[go: up one dir, main page]

CN119106414A - Key protection method, system, device and storage medium for software cryptographic module - Google Patents

Key protection method, system, device and storage medium for software cryptographic module Download PDF

Info

Publication number
CN119106414A
CN119106414A CN202310669128.6A CN202310669128A CN119106414A CN 119106414 A CN119106414 A CN 119106414A CN 202310669128 A CN202310669128 A CN 202310669128A CN 119106414 A CN119106414 A CN 119106414A
Authority
CN
China
Prior art keywords
key
password
protection
user
user password
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310669128.6A
Other languages
Chinese (zh)
Inventor
尹一桦
石元兵
帅军军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronics Technology Network Security Technology Co ltd
Original Assignee
China Electronics Technology Network Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electronics Technology Network Security Technology Co ltd filed Critical China Electronics Technology Network Security Technology Co ltd
Priority to CN202310669128.6A priority Critical patent/CN119106414A/en
Publication of CN119106414A publication Critical patent/CN119106414A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a key protection method, a system, equipment and a storage medium of a software cryptographic module, belonging to the technical field of information security technology. The key protection method of the software password module comprises the steps of receiving a user password, judging whether the user password is correct or not, if yes, collecting biological characteristics of a user, obtaining local hardware characteristics of equipment where the software password module is located, performing key derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and protecting a protection key by using the root key, wherein the protection key is used for protecting target data. The application can improve the safety of the software cryptographic module and avoid information leakage.

Description

Key protection method, system, equipment and storage medium for software cryptographic module
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, a system, an apparatus, and a storage medium for protecting a key of a software cryptographic module.
Background
The cryptographic technology is a basic stone of information security, how to guarantee safe and efficient cryptographic computing capability is a ring of vital importance for guaranteeing information security, and careful design of a cryptographic computing security protection model is needed to reduce leakage and tampering risks of important computing parameters such as keys, sensitive parameters and the like caused by a storage environment and a computing process, so that the cryptographic module can provide expected security computing service for applications.
Cryptographic techniques are increasingly important and widely used in a variety of applications. Products that provide cryptographic computing functionality include various types of cryptographic machines, cryptographic cards, cryptographic chips, and software and hardware cryptographic modules. The software cryptographic module has the irreplaceable advantages of flexible use, convenient operation, low cost and the like, and is popular.
The existing mainstream software cryptographic module products lack protection of hardware, run in an unreliable semi-honest computing environment, and lack reasonable and reliable security protection model design, so that root keys are in a weak security protection state, and further other working keys and sensitive parameters in the software cryptographic module are in leakage and tampered risks.
Therefore, how to improve the security of the software cryptographic module and avoid information leakage is a technical problem that needs to be solved by those skilled in the art at present.
Disclosure of Invention
The application aims to provide a key protection method of a software cryptographic module, a key protection system of the software cryptographic module, a data decryption method of the software cryptographic module, electronic equipment and a storage medium, which can improve the security of the software cryptographic module and avoid information leakage.
In order to solve the technical problems, the application provides a key protection method of a software cryptographic module, which comprises the following steps:
receiving a user password and judging whether the user password is correct or not;
If yes, acquiring biological characteristics of a user, and acquiring local hardware characteristics of equipment where the software cryptographic module is located;
performing key derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key;
And protecting the protection key by using the root key, wherein the protection key is used for protecting the target data.
Optionally, collecting the biological characteristics of the user includes:
collecting facial images, fingerprint images, sound information and gesture information of the user;
And extracting features of the face image, the fingerprint image, the sound information and the gesture information to obtain the biological features.
Optionally, the method further comprises:
After protecting the protection key with the root key, the root key is deleted.
Optionally, after deleting the key generation factor and the root key, the method further includes:
If a data decryption request is received, receiving the user password and judging whether the user password is correct or not;
If yes, acquiring the biological characteristics of the user, and performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain the root key;
and decrypting the protection key by using the root key, and decrypting the target data by using the decrypted protection key.
Optionally, performing key derivative calculation by using the user password, the biometric feature and the local hardware feature to obtain a root key, including:
and performing digest calculation on the user password, the biological characteristics and the local hardware characteristics to obtain a 256-bit hash value, and performing key derivative calculation by using the hash value to obtain the root key.
The application provides a data decryption method of a software cryptographic module, which comprises the following steps:
If a data decryption request is received, receiving the user password and judging whether the user password is correct or not;
If yes, acquiring biological characteristics of a user, and acquiring local hardware characteristics of equipment where the software cryptographic module is located;
performing key derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain the root key;
and decrypting the protection key by using the root key, and decrypting the target data by using the decrypted protection key.
The application also provides a key protection system of the software cryptographic module, which comprises:
The password receiving module is used for receiving the user password and judging whether the user password is correct or not;
the feature acquisition module is used for acquiring the biological features of the user if the user password is correct, and acquiring the local hardware features of the equipment where the software password module is located;
the derivative calculation module is used for carrying out key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain a root key;
and the key protection module is used for protecting a protection key by utilizing the root key, wherein the protection key is used for protecting target data.
The application also provides a data decryption system of the software cryptographic module, which comprises:
The password verification module is used for receiving the user password if a data decryption request is received, and judging whether the user password is correct or not;
The feature acquisition module is used for acquiring the biological features of the user if the user password is correct and acquiring the local hardware features of the equipment where the software password module is located;
The root key calculation module is used for performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain the root key;
and the decryption module is used for decrypting the protection key by using the root key and decrypting the target data by using the decrypted protection key.
The application also provides a storage medium, on which a computer program is stored, which when executed implements the key protection method of the software cryptographic module or the steps executed by the data decryption method of the software cryptographic module.
The application also provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the key protection method of the software cryptographic module or the step executed by the data decryption method of the software cryptographic module when calling the computer program in the memory.
The application provides a key protection method of a software cryptographic module, which comprises the steps of receiving a user password, judging whether the user password is correct or not, if yes, collecting biological characteristics of a user, obtaining local hardware characteristics of equipment where the software cryptographic module is located, performing key derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and protecting a protection key by using the root key, wherein the protection key is used for protecting target data.
After the user password is verified to be correct, the application collects the biological characteristics and the local hardware characteristics of the user, carries out password derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and is accessed to protect the protection key by utilizing the root key. The biological characteristics have the characteristics of difficult counterfeiting, and the characteristics of easy use and high safety are combined with the password technology. The embodiment utilizes three factors of the user password, the biological characteristics and the local hardware characteristics to jointly generate the root key, can avoid the safety risk caused by the loss of the user password, and reduces the key attack caused by information leakage. The application can improve the safety of the software cryptographic module and avoid information leakage. The application also provides a key protection system of the software cryptographic module, a data decryption method of the software cryptographic module, an electronic device and a storage medium.
Drawings
For a clearer description of embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described, it being apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a flowchart of a method for protecting a key of a software cryptographic module according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a software cryptographic module key protection model based on biological characteristics according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a key protection system of a software cryptographic module according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flowchart of a key protection method of a software cryptographic module according to an embodiment of the application.
The specific steps may include:
S101, receiving a user password, judging whether the user password is correct or not, if so, entering S102, otherwise, ending the flow;
the embodiment can be applied to a software cryptographic module. Before the step, the operation of inputting the user password on the software password module by the user can exist, the user password is compared with the pre-stored standard password, if the user password is consistent, the user password is judged to be correct, and if the user password is inconsistent, the user password is judged to be incorrect.
S102, acquiring biological characteristics of a user, and acquiring local hardware characteristics of equipment where the software cryptographic module is located;
The device where the software password module is located is provided with a plurality of biological feature collection devices, such as an infrared camera, a temperature sensor, a microphone, fingerprint collection equipment and the like, and the biological feature collection devices can be started on the basis that the password of the user is correct, so that the biological features of the user can be collected. Furthermore, the embodiment may further obtain local hardware features of the device where the software cryptographic module is located, such as an IP address, a MAC address, a device serial number, and the like.
S103, performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain a root key;
the embodiment can perform key derivative calculation based on the user password, the biological characteristics and the local hardware characteristics to generate a root key. Specifically, in this embodiment, the user password, the biometric feature and the local hardware feature may be subjected to digest calculation to obtain a 256-bit hash value, and the hash value is used to perform key derivation calculation to obtain the root key.
And S104, protecting a protection key by utilizing the root key, wherein the protection key is used for protecting target data.
The software cryptographic module is provided with a protection key, the user of the protection key protects the target data, and the protection key can be encrypted by using the root key to realize protection of the protection key.
As a possible implementation manner, the target data includes a user key sensitive parameter and a public sensitive parameter, the protection key includes a user protection key for protecting the user key sensitive parameter and a public protection key for protecting the public sensitive parameter, and the root key may protect the user protection key and the public protection key respectively.
Further, after the protection key is protected by the root key, the root key may be deleted to improve security of the software cryptographic module.
After verifying that the user password is correct, the embodiment collects the biological characteristics and the local hardware characteristics of the user, performs password derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and accesses the root key to protect the protection key. The biological characteristics have the characteristics of difficult counterfeiting, and the characteristics of easy use and high safety are combined with the password technology. The embodiment utilizes three factors of the user password, the biological characteristics and the local hardware characteristics to jointly generate the root key, can avoid the safety risk caused by the loss of the user password, and reduces the key attack caused by information leakage. The embodiment can improve the safety of the software cryptographic module and avoid information leakage.
As a further introduction to the corresponding embodiment of FIG. 1, the biometric feature of the user may be obtained by capturing a facial image, a fingerprint image, sound information, and gesture information of the user, and performing feature extraction on the facial image, the fingerprint image, the sound information, and the gesture information. Facial features and iris features can be obtained by feature extraction of facial images, fingerprint features and vascular (finger vein) features can be obtained by feature extraction of fingerprint images, voiceprint features can be obtained by feature extraction of sound information, and hand gesture features can be obtained by feature extraction of gesture information.
As a further introduction to the corresponding embodiment of fig. 1, the root key may be deleted after protecting the protection key with the root key. After deleting the key generation factor and the root key, if a data decryption request is received, receiving the user password, judging whether the user password is correct, if so, collecting the biological characteristics of the user, performing key derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain the root key, decrypting the protection key by using the root key, and decrypting the target data by using the decrypted protection key.
The embodiment of the application also provides a data decryption method of the software cryptographic module, which comprises the steps of receiving the user password and judging whether the user password is correct or not if the data decryption request is received, collecting the biological characteristics of a user and obtaining the local hardware characteristics of equipment where the software cryptographic module is located if the user password is correct, performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain the root key, decrypting the protection key by utilizing the root key, and decrypting the target data by utilizing the decrypted protection key.
After verifying that the user password is correct, the embodiment collects the biological characteristics and the local hardware characteristics of the user, performs password derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and decrypts the protection key by accessing the root key so as to decrypt the target data by using the decrypted protection key. The biological characteristics have the characteristics of difficult counterfeiting, and the characteristics of easy use and high safety are combined with the password technology. The embodiment utilizes three factors of the user password, the biological characteristics and the local hardware characteristics to jointly generate the root key, can avoid the safety risk caused by the loss of the user password, and reduces the key attack caused by information leakage. The embodiment can improve the safety of the software cryptographic module, can also improve the safety of the data decryption process, and avoids information leakage.
The embodiment provides a data decryption process of a software cryptographic module, and the key encryption process can also exist before the process, wherein the key encryption process comprises the steps of receiving a user password, judging whether the user password is correct, collecting biological characteristics of a user, acquiring local hardware characteristics of equipment where the software cryptographic module is located, performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain a root key, encrypting target data by utilizing a protection key, and encrypting the protection key by utilizing the root key.
The flow described in the above embodiment is explained below by way of an embodiment in practical application.
The security development of the network space is maintained, so that the penetration attack frequently occurring in the network space is relieved, and the security risk brought by the new business form under the digital development background is solved. The existing mainstream software cryptographic module products run in an unreliable and semi-honest computing environment due to lack of hardware protection, and lack of reasonable and reliable security protection model design, so that a root key is in a weak security protection state, and further other working keys and sensitive parameters in the software cryptographic module are in leakage and tampered risks. Therefore, how to design a convenient and safe key protection model and protection method solves the potential safety hazard of the root key of the software cryptographic module, meets the strong commercial computing security requirement of the market, and becomes the main difficult problem for restricting the development of the software cryptographic module at present.
At present, a common method for solving the security of a root key of a software cryptographic module mainly comprises the following steps:
the method 1 comprises the steps of hiding a root key of a software cryptographic module;
The method has the defects that the hidden security is almost 0 in the local simple mode, an attacker can easily find the hidden root key and recover the encrypted and protected data, and the data is leaked or tampered.
Mode 2, confusing and covering the root key by using the password, thereby realizing a protection mechanism;
the disadvantage of the above approach is that its security is actually based on the confidentiality of the password and the confidentiality of the confusion algorithm, because of the easy aggressiveness of the password, resulting in a lower security of the method.
Mode 3, a mechanism for protecting by using the security storage capacity provided by the host processor;
The method has the defects of higher requirements on hardware such as a CPU (Central processing Unit) or a GPU (graphics processing Unit) of a host machine, high requirements on the running hardware environment, high manufacturing cost and safety and reliability depending on the safety of the hardware.
Mode 4, a mechanism based on key threshold technology;
The method has the defects that the normal operation of the software cryptographic module depends on the background, when the network environment is unstable or the background is attacked, the normal operation of the software cryptographic module can not be effectively ensured, and meanwhile, because cooperative work is needed, the necessary network overhead is generated, and the efficiency is lower.
Therefore, the prior related technology has the defects of too weak safety, incapability of ensuring self safety when providing password computing service outwards, dangerous overflow, too high requirement on hardware, expensive counterfeiting, use field Jing Shouxian and challenge the safety of the hardware, or too complex principle mechanism, difficult realization, low efficiency and unsatisfactory realization. The current safety situation of the software cryptographic module causes that most of products in the market cannot obtain higher safety certification qualification, and because the potential safety hazard is larger, the requirements of equal protection and secret assessment are difficult to meet, and the products cannot be really applied in a large scale.
At present, common methods for solving the security problem of the root key by using the software cryptographic module comprise hiding, confusion, segmentation and preservation, joint calculation and use and other modes. The protection mechanism is either too weak in security or too high in hardware requirement or too complex and low in efficiency, and various disadvantages exist. The embodiment summarizes and analyzes the advantages and disadvantages of the prior art, and combines biological characteristics and cryptographic techniques to provide a security enhancement technique for a software cryptographic module.
Unlike cipher machine, cipher card, cipher chip and other hardware cipher module with natural safe hardware storage environment, the software cipher module has sensitive parameters, especially root key stored in one un-trusted and vulnerable dishonest environment, because of lacking the safety protection of hardware equipment. In modern cryptography theory, the security of an information system is mainly due to the protection of keys, not to algorithmic confidentiality or otherwise. Therefore, to solve the security of the software cryptographic module, the security problem of the secret key of the software cryptographic module is solved first, and only after the security of the software cryptographic module is ensured, the security of other applications using the cryptographic service provided by the software cryptographic module can be ensured by the secret key.
The embodiment combines biological characteristics and a cryptographic technology to provide a security enhancement technology of a software cryptographic module, which is used for solving the problems of 1) the problem of the prominent secure storage of a root key of the software cryptographic module due to lack of a hardware protection environment, 2) the problem of the possible security attack of the software cryptographic module due to loss and theft, and 3) meeting the requirements of convenience and security.
The embodiment provides a software cryptographic module security enhancement technology based on biological characteristics in a semi-honest environment easy to attack. The technology mainly fuses biological characteristics of human fingerprints, faces, voiceprints, irises, blood vessels and the like with cryptographic technologies, and provides a technical idea of protecting a root key and other sensitive parameters of a software cryptographic module, and the specific scheme is as follows:
Referring to fig. 2, fig. 2 is a schematic structural diagram of a software cryptographic module key protection model based on biological characteristics according to an embodiment of the present application, where the key protection model includes a sensitive parameter layer, a protection key layer, a root key layer and an acquisition computation layer. The fingerprint of the user can be acquired by using a capacitive or photoelectric fingerprint acquisition device at the acquisition and calculation layer, the facial image of the user can be acquired by using a facial recognition device (such as a camera), the voice of the user can be acquired by using a voice acquisition device (such as a microphone), and other characteristics (such as iris characteristics, gesture characteristics and the like) can be acquired by using other acquisition devices. And the biological characteristics can be obtained by realizing characteristic extraction and information coding through a characteristic extraction algorithm in an acquisition and calculation layer. The user password (i.e., user password) and the local hardware information (i.e., local hardware features) can also be obtained at the acquisition and computation layer. The root key layer can be derived from the root key, the protection key layer can store a user protection key and a public protection key which are protected by the root key, and the sensitive parameter layer is used for storing user key sensitive parameters protected by the user protection key and public sensitive parameters protected by the public protection key.
In the acquisition and calculation layer, the software cryptographic module acquires biological characteristics of a user, such as iris, voiceprint, fingerprint, facial features and the like through various biological characteristic acquisition devices, and calculates biological characteristic information of the user by giving a characteristic extraction algorithm, so that a key generation factor is formed through coding conversion, and meanwhile, in order to enhance the randomness and safety of the software cryptographic module, a user local password and user local hardware information can be respectively used as other additional key generation factors. And taking the key factor as input, and calculating and generating a software cryptographic module root key through a key derivative function conforming to the national cryptographic standard. At the protection key layer, there are various protection keys that are used separately for different purposes, and are used to protect the lowest layer of various different sensitive parameters, such as user sensitive parameters, public sensitive parameters, and the like. Finally, the software cryptographic module encrypts and protects the protection key through the root key, the protection key protects the sensitive parameters, and a complete protection chain is formed, so that the endophytic safety of the software cryptographic module is ensured.
When in use, the software cryptographic module can recover the master key and decrypt the relevant sensitive parameters according to the following procedures:
step 1, a user inputs a correct user password, and a software password module compares the user password to obtain a first password generating factor after success;
And 2, after the password comparison is successful, the software password module collects biological characteristics such as the face, the fingerprint or the sound, the gesture and the like of the user. And extracting the characteristic value, and calculating to obtain a second password generation factor.
And 3, the software password module acquires a local hardware factor and acquires a third password generation factor.
And 4, the software password module takes the first password generation factor, the second password generation factor and the third password generation factor as input to temporarily calculate the root key.
And 5, decrypting the protection key by using the root key, and destroying the calculated root key.
And 6, unlocking the sensitive parameters needed to be used by using the protection key.
Based on the personalized characteristic information such as biological characteristics, user passwords, local hardware and the like as input, the principle of generating a root key by combining the password technology is as follows:
(a) The biological feature extraction information codes to obtain bio-s, a user password P and a local hardware feature L;
(b) Summarizing the biometric feature, the user password, the local hardware feature, generating a 256-bit HASH value H, h=hash (bio-s|p||l);
(c) Key derivation, key=kdf (H, L, C, dlen), where KDF is the Key derivation function, C is the number of iterations greater than 1024, and Dlen is the length of the derived Key.
(D) And encrypting the protection data by using a derivative Key, wherein E_M=SM4 ECB (Key, M), E_M is an encrypted message, key is the derivative Key, and M is the message plaintext.
The embodiment provides a root key derivative calculation method based on biological characteristics and other local personalized data, provides a key security protection layer for protecting user sensitive information through a root key and a protection key, and provides a method for recovering the root key and encrypted data by extracting the biological characteristics and combining other personalized data. Compared with the traditional accessory processing mode, the embodiment has the advantages that 1) a root key is calculated based on identity characteristics temporarily when a user logs in, and is destroyed immediately after logging in, the root key is not required to be stored in an unsafe environment, the risk of key leakage caused by storage environment problems is avoided, 2) the user logs in by using passwords and identity characteristics each time, the possible safety risk caused by password loss is avoided, 3) a safe key protection layer is formed through a scientific and reasonable key protection model, 4) various personalized data such as passwords, local environment characteristic information and the like are introduced in addition to biological characteristics, the possible key attack caused by key material leakage is reduced, 5) a background storage key is not required, the key leakage in the background storage process and the background storage process is avoided, 6) background joint calculation is not required, the bottleneck of centralized service is avoided, the efficiency is relatively high, and 7) the characteristics of being natural in biological characteristics and being not easy to use and high in safety are combined with a password technology.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a key protection system of a software cryptographic module according to an embodiment of the present application;
the system may include:
a password receiving module 301, configured to receive a user password and determine whether the user password is correct;
the feature collection module 302 is configured to collect a biological feature of a user if the user password is correct, and obtain a local hardware feature of a device where the software password module is located;
a derivative calculation module 303, configured to perform key derivative calculation by using the user password, the biometric feature, and the local hardware feature, to obtain a root key;
and the key protection module 304 is configured to protect a protection key by using the root key, where the protection key is used to protect the target data.
In the embodiment, after the user password is correct, the biological characteristics and the local hardware characteristics of the user are acquired, the user password, the biological characteristics and the local hardware characteristics are utilized to carry out password derivative calculation to obtain a root key, and the root key is accessed to protect the protection key. The biological characteristics have the characteristics of difficult counterfeiting, and the characteristics of easy use and high safety are combined with the password technology. The embodiment utilizes three factors of the user password, the biological characteristics and the local hardware characteristics to jointly generate the root key, can avoid the safety risk caused by the loss of the user password, and reduces the key attack caused by information leakage. The embodiment can improve the safety of the software cryptographic module and avoid information leakage.
Further, the process of collecting the biological characteristics of the user by the characteristic collection module 302 includes collecting facial images, fingerprint images, sound information and gesture information of the user, and extracting characteristics of the facial images, the fingerprint images, the sound information and the gesture information to obtain the biological characteristics.
Further, the method further comprises the following steps:
And the root key destruction module is used for deleting the root key after protecting the protection key by utilizing the root key.
Further, the method further comprises the following steps:
the decryption module is used for receiving the user password and judging whether the user password is correct or not if a data decryption request is received after deleting the key generation factor and the root key, collecting the biological characteristics of the user and performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain the root key if the user password is correct, and decrypting the protection key by utilizing the root key and decrypting the target data by utilizing the decrypted protection key.
Further, the deriving calculation module 303 performs a key derivation calculation to obtain a root key by using the user password, the biometric feature and the local hardware feature, and includes performing a digest calculation to obtain a 256-bit hash value, and performing a key derivation calculation to obtain the root key by using the hash value.
The data decryption system of the software cryptographic module provided by the embodiment of the application comprises:
The password verification module is used for receiving the user password if a data decryption request is received, and judging whether the user password is correct or not;
The feature acquisition module is used for acquiring the biological features of the user if the user password is correct and acquiring the local hardware features of the equipment where the software password module is located;
The root key calculation module is used for performing key derivative calculation by utilizing the user password, the biological characteristics and the local hardware characteristics to obtain the root key;
and the decryption module is used for decrypting the protection key by using the root key and decrypting the target data by using the decrypted protection key.
After verifying that the user password is correct, the embodiment collects the biological characteristics and the local hardware characteristics of the user, performs password derivative calculation by using the user password, the biological characteristics and the local hardware characteristics to obtain a root key, and decrypts the protection key by accessing the root key so as to decrypt the target data by using the decrypted protection key. The biological characteristics have the characteristics of difficult counterfeiting, and the characteristics of easy use and high safety are combined with the password technology. The embodiment utilizes three factors of the user password, the biological characteristics and the local hardware characteristics to jointly generate the root key, can avoid the safety risk caused by the loss of the user password, and reduces the key attack caused by information leakage. The embodiment can improve the safety of the software cryptographic module, can also improve the safety of the data decryption process, and avoids information leakage.
Since the embodiments of the system portion and the embodiments of the method portion correspond to each other, the embodiments of the system portion refer to the description of the embodiments of the method portion, which is not repeated herein.
The present application also provides a storage medium having stored thereon a computer program which, when executed, performs the steps provided by the above embodiments. The storage medium may include a U disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, etc. various media capable of storing program codes.
The application also provides an electronic device, which can comprise a memory and a processor, wherein the memory stores a computer program, and the processor can realize the steps provided by the embodiment when calling the computer program in the memory. Of course the electronic device may also include various network interfaces, power supplies, etc.
In the description, each embodiment is described in a progressive manner, and each embodiment is mainly described by the differences from other embodiments, so that the same similar parts among the embodiments are mutually referred. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the application can be made without departing from the principles of the application and these modifications and adaptations are intended to be within the scope of the application as defined in the following claims.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.

Claims (10)

1.一种软件密码模块的密钥保护方法,其特征在于,包括:1. A key protection method for a software cryptographic module, comprising: 接收用户密码,并判断所述用户密码是否正确;Receive a user password and determine whether the user password is correct; 若是,则采集用户的生物特征,并获取所述软件密码模块所在设备的本地硬件特征;If so, collecting the user's biometric features and obtaining the local hardware features of the device where the software password module is located; 利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到根密钥;Performing a key derivation calculation using the user password, the biometric feature, and the local hardware feature to obtain a root key; 利用所述根密钥对保护密钥进行保护;其中,所述保护密钥用于保护目标数据。The root key is used to protect the protection key, wherein the protection key is used to protect the target data. 2.根据权利要求1所述软件密码模块的密钥保护方法,其特征在于,所述采集用户的生物特征,包括:2. The key protection method of the software password module according to claim 1, characterized in that the collecting of the user's biometric features comprises: 采集所述用户的面部图像、指纹图像、声音信息和姿态信息;Collecting facial images, fingerprint images, voice information and posture information of the user; 对所述面部图像、所述指纹图像、所述声音信息和所述姿态信息进行特征提取,得到所述生物特征。Feature extraction is performed on the facial image, the fingerprint image, the sound information and the posture information to obtain the biological feature. 3.根据权利要求1所述软件密码模块的密钥保护方法,其特征在于,还包括:3. The key protection method of the software cryptographic module according to claim 1, characterized in that it also includes: 在利用所述根密钥对保护密钥进行保护之后,删除所述根密钥。After the protection key is protected by using the root key, the root key is deleted. 4.根据权利要求3所述软件密码模块的密钥保护方法,其特征在于,在删除所述密钥生成因子和所述根密钥之后,还包括:4. The key protection method of the software cryptographic module according to claim 3, characterized in that after deleting the key generation factor and the root key, it also includes: 若接收到数据解密请求,则接收所述用户密码,并判断所述用户密码是否正确;If a data decryption request is received, the user password is received and it is determined whether the user password is correct; 若是,则采集用户的生物特征,并利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到所述根密钥;If yes, collect the user's biometric features, and use the user password, the biometric features and the local hardware features to perform key derivation calculation to obtain the root key; 利用所述根密钥解密所述保护密钥,并利用解密后的所述保护密钥对所述目标数据进行解密。The protection key is decrypted using the root key, and the target data is decrypted using the decrypted protection key. 5.根据权利要求1所述软件密码模块的密钥保护方法,其特征在于,利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到根密钥,包括:5. The key protection method of the software password module according to claim 1, characterized in that the key derivation calculation is performed using the user password, the biometric feature and the local hardware feature to obtain the root key, comprising: 对所述用户密码、所述生物特征和所述本地硬件特征进行摘要计算,得到256比特的散列值,利用所述散列值进行密钥衍生计算,得到所述根密钥。A digest calculation is performed on the user password, the biometric feature and the local hardware feature to obtain a 256-bit hash value, and a key derivation calculation is performed using the hash value to obtain the root key. 6.一种软件密码模块的数据解密方法,其特征在于,包括:6. A method for decrypting data in a software cryptographic module, comprising: 若接收到数据解密请求,则接收所述用户密码,并判断所述用户密码是否正确;If a data decryption request is received, the user password is received and it is determined whether the user password is correct; 若是,则采集用户的生物特征,并获取所述软件密码模块所在设备的本地硬件特征;If so, collecting the user's biometric features and obtaining the local hardware features of the device where the software password module is located; 利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到所述根密钥;Performing a key derivation calculation using the user password, the biometric feature, and the local hardware feature to obtain the root key; 利用所述根密钥解密所述保护密钥,并利用解密后的所述保护密钥对所述目标数据进行解密。The protection key is decrypted using the root key, and the target data is decrypted using the decrypted protection key. 7.一种软件密码模块的密钥保护系统,其特征在于,包括:7. A key protection system for a software cryptographic module, comprising: 密码接收模块,用于接收用户密码,并判断所述用户密码是否正确;A password receiving module is used to receive a user password and determine whether the user password is correct; 特征采集模块,用于若所述用户密码正确,则采集用户的生物特征,并获取所述软件密码模块所在设备的本地硬件特征;A feature collection module, used to collect the user's biometric features if the user password is correct, and obtain the local hardware features of the device where the software password module is located; 衍生计算模块,用于利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到根密钥;A derivation calculation module, used to perform key derivation calculation using the user password, the biometric feature and the local hardware feature to obtain a root key; 密钥保护模块,用于利用所述根密钥对保护密钥进行保护;其中,所述保护密钥用于保护目标数据。A key protection module is used to protect a protection key using the root key; wherein the protection key is used to protect target data. 8.一种软件密码模块的数据解密系统,其特征在于,包括:8. A data decryption system of a software cryptographic module, characterized by comprising: 密码验证模块,用于若接收到数据解密请求,则接收所述用户密码,并判断所述用户密码是否正确;A password verification module, for receiving the user password and determining whether the user password is correct if a data decryption request is received; 特征获取模块,用于若所述用户密码正确,则采集用户的生物特征,并获取所述软件密码模块所在设备的本地硬件特征;A feature acquisition module, used to collect the user's biometric features if the user password is correct, and to acquire the local hardware features of the device where the software password module is located; 根密钥计算模块,用于利用所述用户密码、所述生物特征和所述本地硬件特征进行密钥衍生计算,得到所述根密钥;A root key calculation module, used to perform key derivation calculation using the user password, the biometric feature and the local hardware feature to obtain the root key; 解密模块,用于利用所述根密钥解密所述保护密钥,并利用解密后的所述保护密钥对所述目标数据进行解密。The decryption module is used to decrypt the protection key using the root key, and decrypt the target data using the decrypted protection key. 9.一种电子设备,其特征在于,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器调用所述存储器中的计算机程序时实现如权利要求1至5任一项所述软件密码模块的密钥保护方法或权利要求6所述软件密码模块的数据解密方法的步骤。9. An electronic device, characterized in that it comprises a memory and a processor, wherein a computer program is stored in the memory, and when the processor calls the computer program in the memory, the steps of the key protection method of the software cryptographic module according to any one of claims 1 to 5 or the data decryption method of the software cryptographic module according to claim 6 are implemented. 10.一种存储介质,其特征在于,所述存储介质中存储有计算机可执行指令,所述计算机可执行指令被处理器加载并执行时,实现如权利要求1至5任一项所述软件密码模块的密钥保护方法或权利要求6所述软件密码模块的数据解密方法的步骤。10. A storage medium, characterized in that computer executable instructions are stored in the storage medium, and when the computer executable instructions are loaded and executed by a processor, the steps of the key protection method of the software cryptographic module according to any one of claims 1 to 5 or the data decryption method of the software cryptographic module according to claim 6 are implemented.
CN202310669128.6A 2023-06-07 2023-06-07 Key protection method, system, device and storage medium for software cryptographic module Pending CN119106414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310669128.6A CN119106414A (en) 2023-06-07 2023-06-07 Key protection method, system, device and storage medium for software cryptographic module

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310669128.6A CN119106414A (en) 2023-06-07 2023-06-07 Key protection method, system, device and storage medium for software cryptographic module

Publications (1)

Publication Number Publication Date
CN119106414A true CN119106414A (en) 2024-12-10

Family

ID=93714341

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310669128.6A Pending CN119106414A (en) 2023-06-07 2023-06-07 Key protection method, system, device and storage medium for software cryptographic module

Country Status (1)

Country Link
CN (1) CN119106414A (en)

Similar Documents

Publication Publication Date Title
US11803633B1 (en) Method and system for securing user access, data at rest and sensitive transactions using biometrics for mobile devices with protected, local templates
US11108546B2 (en) Biometric verification of a blockchain database transaction contributor
US20160269178A1 (en) Privacy-Enhanced Biometrics-Secret Binding Scheme
US20100138667A1 (en) Authentication using stored biometric data
KR101897715B1 (en) System for non-password secure biometric digital signagure
CN101199160A (en) String-based biometric authentication method and system
KR20180003113A (en) Server, device and method for authenticating user
CN111614467B (en) System backdoor defense method and device, computer equipment and storage medium
CN107113170A (en) Biometric template storage and verification method, biometric identification device, and terminal
CA2686801C (en) Authetication using stored biometric data
WO2012050585A1 (en) Authenticate a fingerprint image
CN106921489A (en) A kind of data ciphering method and device
TWI476629B (en) Data security and security systems and methods
CN119922013A (en) Identity authentication method, device, storage medium and electronic device
CN111698253A (en) Computer network safety system
CN101626290A (en) Method for signature and confidentiality by fingerprints
CN116405211B (en) Multiple encryption method, device, equipment and storage medium based on biological characteristics
CN113935002B (en) A secure face authentication method and system based on honeypot technology
CN119106414A (en) Key protection method, system, device and storage medium for software cryptographic module
Rudrakshi et al. A model for secure information storage and retrieval on cloud using multimodal biometric cryptosystem
CN112187477A (en) Iris privacy authentication method
CN105227562A (en) The key business data transmission mediation device of identity-based checking and using method thereof
Cimato et al. Biometrics and privacy
JP2001144743A (en) Encryption key generation device, encryption / decryption device, encryption key generation method, encryption / decryption method, and program providing medium
Ghouzali et al. ANDROID SECURE STORAGE APPLICATION USING FUZZY VAULT-BASED KEY BINDING.

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination