The content of the invention
Based on the demand, the present invention proposes a kind of soft cipher key system and implementation method, and U-shield function is realized by softwareEnsure client key certificate content safety again simultaneously.
In order to achieve the above object and effect, the present invention use following technology contents:
A kind of soft cipher key system, including following functional blocks:
One key certificate manages subsystem:It is responsible for download, random storage and reads user key certificate, wherein user is closeKey certificate deposits mark of the user in cipher key system, key, the term of validity, enciphering and deciphering algorithm description, Digital Signature Algorithm descriptionAnd the digital signature identification of certificate;User key certificate uses password or encrypting fingerprint;The key certificate manages subsystemSystem includes key certificate kept secure module and key certificate read module;
The key certificate kept secure module:It is responsible for that certificate maintaining secrecy after application program downloads user key certificateStorage;Including a complete certificate file is split as into multiple files, and it is random on the head of each file and afterbody insertionThe random bit of quantity is deposited in above-mentioned file in multiple catalogues of flash or disk at random as interference;
The key certificate read module:Be responsible for upper layer application need to call user key certificate carry out Encrypt and Decrypt andDigital signature produces and read when verifying the key certificate of kept secure;
One cipher key subsystem:It is responsible for using user password or fingerprint solution to the key certificate of password either encrypting fingerprintClose, authentication secret certificate number signature, the private key of extraction key certificate, the public key of acquisition communication counterpart;
One enciphering and deciphering algorithm subsystem:It is responsible for the our private key and other side's public key exported according to cipher key subsystem, realizesVarious asymmetric Encrypt and Decrypts and digital signature, sign test work in secret communication;Once our private key is completed to use, exist at onceRandom number is write in storage private key internal memory and is discharged.
The present invention separately reaches above-mentioned purpose and efficacy using following technology contents:
A kind of implementation method of soft key, comprises the following steps:
1) kept secure, including step 1-1~1-12 are carried out to key certificate;1-1) read what upper level applications providedUser key certificate after password or encrypting fingerprint;Randomizer 1-2) carried using operating system produce one withMachine number, the seed as inside modules pseudo-random sequence;User key certificate file 1-3) is split into N number of text of equal lengthPart, N take 5~10;1-4) using the seed obtained in inside modules pseudo-random sequence and step 1-2, generation 2 × N number of pseudorandomNumber, by 2 × N number of pseudo random number obtains inserting in the head and tail of N number of key certificate file content to MaxRandByteLength modulusEnter the random bit quantity RandByteLength [2N] for interference;1-5) random number carried using operating system is occurredDevice, randomly generate the random Byte that the long degree of 2 × N groups is respectively RandByteLength [n] (n=1~2N);1-6) by 2 × N groupsRandom Byte inserts the head and tail of N number of user key certificate file as interference bit;1-7) use inside modules pseudorandom sequenceRow produce N number of random number as random key, N number of user key certificate file after disturbing bit will be added to use N number of with keyIt is encrypted;1-8) use inside modules pseudo-random sequence, then produce N number of random number, by this N number of random number be mapped as letter andNumeral, using filename of this N groups random letters with number combinatorics on words as N number of family key certificate file;N can be deposited by 1-9) collectingThe catalogue of key certificate file after individual scrambling, search operation system directory form, finds system directory position;1-10)Using inside modules pseudo-random sequence, then N number of random number is produced, this N number of random number is mapped as N number of file storing directory, thisA little file storing directories are derived from step 1-9;The key certificate file after N number of plus interference bit and encryption 1-11) is used into stepRandom file name is named successively caused by 1-8, and path deposits these certificate files successively according to caused by step 1-10;1-12) the inside pseudo-random sequence seed that step 1-2 is obtained is preserved using after user password or encrypting fingerprint with document formIn local directory;
2) key certificate is read out, including step 2-1~2-9;2-1) using user password or fingerprint decryption originallyThe pseudo-random sequence seed of ground storage;2-2) using the seed obtained in inside modules pseudo-random sequence and 2-1, generation 2 × N number ofPseudo random number, by 2 × N number of pseudo random number obtains the head in N number of key certificate file content to MaxRandByteLength modulusWith the amount R andByteLength [2N] of the random disturbances bit of tail insertion;2-3) produced using inside modules pseudo-random sequenceN number of random number obtains the encryption key of key certificate file;N number of random number 2-4) is produced using inside modules pseudo-random sequence,Mapping letter and number obtains the filename of key certificate file;2-5) produced using inside modules pseudo-random sequence N number of randomNumber, mapping directory obtain the storing directory successively of key certificate file;2-6) the key certificate filename obtained using step 2-4The key certificate file storing directory obtained with step 2-5 reads key certificate file;2-7) key pair is obtained using step 2-3The key certificate file decryption broken;2-8) obtain RandByteLength [2N] using step 2-2 and remove the key broken to demonstrate,proveThe interference bit of head and tail in written matter;2-9) key certificate broken is restored and submits to cipher key subsystem;
3) key, including step 3-1~3-3 are obtained;3-1) use user password or fingerprint decruption key certificate;3-2)Key certificate digital signature and the term of validity are verified;The private key of we 3-3) is read, if similar symmetrical or non-rightThe public affairs of title system, private key asymmetric encipherment system, then according to the mark of communication counterpart from third party CA centers or directly by public keyMatrix maps to obtain the public key of other side;
4) encryption and decryption is carried out to key:The our private key and other side's public key exported according to cipher key subsystem, realize that secrecy is logicalAsymmetric Encrypt and Decrypt and digital signature, sign test work in letter;Once our private key is completed to use, at once in storage private keyDeposit middle write-in random number and discharged.
The present invention at least has the advantages that:
The present invention is run as daemon software when in use, relatively conventional U-shield " hard key ", without extrapolation hardware, toolHave the characteristics of easy to use, cost is cheap, at the same by the fractionation to key certificate, random plus interference bit, accidental enciphering andThe method of random name storage, it is ensured that the security of key certificate, source code technology is stolen by using anti-dis-assembling and shut out substantiallyPass through the possibility that internal memory obtains private key in key certificate in running software absolutely.
Other objects of the present invention and advantage can from disclosed herein technology contents be further understood.ForThe above and other objects, features and advantages of the present invention can be become apparent, special embodiment below simultaneously coordinates institute's accompanying drawingFormula is described in detail below.
Embodiment
The content of announcement of the invention is related to a kind of cipher key system realized by software, and its technical characteristics is, phaseAdditional hardware i.e. " hard key " is needed to use for U-shield scheme, the present invention can be described as " soft key ".The present invention is real by softwareExisting, cost is cheap;Terminal need not link additional hardware during use, easy to use;Key certificate uses password or encrypting fingerprintAfter split into some files, random name and random storage, ensure key certificate safety to greatest extent.
Next it will transmit through embodiment and coordinate institute's accompanying drawings, illustrate that the present invention has innovation compared with prior art, enteredThe unique technology part such as step or effect, enables those of ordinary skill in the art to realize according to this.It should be noted that the common skill in this areaArt personnel are in lower carried out modification and change without departing from the spirit, all without departing from the protection category of the present invention.
Referring to Fig. 1, the soft cipher key system of the present invention includes key certificate management subsystem, cipher key subsystem and encryption and decryptionAlgorithm subsystem, and support the software systems of above three subsystem.
Key certificate manages subsystem:It is responsible for download, random storage and reading user key certificate, wherein user key is demonstrate,provedBook deposit mark of the user in cipher key system, key, the term of validity, enciphering and deciphering algorithm description, Digital Signature Algorithm description andDigital signature identification of certificate etc..User key certificate uses password or encrypting fingerprint, and password or encrypting fingerprint algorithm areAlgorithms most in use, specific descriptions can search related data.Key certificate management subsystem be divided into key certificate kept secure module andKey certificate read module.
Key certificate kept secure module:By certificate kept secure after application program downloads user key certificate, mostLimits prevent certificate to be stolen.The key of kept secure is a complete certificate file being split as multiple files, andIn the random bit of the head of each file and afterbody insertion random amount as interference, these files are deposited at randomIn multiple catalogues of flash or disk.
Key certificate read module:It is responsible for needing to call user key certificate to carry out Encrypt and Decrypt and numeral in upper layer applicationSignature produces and read when verifying the key certificate of kept secure.
Cipher key subsystem:The key certificate of password either encrypting fingerprint is decrypted using user password or fingerprint, checkingKey certificate digital signature, the private key for extracting key certificate, the public key for obtaining communication counterpart.
Enciphering and deciphering algorithm subsystem:The our private key and other side's public key exported according to cipher key subsystem, realizes secret communicationIn various asymmetric Encrypt and Decrypts and digital signature, sign test work.Once our private key is completed to use, at once in storage private keyRandom number is write in internal memory and is discharged, is leaked in plain text to prevent private key.
The workflow of the soft cipher key system of the present invention is illustrated with reference to Fig. 1:
Step 1, by key certificate kept secure module, kept secure is carried out to key certificate, specific works step is as follows:
Step 1-1:Read the user key certificate after password or encrypting fingerprint that upper level applications provide;
Step 1-2:The randomizer carried using operating system produces a random number, as inside modules puppet withThe seed of machine sequence, inside modules pseudo-random sequence can use m-sequence generator or other method to realize, pseudo-random sequenceAfter seed is certain, pseudo random number caused by order is fixed;
Step 1-3:User key certificate file is split into N number of file of equal length, N can take 5~10;
Step 1-4:Use the seed obtained in inside modules pseudo-random sequence and step 2, generation 2 × N number of pseudorandomNumber, by 2 × N number of pseudo random number obtains inserting in the head and tail of N number of key certificate file content to MaxRandByteLength modulusEnter the random bit quantity RandByteLength [2N] for interference, MaxRandByteLength can take 1024 or otherValue.
Step 1-5:The randomizer carried using operating system, randomly generating the long degree of 2 × N groups is respectivelyRandByteLength [n] (n=1~2N) random Byte (8bit);
Step 1-6:The random Byte of 2 × N groups is inserted into the head and tail of N number of user key certificate file as interference bit;
Step 1-7:N number of random number is produced as random key using inside modules pseudo-random sequence, will add interference bitN number of user key certificate file afterwards is encrypted using N number of with key, and direct XOR, or AES etc. can be used in encryption methodOther symmetric encipherment algorithms;
Step 1-8:Using inside modules pseudo-random sequence, then N number of random number is produced, by this N number of random number using specificMapping mode, be mapped as letter and number, using this N groups random letters with number combinatorics on words as N number of family key certificate fileFilename, suffix can use the conventional suffix name such as txt, dat, it is possible to use dll (windows systems), so (Linux system)Etc. fascinating suffix;
Step 1-9:The catalogue of the key certificate file after N number of scrambling can be deposited by collecting, search operation system directory form,System directory position is found, windows systems are such as:Windows catalogues, Program Files catalogues etc., androidSystem is such as:Android catalogues, DCIM etc., also it can collect some catalogues in the application program using soft key;
Step 1-10:Using inside modules pseudo-random sequence, then N number of random number is produced, by this N number of random number using specificMapping mode be mapped as N number of file storing directory, these file storing directories are derived from step 1-9;
Step 1-11:Key certificate file after N number of plus interference bit and encryption is used into random text caused by step 1-8Part name is named successively, and path deposits these certificate files successively according to caused by step 1-10;
Step 1-12:After the inside pseudo-random sequence seed that step 1-2 is obtained is using user password or encrypting fingerprintSpecific local directory is stored in document form.
Step 2, by key certificate read module, key certificate is read out, its job step is key certificate secrecyThe inverse process of memory module, it is specific as follows:
Step 2-1:The pseudo-random sequence seed being locally stored using user password or fingerprint decryption;
Step 2-2:Use the seed obtained in inside modules pseudo-random sequence and step 1, generation 2 × N number of pseudorandomNumber, by 2 × N number of pseudo random number obtains inserting in the head and tail of N number of key certificate file content to MaxRandByteLength modulusThe amount R andByteLength [2N] of the random disturbances bit entered;
Step 2-3:The encryption for obtaining key certificate file using the N number of random number of inside modules pseudo-random sequence generation is closeKey;
Step 2-4:N number of random number is produced using inside modules pseudo-random sequence, mapping letter and number obtains key cardThe filename of written matter;
Step 2-5:N number of random number is produced using inside modules pseudo-random sequence, mapping directory obtains key certificate fileStoring directory successively;
Step 2-6:The key certificate file that the key certificate filename and step 2-5 obtained using step 2-4 is obtained is depositedPut catalogue and read key certificate file;
Step 2-7:Key is obtained to the key certificate file decryption broken using step 2-3;
Step 2-8:Using step 2-2 obtain RandByteLength [2N] remove in the key certificate file broken head andThe interference bit of tail;
Step 2-9:The key certificate broken is restored and submits to cipher key subsystem.
Step 3, by cipher key subsystem, key is obtained, is comprised the following steps that:
Step 3-1:Use user password or fingerprint decruption key certificate;
Step 3-2:Key certificate digital signature and the term of validity are verified;
Step 3-3:Read the private key of we, if similar symmetrical or asymmetric system public affairs, private key it is asymmetric plusClose system, then map to obtain the public key of other side according to the mark of communication counterpart from third party CA centers or directly by public key matrix.
Step 4, by enciphering and deciphering algorithm subsystem, encryption and decryption is carried out to key.The we exported according to cipher key subsystem are privateKey and other side's public key, realize the various asymmetric Encrypt and Decrypts in secret communication and digital signature, sign test work.It is once our privateKey is completed to use, and writes random number in private key internal memory is deposited at once and is discharged, is leaked in plain text to prevent private key.
Above key certificate management subsystem, cipher key subsystem and enciphering and deciphering algorithm subsystem need to use C language or otherThe language that source code can not be obtained by straightforward procedures such as dis-assemblings is write, while the puppet for obscuring is inserted in code is realizedCode etc. prevents the technology that source code is obtained by decompiling, so as to prevent the private key in key certificate to greatest extent in internal memory withIt is stolen when occurring in plain text.
The present invention has boundless usage scenario, such as in the small amount payment application program of various mobile terminals,U-shield etc external hardware is not needed, it is easy to use, while key certificate can obtain safeguard protection.
With android mobile phone terminals, embodiment is used as using symmetrical or asymmetric encipherment system payment application:
【It is as follows that certificate downloads storing step】(correspond to step 1) of the present invention:
Step a:Android payment applications download user key certificate from server;
Step b:The key certificate kept secure module of key certificate management subsystem splits key certificate, uses insidePseudo-random sequence order produces a series of random numbers, and interference bit, accidental enciphering, random is added to the key certificate file after fractionationName and storage (specific steps are seen above);
Step c:The random seed of internal pseudo-random sequence is stored using user password or encrypting fingerprint.
【Certificate read step is as follows】(correspond to step 2) of the present invention:
Step a:Read and use user password or fingerprint decruption key certificate management subsystem internal pseudo-random sequenceRandom seed;
Step b:The key certificate read module of key certificate management subsystem uses internal pseudo-random sequence order to produceA series of random numbers, the random each scattered key certificate named and stored is read, remove interference bit, each certificate of decryptionFile, scattered certificate file is merged into a complete certificate (specific steps are seen above).
【Payment step is as follows】(corresponding to step 3 of the present invention and 4):
Step a:Payment information (by scanning Quick Response Code or input) is obtained, obtains pricing information;
Step b:Select the means of payment (other modes such as e-bank or electronics collar);
Step c:User inputs payment cipher or scanning payment Quick Response Code;
Step d:User inputs soft key and starts password or fingerprint, and application program is verified using password or fingerprint algorithmPassword or fingerprint;
Step e:The key certificate read module of the key certificate management subsystem of soft key reads the key of random storageCertificate;
Step f:The cipher key subsystem of soft key uses user password or fingerprint decruption key certificate, obtains the private of userKey and public key matrix;
Step g:The cipher key subsystem of soft key will pay communication counterpart mark and pass through symmetrical or asymmetric public key matrixMapping obtains other side's public key;
Step h:By the payment cipher of user's input or scanning payment Quick Response Code so that the means of payment and payment information useThe enciphering and deciphering algorithm subsystem of soft key is encrypted and digital signature;
Step i:Information after the encryption of upper-level payment application transfer is to channel of disbursement (third party or bank);
Step j:Sign test is by success of withholing, paying and completing.
Above-described is only the preferred embodiment of the present invention, and the invention is not restricted to above example.It is appreciated that thisOther improvement and become that art personnel directly export or associated without departing from the spirit and concept in the present inventionChange, be considered as being included within protection scope of the present invention.