TW201438450A - Method for storing and restoring generation of encryption key - Google Patents
- Publication number
- TW201438450A
- Authority
- TW
- Taiwan
- Prior art keywords
- gateway
- chip
- serial number
- authentication
- wafer
- Prior art date
Landscapes
- Storage Device Security (AREA)
Abstract
Description
The present invention relates to a method for generating, storing and restoring an encryption key, and in particular to a design that keeps multiple backups of the key information in a gateway (CipherCube), so that when the gateway (CipherCube) or the chip (CertiTAG) is damaged, malfunctions, is stolen or loses data, the key information in the gateway or chip can be restored in a secure and simple way. It is suitable for gateways or similar devices that protect information on the user side.
In recent years the technology industry has moved toward cloud services. Individuals and companies alike can subscribe to a cloud storage (or network disk) service to upload large numbers of documents and other files and content to the cloud for storage, set access rights by configuring an account and password, and download files from the cloud anytime and anywhere through mobile devices (such as smartphones or tablets), desktop computers and notebook computers.
However, an account and password alone are not enough to protect the documents stored in the cloud (or on a network disk) from illegal access such as viewing or theft by hackers or unauthorized persons, because accounts and passwords are easy to crack. Once documents or files are placed in cloud space (or on a network disk), the data owner cannot control the protective measures, and forgotten accounts or passwords are a common problem. On the other hand, if the data is protected by encryption on the user side, losing the key or the related verification data makes the data unrecoverable.
In view of these deficiencies, the inventor set out to propose a method for generating, storing and restoring an encryption key that makes it easy to read and to restore the key information, retains the advantages of current cloud data storage, and lets users actively apply protective measures to file data stored and transferred between the gateway and the cloud. After dedicated research and design, the inventor provides a protection method that combines key security with convenient authentication.
The main object of the present invention is to provide a method for generating, storing and restoring an encryption key in which the key information in the gateway (CipherCube) is kept in multiple backups: the key information is stored in encrypted form both in the gateway's built-in memory and in the chip (CertiTAG). When the key information in the gateway or the chip is damaged, disappears, is corrupted or is lost, the system owner can restore the key information stored in the gateway or chip. On the other hand, when the gateway or chip is stolen, the thief cannot use or restore the key information stored in it. The system owner, however, can restore the key information in a few steps, so that the active protection of file data stored and transferred between the gateway and the cloud keeps operating normally and no key or authentication failure occurs, which increases the overall functionality and merit of the invention.
A second object of the present invention is to provide a safeguard for the generation, storage and restoration of the encryption key: the key information can also be stored in encrypted form in a backup certificate file (Certificate). When the gateway and the chip fail at the same time, or lose their data, and authentication cannot pass, the system is booted and reads the key information in the backup certificate file. The system sends an authentication password to the e-mail address preset by the system owner. After the system owner enters the authentication password in the system and it is verified, the system reads the manually entered random number (Hashed Parameter), the hardware serial number (Hashed BOX ID) and the chip serial number (Hashed CertiTAG ID) from the backup certificate file and copies them to the gateway and the chip so that their contents match. The system can then continue its original encryption and decryption service, which increases overall convenience and security.
To achieve the above objects, the method of the present invention is applied mainly to active security protection in which file data is encrypted on upload and decrypted on download between the gateway and the cloud (or network disk), with the gateway connected to the chip for authentication. The gateway and the chip each hold the manually entered random number (Hashed Parameter), the hardware serial number (Hashed BOX ID) and the chip serial number (Hashed CertiTAG ID), the three being combined by hash (Hashed) computation. The main steps of the method are as follows. Specify the e-mail address: on first activation, the e-mail address of the gateway owner must be entered, and it is written to both the gateway and the chip. Gateway boot authentication: after the gateway boots, its contents are compared with those of the chip for authentication; when the manually entered random number (Hashed Parameter), hardware serial number (Hashed BOX ID) and chip serial number (Hashed CertiTAG ID) in the gateway and in the chip are the same, service starts. When the gateway or the chip fails, or its parameter information is damaged or disappears, so that the comparison between gateway and chip cannot pass, the system can read the information stored in the other device (chip or gateway) and sends an authentication password to the e-mail address specified by the gateway owner. After verification, the system automatically copies the manually entered random number (Hashed Parameter), hardware serial number (Hashed BOX ID) and chip serial number (Hashed CertiTAG ID) from the undamaged gateway or chip to the failed chip or gateway, so that the key contents in the gateway and the chip match, authentication can pass, and the active security protection of upload encryption and download decryption between the gateway and the cloud begins.
Other features and specific embodiments of the present invention can be further understood from the following detailed description taken together with the accompanying drawings.
10 ... Gateway (CipherCube)
20 ... Chip (CertiTAG)
30 ... Backup certificate file (Certificate)
50 ... Entered random number (Parameter)
60 ... Time stamp (Time Stamp)
70 ... Key
80 ... Cloud
90 ... Firewall
101 ... Manually entered random number (Hashed Parameter)
102 ... Hardware serial number (Hashed BOX ID)
103 ... Chip serial number (Hashed CertiTAG ID)
Step S1000 ... Specify e-mail address
Step S2000 ... Gateway boot authentication
Step S3000 ... Gateway failure or chip failure
Step S4000 ... Read backup certificate file
Step S5000 ... Re-login authentication
Figure 1 is a flow chart of the main steps of the present invention.
Figure 2 is a schematic diagram of the present invention in use.
Figure 3 is a schematic diagram of the encryption key information of the present invention.
Figure 4 is a schematic diagram of the encryption key generation and storage of the present invention.
Please refer to Figures 1 to 4, which are schematic diagrams of the method for generating, storing and restoring an encryption key according to the present invention. The method is applied mainly in the gateway (CipherCube) 10, which is connected to the chip (CertiTAG) 20 for authentication. The gateway 10 and the chip 20 hold the manually entered random number (Hashed Parameter) 101, the hardware serial number (Hashed BOX ID) 102 and the chip serial number (Hashed CertiTAG ID) 103, the three being combined by hash (Hashed) computation. The main steps of the method are as follows. Step S1000, specify e-mail address: on first activation, the e-mail address of the system owner must be entered. Step S2000, gateway boot authentication: after the gateway 10 boots, it connects to the chip 20 for authentication; when the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10 and in the chip 20 are the same, service starts. Step S3000, gateway failure or chip failure: when either the gateway 10 or the chip 20 fails and authentication cannot pass, the side whose key information has been damaged or has disappeared, or which cannot pass authentication, sends an authentication password to the e-mail address specified by the system owner; the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10 or the chip 20 are then copied to the failed other side, so that the key contents of the gateway 10 and the chip 20 match, authentication can pass, and the active security protection of upload encryption and download decryption of file data between the gateway 10 and the cloud 80 begins.
If authentication still cannot pass after step S3000 (gateway failure or chip failure), the next step, S4000 read backup certificate, is performed: the system is logged in again and reads the backup certificate file (Certificate) 30; the backup certificate file 30 sends an authentication password to the e-mail address specified by the system owner, and the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the backup certificate file 30 are then copied into the gateway 10 and the chip 20, so that the key contents of the gateway 10 and the chip 20 match and service can start once authentication passes.

If authentication still cannot pass after step S4000 (read backup certificate file), the next step, S5000 re-login authentication, is performed: the system restarts the operation and again requires a random number 50 to be entered. After the random number 50 is entered, the system reads the hardware serial number 102 of the gateway 10 and the chip serial number 103 of the chip 20, then reads a time stamp (Time Stamp) 60 and hashes (Hashed) out a new random number (Hash Manual Parameter). The system re-sends an authentication password to the e-mail address specified by the system owner. Once the system owner obtains the new password and passes authentication, the hardware serial number 102 and the chip serial number 103 are obtained and integrated by hash (Hashed) computation to generate a key 70, and the manually entered random number 101, hardware serial number 102 and chip serial number 103 are written into the gateway 10 and the chip 20, so that the key contents of the gateway 10 and the chip 20 match and service can start once authentication passes.

In addition, the gateway 10 is a hardware device with internal memory able to store the manually entered random number 101, the hardware serial number 102 and the chip serial number 103. In addition, in the step S4000 gateway boot authentication step, when the authentication between the gateway 10 and the chip 20 is inconsistent, a message can be sent to notify the system owner.
Please refer to Figures 1 to 4, which are schematic diagrams of the method for generating, storing and restoring an encryption key according to the present invention. The invention is used in the gateway (CipherCube) 10 placed in front of the firewall 90 of the cloud 80 to encrypt uploads and decrypt downloads, and the gateway 10 is connected to the chip (CertiTAG) 20 for mutual authentication (as shown in Figure 2). The gateway 10 is a hardware device with internal memory (not shown) able to store the key information. The key used by the gateway 10 is not pre-stored at the factory; instead, the system owner manually enters a random number (Hashed Parameter) 101, which is combined with the hardware serial number (Hashed BOX ID) 102 and the chip serial number (Hashed CertiTAG ID) 103, and the three are combined and hashed (Hashed). The key 70 used for data encryption is therefore unique. In addition, the invention keeps multiple backups of the key information in the gateway, so that the key information is stored in encrypted form in both the gateway 10 and the chip 20; the gateway 10 and the chip 20 hold the manually entered random number 101, hardware serial number 102 and chip serial number 103, combined by hash (Hashed) computation (as shown in Figure 3).

When the gateway 10 and the chip 20 are first activated, step S1000, specify e-mail address (as shown in Figure 1), must be performed first: on first activation, the e-mail address of the system owner must be entered. That is, when the gateway (CipherCube) 10 and the chip (CertiTAG) 20 are activated for the first time, the system owner's e-mail address must be entered first, so that the authentication mechanism is combined with a third party's e-mail. This prevents an authorized agent or delegated administrator from arbitrarily misappropriating or copying the key 70 and undermining the security of the generation, storage and restoration of the encryption key.

After the system owner's e-mail address has been entered, the next step, S2000 gateway boot authentication, is performed: after the gateway 10 boots, it connects to the chip 20 for authentication; when the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10 and in the chip 20 are the same, service starts. That is, after booting, the gateway 10 must first connect to the chip 20 so that authentication can take place; when the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10 and in the chip 20 are verified to be the same, the gateway 10 begins to provide the active security protection of upload encryption and download decryption of file data between the gateway and the cloud. Furthermore, when the authentication between the gateway 10 and the chip 20 is inconsistent, a message is sent to inform the system owner that authentication cannot be performed, so that the system owner can resolve the inconsistency.

When the two fail to authenticate consistently, the next step, S3000 gateway failure or chip failure, is performed: when either the gateway 10 or the chip 20 fails and is replaced with a new unit, the system sends an authentication password to the e-mail address specified by the system owner; after verification passes, the system copies the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10 and the chip 20 to the other side, so that the contents of the gateway 10 and the chip 20 match and service can start once authentication passes. That is, when the authentication between the gateway 10 and the chip 20 is inconsistent, either the gateway 10 or the chip 20 may have failed. For example, if the chip 20 holds the manually entered random number 101, hardware serial number 102 and chip serial number 103 and the gateway 10 does not, an authentication password is sent to the e-mail address specified by the system owner. The system owner uses the authentication password in the received mail to pass the system's verification, and the system copies the manually entered random number 101, hardware serial number 102 and chip serial number 103 from the chip 20 into the gateway 10, so that the key information contents of the gateway 10 and the chip 20 match and the gateway 10 and the chip 20 can pass authentication and begin providing the upload encryption or download decryption service. Conversely, if the gateway 10 holds the manually entered random number 101, hardware serial number 102 and chip serial number 103 and the chip 20 does not, the authentication password is sent to the e-mail address specified by the system owner. The system owner uses the authentication password in the received mail to pass the system's verification, and the system copies the manually entered random number 101, hardware serial number 102 and chip serial number 103 from the gateway 10 into the chip 20, so that the key information contents of the gateway 10 and the chip 20 match and the gateway 10 and the chip 20 can pass authentication and begin providing the upload encryption or download decryption service. In this way it is convenient to read and restore the key information, the gateway 10 keeps operating normally, and upload encryption or download decryption is not blocked by a key information authentication mismatch.
In addition, the key information in the gateway (CipherCube) 10 can also be kept in multiple backups by storing it in encrypted form in the backup certificate file 30 (as shown in Figure 3). If authentication still cannot pass after step S3000 (gateway failure or chip failure), it may be that one of the manually entered random number 101, hardware serial number 102 and chip serial number 103 stored in the gateway 10 or the chip 20 has a problem that prevents authentication, so the next step, S4000 read backup certificate, is performed (as shown in Figure 1): the system is logged in again and reads the backup certificate file 30; the backup certificate file 30 sends an authentication password to the e-mail address specified by the system owner; after the authentication password passes the system's verification, the system copies the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the backup certificate 30 into the gateway 10 and the chip 20, so that the contents of the gateway 10 and the chip 20 match and service can start once authentication passes. That is, the running system is logged out and logged in again so that the gateway 10 can link to the backup certificate file 30; the backup certificate file 30 sends an authentication password to the e-mail address specified by the system owner, and the system owner, acting on the received mail, copies the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the backup certificate file 30 into the gateway 10 and the chip 20, so that the contents of the gateway 10 and the chip 20 match and the gateway 10 and the chip 20 can pass authentication and begin providing the upload encryption or download decryption service.

Furthermore, if authentication still cannot pass after step S4000 (read backup certificate), it may be that the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the backup certificate file 30 have become invalid or cannot be enabled, so the next step, S5000 re-login authentication, is performed (as shown in Figure 1): the system restarts the operation and again requires a random number 50 to be entered. After the random number 50 is entered, the system reads the hardware serial number 102 of the gateway 10 and the chip serial number 103 of the chip 20, then reads a time stamp (Time Stamp) 60 and hashes (Hashed) out a new random number (Hash Manual Parameter) (as shown in Figure 4). The system re-sends a new password to the e-mail address specified by the system owner. Once the system owner obtains the new password and passes authentication, the hardware serial number 101 and the chip serial number 102 are obtained and integrated by hash computation to generate a key 70, and the manually entered random number 101, hardware serial number 102 and chip serial number 103 are written into the gateway 10 and the chip 20, so that the contents of the gateway 10 and the chip 20 match and service can start once authentication passes.

That is, when the manually entered random number 101, hardware serial number 102 and chip serial number 103 in the gateway 10, the chip 20 and the backup certificate file 30 all fail to pass authentication again after the above steps, and it is confirmed that the key information stored in the gateway 10, the chip 20 and the backup certificate 30 has become invalid in all three, the system creates the key 70 anew and again requires the system owner to enter a random number 50. After the random number 50 is entered, the system reads the hardware serial number 102 of the gateway 10 and the chip serial number 103 of the chip 20, then reads a time stamp 60 and hashes out a new random number. The system re-sends a new password to the e-mail address specified by the system owner. The system owner obtains the new password and, after authentication passes, the hardware serial number 102 and the chip serial number 103 are obtained for hash computation and integration, and a key 70 is generated by the algorithm. The hash-integrated manually entered random number 101, hardware serial number 102 and chip serial number 103 are written into the gateway 10 and the chip 20 again, so that the contents of the gateway 10 and the chip 20 match; after re-authentication, once the two authenticate consistently, upload encryption or download decryption can begin.
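The recovery cascade S2000 to S5000 described above, as an added Python example that is not code from the patent. SHA-256 as the hash, the `owner_reply` callback standing in for the e-mailed authentication password, the rule that S3000 applies only when exactly one side has lost its record, and all sample serials are assumptions of this example; the patent names no hash algorithm or message format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, astuple
from typing import Callable, Optional, Tuple


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the unspecified "Hashed" computation.
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class KeyInfo:
    hashed_parameter: bytes  # 101: Hashed Parameter
    hashed_box_id: bytes     # 102: Hashed BOX ID
    hashed_chip_id: bytes    # 103: Hashed CertiTAG ID

    def key(self) -> bytes:
        # Key 70: the three hashed values combined and hashed again.
        return h(b"".join(astuple(self)))


def make_key_info(parameter: bytes, box_id: bytes, chip_id: bytes,
                  timestamp: Optional[int] = None) -> KeyInfo:
    # In S5000 a time stamp (60) is mixed into the newly entered random number (50).
    seed = parameter if timestamp is None else parameter + b"|" + str(timestamp).encode()
    return KeyInfo(h(seed), h(box_id), h(chip_id))


def same(a: Optional[KeyInfo], b: Optional[KeyInfo]) -> bool:
    # Constant-time comparison of all three stored values.
    if a is None or b is None:
        return False
    return all(hmac.compare_digest(x, y) for x, y in zip(astuple(a), astuple(b)))


def email_challenge(owner_reply: Callable[[str], str]) -> bool:
    # A fresh one-time password is "mailed"; owner_reply models reading the
    # mailbox registered in S1000 and typing the password back.
    otp = secrets.token_hex(8)
    return hmac.compare_digest(otp.encode(), owner_reply(otp).encode())


def boot_and_recover(gateway: Optional[KeyInfo], chip: Optional[KeyInfo],
                     backup: Optional[KeyInfo], owner_reply: Callable[[str], str],
                     box_id: bytes, chip_id: bytes, new_parameter: bytes,
                     now: int) -> Tuple[str, Optional[KeyInfo]]:
    """Return (step, record to write to gateway and chip), or ("locked", None)."""
    if same(gateway, chip):                       # S2000: contents match
        return "S2000", gateway
    if (gateway is None) != (chip is None):       # S3000: one side lost its record
        if not email_challenge(owner_reply):
            return "locked", None
        return "S3000", gateway if gateway is not None else chip
    if backup is not None:                        # S4000: restore from certificate 30
        if not email_challenge(owner_reply):
            return "locked", None
        return "S4000", backup
    if not email_challenge(owner_reply):          # S5000: regenerate key 70
        return "locked", None
    # The regenerated key differs from the original: new parameter and time stamp.
    return "S5000", make_key_info(new_parameter, box_id, chip_id, now)


def demo() -> dict:
    owner = lambda otp: otp            # controls the registered mailbox
    thief = lambda otp: "00000000"     # holds the hardware but not the mailbox
    # Constructed sample values, not from the patent.
    original = make_key_info(b"owner-entered-random", b"BOX-0001", b"TAG-0001")
    hw = dict(box_id=b"BOX-0001", chip_id=b"TAG-0001",
              new_parameter=b"second-random", now=1363737600)
    return {
        "normal": boot_and_recover(original, original, original, owner, **hw),
        "chip_lost": boot_and_recover(original, None, original, owner, **hw),
        "both_lost": boot_and_recover(None, None, original, owner, **hw),
        "all_lost": boot_and_recover(None, None, None, owner, **hw),
        "stolen": boot_and_recover(original, None, original, thief, **hw),
    }


if __name__ == "__main__":
    for name, (step, info) in demo().items():
        print(name, step, info.key().hex()[:16] if info else None)
```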
From the above, the method for generating, storing and restoring an encryption key according to the present invention has the following advantages:
1. By keeping multiple backups of the key information in the gateway 10, the system owner has the key information stored in encrypted form in both the built-in memory of the gateway 10 and its chip 20. This makes it convenient to read and restore the key information and keeps the key contents stored in the built-in memory of the gateway 10 and in its chip 20 consistent, so that cloud-service upload encryption or download decryption can proceed.
2. The system owner can further store the key information in the gateway 10 in encrypted form in the backup certificate file 30. When neither the gateway 10 nor the chip 20 can complete authentication for whatever reason, the key information in the backup certificate file 30 is copied into the built-in memory of the gateway 10 and into the chip 20, so that the key information contents of the gateway (CipherCube) 10 and the chip (CertiTAG) 20 match and upload encryption or download decryption can proceed.
From the above detailed description, those skilled in the art can see that the present invention does achieve the foregoing objects and complies with the provisions of the Patent Act; a patent application is therefore filed.
The above, however, is only a preferred embodiment of the present invention and cannot be used to limit the scope of its implementation; simple equivalent changes and modifications made according to the claims and the description of the present invention should all remain within the scope covered by this patent.
Claims (5)
A method for generating, storing and restoring an encryption key, applied mainly in a gateway (CipherCube) connected to a chip (CertiTAG) for authentication, the gateway and the chip holding a manually entered random number (Hashed Parameter), a hardware serial number (Hashed BOX ID) and a chip serial number (Hashed CertiTAG ID), the three being combined by hash (Hashed) computation, the main steps of the method comprising:
Specify e-mail address: on first activation, the e-mail address of the system owner must be entered;
Gateway boot authentication: after the gateway boots, it connects to the chip for authentication; when the manually entered random number, hardware serial number and chip serial number in the gateway and in the chip are the same, service starts;
Gateway failure or chip failure: when either the gateway or the chip fails, loses data or is replaced with a new unit, an authentication password is sent to the e-mail address specified by the system owner; after the authentication password passes the system's verification, the system copies the manually entered random number, hardware serial number and chip serial number in the gateway and the chip to the other side, so that the key contents of the gateway and the chip match and service can start once authentication passes.
The method for storing and restoring an encryption key according to claim 1, wherein, in the gateway power-on authentication step, a notification message is further issued when authentication between the gateway and the chip fails.
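The power-on comparison, the failure notification and the mail-gated copy described in the claims above can be modelled as follows. This is an added example, not code from the patent: SHA-256, the dictionary records, the single-use handling of the authentication password and all sample values are assumptions.

```python
import hashlib, hmac, secrets

FIELDS = ("hashed_parameter", "hashed_box_id", "hashed_certitag_id")

def provision(parameter, box_id, certitag_id):
    """Build the three-value record; SHA-256 is an assumption (page says 'hashed')."""
    raw = (parameter, box_id, certitag_id)
    return {f: hashlib.sha256(v.encode()).hexdigest() for f, v in zip(FIELDS, raw)}

def boot_authenticate(gateway, chip, notify):
    """Power-on check: service starts only if all three values match."""
    ok = all(f in gateway and f in chip and
             hmac.compare_digest(gateway[f], chip[f]) for f in FIELDS)
    if not ok:
        notify("gateway/chip authentication failed")    # claim 2 notification
    return ok

class Recovery:
    """Authentication password sent to the owner's designated mail address."""
    def __init__(self, owner_mail, send_mail):
        self.owner_mail, self.send_mail, self.pending = owner_mail, send_mail, None
    def request(self):
        self.pending = secrets.token_urlsafe(16)
        self.send_mail(self.owner_mail, self.pending)
    def restore(self, code, source, target):
        """Copy the record from the intact device to the failed or new one."""
        pending, self.pending = self.pending, None       # single use, even on failure
        if pending is None or not hmac.compare_digest(pending.encode(), code.encode()):
            return False
        if any(f not in source for f in FIELDS):
            return False                                 # nothing valid to copy
        target.clear()
        target.update({f: source[f] for f in FIELDS})
        return True

def demo():
    """Constructed scenario: the chip is replaced by a blank unit."""
    outbox, alerts = [], []
    gateway = provision("483920", "BOX-0001", "TAG-0001")  # constructed values
    chip = dict(gateway)
    first_boot = boot_authenticate(gateway, chip, alerts.append)
    chip = {}                                              # new, empty chip
    failed_boot = boot_authenticate(gateway, chip, alerts.append)
    rec = Recovery("owner@example.com", lambda to, code: outbox.append((to, code)))
    rec.request()
    wrong = rec.restore("guess", gateway, chip)            # consumes the password
    rec.request()
    right = rec.restore(outbox[-1][1], gateway, chip)
    return (first_boot, failed_boot, wrong, right,
            boot_authenticate(gateway, chip, alerts.append), len(alerts))
```

In this model the recovery path is only as strong as the owner's mailbox, so the mail account and the outgoing transport are part of the trust boundary.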
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW102109942A TWI539781B (en) | 2013-03-20 | 2013-03-20 | Method of storing and storing encryption key output |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW102109942A TWI539781B (en) | 2013-03-20 | 2013-03-20 | Method of storing and storing encryption key output |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201438450A (en) | 2014-10-01 |
| TWI539781B (en) | 2016-06-21 |
Family
ID=52113535
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW102109942A TWI539781B (en) | 2013-03-20 | 2013-03-20 | Method of storing and storing encryption key output |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI539781B (en) |
-
2013
- 2013-03-20 TW TW102109942A patent/TWI539781B/en not_active IP Right Cessation
Also Published As
| Publication number | Publication date |
|---|---|
| TWI539781B (en) | 2016-06-21 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US8103883B2 (en) | Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption | |
| US8761403B2 (en) | Method and system of secured data storage and recovery | |
| KR102068580B1 (en) | Method of securing a computing device | |
| TWI463349B (en) | Method and system for secure data access among two devices | |
| US8225109B1 (en) | Method and apparatus for generating a compressed and encrypted baseline backup | |
| US9443111B2 (en) | Device security using an encrypted keystore data structure | |
| US10110383B1 (en) | Managing embedded and remote encryption keys on data storage systems | |
| US10824571B1 (en) | Separate cryptographic keys for protecting different operations on data | |
| US8135135B2 (en) | Secure data protection during disasters | |
| KR20080071528A (en) | Method and system for storage data encryption and data access | |
| JP2016539567A (en) | Data protection in storage systems using external secrets | |
| CN116601915B (en) | Data stored on devices that support Key per IO is encrypted and erased via internal action. | |
| CN105740725B (en) | A kind of document protection method and system | |
| TW200832181A (en) | System and method of data encryption and data access of a set of storage device via a hardware key | |
| CN114342314A (en) | Password erasure via internal and/or external actions | |
| JP5680617B2 (en) | Secure data sharing system and execution method | |
| BR102015011937A2 (en) | agent to provide cloud security service and security token device for cloud security service | |
| CN104537313B (en) | A kind of data guard method, terminal and server | |
| CN103563292B (en) | The method and system provided for integrated key | |
| TWI539781B (en) | Method of storing and storing encryption key output | |
| CN106650492B (en) | A kind of multiple device file guard method and device based on security catalog | |
| US11870906B1 (en) | Providing a secure isolated account for cloud-based storage services | |
| CN111143863A (en) | A data processing method, apparatus, device and computer-readable storage medium | |
| KR101386606B1 (en) | Method for controlling backup storage | |
| CN206282188U (en) | A kind of computer of security assurance information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | MM4A | Annulment or lapse of patent due to non-payment of fees | |