CN112383914B - Password management method based on secure hardware - Google Patents

Password management method based on secure hardware

Info

Publication number
CN112383914B
Authority
CN
China
Prior art keywords
password management
password
management app
security hardware
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011270720.1A
Other languages
Chinese (zh)
Other versions
CN112383914A (en
Inventor
李重保
凡帅
刘文印
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong University of Technology
Priority to CN202011270720.1A
Publication of CN112383914A
Application granted
Publication of CN112383914B
Active
Anticipated expiration


Abstract

The invention discloses a password management method based on secure hardware, comprising secure hardware and a password management APP. The secure hardware includes an encryption chip and a TurboNFC communication chip. The encryption chip is a trusted platform module that serves as an independent device for key generation and for encryption and decryption; it has its own processor and secure storage unit, which are used to store keys and characteristic data, and it provides encryption and security authentication services to the password management APP. The password management APP exchanges data with the encryption chip through asymmetric encrypted communication, and the TurboNFC communication chip is responsible for data transmission and the conversion of communication modes. The password management APP provides the user with the required account and password management. The invention can effectively improve the security of the password management APP.

Description

Password management method based on secure hardware
Technical Field
The invention relates to the technical field of internet password management, in particular to a password management method based on secure hardware.
Background
With the development of the internet, especially the mobile internet, users increasingly need to log in to an APP or a webpage on a mobile phone. For example, a user shopping on Kyoto must log in to the APP or webpage of the Kyoto shopping mall to complete ordering and payment.
When a user registers with many APPs or websites, it is easy to forget the passwords and which password belongs to which APP or website. In addition, to increase security, an APP or website places requirements on the login credentials the user provides, such as length and password composition, and these requirements may differ between APPs and websites. The result is long and complicated passwords that are hard for the user to remember and troublesome to manage.
In this situation a user may choose to set the same password for all websites or applications. But if the password of one APP or website is obtained, an attacker can easily log in to the other APPs or websites with a credential-stuffing ("library collision") attack, creating a single point of failure and a serious security risk. Patent No. CN 108632222 A discloses a password management apparatus and its management method, a password manager, and an electronic device, and proposes using the password management apparatus to store passwords securely in hardware. However, it does not use the emerging TurboNFC technology: the hardware needs a wired connection to a PC for its power supply, and input through the keypad on its interface reduces convenience of use.
Patent No. CN 107392008 A discloses a password management method, a password management device, and a computer-readable storage medium that use hardware to store passwords; the scheme places high demands on hardware operation and its communication interaction is complex.
To sum up, existing password management on mobile phones has the following disadvantages:
1. existing secure hardware is powered mainly by a battery or through a physical interface (such as a USB interface);
2. when an NFC chip is used as the storage medium, the contents of an ordinary NFC chip are easy to read out, especially by cracking;
3. because of technical and size limitations, ordinary NFC cannot obtain enough additional power to drive an encryption chip with a very high security level;
4. when a user manages passwords, ordinary password management software stores them in the phone's RAM, on the phone's local hard disk or in the cloud, so there are risks such as database dumping and loss, which cause serious losses to the user and in turn a loss of confidence in password management software.
For the problems that password management on mobile phones has low security, that existing password management APPs have had their databases stolen, and that locally stored and cloud-stored passwords are cracked, there is currently no convenient hardware with matching software. It is therefore important to solve these problems.
Disclosure of Invention
To solve the above problems, the invention provides a password management method based on secure hardware. It uses TurboNFC technology to obtain, on an NFC circuit board of extremely small planar size (much smaller than a bus card) and thickness, an IC power supply capability strong enough to drive a high-grade encryption chip (supporting almost all national commercial cryptographic algorithms and standard encryption and decryption algorithms). Combined with a password security management APP, this gives the user the ability to manage their own passwords in a convenient and highly secure way.
To implement this technical scheme, the invention provides a password management method based on secure hardware, characterized in that it comprises secure hardware and a password management APP, wherein the secure hardware comprises an encryption chip and a TurboNFC communication chip. The encryption chip is a trusted platform module that serves as an independent device for key generation and for encryption and decryption; it has its own processor and secure storage unit, used to store keys and characteristic data, and it provides encryption and security authentication services to the password management APP. The password management APP exchanges data with the encryption chip through asymmetric encrypted communication, and the TurboNFC communication chip is responsible for data transmission and the conversion of communication modes. The password management APP provides the user with the required account and password management.
A further improvement is that the password management method specifically comprises the following steps:
Step one: binding the secure hardware
S1. After the password management APP running on an NFC-capable mobile phone discovers the secure hardware, the following steps are started manually to bind a particular piece of secure hardware;
S2. The password management APP sends the user's unique identification ID on the password management APP's server, together with a binding request instruction, to the secure hardware;
S3. The secure hardware first checks whether it has already been bound; if so, it does not allow itself to be bound again and returns error information;
S4. If the secure hardware is not bound, it sends its own unique identifier and the public key for asymmetric encrypted communication after binding to the password management APP;
S5. After correctly reading the secure hardware information and the encryption public key and persisting the related information, the password management APP sends a binding confirmation instruction to the secure hardware;
S6. After receiving the instruction, the secure hardware marks itself as bound, stores the asymmetric encryption private key, and generates and stores the key information required for subsequent plaintext and password encryption;
S7. Binding is complete once the secure hardware returns an end instruction;
Step two: encrypted and decrypted communication
After the user's unique identification ID on the password management APP's server has been bound to the secure hardware, all communication data packets between the password management APP and the secure hardware are transmitted in encrypted form: the password management APP and the secure hardware each encrypt the data packets they send and decrypt the data packets they receive.
A further improvement is that a password stored by the password management APP is encrypted as follows:
Step one: when the user saves an account and password for logging in to third-party software in the password management APP, the password management APP requests high-security hardware encryption of the password;
Step two: after the password management APP confirms that hardware encryption is to be performed, it sends the user's unique identification ID on the password management APP's server and the plaintext of the password to be encrypted to the secure hardware through the mobile phone's NFC communication module;
Step three: after decoding the data packet, the secure hardware first checks whether the user's unique identification ID on the password management APP's server is consistent with the bound user ID, and returns error information if it is not;
Step four: if the user ID is consistent with the bound user ID, the secure hardware encrypts the password plaintext and returns the resulting ciphertext to the password management APP;
Step five: after receiving the ciphertext, the password management APP stores it locally and in the cloud and performs subsequent related operations.
A further improvement is that the ciphertext of a password stored by the password management APP is decrypted as follows:
Step one: when the user needs to use the password, the password management APP requests hardware decryption of the stored password ciphertext;
Step two: after the password management APP finds that the user's password for the third-party software has been stored in encrypted form, it sends the user ID and the ciphertext to be decrypted to the secure hardware through the mobile phone's NFC communication module;
Step three: after decoding the data packet, the secure hardware first checks whether the user ID is consistent with the bound user ID, and returns error information if it is not;
Step four: if they are consistent, the secure hardware decrypts the ciphertext and returns the plaintext to the password management APP;
Step five: after receiving the plaintext, the password management APP stores it locally and in the cloud, or automatically sends it to the server of the third-party software for authentication, or automatically sends it to the front end of the third-party software for filling.
A further improvement is that the TurboNFC communication chip in the secure hardware acts as a passive device and obtains its energy from the electromagnetic waves emitted by the mobile phone, received through its antenna.
A further improvement is that the account and password management function includes automatically sending the existing account and password information to the server of the third-party software for direct verification when logging in to the third-party software.
A further improvement is that the account and password management function further includes, when logging in to the third-party software, automatically sending the existing account and password information to the front end of the third-party software and filling it in, after which the front end sends it to the server of the third-party software for verification.
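The bind-once rule (S2 to S7) and the user ID check that precedes every encryption or decryption request, modelled from the secure hardware's side as an added example; it is not code from the patent or its applicant. The class, method and message names are hypothetical, the HMAC-based cipher and its integrity tag are stand-ins for the chip's hardware algorithms, the public key is a placeholder, and the encrypted NFC transport of step two is not modelled.

```python
import hashlib
import hmac
import secrets


class TokenError(Exception):
    """Error information returned to the password management APP."""


class SecureToken:
    """Device-side model: bind once, then check the bound user ID."""

    def __init__(self, hardware_id: str):
        self.hardware_id = hardware_id
        self.bound_user = None      # set when binding is confirmed (S6)
        self._pending_user = None   # user ID received in S2
        self._enc_key = None        # generated in S6, never leaves the token
        self._mac_key = None

    def request_bind(self, user_id: str) -> dict:
        # S3: a token that is already bound refuses to be bound again.
        if self.bound_user is not None:
            raise TokenError("already bound")
        self._pending_user = user_id
        # S4: return the token's identifier and its communication public key.
        # The key bytes are a placeholder; no asymmetric crypto is modelled.
        return {"hardware_id": self.hardware_id,
                "comm_public_key": b"<placeholder public key>"}

    def confirm_bind(self) -> str:
        if self.bound_user is not None or self._pending_user is None:
            raise TokenError("no binding request pending")
        # S6: mark as bound and generate the password-encryption keys.
        self.bound_user, self._pending_user = self._pending_user, None
        self._enc_key = secrets.token_bytes(32)
        self._mac_key = secrets.token_bytes(32)
        return "bind-complete"  # S7: end instruction

    def _check_user(self, user_id: str) -> None:
        # Step three of both flows: compare against the bound user ID.
        if self.bound_user is None:
            raise TokenError("not bound")
        if not hmac.compare_digest(user_id.encode(), self.bound_user.encode()):
            raise TokenError("user ID does not match bound user")

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in cipher: HMAC-SHA256 in counter mode used as a keystream.
        stream = b""
        counter = 0
        while len(stream) < len(data):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, user_id: str, plaintext: bytes) -> bytes:
        self._check_user(user_id)
        nonce = secrets.token_bytes(16)
        body = self._xor_stream(nonce, plaintext)
        # The integrity tag is an addition of this example.
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, user_id: str, blob: bytes) -> bytes:
        self._check_user(user_id)
        if len(blob) < 48:
            raise TokenError("malformed ciphertext")
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise TokenError("ciphertext failed integrity check")
        return self._xor_stream(nonce, body)


def outcome(call) -> str:
    """Run one request and report what the token answered."""
    try:
        call()
        return "accepted"
    except TokenError as err:
        return str(err)


def demo() -> dict:
    # Constructed sample values: user IDs, hardware IDs and the password.
    token = SecureToken("HW-0001")
    token.request_bind("user-42")
    token.confirm_bind()
    secret = b"correct horse battery"
    blob = token.encrypt("user-42", secret)
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    other = SecureToken("HW-0002")
    other.request_bind("user-42")
    other.confirm_bind()
    return {
        "roundtrip": token.decrypt("user-42", blob) == secret,
        "rebind": outcome(lambda: token.request_bind("user-99")),
        "wrong_user": outcome(lambda: token.decrypt("user-99", blob)),
        "tampered": outcome(lambda: token.decrypt("user-42", tampered)),
        "other_token": outcome(lambda: other.decrypt("user-42", blob)),
        "unbound": outcome(lambda: SecureToken("HW-0003").encrypt("user-42", secret)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Because the keys generated at S6 stay inside the token, the stored ciphertext can only be decrypted by the token that produced it, even when a second token is bound to the same user ID.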
The beneficial effects of the invention are as follows. Using TurboNFC technology, an IC power supply capability strong enough to drive a high-grade encryption chip (supporting almost all national commercial cryptographic algorithms and standard encryption and decryption algorithms) is obtained on an NFC circuit board of extremely small planar size (much smaller than a bus card) and thickness; combined with a password security management APP, this gives the user the ability to manage their own passwords in an extremely convenient and highly secure manner. Using the password management APP together with the secure hardware improves the security and practicality of password management. The APP's account database can use cloud storage and local storage, and the presence of the secure hardware further improves the security of the APP.
Drawings
FIG. 1 is a diagram of the connection framework of the security hardware and password management APP of the present invention.
FIG. 2 is a flow chart of password management APP binding security hardware of the present invention.
Fig. 3 is a flowchart of password encryption processing corresponding to a login account according to the present invention.
Fig. 4 is a flowchart of password decryption processing corresponding to the login account according to the present invention.
Fig. 5 is a block diagram of the security hardware of the present invention.
Detailed Description
In order to further understand the present invention, the following detailed description will be made with reference to the following examples, which are only used for explaining the present invention and are not to be construed as limiting the scope of the present invention.
Example one
As shown in figs. 1 to 4, this embodiment provides a password management method based on secure hardware, comprising secure hardware and a password management APP, where the secure hardware includes an encryption chip and a TurboNFC communication chip. The encryption chip is a trusted platform module that serves as an independent device for key generation and for encryption and decryption; it has its own processor and secure storage unit, used to store keys and characteristic data, and it provides encryption and security authentication services to the password management APP. The password management APP exchanges data with the encryption chip through asymmetric encrypted communication, and the TurboNFC communication chip is responsible for data transmission and the conversion of communication modes. The password management APP provides the user with the required account and password management.
The password management method specifically comprises the following steps:
Step one: binding the secure hardware
S1. After the password management APP running on an NFC-capable mobile phone discovers the secure hardware, the following steps are started manually to bind a particular piece of secure hardware;
S2. The password management APP sends the user's unique identification ID on the password management APP's server, together with a binding request instruction, to the secure hardware;
S3. The secure hardware first checks whether it has already been bound; if so, it does not allow itself to be bound again and returns error information;
S4. If the secure hardware is not bound, it sends its own unique identifier and the public key for asymmetric encrypted communication after binding to the password management APP;
S5. After correctly reading the secure hardware information and the encryption public key and persisting the related information, the password management APP sends a binding confirmation instruction to the secure hardware;
S6. After receiving the instruction, the secure hardware marks itself as bound, stores the asymmetric encryption private key, and generates and stores the key information required for subsequent plaintext and password encryption;
S7. Binding is complete once the secure hardware returns an end instruction;
Step two: encrypted and decrypted communication
After the user's unique identification ID on the password management APP's server has been bound to the secure hardware, all communication data packets between the password management APP and the secure hardware are transmitted in encrypted form: the password management APP and the secure hardware each encrypt the data packets they send and decrypt the data packets they receive.
A password stored by the password management APP is encrypted as follows:
Step one: when the user saves an account and password for logging in to third-party software in the password management APP, the password management APP requests high-security hardware encryption of the password;
Step two: after the password management APP confirms that hardware encryption is to be performed, it sends the user's unique identification ID on the password management APP's server and the plaintext of the password to be encrypted to the secure hardware through the mobile phone's NFC communication module;
Step three: after decoding the data packet, the secure hardware first checks whether the user's unique identification ID on the password management APP's server is consistent with the bound user ID, and returns error information if it is not;
Step four: if the user ID is consistent with the bound user ID, the secure hardware encrypts the password plaintext and returns the resulting ciphertext to the password management APP;
Step five: after receiving the ciphertext, the password management APP stores it locally and in the cloud and performs subsequent related operations.
The ciphertext of a password stored by the password management APP is decrypted as follows:
Step one: when the user needs to use the password, the password management APP requests hardware decryption of the stored password ciphertext;
Step two: after the password management APP finds that the user's password for the third-party software has been stored in encrypted form, it sends the user ID and the ciphertext to be decrypted to the secure hardware through the mobile phone's NFC communication module;
Step three: after decoding the data packet, the secure hardware first checks whether the user ID is consistent with the bound user ID, and returns error information if it is not;
Step four: if they are consistent, the secure hardware decrypts the ciphertext and returns the plaintext to the password management APP;
Step five: after receiving the plaintext, the password management APP stores it locally and in the cloud, or automatically sends it to the server of the third-party software for authentication, or automatically sends it to the front end of the third-party software for filling.
The TurboNFC communication chip in the secure hardware acts as a passive device and obtains its energy from the electromagnetic waves emitted by the mobile phone, received through its antenna.
The account and password management function includes automatically sending the existing account and password information to the server of the third-party software for direct verification when logging in to the third-party software.
The account and password management function further includes, when logging in to the third-party software, automatically sending the existing account and password information to the front end of the third-party software and filling it in, after which the front end sends it to the server of the third-party software for verification.
The secure hardware and the password management APP in this embodiment are used together, and the password management APP can also work independently of the secure hardware. The password management system of the password management APP has been published by the applicant of the present application; for details, see the system for electronic identity registration and authentication login disclosed in patent No. CN 104270338 B.
The TurboNFC communication chip in this embodiment is a special NFC chip. In addition to near field communication and wireless energy transmission, it has the following features: a passive interface using TurboNFC technology has much higher antenna efficiency than a conventional passive interface, supports high-efficiency wireless energy transfer, and uses a small antenna. When an ordinary smartphone with an NFC interface acts as the active NFC interface, a device using TurboNFC technology can receive at least 60 mW of wireless power. When used with a new-generation mobile phone that has an NXP NFC controller, it can receive 250 mW to 300 mW of wireless power. With a small antenna, the signal strength of TurboNFC is more than one order of magnitude greater than that of conventional NFC technology.
TurboNFC is a tag-side technology: it does not depend on the NFC reader-writer and is fully compatible with standard NFC. The performance of TurboNFC is obtained simply by using a device that has TurboNFC technology, without changing the reader-writer (either its software or its hardware). This makes the cost of using TurboNFC unusually low and its range of application very wide. At present, most mobile phones (including Samsung, Huawei, Apple, Xiaomi and the like) and most high-end mobile phones on the market have NFC reader functionality and are fully compatible with TurboNFC devices without installing any software.
In this embodiment, using TurboNFC technology, an IC power supply capability strong enough to drive a high-grade encryption chip (supporting almost all national commercial cryptographic algorithms and standard encryption and decryption algorithms) is obtained on an NFC circuit board of very small planar size (much smaller than a bus card) and thickness; combined with a password security management APP, this gives the user the ability to manage their own passwords in a very convenient and highly secure manner. Using the password management APP together with the secure hardware improves the security and practicality of password management. The APP's account database can use cloud storage and local storage, and the presence of the secure hardware further improves the security of the APP.
Example two
This embodiment uses the N32S032 encryption chip from Nations Technologies. The chip is designed around an ARM-M0 security processor core and an AMBA multi-bus structure, and is a 32-bit multipurpose high-performance encryption chip developed by Nations Technologies for mobile internet identity authentication and internet of things security encryption applications in electronic banking, e-commerce, e-government and similar fields. The hardware algorithm coprocessor built into the N32S032 provides high-performance security algorithm modules such as DES/3DES, AES, SHA, RSA, ECC and the national commercial cryptographic algorithms SM1/SM2/SM3/SM4. The chip also integrates a range of application peripheral interfaces: a 12-bit 1 Msps high-precision SAR ADC, a 10-bit DAC, a comparator, an RTC real-time clock, high-performance PWM, USB 2.0 (FS), multiple SPI channels, UART, I2C and ISO 7816, so that internet of things and mobile internet security authentication solutions can be implemented easily.
Example three
As shown in fig. 5, in this embodiment the TurboNFC communication chip in the secure hardware acts as a passive device and obtains its energy from the electromagnetic waves emitted by the mobile phone, received through its antenna. The TurboNFC communication chip is a TN2115S chip of the weft-opening intelligent core, and the encryption chip is an N32S032 chip. The energy obtained by the antenna drives the TurboNFC chip TN2115S1 and at the same time powers the encryption chip N32S032 (at a voltage of 3.3 V).
I2C communication is used between the TurboNFC communication chip TN2115S1 and the encryption chip N32S032. The interface is not limited to I2C: any duplex or half-duplex interface capable of normal communication can be used, such as UART, SPI or CAN. Because only encrypted data packets travel over these interfaces, eavesdropping and tampering can be prevented.
The mobile phone uses the ISO 14443-3A standard for near field communication with the TurboNFC communication chip TN2115S1. After the TurboNFC communication chip TN2115S1 receives a correct instruction, it forwards the data packet to the encryption chip. After the encryption chip N32S032 has processed the data and passed an encrypted data packet to the TurboNFC communication chip TN2115S1, the data packet is sent by near field communication to the NFC chip in the mobile phone's NFC communication module and on to the password management APP.
Example four
This embodiment provides a method of using the password management APP with TurboNFC-based secure hardware, implemented in the following steps:
Step one: after the user scans or pushes a code, the account and password corresponding to the third-party APP or website the user wants to log in to are found in the password management APP (commonly called "Easy Login");
Step two: if the password is in plaintext form, then after the user clicks the "login" button in the Easy Login password management APP, the password plaintext is sent directly from the APP to the destination (the Easy Login password management APP plug-in or the server of the target login website);
Step three: if the password is in ciphertext form, then after the user clicks the "login" button in the Easy Login password management APP, the password ciphertext must be sent to the secure hardware bound to the APP (commonly called a login device) for decryption; the login device sends the decrypted password plaintext back to the APP, which then automatically sends it to the destination (the Easy Login plug-in or the server of the target login website).
Step three comprises the following specific steps:
S1. After clicking the "login" button in the Easy Login password management APP, the user brings the login device close to the NFC area of the mobile phone running the APP (gradually fine-tuning the contact position) until the phone's NFC and the login device's TurboNFC chip successfully establish a communication channel;
S2. The password management APP sends the password ciphertext;
S3. The login device calls the decryption algorithm to obtain the password plaintext;
S4. The login device sends the decrypted password plaintext to the password management APP;
S5. The Easy Login password management APP sends the received password plaintext to the destination (the Easy Login plug-in or the server of the target login website).
Example five
In this embodiment, the communication chip in the secure hardware is not limited to TurboNFC, and other chips and devices with communication functions may replace the communication chip of TurboNFC.
The foregoing illustrates and describes the principles, general features, and advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (1)

Translated fromChinese
1. A password management method based on security hardware, characterized in that: it comprises security hardware and a password management APP, the security hardware comprising an encryption chip and a TurboNFC communication chip; the encryption chip is a trusted platform module which, as a device that independently performs key generation and encryption and decryption, has its own independent processor and secure storage unit for storing keys and feature data, and provides encryption and security authentication services to the password management APP; the password management APP exchanges data with the encryption chip over asymmetric-encryption communication, and the TurboNFC communication chip is responsible for data transmission and for converting the communication mode; the password management APP provides the user with the required account and password management; the password management method specifically comprises the following steps:

Step 1: Bind the security hardware

S1. The password management APP, running on a mobile phone with NFC capability, discovers security hardware, after which the following steps are started manually to bind a particular security hardware device;
S2. The password management APP sends the user's unique identification ID on the server of the password management APP, together with a binding request instruction, to the security hardware;
S3. The security hardware first checks whether it has already been bound; if it has, it does not allow itself to be bound again and returns an error message;
S4. If the security hardware has not been bound, it sends the password management APP its own unique identifier and the public key to be used for asymmetric-encryption communication after binding;
S5. After the password management APP has correctly read the security hardware information and the encryption public key and has persisted the related information, it sends a confirm-binding instruction to the security hardware;
S6. On receiving the instruction, the security hardware marks itself as bound, saves the asymmetric-encryption private key, and generates and saves the key information needed for the subsequent encryption of plaintext and passwords;
S7. Binding is complete once the security hardware returns an end instruction;

Step 2: Encrypted and decrypted communication

After the user's unique identification ID on the server of the password management APP has been bound to the security hardware, every communication data packet between the password management APP and the security hardware is transmitted in encrypted form; the password management APP and the security hardware each encrypt the data packets they send and decrypt the data packets they receive;

The steps for encrypting a password saved by the password management APP are as follows:

Step 1: When the user saves in the password management APP an account and password for logging in to third-party software, the password management APP requests high-security-level hardware encryption for the password;
Step 2: After the password management APP confirms that hardware encryption is to be performed, it sends the user's unique identification ID on the server of the password management APP and the plaintext of the password to be encrypted to the security hardware through the mobile phone's NFC communication module;
Step 3: After decoding the data packet, the security hardware first checks whether the user's unique identification ID on the server of the password management APP matches the bound user ID, and returns an error message if it does not;
Step 4: If the user ID matches the bound user ID, the security hardware encrypts the plaintext password and returns the result to the password management APP;
Step 5: After receiving the ciphertext, the password management APP saves it locally and in the cloud and carries out the subsequent related operations;

The steps for decrypting the ciphertext of a password saved by the password management APP are as follows:

Step 1: When the user needs to use the password, the password management APP requests hardware decryption of the stored ciphertext of the password;
Step 2: After the password management APP finds that the user's password for the third-party software has been stored in encrypted form, it sends the user ID and the ciphertext to be decrypted to the security hardware through the mobile phone's NFC communication module;
Step 3: After decoding the data packet, the security hardware first checks whether the user ID matches the bound user ID, and returns an error message if it does not;
Step 4: If they match, the security hardware decrypts the ciphertext and returns the plaintext to the password management APP;
Step 5: After receiving the plaintext, the password management APP saves it locally and in the cloud, or automatically sends it to the server of the third-party software for authentication, or automatically sends it to the front end of the third-party software to be filled in;

The TurboNFC communication chip in the security hardware is a passive device and receives its energy through an antenna from the electromagnetic waves emitted by the mobile phone;

The account and password management functions include, when logging in to third-party software, automatically sending the existing account and password information to the server of the third-party software for direct verification;

The account and password management functions further include, when logging in to third-party software, automatically sending the existing account and password information to the front end of the third-party software and filling it in, after which it is sent from the front end to the server of the third-party software for verification.
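The binding handshake (S1 to S7) and the user-ID check that gates both encryption and decryption in claim 1 can be modelled on the device side as follows. This is an added example, not code from the patent: the class, method names and sample values are assumptions, an HMAC-SHA256 keystream with a MAC tag stands in for the chip's cipher (which the claim does not specify), and the asymmetric transport encryption of Step 2 is left out.

```python
import hashlib, hmac, secrets

class SecurityHardware:
    """Device side of claim 1. All names here are assumptions of this example."""
    def __init__(self):
        self.device_id = secrets.token_hex(8)    # constructed sample identifier
        self.pending = self.bound_user = self._key = None

    def request_bind(self, user_id):             # S2-S4
        if self.bound_user is not None:          # S3: a bound device refuses
            raise PermissionError("already bound")
        self.pending = user_id
        return self.device_id                    # S4 (public key omitted here)

    def confirm_bind(self, user_id):             # S5-S7
        if self.bound_user is not None or self.pending is None or user_id != self.pending:
            raise PermissionError("no matching bind request")
        self.bound_user, self.pending = user_id, None
        self._key = secrets.token_bytes(32)      # S6: key is generated and stays inside
        return "END"                             # S7

    def _mac(self, label, data):
        return hmac.new(self._key, label + data, hashlib.sha256).digest()

    def _xor(self, nonce, data):                 # stand-in cipher: HMAC-SHA256 keystream
        ks = b"".join(self._mac(b"ks", nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _check(self, user_id):                   # step 3 of both procedures
        if self.bound_user is None or user_id != self.bound_user:
            raise PermissionError("user ID does not match the bound ID")

    def encrypt(self, user_id, plaintext):       # encryption steps 3-4
        self._check(user_id)
        nonce = secrets.token_bytes(16)
        ct = self._xor(nonce, plaintext)
        return nonce + ct + self._mac(b"tag", nonce + ct)

    def decrypt(self, user_id, blob):            # decryption steps 3-4
        self._check(user_id)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if len(blob) < 48 or not hmac.compare_digest(tag, self._mac(b"tag", nonce + ct)):
            raise ValueError("ciphertext rejected")
        return self._xor(nonce, ct)

def demo():
    hw = SecurityHardware()
    hw.request_bind("user-1001")                 # constructed sample values
    hw.confirm_bind("user-1001")
    return hw, hw.encrypt("user-1001", b"s3cret-pw")
```

The tag check makes the model reject a modified ciphertext before any plaintext is released; the claim does not say whether the chip's cipher is authenticated, so that property belongs to this stand-in only.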
CN202011270720.1A | 2020-11-13 | 2020-11-13 | Password management method based on secure hardware | Active | CN112383914B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011270720.1A CN112383914B (en) | 2020-11-13 | 2020-11-13 | Password management method based on secure hardware

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202011270720.1A CN112383914B (en) | 2020-11-13 | 2020-11-13 | Password management method based on secure hardware

Publications (2)

Publication Number | Publication Date
CN112383914A (en) | 2021-02-19
CN112383914B (en) | 2022-02-01

Family

ID=74582554

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202011270720.1A (Active) CN112383914B (en) | Password management method based on secure hardware | 2020-11-13 | 2020-11-13

Country Status (1)

Country | Link
CN (1) | CN112383914B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113014393B (en)* | 2021-02-20 | 2023-04-28 | 中易通科技股份有限公司 | Password safe box system based on hardware encryption and application method
CN113901529B (en)* | 2021-10-09 | 2023-03-24 | 上海盛本智能科技股份有限公司 | Equipment safety management method based on encryption hardware
CN116033419A (en)* | 2022-12-08 | 2023-04-28 | 中京天裕科技(北京)有限公司 | Mobile phone security authentication method based on external NFC chip
CN117951737B (en)* | 2024-01-08 | 2024-09-27 | 广州市蓝粤网络科技有限公司 | Encryption storage management key card for time-space correlation chip of confidential data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103023925A (en)* | 2012-06-29 | 2013-04-03 | 上海华苑电子有限公司 | NFC (near field communication) personal account information management system and method for implementing same
CN104270338A (en)* | 2014-09-01 | 2015-01-07 | 刘文印 | Method and system for electronic identity registration and authentication login
CN104868997A (en)* | 2015-03-30 | 2015-08-26 | 廖小谦 | Safety intelligent hardware, and protection method and system of user data of intelligent terminal

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101236591B (en)* | 2007-01-31 | 2011-08-24 | 联想(北京)有限公司 | Method, terminal and safe chip for guaranteeing critical data safety
CN102236756A (en)* | 2011-05-09 | 2011-11-09 | 山东超越数控电子有限公司 | File encryption method based on TCM (trusted cryptography module) and USBkey
CN102325026A (en)* | 2011-07-14 | 2012-01-18 | 易讯天空计算机技术(深圳)有限公司 | Account password secure encryption system
CN104636682A (en)* | 2015-02-09 | 2015-05-20 | 上海瀚银信息技术有限公司 | Password management system and method based on hardware device
CN105871866B (en)* | 2016-04-28 | 2018-10-12 | 济南大学 | A kind of password management system and method based on computer hardware information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
启纬智芯 develops TurboNFC technology, to be used in its self-developed chip TN2115S1; 羽化成诗; 《贤集网》; 20190731; pp. 1-4 *

Also Published As

Publication number | Publication date
CN112383914A (en) | 2021-02-19

Similar Documents

Publication | Title
CN112383914B (en) | Password management method based on secure hardware
TWI792284B (en) | Methods for validating online access to secure device functionality
CN107077670B (en) | Method and apparatus for transmitting and processing transaction messages, computer readable storage medium
CN103366111B (en) | Mobile device realizes the method for smart card extended authentication control based on Quick Response Code
CN113424490B (en) | Secure password generation and management using NFC and contactless smart cards
CN103501191B (en) | A kind of mobile payment device based on NFC technology and method thereof
CN106100850B (en) | Intelligent and safe chip signing messages transmission method and system based on two dimensional code
US20130001301A1 (en) | Controlling Connectivity of a Wireless Smart Card Reader
WO2012031433A1 (en) | System and method for remote payment based on mobile terminal
US20150270971A1 (en) | Method for producing a soft token, computer program product and service computer system
CN103237305B (en) | Password protection method for smart card on facing moving terminal
KR20170134631A (en) | User authentication method and apparatus, and wearable device registration method and apparatus
CN102571340A (en) | Certificate authentication device as well as access method and certificate update method thereof
CN101465019A (en) | Method and system for implementing network authentication
CN101483654A (en) | Method and system for implementing authentication and data safe transmission
WO2013071711A1 (en) | Method for processing payment business and terminal
CN101770619A (en) | Multiple-factor authentication method for online payment and authentication system
CN103210398B (en) | Method of reading RFID tokens, RFID cards and electronic devices
CN103037323B (en) | Based on random code verification system and the verification method thereof of mobile terminal
CN112910837B (en) | Identity authentication method and system based on communication network and readable storage medium thereof
CN1889419B (en) | Method and apparatus for realizing encrypting
CN108243402B (en) | A method and device for reading and writing smart cards
TW201349127A (en) | Dynamic barcode verification system and its verification method
CN201150068Y (en) | Multifunctional information safety equipment
CN114463007A (en) | Close-range payment method, medium, device and computing equipment

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
