number of the SSL protocol, the types of encryption algorithm, a random number and other related information; the server also transmits its own server certificate to the client;
(3) The client uses the information passed by the cipher authentication server to verify the legitimacy of the cipher authentication server. The legitimacy check covers: whether the certificate has expired; whether the authority that issued the server certificate is trustworthy; whether the public key of the issuer's certificate correctly verifies the "issuer's digital signature" on the server certificate; and whether the domain name on the server certificate matches the server's actual domain name. If verification fails, communication is broken off; if it passes, the process continues with step (4);
(4) The client randomly generates a symmetric secret to be used for the communication, encrypts it with the public key of the password authentication server, and then passes the encrypted pre-master secret to the password authentication server; the public key is obtained from the communication information that the cipher authentication server transmitted to the client;
(5) The password authentication server chooses whether to require client authentication. If the password authentication server requires client authentication, the client generates a random number and digitally signs it, and then passes the signed random number, the client's own certificate and the encrypted pre-master secret together to the password authentication server;
(6) The password authentication server checks the legitimacy of the client certificate and of the signed random number. If verification fails, communication is interrupted immediately; if verification passes, the password authentication server decrypts the encrypted pre-master secret with its own private key and then generates the master secret. The legitimacy check specifically covers: whether the client's certificate is within its validity period; whether the CA that issued the client's certificate is trustworthy; whether the issuing CA's public key correctly verifies the issuing CA's digital signature on the client's certificate; and whether the client's certificate is on the certificate revocation list (CRL). If the check fails, communication is interrupted immediately; if it passes, the server decrypts the encrypted "pre-master secret" with its own private key and then performs a series of steps to generate the master secret (the client generates the same master secret by the same method);
(7) The password authentication server and the client communicate using the same master secret (i.e., the session key);
(8) The client sends a message to the password authentication server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password authentication server that the client's side of the handshake is finished;
(9) The password authentication server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server's side of the handshake is finished;
(10) The client and the password authentication server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
The close-range wireless communication module 20 of the above embodiment uses near-field communication (NFC) technology to communicate with the storage card, and comprises: a prompting unit, used to prompt the user to swipe the storage card 10; a parameter passing unit, used to pass in the sector number SECNUM to be read and the read key RK corresponding to that sector; a communication unit, used to communicate with the storage card 10, pass in the sector number SECNUM to be read and the read key RK corresponding to that sector, and perform key authentication; and a key acquisition unit, used to read the blocks in the storage card 10 after the key authentication succeeds and format them into the required K1, K2, K3.
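The hash-modulo sector selection and the SECNUM/RK card read described above, as an added example that is not code from the patent. It assumes SHA-256 as the hash, a 16-sector card with three 16-byte data blocks per sector, and a K1 || K2 || K3 layout inside the sector; the card is simulated in memory, and `select_sector`, `format_key_packet`, `fetch_keys` and `SimulatedCard` are hypothetical names.

```python
import hashlib
import hmac
from typing import List, Tuple

# Assumptions, none of them stated in the patent: SHA-256 as the hash, a card
# with 16 sectors of three 16-byte data blocks, sector 0 left unused, and the
# key packet stored as K1 || K2 || K3 in the first 24 bytes of a sector.
DATA_SECTORS = list(range(1, 16))
BLOCK_SIZE = 16
DES_KEY_LEN = 8


def select_sector(filename: str, content: bytes) -> int:
    """Hash-modulo step: HASH1 covers name and size, HASH2 the file itself."""
    hash1 = hashlib.sha256(f"{filename}|{len(content)}".encode("utf-8")).digest()
    hash2 = hashlib.sha256(content).digest()
    spliced = int.from_bytes(hash1 + hash2, "big")  # concatenate, then reduce
    return DATA_SECTORS[spliced % len(DATA_SECTORS)]


def _strip_parity(key: bytes) -> bytes:
    """DES ignores the low bit of each key byte, so mask it before comparing."""
    return bytes(b & 0xFE for b in key)


def format_key_packet(blocks: List[bytes]) -> Tuple[bytes, bytes, bytes]:
    """Split the blocks read from a sector into K1, K2, K3 and sanity-check them."""
    raw = b"".join(blocks)
    if len(raw) < 3 * DES_KEY_LEN:
        raise ValueError("sector data too short for K1, K2, K3")
    k1, k2, k3 = (raw[i:i + DES_KEY_LEN]
                  for i in range(0, 3 * DES_KEY_LEN, DES_KEY_LEN))
    e1, e2, e3 = (_strip_parity(k) for k in (k1, k2, k3))
    if e1 == e2 or e2 == e3:
        # E(K3, D(K2, E(K1, x))) collapses to a single DES operation here.
        raise ValueError("degenerate key packet: adjacent keys are equal")
    return k1, k2, k3


class SimulatedCard:
    """In-memory stand-in for the storage card; a real card is reached over NFC."""

    def __init__(self) -> None:
        self._sectors = {}

    def provision(self, secnum: int, read_key: bytes, key_packet: bytes) -> None:
        """Initialization step: store the read key and the sector's key packet."""
        padded = key_packet.ljust(3 * BLOCK_SIZE, b"\x00")
        blocks = [padded[i:i + BLOCK_SIZE] for i in range(0, 3 * BLOCK_SIZE, BLOCK_SIZE)]
        self._sectors[secnum] = (read_key, blocks)

    def read_sector(self, secnum: int, read_key: bytes) -> List[bytes]:
        """Key authentication with RK, then return the sector's data blocks."""
        stored = self._sectors.get(secnum)
        if stored is None or not hmac.compare_digest(stored[0], read_key):
            raise PermissionError("key authentication failed for sector %d" % secnum)
        return list(stored[1])


def fetch_keys(card: SimulatedCard, secnum: int, read_key: bytes) -> Tuple[bytes, bytes, bytes]:
    """Client side: pass in SECNUM and RK, read the blocks, format K1, K2, K3."""
    return format_key_packet(card.read_sector(secnum, read_key))


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    body = b"constructed sample file body"
    rk = bytes.fromhex("a0a1a2a3a4a5")
    secnum = select_sector("report.txt", body)
    card = SimulatedCard()
    card.provision(secnum, rk, bytes(range(1, 25)))
    print("SECNUM:", secnum)
    print("key lengths:", [len(k) for k in fetch_keys(card, secnum, rk)])
```

Because HASH2 is computed over the file before encryption, the sector cannot be recomputed from the ciphertext alone, which is consistent with the decryption process obtaining the SECNUM for a file name from the server.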
In the client 30 of the above embodiment, the algorithm for encrypting a file is: $\text{ciphertext} = E_{K3}(D_{K2}(E_{K1}(\text{plaintext})))$. That is, DES encryption is performed with K1 as the key, then DES "decryption" with K2 as the key, and finally DES encryption with K3 as the key. The algorithm for decrypting a file is: $\text{plaintext} = D_{K1}(E_{K2}(D_{K3}(\text{ciphertext})))$. That is, DES decryption is performed with K3 as the key, then DES encryption with K2 as the key, and finally DES decryption with K1 as the key.
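Why the decryption order inverts the encryption, and what that implies for the key packet read from the card, worked through as an added derivation that is not part of the patent text. Here $E_K$ and $D_K$ denote single-DES encryption and decryption under key $K$, so $D_K(E_K(x)) = E_K(D_K(x)) = x$; $P$ is the plaintext and $C = E_{K3}(D_{K2}(E_{K1}(P)))$ the ciphertext.

$$
\begin{aligned}
D_{K1}(E_{K2}(D_{K3}(C))) &= D_{K1}(E_{K2}(D_{K3}(E_{K3}(D_{K2}(E_{K1}(P)))))) \\
&= D_{K1}(E_{K2}(D_{K2}(E_{K1}(P)))) \\
&= D_{K1}(E_{K1}(P)) = P
\end{aligned}
$$

The same cancellation shows when the construction degenerates:

$$
K1 = K2 \;\Rightarrow\; C = E_{K3}(D_{K1}(E_{K1}(P))) = E_{K3}(P), \qquad
K2 = K3 \;\Rightarrow\; C = E_{K3}(D_{K3}(E_{K1}(P))) = E_{K1}(P)
$$

A key packet in which K1 equals K2, or K2 equals K3, therefore protects the file with a single DES operation only, so a client can reasonably reject such a packet when formatting the blocks into K1, K2, K3.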
With the information protection method and device for communication and portable devices of the present invention, the security of the data of all communication and portable devices can be ensured when they access the Internet or when they store, transmit and exchange data locally. All communication and portable devices are paired with an M1 card for security, and the M1 card, serving as a second layer of security authentication, substantially improves the security of user password authentication.
The technical solution of the present invention is well suited to industries in which communication and portable devices are heavily used but the security of all users' information on those devices must be guaranteed. For such potential users, the solution provides a highly reliable identity authentication method, an efficient and secure key transmission mechanism, and high-strength encryption for important data on communication and portable devices. Only an app embodying the present invention needs to be installed on each communication and portable device to achieve secure storage and transfer management of important key information.
It should be understood that those of ordinary skill in the art can make improvements or modifications based on the above description, and all such improvements and modifications shall fall within the scope of protection of the appended claims of the present invention.

Claims (10)

1. An information protection method for communication and portable devices, characterized by comprising:
Storage card initialization process: generating read keys and write keys and writing said read keys and write keys into all control sectors of a storage card having a globally unique card number; generating and writing the Triple Data Encryption Algorithm key packets, comprising K1, K2, K3, of all data sectors of said storage card; and transmitting the card number of said storage card and the write keys of all sectors to a key authentication server;
Encryption process: performing hash-modulo processing on the file to be encrypted to obtain the corresponding storage card key storage sector, denoted SECNUM; the client establishing an SSL secure connection with said key authentication server, negotiating with said cipher authentication server, obtaining over the secure connection the read key for reading the corresponding sector of said storage card, communicating with said storage card according to said read key, obtaining the K1, K2, K3 required for encryption, and encrypting the file;
Decryption process: the client establishing an SSL secure connection with said key authentication server, negotiating with said cipher authentication server, obtaining over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of said storage card, communicating with said storage card according to said read key, obtaining the K1, K2, K3 required for decryption, and decrypting the file.
2. The information protection method according to claim 1, characterized in that, in said encryption process, the step of performing hash-modulo processing on the file to be encrypted to obtain the corresponding storage card key storage sector specifically comprises:
Obtaining the file name and file size of the file to be encrypted and hashing them to obtain a hash value, denoted HASH1;
Hashing the file to be encrypted itself to obtain a hash value, denoted HASH2;
Concatenating said HASH1 and HASH2 and taking the modulus to obtain the corresponding storage card key storage sector, denoted SECNUM.
3. The information protection method according to claim 1, characterized in that, in said encryption process and said decryption process, the step of establishing an SSL secure connection with the key authentication server specifically comprises:
The client transmits the information needed for communication to the cipher authentication server;
The cipher authentication server transmits the information needed for communication and the server certificate to the client;
The client uses the information passed by the cipher authentication server to verify the legitimacy of the cipher authentication server; if verification fails, communication is broken off; if verification passes, the process continues with the next step;
The client randomly generates a symmetric secret to be used for the communication, encrypts it with the public key of the password authentication server, and then passes the encrypted pre-master secret to the password authentication server;
If the password authentication server requires client authentication, the client generates a random number and digitally signs it, and then passes the signed random number, the client's own certificate and the encrypted pre-master secret together to the password authentication server;
The password authentication server checks the legitimacy of the client certificate and of the signed random number; if verification fails, communication is interrupted immediately; if verification passes, the password authentication server decrypts the encrypted pre-master secret with its own private key and then generates the master secret;
The password authentication server and the client communicate using the same master secret;
The client sends a message to the password authentication server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password authentication server that the client's side of the handshake is finished;
The password authentication server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server's side of the handshake is finished;
The client and the password authentication server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
4. The information protection method according to claim 1, characterized in that, in said encryption process and said decryption process, said step of communicating with said storage card according to said read key, obtaining the K1, K2, K3 required for encryption or decryption, and encrypting or decrypting the file specifically comprises:
Prompting the user to swipe the storage card;
Passing in as parameters the sector number SECNUM to be read and the read key RK corresponding to that sector;
Communicating with the storage card, passing in the sector number SECNUM to be read and the read key RK corresponding to that sector, and performing key authentication;
After the key authentication succeeds, reading the blocks in the storage card and formatting them into the required K1, K2, K3.
5. The information protection method according to claim 1, characterized in that, in said encryption process and said decryption process, the method of encrypting a file is:
Performing DES encryption with K1 as the key, then DES "decryption" with K2 as the key, and finally DES encryption with K3 as the key;
The method of decrypting a file is:
Performing DES decryption with K3 as the key, then DES encryption with K2 as the key, and finally DES decryption with K1 as the key.
6. An information protection device for communication and portable devices, characterized by comprising a storage card having a globally unique card number, and further comprising:
A key generation server, used to generate read keys and write keys and write said read keys and write keys into all control sectors of said storage card, to generate and write the Triple Data Encryption Algorithm key packets, comprising K1, K2, K3, of all data sectors of said storage card, and to transmit the card number of said storage card and the write keys of all sectors to a key authentication server;
A client, used to perform hash-modulo processing on the file to be encrypted to obtain the corresponding storage card key storage sector, denoted SECNUM, then establish an SSL secure connection with said key authentication server, negotiate with said cipher authentication server, obtain over the secure connection the read key for reading the corresponding sector of said storage card, then communicate with said storage card according to said read key through a close-range wireless communication module, obtain the K1, K2, K3 required for encryption, and encrypt the file, or
Used to establish an SSL secure connection with said key authentication server, negotiate with said cipher authentication server, obtain over the secure connection the SECNUM corresponding to the name of the file to be decrypted and the read key for reading the corresponding sector of said storage card, then communicate with said storage card according to said read key through the close-range wireless communication module, obtain the K1, K2, K3 required for decryption, and decrypt the file;
A key authentication server, used to store the card number of said storage card and the write keys of all sectors, and to communicate with the client;
A close-range wireless communication module, used to communicate with said storage card, obtain the K1, K2, K3 required for encryption or decryption, and send them to said client.
7. The information protection device according to claim 6, characterized in that, in said client, the process of performing hash-modulo processing on the file to be encrypted to obtain the corresponding storage card key storage sector is as follows:
Obtain the file name and file size of the file to be encrypted and hash them to obtain a hash value, denoted HASH1; hash the file to be encrypted itself to obtain a hash value, denoted HASH2; concatenate said HASH1 and HASH2 and take the modulus to obtain the corresponding storage card key storage sector, denoted SECNUM.
8. The information protection device according to claim 6, characterized in that, in said client, the process of establishing an SSL secure connection with the key authentication server is as follows:
The client transmits the information needed for communication to the cipher authentication server;
The cipher authentication server transmits the information needed for communication and the server certificate to the client;
The client uses the information passed by the cipher authentication server to verify the legitimacy of the cipher authentication server; if verification fails, communication is broken off; if verification passes, the process continues with the next step;
The client randomly generates a symmetric secret to be used for the communication, encrypts it with the public key of the password authentication server, and then passes the encrypted pre-master secret to the password authentication server;
If the password authentication server requires client authentication, the client generates a random number and digitally signs it, and then passes the signed random number, the client's own certificate and the encrypted pre-master secret together to the password authentication server;
The password authentication server checks the legitimacy of the client certificate and of the signed random number; if verification fails, communication is interrupted immediately; if verification passes, the password authentication server decrypts the encrypted pre-master secret with its own private key and then generates the master secret;
The password authentication server and the client communicate using the same master secret;
The client sends a message to the password authentication server indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the password authentication server that the client's side of the handshake is finished;
The password authentication server sends a message to the client indicating that subsequent data communication will use the master secret as the symmetric key, and at the same time notifies the client that the server's side of the handshake is finished;
The client and the password authentication server begin data communication using the same symmetric key, while checking the integrity of the communicated data.
9. The information protection device according to claim 6, characterized in that said close-range wireless communication module comprises:
A prompting unit, used to prompt the user to swipe the storage card;
A parameter passing unit, used to pass in the sector number SECNUM to be read and the read key RK corresponding to that sector;
A communication unit, used to communicate with the storage card, pass in the sector number SECNUM to be read and the read key RK corresponding to that sector, and perform key authentication;
A key acquisition unit, used to read the blocks in the storage card after the key authentication succeeds and format them into the required K1, K2, K3.
10. The information protection device according to claim 6, characterized in that, in said client, the process of encrypting a file is: performing DES encryption with K1 as the key, then DES "decryption" with K2 as the key, and finally DES encryption with K3 as the key;
The process of decrypting a file is: performing DES decryption with K3 as the key, then DES encryption with K2 as the key, and finally DES decryption with K1 as the key.
CN201210290865.7A 2012-08-16 2012-08-16 Information protection method and device for communication and portable devices Active CN102801730B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210290865.7A CN102801730B (en) 2012-08-16 2012-08-16 Information protection method and device for communication and portable devices

Publications (2)

Publication Number Publication Date
CN102801730A true CN102801730A (en) 2012-11-28
CN102801730B CN102801730B (en) 2015-01-28

Family

ID=47200693

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210290865.7A Active CN102801730B (en) 2012-08-16 2012-08-16 Information protection method and device for communication and portable devices

Country Status (1)

Country Link
CN (1) CN102801730B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20121128

Assignee: Xiaoma Baoli (Xiamen) Network Technology Co.,Ltd.

Assignor: XIAMEN MEIYA PICO INFORMATION Co.,Ltd.

Contract record no.: X2023350000032

Denomination of invention: An information protection method and device for communication and portable equipment

Granted publication date: 20150128

License type: Common License

Record date: 20230301