CN118611876B - Algorithm library authorization and encryption method, system and device based on encryption dog - Google Patents

Info

Publication number
CN118611876B
Authority
CN
China
Prior art keywords
algorithm
dongle
algorithm library
encryption
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411098219.XA
Other languages
Chinese (zh)
Other versions
CN118611876A (en)
Inventor
章东平
刘中秋
汤斯亮
张伟
夏天舒
张帅
陈萍
张文桥
余家斌
张文宇
宣明辉
林路
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Haoqing Technology Co ltd
Sinyada Technology Co ltd
Miaxis Biometrics Co Ltd
Original Assignee
Hangzhou Haoqing Technology Co ltd
Sinyada Technology Co ltd
Miaxis Biometrics Co Ltd
Application filed by Hangzhou Haoqing Technology Co ltd, Sinyada Technology Co ltd, Miaxis Biometrics Co Ltd
Priority to CN202411098219.XA
Publication of CN118611876A
Application granted
Publication of CN118611876B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of information technology security, and in particular to a dongle-based algorithm library authorization and encryption method, system and device. The method includes: S101. obtaining public key B of the key pair B randomly generated by the dongle; S102. constructing a plaintext that includes public key B; S103. obtaining private key A of the key pair A generated by the algorithm vendor; S104. encrypting the plaintext with private key A to generate encrypted information; S105. writing the encrypted information into the private memory area of the dongle; wherein public key A is stored in the algorithm library. To overcome the technical problem that the dongle can be cracked to obtain the private key used for algorithm library authorization verification, the invention does not store the algorithm vendor's private key A in the dongle, which effectively avoids the possibility of that private key being obtained from the dongle and effectively protects the algorithm library authorization.

Description

Dongle-based algorithm library authorization and encryption method, system and device
Technical Field
The present invention relates to the field of information technology security, and in particular, to a dongle-based algorithm library authorization and encryption method, system, and device.
Background
In existing dongle-based algorithm authorization schemes, the private key is stored in the dongle and the public key is stored in the algorithm library, and algorithm library authorization is verified either by encrypting with the private key and decrypting with the public key, or by encrypting with the public key and decrypting with the private key. The disadvantage of this approach is that if the dongle's own security mechanism is broken and the private key is obtained, the security of the entire authorization mechanism is compromised. Once the dongle is cracked, that is, once the private key is obtained, algorithm library authorization can no longer be controlled, which causes losses. How to secure the dongle itself is therefore a major concern for such schemes.
Disclosure of Invention
Technical problem to be solved by the invention
To solve the technical problem that a private key obtained by cracking the dongle can be used to pass algorithm library authorization verification, the invention provides a dongle-based algorithm library authorization and encryption method, system and device that do not store the algorithm vendor's private key A in the dongle, thereby effectively avoiding the possibility of the private key being obtained from the dongle and effectively protecting the algorithm library authorization.
Technical solution
To solve the above problems, the technical solution provided by the invention is as follows:
A dongle-based algorithm library authorization encryption method comprises the following steps: S101, obtaining public key B of the key pair B randomly generated by the dongle; S102, constructing a plaintext that includes public key B; S103, obtaining private key A of the key pair A generated by the algorithm vendor; S104, encrypting the plaintext with private key A to generate encrypted information; S105, writing the encrypted information into the private memory area of the dongle; wherein public key A is stored in the algorithm library.
Optionally, if the plaintext further includes one or more of algorithm vendor information and a dongle unique identifier UID, then before step S102 the method further includes: obtaining one or more of the algorithm vendor information and the dongle unique identifier UID.
Optionally, the algorithm used for the key pair A generated by the algorithm vendor and the algorithm used for the key pair B randomly generated by the dongle are one or more of the RSA algorithm, the ECC algorithm and the DSA algorithm.
A dongle-based algorithm library authorization encryption system comprises: a plaintext construction module, used to obtain public key B of the key pair B randomly generated by the dongle and to construct a plaintext that includes public key B; an encryption module, used to obtain private key A of the key pair A generated by the algorithm vendor and to encrypt the plaintext with private key A to generate encrypted information; a dongle storage module, used to write the encrypted information into the private memory area of the dongle; and an algorithm storage module, used to obtain public key A of the key pair A generated by the algorithm vendor and to store public key A in the algorithm library.
Optionally, the plaintext construction module is further used to obtain one or more of the algorithm vendor information and the dongle unique identifier UID, and to construct a plaintext that includes public key B and one or more of the algorithm vendor information and the dongle unique identifier UID; the algorithm storage module is further used to obtain the algorithm vendor information and store it in the algorithm library.
A dongle-based algorithm library authorization method comprises the following steps: S201, obtaining the encrypted information in the dongle; S202, obtaining public key A stored in the algorithm library; S203, decrypting the encrypted information with public key A to obtain the plaintext; S204, obtaining a random number X randomly generated by the algorithm library; S205, obtaining a random number Y, which the algorithm library obtains by decrypting the encrypted information of random number X with the public key B contained in the plaintext; S206, judging whether random number X is consistent with random number Y; if so, the verification succeeds and algorithm library authorization is obtained; if not, the verification fails and authorization to execute the algorithm library is refused. The encrypted information of random number X is produced by the dongle: after receiving the random number X randomly generated by the algorithm library, the dongle encrypts X with private key B.
Optionally, if the plaintext further includes one or more of algorithm vendor information and a dongle unique identifier UID, the method further includes: S213, verifying one or more of the algorithm vendor information and the dongle unique identifier UID; if the verification succeeds, the random number verification continues; if it fails, authorization to execute the algorithm library is refused.
A dongle-based algorithm library authorization system comprises: a decryption module, used to obtain the encrypted information in the dongle, obtain public key A stored in the algorithm library, and decrypt the encrypted information with public key A to obtain the plaintext; a random number acquisition module, used to obtain the random number X randomly generated by the algorithm library and to obtain the random number Y that the algorithm library obtains by decrypting the encrypted information of random number X with the public key B contained in the plaintext, where the encrypted information of random number X is produced by the dongle encrypting X with private key B after receiving the random number X randomly generated by the algorithm library; and a random number verification module, used to judge whether random number X is consistent with random number Y; if so, the verification succeeds and algorithm library authorization is obtained; if not, the verification fails and authorization to execute the algorithm library is refused.
Optionally, the system further comprises a plaintext verification module, used to verify one or more of the algorithm vendor information and the dongle unique identifier UID; if the verification succeeds, the random number verification module continues to execute; if it fails, authorization to execute the algorithm library is refused.
A dongle-based algorithm library authorization device for performing or storing the method of any one of the above claims, or for installing the system of any one of the above claims.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial effects:
The embodiments of the application provide a dongle-based algorithm library authorization encryption method, system and device. The authorization encryption method is held only by the algorithm vendor and is not provided to customers. After the method is completed, the dongle and the algorithm library are delivered to the customer. Public key A is stored in the algorithm library, and the dongle randomly generates key pair B; the customer therefore holds public key A and key pair B, while private key A remains completely unknown to the customer: private key A is controlled only by the algorithm vendor and is used only when this method is carried out. The dongle therefore does not need to store private key A, and the risk of leaking private key A is avoided, which effectively ensures the security and reliability of the algorithm library authorization.
The embodiments of the application also provide a dongle-based algorithm library authorization method, system and device, in which the customer obtains the dongle and the algorithm library from the algorithm vendor and thereby obtains authorization for the algorithm library. Public key A is stored in the algorithm library and the encrypted information is stored in the dongle; the encrypted information is decrypted with public key A without any involvement of private key A, and the authorization verification of the algorithm library is completed using the key pair B randomly generated by the dongle. Using the key pair B randomly generated inside the dongle optimizes the dongle's security encryption mechanism and reduces the risk of keys and sensitive data being exposed externally; because the encryption process is carried out entirely inside the dongle, an attacker cannot easily obtain the key information by software means, which improves security. Even if the dongle is cracked and private key B is obtained, the authorization verification of the algorithm library cannot be completed: the ciphertext stored in the dongle's private memory area was encrypted with private key A, so public key A is needed to decrypt it, and public key A is stored in the algorithm library rather than in the dongle. The algorithm library must therefore also be cracked to obtain public key A, which greatly increases the difficulty of cracking and ensures the validity of dongle-based algorithm library authorization.
Drawings
Fig. 1 is a flowchart of an algorithm library authorization encryption method based on a dongle according to an embodiment of the present invention.
Fig. 2 is a block diagram of an algorithm library authorization encryption system based on a dongle according to an embodiment of the present invention.
Fig. 3 is a flowchart of an algorithm library authorization method based on a dongle according to an embodiment of the present invention.
Fig. 4 is a second flowchart of an algorithm library authorization method based on a dongle according to an embodiment of the present invention.
Fig. 5 is a block diagram of an algorithm library authorization system based on a dongle according to an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of an algorithm library authorization device based on a dongle according to an embodiment of the present invention.
Fig. 7 is a block diagram of the contents of the algorithm library and the dongle when the dongle-based algorithm library authorization encryption method, system and device of a combined embodiment of the present invention are executed.
Fig. 8 is a block diagram of the contents of the algorithm library and the dongle when the dongle-based algorithm library authorization method, system and device of a combined embodiment of the present invention are executed.
Detailed Description
For a further understanding of the present invention, it is described in detail below with reference to the drawings and embodiments. It is to be understood that the specific embodiments described herein merely illustrate the application and do not limit it. For convenience of description, only the parts related to the application are shown in the drawings. Where no conflict arises, the embodiments of the application and the features of the embodiments may be combined with each other.
Example 1
The embodiment provides an algorithm library authorization encryption method based on a dongle, as shown in fig. 1, including:
S101, obtaining public key B of the key pair B randomly generated by the dongle;
S102, constructing a plaintext that includes public key B;
S103, obtaining private key A of the key pair A generated by the algorithm vendor;
S104, encrypting the plaintext with private key A to generate encrypted information;
S105, writing the encrypted information into the private memory area of the dongle; wherein public key A is stored in the algorithm library.
Regarding the execution order in this embodiment: steps S101 and S103 may be performed simultaneously or one after the other, in either order; however, step S101 must be completed before step S102, and step S103 must be completed before step S104. Steps S102, S104 and S105 must be performed in that order.
The technical solution of this embodiment is controlled solely by the algorithm vendor, is used for the security management of industry algorithm libraries, and is not provided to customers. After the method is completed, the dongle and the algorithm library are delivered to the customer. Using the key pair B randomly generated inside the dongle optimizes the dongle's security encryption mechanism and reduces the risk of keys and sensitive data being exposed externally; because the generation of key pair B takes place entirely inside the dongle, it is difficult for an attacker to obtain the key information by software means, which improves security. As shown in Fig. 7, the algorithm library stores public key A, and the dongle randomly generates key pair B. The customer, by opening the algorithm library and the dongle, therefore obtains public key A and key pair B, while private key A remains completely unknown: private key A is controlled only by the algorithm vendor and is used only when this method is carried out. The dongle thus does not need to store private key A, and there is no risk of private key A being leaked from it, which ensures the reliability and validity of the algorithm library authorization. Even if the dongle's encryption mechanism is cracked, public key A is stored in the algorithm library and can only be obtained by also cracking the algorithm library, which further increases the difficulty of cracking and ensures the validity of the algorithm library authorization.
The memory partitioning of a dongle is designed to meet requirements for high security and efficiency by clearly separating different functions and data types. A dongle comprises a read-only memory area, a random-access memory area, a programmable memory area, a secure memory area and an encryption processor. The read-only memory area ensures that the firmware cannot be tampered with; the random-access memory area provides space for temporary data processing, and the volatility of its data helps protect sensitive information; the programmable memory area and the secure memory area provide user data storage and key protection respectively; and the encryption processor improves the efficiency and security of cryptographic operations. This design makes the dongle an ideal hardware device for key management and encryption tasks. The private memory area of the dongle corresponds to the dongle's secure memory area. For security reasons the encrypted information is stored in the secure memory area: because this area can only be accessed with a password, an attacker can reach its data only by breaking the password, which strengthens the security of the stored encrypted information and further ensures the validity and reliability of the algorithm library authorization.
As a further improvement of this technical solution, if the plaintext further includes one or more of algorithm vendor information and a dongle unique identifier UID, then before step S102 the method further includes: obtaining one or more of the algorithm vendor information and the dongle unique identifier UID.
The algorithm vendor information and the dongle unique identifier UID may be added to the plaintext either individually or together. A verification step for the corresponding information is then added when the algorithm library is authorized, which further strengthens the validity of dongle-based algorithm library authorization.
As a further improvement of this embodiment, the algorithm used for the key pair A generated by the algorithm vendor and the algorithm used for the key pair B randomly generated by the dongle are one or more of the RSA algorithm, the ECC algorithm and the DSA algorithm.
To generate key pair A on the algorithm vendor's terminal and key pair B in the dongle, a key pair generation algorithm must be provided on each; one or a combination of several public-key algorithms such as RSA, ECC (elliptic curve cryptography) and DSA (Digital Signature Algorithm) may be used. Which algorithm is chosen to generate the key pairs may be decided according to the specific application scenario, security requirements, performance considerations, cost budget and storage capacity. ECC is an increasingly popular choice because of its high efficiency and low resource requirements, especially in resource-constrained environments. However, the broad support for and maturity of RSA still make it the first choice in many situations. DSA is better suited to scenarios that require digital signatures.
Example 2
This embodiment provides a dongle-based algorithm library authorization encryption system, as shown in Fig. 2, comprising: a plaintext construction module, used to obtain public key B of the key pair B randomly generated by the dongle and to construct a plaintext that includes public key B; an encryption module, used to obtain private key A of the key pair A generated by the algorithm vendor and to encrypt the plaintext with private key A to generate encrypted information; a dongle storage module, used to write the encrypted information into the private memory area of the dongle; and an algorithm storage module, used to obtain public key A of the key pair A generated by the algorithm vendor and to store public key A in the algorithm library.
With the system of this embodiment, the customer obtains public key A by opening the algorithm library and the dongle, while private key A remains completely unknown: private key A is controlled only by the algorithm vendor. When the system runs, the dongle does not need to store private key A, and there is no risk of private key A being leaked, which ensures the reliability and validity of the algorithm library authorization. Even if the dongle's encryption mechanism is cracked, public key A is stored in the algorithm library and can only be obtained by also cracking the algorithm library, which further increases the difficulty of cracking and ensures the validity of the algorithm library authorization.
As a further improvement of this embodiment, the plaintext construction module is further used to obtain one or more of the algorithm vendor information and the dongle unique identifier UID, and to construct a plaintext that includes public key B and one or more of the algorithm vendor information and the dongle unique identifier UID; the algorithm storage module is further used to obtain the algorithm vendor information and store it in the algorithm library.
The system of this embodiment is used for the security management of industry algorithm libraries. This scheme adds content to the plaintext information, which is then obtained and verified, so an attacker must crack both the algorithm library and the dongle. This increases the difficulty for an attacker and thereby effectively protects the dongle-based algorithm library authorization mechanism.
Example 3
The embodiment provides an algorithm library authorization method based on a dongle, as shown in fig. 3, including:
S201, obtaining the encrypted information in the dongle;
S202, obtaining public key A stored in the algorithm library;
S203, decrypting the encrypted information with public key A to obtain the plaintext;
S204, obtaining a random number X randomly generated by the algorithm library;
S205, obtaining a random number Y, which the algorithm library obtains by decrypting the encrypted information of random number X with the public key B contained in the plaintext;
S206, judging whether random number X is consistent with random number Y; if so, the verification succeeds and algorithm library authorization is obtained; if not, the verification fails and authorization to execute the algorithm library is refused;
The encrypted information of random number X is produced by the dongle: after receiving the random number X randomly generated by the algorithm library, the dongle encrypts X with private key B.
Regarding the execution order in this embodiment, steps S201, S202 and S204 need not be performed in any particular order, but steps S201 and S202 must both be completed before step S203 is executed.
Steps S201, S202 and S203 form the decryption part, which corresponds to the dongle-based algorithm library authorization encryption method of Example 1; steps S204, S205 and S206 form the verification part.
After obtaining the dongle and the algorithm library from the algorithm vendor, the customer can execute the method of this embodiment and thereby obtain authorization for the algorithm library. As shown in Fig. 8, public key A is stored in the algorithm library and the encrypted information is stored in the dongle; the encrypted information is decrypted with public key A without any involvement of private key A, and the public key B randomly generated by the dongle is used to complete the authorization verification of the algorithm library. Using the key pair B randomly generated inside the dongle optimizes the dongle's security encryption mechanism and reduces the risk of keys and sensitive data being exposed externally; because the generation of key pair B takes place entirely inside the dongle, it is difficult for an attacker to obtain the key information by software means, which improves security.
Key pair B is randomly generated by the dongle and is generally stored in the dongle's secure memory area or in a dedicated key storage area inside the dongle. After the dongle is opened, the key data in this area cannot be accessed directly; it can only be used by calling the encryption and decryption functions that the dongle provides, which ensures the security of key pair B. Public key B is used as part of the plaintext, which is encrypted with private key A to form the encrypted information. Public key A, stored in the algorithm library, decrypts the encrypted information to recover the public key B in the plaintext, and the recovered public key B is then used to decrypt the data produced by encrypting random number X with private key B, that is, the encrypted information of random number X. Encrypting the plaintext containing public key B with private key A increases the difficulty of attack, because only the public key A in the algorithm library recovers the correct public key B. If an attacker decrypts the ciphertext with some other public key C, the correct public key B is not recovered, and an incorrect public key B cannot recover the correct random number X, so the random number verification cannot be passed. This ensures the validity and reliability of the algorithm library authorization.
Even if the dongle is cracked and private key B is obtained, the authorization verification of the algorithm library cannot be completed: the ciphertext stored in the dongle's private memory area was encrypted with private key A, so public key A is needed to decrypt it, and public key A is stored in the algorithm library rather than in the dongle. The algorithm library must therefore also be cracked to obtain public key A, which greatly increases the difficulty for an attacker and ensures the validity of dongle-based algorithm library authorization.
As a further improvement of this embodiment, if the plaintext further includes one or more of algorithm vendor information and a dongle unique identifier UID, the method further includes: S213, verifying one or more of the algorithm vendor information and the dongle unique identifier UID; if the verification succeeds, the random number verification continues; if it fails, authorization to execute the algorithm library is refused.
The plaintext may include the algorithm vendor information and the dongle unique identifier UID individually or both together. Taking the case where both are added to the plaintext as an example, as shown in Fig. 4, S213 verifies the algorithm vendor information and the dongle unique identifier UID; if both are verified successfully, the process continues; if either verification fails, authorization to execute the algorithm library is refused.
The algorithm vendor information and public key A are stored in the algorithm library; after the algorithm vendor delivers the dongle and the algorithm library to the customer, the algorithm vendor information can be obtained for verification by opening the algorithm library. By opening the dongle and reading its private memory area, the encrypted information stored there is obtained; the content of the encrypted information is unknown to the customer, which further strengthens the validity of dongle-based algorithm library authorization.
When dongles are produced, each dongle has its own unique identifier UID, namely the dongle's unique chip serial number. When the dongle is delivered to the customer, it provides a function for obtaining the dongle's unique identifier UID, and the user obtains the UID by opening the dongle and calling this function. The storage location of the UID is known to the dongle and not to the user, so verifying the dongle's unique identifier UID further increases the difficulty for an attacker, thereby ensuring the validity of the algorithm library authorization.
Example 4
This embodiment provides a dongle-based algorithm library authorization system, as shown in Fig. 5, including:
A decryption module, used to obtain the encrypted information in the dongle, obtain public key A stored in the algorithm library, and decrypt the encrypted information with public key A to obtain the plaintext;
A random number acquisition module, used to obtain a random number X randomly generated by the algorithm library, and to obtain a random number Y that the algorithm library produces by decrypting the encrypted information of the random number X with public key B from the plaintext; the encrypted information of the random number X is produced by the dongle, which receives the random number X randomly generated by the algorithm library and encrypts it with private key B;
A random number verification module, used to determine whether the random number X and the random number Y are consistent; if so, the verification succeeds and the algorithm library authorization is obtained; if not, the verification fails and the algorithm library authorization is refused.
The system of this embodiment does not need to store private key A, which avoids the security risk of the dongle being cracked. Through the decryption module, the random number acquisition module and the random number verification module, the system makes use of the key pair B randomly generated inside the dongle and improves the dongle's security encryption mechanism. This reduces the risk of keys and sensitive data being exposed outside the dongle: because the encryption process is completed entirely inside the dongle, an attacker cannot obtain the key information by software means, so security is improved. Even if the dongle is cracked and private key B is obtained, the authorization verification of the algorithm library still cannot be completed. The ciphertext stored in the private memory area of the dongle is encrypted with private key A, so public key A is required to decrypt it, and public key A is stored in the algorithm library, not in the dongle. The algorithm library must therefore also be cracked to obtain public key A, which greatly increases the difficulty of cracking and ensures the validity of the dongle-based algorithm library authorization.
As a further improvement of the technical solution of this embodiment, the system further comprises a plaintext verification module, which is used to verify one or more of the algorithm manufacturer information and the dongle unique identifier UID; if the verification succeeds, the random number verification module continues to execute, and if the verification fails, the algorithm library authorization is refused. Adding this verification step further improves the reliability of the system and ensures the effectiveness of the dongle-based algorithm library authorization system.
Example 5
An algorithm manufacturer generates a pair of RSA2048 public and private keys A. Public key A is stored in the algorithm library, which is delivered to the client; public key A is used to decrypt the ciphertext and thereby complete the authorization verification of the algorithm library. Private key A is stored in the dongle burning software, which is used only by the algorithm manufacturer to burn dongles and is not provided to clients.
The algorithm manufacturer uses the burning software to carry out the dongle burning procedure as follows:
1. Open the dongle and obtain the dongle unique identifier, namely the unique chip serial number (UID) of the dongle;
2. The dongle randomly generates a pair of RSA2048 public and private keys B;
3. Construct plaintext C, where plaintext C is public key B + algorithm manufacturer information + dongle unique identifier UID;
4. Encrypt plaintext C with private key A to generate ciphertext D;
5. Write ciphertext D into the private memory area of the dongle.
Once the dongle burning procedure is finished, the dongle and the algorithm library can be provided to the client.
After receiving the dongle and the algorithm library, the client carries out the algorithm library authorization verification procedure:
1. Open the dongle, obtain ciphertext D stored in the private memory area of the dongle, and obtain the dongle unique identifier UID;
The algorithm library calls the dongle's function for reading the private memory to obtain ciphertext D from the private memory and the dongle unique identifier UID, without the client's knowledge. Public key A and the algorithm manufacturer information are stored in the algorithm library and are unknown to the client. The dongle contains public key B and private key B.
2. Decrypt ciphertext D with public key A in the algorithm library to obtain plaintext C, where C is public key B + algorithm manufacturer information + dongle unique identifier UID;
3. Verify the algorithm manufacturer information and the dongle unique identifier UID;
4. The algorithm library generates a random number X and sends it to the dongle;
5. The dongle encrypts the random number X with private key B to generate encrypted information E;
6. The algorithm library decrypts the encrypted information E with public key B obtained in step 2 to obtain a random number Y;
7. The algorithm library compares the random number X with the random number Y; if they match, the algorithm library authorization verification passes.
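The burning and verification procedures above, as an added Go example (not code from the patent or its assignees). Plaintext C contains a 2048-bit public key B and so cannot fit in a single RSA-2048 block; the example therefore substitutes the standard form of "encrypt with the private key, decrypt with the public key", an RSA PKCS#1 v1.5 signature over SHA-256, and stores C beside its signature in D. The `Dongle` type, the JSON record layout and the sample vendor and UID strings are assumptions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Dongle is a software stand-in for the hardware (hypothetical type); private key B is used only via Respond.
type Dongle struct {
	uid, mem []byte // mem is the private memory area that holds record D
	keyB     *rsa.PrivateKey
}

// plaintextC is C from the page; recordD is D, here C plus a signature made with private key A (assumed layout).
type plaintextC struct{ PubB, Vendor, UID []byte }
type recordD struct{ C, Sig []byte }

// NewVendorKey creates key pair A on the manufacturer side (RSA-2048).
func NewVendorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewDongle creates a dongle that generates its own key pair B (burning step 2).
func NewDongle(uid string) (*Dongle, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Dongle{uid: []byte(uid), keyB: k}, nil
}

// sign and verify are the private-key and public-key operations, applied to SHA-256(msg).
func sign(k *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])
}
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Respond answers challenge X with private key B inside the dongle (verification step 5).
func (d *Dongle) Respond(x []byte) ([]byte, error) { return sign(d.keyB, x) }

// Burn is the manufacturer's burning procedure (steps 3-5): build C, protect it with private key A, store D.
func Burn(d *Dongle, privA *rsa.PrivateKey, vendor string) error {
	c, err := json.Marshal(plaintextC{x509.MarshalPKCS1PublicKey(&d.keyB.PublicKey), []byte(vendor), d.uid})
	if err != nil {
		return err
	}
	sig, err := sign(privA, c)
	if err != nil {
		return err
	}
	d.mem, err = json.Marshal(recordD{c, sig})
	return err
}

// Authorize is the algorithm library's verification procedure (steps 1-7); nil means authorized.
func Authorize(d *Dongle, pubA *rsa.PublicKey, vendor string) error {
	var rec recordD
	var c plaintextC
	if json.Unmarshal(d.mem, &rec) != nil || !verify(pubA, rec.C, rec.Sig) {
		return errors.New("record D was not produced with private key A")
	}
	if json.Unmarshal(rec.C, &c) != nil || !bytes.Equal(c.Vendor, []byte(vendor)) || !bytes.Equal(c.UID, d.uid) {
		return errors.New("plaintext C malformed, or manufacturer information or UID mismatch")
	}
	pubB, err := x509.ParsePKCS1PublicKey(c.PubB)
	if err != nil {
		return err
	}
	x := make([]byte, 32) // fresh random challenge X
	if _, err := rand.Read(x); err != nil {
		return err
	}
	if e, err := d.Respond(x); err != nil || !verify(pubB, x, e) {
		return errors.New("challenge response does not match public key B")
	}
	return nil
}

func main() {
	privA, errA := NewVendorKey()
	d, errD := NewDongle("UID-0001") // constructed sample UID
	if errA != nil || errD != nil || Burn(d, privA, "ExampleVendor") != nil {
		panic("setup failed")
	}
	fmt.Println("genuine dongle:", Authorize(d, &privA.PublicKey, "ExampleVendor"))
	if clone, err := NewDongle("UID-0001"); err == nil {
		clone.mem = d.mem // record D copied to a device with a different key pair B
		fmt.Println("copied record: ", Authorize(clone, &privA.PublicKey, "ExampleVendor"))
	}
}
```

A record copied to another device fails at the challenge step because that device cannot answer with the private key B named in C, and a record produced with any key other than private key A fails at the first check.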
Example 6
This embodiment provides a dongle-based algorithm library authorization device, which comprises: one or more processors; and a memory for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to perform the method of any of embodiments 1 or 3 above; or, the device is used for installing the system according to any one of embodiments 2 or 4.
Further, the present embodiment provides a storage medium storing a computer program which, when executed by a processor, implements the method according to any one of the above embodiments 1 or 3.
Fig. 6 is a schematic structural diagram of an algorithm library authorization device based on a dongle according to an embodiment of the present invention.
As shown in Fig. 6, as another aspect, the present application also provides an apparatus 500 including one or more Central Processing Units (CPUs) 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The RAM 503 also stores various programs and data required for the operation of the apparatus 500. The CPU 501, ROM 502, and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output section 507 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed, so that a computer program read from it is installed into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the method described in any of the above embodiments may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method described in any of the embodiments above. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 509, and/or installed from the removable medium 511.
As still another aspect, the present application also provides a computer-readable storage medium, which may be a computer-readable storage medium contained in the apparatus of the above-described embodiment; or may be a computer-readable storage medium, alone, that is not assembled into a device. The computer-readable storage medium stores one or more programs for use by one or more processors in performing the methods described herein.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules involved in the embodiments of the present application may be implemented in software or in hardware. The described units or modules may also be provided in a processor; for example, each unit may be a software program provided in a computer or a mobile smart device, or may be a separately configured hardware device. In some cases, the names of the units or modules do not constitute a limitation on the units or modules themselves.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. Such program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system that overcomes the defects of high management difficulty and weak service scalability found in traditional physical hosts and VPS ("Virtual Private Server") services. The server may also be a server of a distributed system or a server that incorporates a blockchain.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved; no limitation is imposed herein.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the application is not limited to the specific combinations of the technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the spirit of the application, for example, technical solutions formed by replacing the above features with (but not limited to) technical features having similar functions disclosed in the present application.

Claims (10)

1. A dongle-based algorithm library authorization encryption method, executed by an algorithm manufacturer, characterized in that it includes:
S101. Obtaining public key B of the public-private key pair B randomly generated by the dongle;
S102. Constructing a plaintext that includes public key B;
S103. Obtaining private key A of the public-private key pair A generated by the algorithm manufacturer;
S104. Encrypting the plaintext with private key A to generate encrypted information;
S105. Writing the encrypted information into the private memory area of the dongle;
wherein public key A is stored in the algorithm library.

2. The dongle-based algorithm library authorization encryption method according to claim 1, characterized in that if the plaintext further includes one or more of the algorithm manufacturer information and the dongle unique identifier UID, then before step S102 the method further includes: obtaining one or more of the algorithm manufacturer information and the dongle unique identifier UID.

3. The dongle-based algorithm library authorization encryption method according to claim 1, characterized in that the encryption algorithm used for the public-private key pair A generated by the algorithm manufacturer and the encryption algorithm used for the public-private key pair B randomly generated by the dongle are one or more of the RSA algorithm, the ECC algorithm and the DSA algorithm.

4. A dongle-based algorithm library authorization encryption system, located at the terminal of an algorithm manufacturer, characterized in that it includes:
a plaintext construction module, used to obtain public key B of the public-private key pair B randomly generated by the dongle and to construct a plaintext that includes public key B;
an encryption module, used to obtain private key A of the public-private key pair A generated by the algorithm manufacturer and to encrypt the plaintext with private key A to generate encrypted information;
a dongle storage module, used to write the encrypted information into the private memory area of the dongle;
an algorithm library storage module, used to obtain public key A of the public-private key pair A generated by the algorithm manufacturer and to store public key A in the algorithm library.

5. The dongle-based algorithm library authorization encryption system according to claim 4, characterized in that the plaintext construction module is further used to obtain one or more of the algorithm manufacturer information and the dongle unique identifier UID and to construct a plaintext that includes public key B and one or more of the algorithm manufacturer information and the dongle unique identifier UID; and the algorithm library storage module is further used to obtain the algorithm manufacturer information and store it in the algorithm library.

6. A dongle-based algorithm library authorization method, characterized in that it includes:
S201. Obtaining the encrypted information in the dongle;
S202. Obtaining public key A stored in the algorithm library;
S203. Decrypting the encrypted information with public key A to obtain the plaintext;
S204. Obtaining a random number X randomly generated by the algorithm library;
S205. Obtaining a random number Y that the algorithm library produces by decrypting the encrypted information of the random number X with public key B from the plaintext;
S206. Determining whether the random number X and the random number Y are consistent; if so, the verification succeeds and the algorithm library authorization is obtained; if not, the verification fails and the algorithm library authorization is refused;
wherein the encrypted information of the random number X is produced by the dongle, which receives the random number X randomly generated by the algorithm library and encrypts it with private key B.

7. The dongle-based algorithm library authorization method according to claim 6, characterized in that if the plaintext further includes one or more of the algorithm manufacturer information and the dongle unique identifier UID, the method further includes:
S213. Verifying one or more of the algorithm manufacturer information and the dongle unique identifier UID; if the verification succeeds, the random number verification continues; if the verification fails, the algorithm library authorization is refused.

8. A dongle-based algorithm library authorization system, characterized in that it includes:
a decryption module, used to obtain the encrypted information in the dongle, obtain public key A stored in the algorithm library, and decrypt the encrypted information with public key A to obtain the plaintext;
a random number acquisition module, used to obtain a random number X randomly generated by the algorithm library, and to obtain a random number Y that the algorithm library produces by decrypting the encrypted information of the random number X with public key B from the plaintext; wherein the encrypted information of the random number X is produced by the dongle, which receives the random number X randomly generated by the algorithm library and encrypts it with private key B;
a random number verification module, used to determine whether the random number X and the random number Y are consistent; if so, the verification succeeds and the algorithm library authorization is obtained; if not, the verification fails and the algorithm library authorization is refused.

9. The dongle-based algorithm library authorization system according to claim 8, characterized in that it further includes a plaintext verification module, used to verify one or more of the algorithm manufacturer information and the dongle unique identifier UID; if the verification succeeds, the random number verification module continues to execute; if the verification fails, the algorithm library authorization is refused.

10. A dongle-based algorithm library authorization device, characterized in that it is used to execute or store the method described in any one of claims 1-3 and 6-7, or to install the system described in any one of claims 4, 5, 8 and 9.
CN202411098219.XA 2024-08-12 2024-08-12 Algorithm library authorization and encryption method, system and device based on encryption dog Active CN118611876B (en)


Publications (2)

Publication Number Publication Date
CN118611876A CN118611876A (en) 2024-09-06
CN118611876B true CN118611876B (en) 2024-11-12

Family

ID=92548564




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant