TW384591B - Method for security control using token card - Google Patents

Method for security control using token card Download PDF

Info

Publication number
TW384591B
TW384591B TW86110567A TW86110567A TW384591B TW 384591 B TW384591 B TW 384591B TW 86110567 A TW86110567 A TW 86110567A TW 86110567 A TW86110567 A TW 86110567A TW 384591 B TW384591 B TW 384591B
Authority
TW
Taiwan
Prior art keywords
client
key
server
verification
packet
Prior art date
Application number
TW86110567A
Other languages
Chinese (zh)
Inventor
Guo-Jen Fan
Yan-Shiue Chen
Jen-Hua Sung
Original Assignee
Ind Tech Res Inst
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ind Tech Res Inst filed Critical Ind Tech Res Inst
Priority to TW86110567A priority Critical patent/TW384591B/en
Application granted granted Critical
Publication of TW384591B publication Critical patent/TW384591B/en

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

The clients in a network environment are always the portion of minimum protection and the easiest object of violation by intruders. To provide the client with more reliable and safe protection, this invention provides a method for security control of token card, which means protection to the client software and the confidential data stored in the storage device, such as confidential golder key, using cryptography to encode/decode, electronic signature technique and dispatching secrets, thus to make it more difficult for intruders to break the security and damage the systems. A feasible method is also provided to recover lost golden keys of the user. Besides, an ownership verification mechanism is also provided to protect the ownership of issuer and the integrity of the document.

Description

Μ濟部中央橾隼局負工瀉费合作杜印氧 Α7 Β7 五、發明説明(ί ) 本發明係有關於一套識別卡(token card)安全控管方 法,特別係有關於利用密碼學加解密、數位電子簽章技術、 以及分散機密的觀念來加以保護網路作業環境下安全性及 可靠度之控管方法。此種識別卡可以是軟式磁片、IC卡、 ZIP或M0等等屬於可攜式之所有儲存裝置(儲存媒體)。 由於網際網路之商業應用日益普及與盛行,網路辦 公室與電子銀行也隨著快速發展,而其電子資訊傳送之 正確性則端輥密碼元件,以及其安全控管機制連作之高 度保密性來保障所有人之權益β 就網路作業環境而言,使用者必須藉其各別之識別 裝置、登錄機器、操作軟體、及一般協定等之統合運作, 而可以讓使用者在其用戶端成功地登錄並完成驗證。而 使用者在接取(access)網路時,卻也是最容易洩露其本身 之機密’所以在網路系統下,用戶端往往是防護最少的 部份’而容易為入侵者所截取而用以破解系統》 此外,由於在網路上資料之互通有無,所以使用者 在其登錄端(用戶端)所使用之軟體,也常遭受到電腦病毒 之潛在威脅》目前對於軟體的保護,除以防毒軟體來防 止程式被侵入,並無明顯的方法可以偵測軟體是否已為 病毒所篡改。 在儲存媒體(儲存裝置)方面,一般於學理上之討論皆 假設儲杳媒體是非常安全的,如利用1C卡或簽章卡,但 是此類設備其價格較高,且須購買額外之設備,所以短 期内無法大量推廣》而磁片是一便宜且普及的儲存媒 本紙ilUUl適用中國國家橾牟(CNS } A4洗格( 210X297公釐) 111.— —J-lk—^ ,裝--— II—訂------""Cj (請先聞讀背面之注意事項再填寫本頁) 經濟部中央標準局員工消费合作杜印製 A7 B7 五、發明説明(么) 體,但是其安全性低,目前有以PKCS#5方式用以增加 磁片安全之方法,然而其卻往往容易被字典攻擊法所破 解。 而現行之網路安全機制中,用以確保安全性的秘密 金鑰若因種種因素而遺失的話,將會使得加密的資料無 法獲得,徒增困擾。所以在網路安全傳輸上,金鑰之回 復系統是有其必要性。 在網路文件交換環境中,文件之效力可能相當的 久,在科技快速進展的現代,電子文件被篡改和冒名之 可能性相當大。所以設計一套電子公文擁有權的驗核機 制,使得即使在簽章金鑰被破解的情形下,仍然不會有 被偽簽的危險,以提供發文端必要之保護,是有其必要 性的。 有鑑於此,本發明針對上述網路應用所可能遭遇之 問題,提出一套識別卡安全控管方法,其包括以下部份: 一、 檢驗系統中檔案有無遭篡改的檢查機制,用以 偵測系統内檔案有無遭受入侵者亦或病毒侵入。 二、 植基相互認證系統的控管機制,用以防制入侵 者對已加密之資料進行字典或蠻橫找尋攻擊法,並進而 防止使用者在使用不安全的機器上進行登入。 三、 使用於簽章控管的群體導向數位簽章機制,藉 由使用者完成與伺服端認證後,文件由使用者簽過後, 須再經由伺服端簽過,用以防止使用者在無意下,或操 作錯誤下簽出文件。 (請先閲讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家橾準(CNS〉A4規格(2丨0X297公釐) 五、發明説明(3 A7 B7 四、 金鑰回復機制,當使用者金鑰遺失或有爭端發 生時,而需由公正之第三者舉證時,可藉以導出金鑰。 五、 回復金鑰加解密機制。 六、 所有權驗核機制,用以確保他人無法仿冒,或 是在已發出的文件間插入其他偽造的文件。 為讓本發明之上述目的、特徵、和優點能更明顯易 懂,下文特針對上述各部份之控管方式,舉出較佳實施 例,並配合所附圖式,做詳細說明如下。 圈示之簡單說明: 第圖示一軟體之目錄架構圖 - ^1-, -I HI 11^1 an nn mu t Jn (請先閲讀背面之注意事項再填寫本f ) 經濟部中央揉準局貝工消费合作社印製 第2A〜顯示本發明第二實施例之動作過程簡圖。 第3Α〜3Β圖係回復金鑰加丨解密機制,分別為資料 傳送及驗證程序和金鑰及密文回復程序。 實施例一:(檢驗系統襠案有無遭篡改的檢査機制) 一種識別卡安全控管方法,用以偵測並防止用戶端 電腦系統中之檔案遭受入侵者篡改或病毒損害,此控管 方法在用戶端電腦系統上之運作機制包含如下兩個程 序:檢驗軟體安裝程序;以及程式偵試程序。 檢驗軟體安裝程序包括如下之步驟: 對於欲控管之軟體的根目錄下各子目錄底下之每一 檔案及目錄,利用"安全雜湊函數"以產生相對應之第一 檔案雜湊值,並儲奇於用戶端電腦系統上; 分別將各該子目錄中之每一第一檔案雜湊值加以結 訂 本紙張尺度通用中國國家標準(CNS ) A4規格(2丨OX 25>7公釐} 經濟部中央標準局貝π消费合作社印製 A7 B7 五、發明説明(中) 合,再利用安全雜湊函數產生相對應之第一目錄雜湊 值,並將此第一目錄雜凑值分別儲存於各該子目錄中。 如此重覆,一層層對該根目錄下的各層下子目錄作相同 之動作,以得到各相對應之檔案雜湊值及目錄雜湊值, 並分別儲存於用戶端電腦系統及各子目錄中,直到位於 該根目錄下所有之子目錄均有其相對之目錄雜湊值,再 於此根目錄下,將此根目錄下之所有目錄雜湊值加以結 合,並利用安全雜湊函數產生一第一根目錄雜湊值;利 用用戶端的私密金鑰而將上述根目錄雜湊值加以簽章, 並將上述簽章結果儲存於用戶之一可攜式儲存裝置(即 識別卡)中;並將程式檢驗程式儲存於該可攜式儲存裝置 中,此時可將該儲存裝置設成唯讀,而完成此檢驗軟體 安裝程序。 而程式偵試程序則包括以下步驟: 執行一程式檢驗程式;該檢驗程式將用戶端欲偵試 之軟體的根目錄下子目錄中每一檔案,利用安全雜湊函 數產生相對應之第二檔案雜湊值,並檢查其與儲存於用 戶端之上述第一檔案雜湊值是否相等,若不相等則表示 欲偵試之軟體中的程式有遭竄改或是版本不符而停止此 偵試程序;否則上述檢驗程式再以如前述安裝程序之過 程,而分別將各子目錄中之檔案雜湊值加以結合,再利 用安全雜湊函數產生相對應之第二目錄雜湊值,並將該 第二目錄雜湊值與分別儲存於上述各子目錄中第一目錄 雜湊值加以比較,若不相等則表示欲偵試之軟體中的程 --—niLmL, -、裝-- ·· (請先閲讀背面之注意事項再填寫本頁) 訂 本紙張尺度適用中國國家標準(CNS ) Α4規格(210X297公釐) 鑪濟部中央揉準局貝工消费合作社印装 A7 ___^_B7 五、發明説明(5 ) 式有遭竄改或是版本不符而停止此偵試程序。 對各層下子目錄重覆上述之檢查動作,直到位於根 目錄下所有之子目錄均有其相對之第二目錄雜湊值且均 通過驗證,再於根目錄下將上述根目錄下之目錄雜湊值 加以結合,並再利用安全雜湊函數產生一第二根s錄雜 湊值,將其與儲存於用戶端之第一根目錄雜湊值相比 較,若不相等則表示欲偵試之軟體中的程式有遭竄改或 是版本不符而停止此偵試程序》最後對第二根目錄雜湊 值加以簽章,並自上述可攜式儲存裝置中讀出第一根目 錄湊值之簽章結果,驗正兩者是否相符合,若不符合則 表示用戶端之程式有遭篡改或是版本不符之情形。 假設欲控管之軟體的檔案結構如第1圖所示。於檢 驗軟體安裝程序♦,首先對欲控管之軟體的根目錄下, 各目錄底下之檔案或目錄A〜G進行雜湊運算而得雜湊 值hs(A)~hs(G),並將hs(A)〜hs(G)值存於用戶端之電猫系 統中。將I子目錄下之雜湊值hs(A)和hs(B)相結合後, 例如是取互斥運算,再對其進行雜湊運算而得子目錄雜 湊值hs(I),同理也可得子目錄雜湊值hs(II),再將這些子 目錄雜湊值存於各自之子目錄中。 將子目錄III下之雜湊值hs(I)、hs(E)、和hs(F)相結 合後,再對其進行雜湊運算而得子目錄雜湊值hs(III), 同理將子目錄IV下之雜湊值hs(II)、和hs(G)相結合後,$ 再對其進行雜湊運算而得子目錄雜凑值hs(IV),亦將這, 些子目錄雜湊值存於各自之子目錄中。最後,將雜湊值 (請先聞讀背面之注意事項再填寫本頁) 本紙張尺度遑用中國國家搮隼(CNS > Α4规格(210Χ 297公釐) 經濟部中央樣準局負工消费合作杜印製 A7 B7 五、發明説明(6 ) hs(III)、和hs(IV)相結合後,再進行雜湊運算而得一根目 錄雜湊值hs(root)。 最後,以用戶端的私密金鑰而將上述根目錄雜湊值 hs(root)加以簽章,並將上述簽章結果儲存於用戶之可攜 式儲存裝置中,·再將程式檢驗程式儲存於上述可攜式儲 存裝置中,則完成檢驗軟體安裝程序。 於程式偵試程序中,先執行上述程式檢驗程式,該 檢驗程式將用戶端欲偵試之軟體根目錄下子目錄中每一 檔案,利用安全雜凑函數產生相對應之雜湊值 hs*(A)~hs*(G),並分別一對一檢查其與儲存於用戶端之 雜湊值hs(A)〜hs(G)是否相等,若不相等則欲偵試之軟體 的程式有遭篡改或是版本不符而停止此程序。 否則上述偵試程式再以如安裝程序之過程,而分別 產生hs*(I)〜hs*(IV)、以及hs*(root),再分別一對一檢查 其與儲存於用戶端之雜湊值hs(I)〜hs(IV)、hs(root)是否相 等若不相等則欲偵試之軟體的程式有遭篡改或是版本不 符而停止程序。最後,對上述根目錄雜湊值hs*(root)加 以簽章,並自上述可攜式儲存裝置t讀出第一根目錄湊 值之簽章結果,驗正兩者是否相符合,若不符合則表示 欲偵試之軟體之程式有遭篡改或是版本不符之情形,而 完成驗證之程序。 由上可知,經由逐身之檢查,可將所有所有檔案結 構上之任何變動均查覺出來,故而讓使用者得知用戶端 -* S1. —>1- i nn HI —^n alL-p ι_ϋ n - (請先閲讀背面之注意事項再填寫本頁) 訂 的程式是否有遭篡改或是版本不符之情 形發生 本紙浪尺度適用中國國家揉準(CNS ) A4規格(210X297公釐) M濟部t央橾率局貞X消费合作杜印氧 端私密金鑰Kss A7 B7 五、發明説明(Ί ) 實施例二:(植基相互認證系統的控管機制) 請參照第2A〜2 C圓,其表不本實施例動作過程之 簡圖’下文將配合第2A〜2C來說明本實施例》 本發明之一種植基松互認證系統的控管機制,主要 係利用伺服端、用戶端及其可攜式儲存裝置間之密碼相 互認證方法,藉以防止入侵者對可攜式儲存裝置中已加 密之機密資料進行字典或蜜橫找尋攻擊法,並進而防止 用戶使用不安全的機器進行登入。 上述控管方法在用戶端電腦系統上之運作機制包含 如下三個程序: I. 註冊程序’初次登錄使用時之控管方法。 II. 認證程序,使用者完成註冊程序後,再次登錄使 用時之控管方法。 III. 更換密碼程序》 請參照第2A圖,註冊程序包括如下步輝: [a]用戶端利用其識別碼Π3、一會談金鑰ΤΚ(有時亦 稱為通訊基碼)、一第一驗證因子>Π、及相關資料,合併 產生一用戶端第一簽體(TK+ID+N1),用戶端對該用戶端 第一簽體以伺服端之公開金鑰KSP進行加密,而得用戶 端第一密件C1=EN(KSP,TK+ID+N1),將該用戶端第一 密件C1、識別碼ID、一註冊請求Reg_req,及相關資料 傳送至伺服端。 ⑼伺服端伊彳文到上述註冊請求Reg_req後,以伺服 解開上述用戶端第一密件C1而獲得前述 本纸浪尺度遄用中國國家標準(CNS > A4说格(210X 297公釐) ----------'1—Γ"-裝------訂------ * {請先閲讀背面之注f項再填寫本頁) A7 B7 鲤濟部中央橾準局貝工消費合作社印製 五、發明説明(δ ) 之會談金鑰TK、第一驗證因子N1、及識別碼ID等相關 資料。 伺服端產生一加密金鑰SK、一第二驗證因子N2、 及一整數η’伺服端以上述之加密金鑰sk、整數n、第 一驗證闼子Ν1、第二驗證因子Ν2、以及相關資料合併 產生一伺服端第一簽體(η+Ν2+Ν 1 +SK+Time 1 +Salt),以上 述會談金鑰TK對上述伺服端第一簽體加密而得一伺服 端第一密件 Sl=(TK,n+N2+Nl+SK+Timel+Salt),再將 S1 回傳給用戶端,其中Timel為系統時間,而Salt為一加 鹽值’此加鹽值可使之每次輸出不同的值》 [c] 用戶端完成接收後,以上述之會談金鑰TK解開 上述伺服端第一密件S1,而得上述整數η、上述加密金 鑰SK、上述第一驗證因子Ν1與第二驗證因子Ν2,系 統時間Timel、及加鹽值Salt。用戶端檢查上述第一驗證 因子(N1)是否為原先所送之值,並檢查系統時間Timel 以驗證傳輸時間是否在合理之範圍内,驗證正確後用戶 端將使者個人密碼PWD合併加鹽值Salt進行η次雜凑運 算而得一密碼封包OTP=Hn(Salt+PWD); [d] 用戶端以上述密碼封包OTP、上述第二驗證因子 N2、及系統時間 Time2 為用戶端第二簽艘 (0TP+N2+Time2),利用上述會談金鑰(TK)對上述用戶端 第二簽體進行加密而得一用戶端第七密件C2=EN(TK, OTP+N2+Time2)後,將C2饵傳送給伺服端》 |>]伺服端接收到上述用戶端第二密件C2後,以上 10 -» -1 ^^1 —^1 -- - n^i m I * (請先閱讀背面之注意事項再填寫本頁) 訂- LT. 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 艟濟部中央搮準局貝X消费含作社印装 A7 ______B7_—___ 五、發明説明(ί) 述之會談金鑰TK解開上述第二密件C2,而得上述之密 碼封包OTP,伺服端並驗證上述第二驗證因子是否為原 先所送之值,並檢查系統時間Time2以驗證傳輸時間是 否在合理之範圍内,若正確無誤則將上述之密碼封包 OTP、以及整數η储存於伺服端,益產生一註冊標記 Reg_yes。伺服端利用上述密碼封包ΟΤΡ、註冊標記 Reg_yes、及系統時間Time3為伺服端第二簽體(OTP + Req_yes + Time3),以上述會談金鑰對上述伺服端第二簽 艘進行加密而得一伺服端第二密件S2 = EN(TKL, OTP + Req_yes + Time3),再將S2回傳給用戶端。 [f]用戶端以會談金鑰解開上述伺服端第二密件 S2,而接收上述註冊標記Reg_yes確認註冊無誤,且已 檢查系統時間Time3以驗證傳輸時間是否在合理之範 圍内後,即自行產生一用戶端金鑰CK並且對使用者密 碼PWD進行雜湊運而導出一密碼金鑰PWK=H(PWD)。 使用上述加密金鑰SK與密碼金鑰PWK,將上述用戶端 金鑰CK加密成為用戶端密文ECK並將其結果存於用戶 端上。另外亦使用上述用戶端金鑰CK與密碼金鑰PWK 對使用者之私密資料DK:加密成為一密鑰密文EDK,並 將其存於可攜式儲存裝置上,而完成註冊之程序。 請參照第2B面,完成註冊程序後,使用者再次登 入使用·時,認證程序包括如下步驟: [a]用戶端將其識別,ID ’ 一第三驗證因子N3、與 此程序所要使用之會談金鑰TKl合併產生一用戶端第三 11 本紙浪尺度適用中國«家櫟率(CNS ) A4规格( 210X297公釐) > ·1, ---:J thm m -♦ -( --- - I (請先w讀背面之注意事項再填寫本頁) 訂 經濟部中央梂準局興X消费合作社印裂 A7 B7五、發明説明(/〇 ) 簽體(TK1+ID+N3),用戶端對上述用戶端第三簽體以伺 服端之公開金鑰KSP進行加密,而得用戶端第三密件 C3=EN(KSP,TK2+ID+N3),並將上述用戶端第三密件 C3、上述識別碼ID、一確認請求Auth_req,及相關資料 傳送至伺服端。 [b] 伺服端接收到確認請求Auth_req後,以伺服端私 密金鑰Kss解開上述用戶端第三密件C3而獲得上述之會 談金鑰TK1、第三驗證因子N3、及識別碼ID等相關資 料,伺服端並由儲存裝置中找出使用者於上述註冊程序 中所對應之密碼封包OTP、以及整數η等相關資料。若 整數η小於2則用戶端之使用者須重新註冊,若整數η 不小於2,則伺服端產生一小於η的整數k及m而m = η -k 〇 再將會談金鑰Τία、整數m、第三驗證因子N3及相 關資料合併為伺服端第三簽體(m + N3 + Time4 + Salt), 以會談金鑰TK1對其加密而得伺服端第三密件S3 = EN(TK1,m+N3+Time4+Salt),並將伺服端第三密件S3 回傳給用戶端。 [c] 用戶端完成接收後,以上述之會談金鑰TK1解開 上述伺服端第三密件S3,而得上述整數m、上述第三驗 證因子N3,用戶端檢查上述第三驗證因子N3是否為原 先所送之值,並檢查系統時間Time4以驗證傳教時間是 .否在合理之範圍内。 ' 驗證正確後用戶端將使者輸入之個人密碼PWD合 12 I纸張尺度遑用中國國家標準(CNS ) A4規格(210X297公釐) -i \? m· 1 ^ (請先閲讀背面之注意事項再填寫本頁) 訂 .6 經濟部中央橾率局貝工消费合作杜印裝 A7 B7 五、發明説明(丨丨) 併加鹽值Salt後再進行m次雜凑運算而得一第一封包 OTPl=Hm(Salt+PWD),並產生一第四驗證因子N4,其中 上述加鹽值Salt即為註冊程序時之加鹽值。 [d] 用戶端以上述第一封包0TP1、上述第四驗證固 子(Ν4)、及相關之資料合併為用戶端第四簽體 (0TP1+N4+Time5),利用上述會談金鑰TKl對上述用戶 端第四簽體進行加密而得一用戶端第四密件 C4=EN(TK1,OTPl+N4 + Time5)後’將 C4 回傳送給 祠服端® [e] 伺服端接收到上述用戶端第四密件C4後,以上 述之會談金鑰TK1解開上述第四密件’而得上述之第一 封包0TP1,伺服端並驗證上述第四驗證因子(N4)是否為 原先所送之值,並檢查系統時間Time4以驗證傳輸時間 是否在合理之範圍内,若正確無誤則伺服端對上述第一 封包0TP1再進行k次雜湊算,其運算結果Hk(OTPl)與 註冊程序中儲存於伺服端之密碼封包OTP比對是否相 同,驗證正確後即儲存整數m於伺服端而取代原先之整 數η,同時儲存0TP1取代原來之OTP,之後將上述註冊 程序中產生之加密金鑰SK、密碼封包0ΤΡ1、及驗證成 功之訊息 Auth_yes 合併為伺服第四簽體 (0TP1+SK_+Auth_yes+Time6),將其以會談金鎗 TK1 加密 後得 S4=EN(TK1 , 0TP1+SK+Auth_y«s+Time6)後再回傳 給用戶端。 [f] 用戶端以會談金鑰TK1解開上述加密資料S4 13 本纸張尺度逋用tBI_家標率(CNS ) Λ4洗格(210X297公釐)~~ ' ______1;—f 裝______訂______0. * (請先閩讀背面之注$項再填寫本霣) 經濟部中央樣準局負工消费合作社印製 A7 B7 五、發明説明(G ) 後,而分別得到加密金餘SK、密碼封包OTP 1、及驗證 成功之訊息Auth_yes,並檢查系統時間Time6以驗證傳 輸時間是否在合理之範圍内,待確定驗證成功後,即對 使用者密碼PWD進行雜湊運而導出一密碼金鑰 PWK=H(PWD),用戶端使用上述加密金鑰SK與密碼金 鑰PWK對存於用戶端上之密文ECK解密以得到上述之 註冊程序中之用戶端金餘CK。 使用上述用戶端金鑰CK、密碼金鑰PWK和加密金 鑰SK對存於可攜式儲存裝置中之密文ECK解密而得到 使用者之私密資料DK,如此即完成證驗之過程,之後用 戶端之使者即可以利用其私密資料DK執行欲進行之動 作。 請參照第2C圖,當使用者欲更改密碼時,其更換 密碼程序包括如下步驟: [a] 用戶端將其識別碼ID,一第五驗證因子N5、與 此程序所要使用之會談金鑰TK2合併產生一用戶端第五 簽體(TK2+ID+N5),用戶端對上述用戶端第五簽體以伺 服端之公開金鑰KSP進行加密,而得用戶端第五密件 C5=EN(KSP, TK2+ID+N5),並將上述用戶端第五密件 C5、上述識別碼ID、一密碼更換請求CP_req,及相關資 料傳送至伺服端。 [b] 伺服端接收到密碼更換請求CP_req後,以伺服 端私密金鑰Kss解開上述用戶端第五密件C5而獲得上述 之會談金鑰TK2、第五驗證因子N5、及識別碼ID等相 14 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) {請先閲讀背面之注意事項再填寫本頁) 裝· ,ΤΓ .6. 經濟部t央棣準局貝工消费合作社印装 A7 _ ·_B7__ 五、發明説明(丨3 ) 關資料’伺服端並找出使用者於上述註冊程序中所對應 之整數η資料’伺服端再產生一正整數m=n-k、及整數I, 其中k也為整數,再將整數m、l、第五驗證因子N5及 相關資料合併為伺服端第五簽體(m+I+N5+N6+Time7+ Saltl+Salt2),以會談金鑰TK2對其加密而得伺服端第五 密件 S5=EN(TK2,m+I+N5+N6+Time7+ Salt+Saltl),並 將伺服端第五密件S5回傳給用戶端》 [c] 用戶端完成接收後,以上述之會談金鑰TK2解開 上述伺服端第五密件S5,而得上述整數m、I、上述第五 驗證因子N5,用戶端檢查上述第五驗證因子N5是否為 原先所送之值,且檢查系統時間Τΰηβ7是否在合理之範 圍内,驗證正確後用戶端將使者輸入之個人密碼PWD合 併加鹽值Salt 1進行m次雜湊運算而得一第一封包 OTPl=Hm(Salt+PWD),同時對使用者所輸入之新密 碼NPWD進行I次雜湊運算,而得一第二封包 Ο τ P 2 = Hi(Saltl + NPWD)。 [d] 用戶端以上述第一封包0TP1、第二封包0TP2, 及上述第六驗證因子N6、及相關之資料合併為用戶端第 六簽體(OTP 1 +OTP2+N6+Time8),利用上述會談金鑰TK2 對上述用戶端第六簽體進行加密而得一用戶端第六密件 C6=EN(TK2,OTPl+OTP2+N6+Time8)後,將 C6 回傳送 給伺服端。 & [e] 伺服端接收到上述用戶端第六密件C6後,以上 述之會談金鑰TK2解開上述第六密件C6,而得上述之第 15 本紙張尺度逋用中國國家樣準(CNS ) A4規格(210X297公釐) " --- n I l· n L· ^ HI * (請先閱讀背面之注意事項再填寫本買) 訂 6 經濟部中央揉準局負工消费合作社印*. A7 B7 五、發明説明(綷) 一封包0TP1和第二封包,伺服端並驗證上述第六驗證 因子N6是否為原先所送之值,且檢查系統時間 是否在合理之範圍内;若正媒無誤則伺服端對上述第一 封包0TP1進行k次雜湊算’其運算結果與註冊程序t 儲存於伺服端之密碼封包比對是否相同’驗證正確後即 儲存整數I於伺服端而取代原先之整數n’也將第二封包 儲存於伺服端,並產生一新加密金鑰NSK’將註冊程序 產生之加密金瑜SK和新加密金鑰NSK、以及第一封包 0TP1與第二封包0TP2、及更換成功之訊息CP_yes合併 為伺服第六簽體(0TP1 + 0TP2 + SK + NSK + CP_yes + Time9 ),將其以會談金鑰加密後回傳給用戶端。 [f]用戶端以會談金鑰TK2解開上述加密資料後,而 分別得到加密金鑰SK、新加密金鑰NSK’第一封包0TP1 和第二封包0TP2、及更換成功之訊息CP_yes,確定更 換成功後,且檢查系統時間Time9是在合理之範圍内後。 先以PWK及SK解出存於用戶端的密文ECK,再用 CK合併使用者的個人密碼所導出的金鑰PWK以及SK 解出原先加密存於可攜式儲存裝置中的密鑰密文EDK, 之後用戶端即自行產生一用戶端新金鑰(NCK),利用先前 獲得之NSK與使用者之新密碼NPWD而導出的NPWK 加密NCK儲存於用戶端上,再以NPWK、NSK及NCK 加密DK而將結果存於可攜式儲存裝置t。 實施例三之一:(使用於簽章控管的群醴導向數位f章, 制) 16 本紙张尺度適用中國國家標準(CNS ) A4規格(2丨0X297公釐) ------1丨_i-T 裝------1T------0 (請先Μ讀背面之注意事項再填寫本買) 經濟部中央標準局貝工消費合作社印製 A7 B7_五、發明説明(丨6* ) 一種識別卡安全控管方法,為多重簽章方式之群導 向數位簽章系統下,用以防止用戶在無意下簽出文件之 控管方法,其包括如下步驟:當要簽出文件時,以用戶 端使用者之私密金鑰先行對上述文件簽章而得一第一簽 章,再以伺服端之私密金鑰對上述第一簽章再行簽章而 得到一第二簽章,而完成簽章之過程;以及在驗證過程 中,將上述第二簽章先以伺服端之公開金鑰解開而得一 驗證簽章,再將上述驗證簽章以使用者之公開金鑰解開 而得一驗證文件,比較上述第一驗證文件與上述原先送 出之文件是否相同,若正確則表示簽章係為正確無誤。 下文中以RSA簽章系統下建構本發明簽聿控管系 統之實施例。 於RSA系統之多重簽章方式之群導向數位簽章系 統下,用以防止用戶在無意下簽出文件之控管方法,其 包括如下步驟: 用戶端與伺服端之公開金錄分別為up及sp,其模 數為Nu和Ns,而其相對應之之私密金鑰分別為us和ss; 在簽章過程時,首先以用戶端的私密金鑰us對文件 Μ簽章而得SIG卜Mus mod Nu,再用伺服端的私密金鑰 ss 對 SIG1 簽章而得 SIG2=SIG1SS mod Ns ; 在驗證過程時,收文者要驗證文件Μ之簽章SIG2 時,先用伺服端的公開金鑰sp贫算SIG2sp mod Ns而解 得SIG1,号以用戶端之公開金鑰up計算SIGlupmodNu 而解得一待驗證值Ml ; 17 本紙張尺度適用中國國家揉準(CNS ) A4規格(2丨0X297公釐) * *1 ϋι—HIL---r 、裝-- * (請先閲讀背面之注意事項再填寫本頁) 訂 經濟部中央樣準局貝工消费合作社印裝 A7 B7_ 五、發明説明(4) 檢查Ml與文件Μ是否相等,若相等則SIG2才是 正確的簽章,否則不是正確簽章。 由上述可知,本機制其文件之簽出須先經由用戶端 簽章後,再經由伺服端簽過一次,所以具有雙重驗證之 功能,所以不會發生因使者疏忽下或操作錯誤之情形 下,而簽出文件。 實施例三之二:(使用於簽章控管的群艘導向數位簽 章機制) 一種識別卡安全控管方法,為在群體簽章方式之群 導向數位簽章系統下,用以防止用戶在無意下簽出文件 之控管方法,其方法為: 伺服端與用戶端使用者兩者對外只有一共通公開金 鑰,伺服端與用戶端使用者各有其私密金鑰和與其私密 金鑰相對應之公開金鑰,上述共通公開金鑰係由伺服端 公開金鑰與使用者公開金鑰而得,而欲簽出之文件須先 經使用者之私密金鑰簽過後,再由伺服端之私密金鑰簽 過才可送出,當要驗證所簽出文件之簽章時則須使用上 述共通公開金鑰對所簽出之文件解密後加以比對即可。 下文將以ElGamal之變型系統建構本發明簽章控管 系統之實施例。 一種識別卡安全控管方法,植基於ElGamal之變型 系統彳為在群體簽章方式之群導向數位簽章系統下,用 以防止用戶在無意下簽出文件之控管方法,上述系統存 在一生成子g及一大質數P,用戶端使用者之私密金鑰為 18 本紙張尺度適用中國國家標準(CNS ) A4C格(210X297公釐) (請先閲讀背面之注意事項再填寫本頁) 經濟部_央樣準局員工消费合作社印製 A7 B7五、發明説明(β) us,而其相對應之公開金瑜為up=gus mod P,祠服端私密 金鍮為ss,而其相對之公開金餘為sp=gss mod P,而兩者 對外之共通公開金鑰為Y=(upxsp)modP,上述控管方法 之特德^在於:當用戶端之使用者欲簽出文件(M)時,用戶 端與伺服端依下列步驟進行簽章過程及驗證過程: 簽章過程時: [έ]用戶端與伺服端分別產生隨機變數kl及k2 ; [b] 用戶端計算rl=gkl mod P,同時伺服端也計算 r2=gk2 mod P,之後用戶端與伺服端互相交換rl及r2 ; [c] 用戶端與伺服端均計算R=(rlxr2) mod Ρ ; [d] 用戶端先驗證spM與(r2Rxgss)mod P是否相等,若 兩者相等則用戶端計算Sl=(usxM-klxR)mod (P-1);及 [e] 伺服端驗證P是否相等,若 兩者相等則伺服端計算S2=(ssxM-k2xR) mod (P-1),若不 相等則結束簽章程式重頭進行;否則SIG=(R,S = (S1+S2) mod P-1)即作為對文件Μ之簽章。 II.在驗證過程時: 以共通公開金鑰Υ驗證YM mod Ρ是否與RRxgs mod P相等,若相則表示SIG為文件Μ之正確簽章,否則不 是正碟的簽章。 由上述可知,本機制其文件之簽出,須先經由用戶 端簽章後,再經由伺服端簽過一次,所以具有雙重驗證 之功能,所以不會發生因使者疏忽下或操作錯誤之情形 下,而簽出文件β 19 ------:---λ—、裝-- « (請先閱讀背面之注意事項再填寫本頁) 訂 .6 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 經濟部中夬樣準局貞工消费合作社印裝 A7 B7 五、發明説明(1¾) 實施例四之一:(金鑰回復機制) 一種識別卡安全控管方法,可藉以建構成使用於儲 存裝置之金鑰回復系統,上述系統可建置於一金鑰交換 系統其已公佈一公開值(M),以及具有第一金餘回復中心 (TKRC1)及第二金鑰回復中心(TKRC2)之作業環境下,上 述金鑰回復系統之控管方法如下步驟: [a] 用戶端與伺服端先執行如第二實施例所示,相互 認證之程序,認證完成後伺服端可得一加密金鑰(SK)及 儲存裝置上之私密資料(DK),並由自己所選之密碼而獲 得 PWK。 [b] 用戶端產生兩大質數p和q,其中pxq=N,N為 一模數。 [c] 用戶端與第一金餘回復中心(TBCRC1)利用上述金 鑰交換系統或是執行上述相互認證之程序而獲得一第一 共享金鑰(SK1),同時亦與第二金鑰回復中心(TKRC2)進 行相同之程序而獲得一第二共享金鑰(SK2)。 [d] 第一與第二金鑰回復中心(TKRC1和TKRC2) 分別產生一第一媒介數(R1)和第二媒介數(R2),再分別利 用其與用戶端間之第一和第二共享金鑰(SK1和SK2),而 對上述之第一與第二媒介數加密後’傳送給用戶端。 [e] 用戶端接到上述第一和第二媒介數後,藉兩者以 產生一公開金鑰,若無法產生上述公開金鑰(PK)則 重覆步驟c、d、e直到可以得出一公開金鑰為止;其中 上述公開金鑰PK符合下列之式子,PKx(f<Rl,R2)) = 1 20 本^張尺度逋用中國®^準(CNS )八4祕(21〇χ—297公釐〉一 " ------rI-、裝------訂------C * (請先閲讀背面之注意事項再填寫本頁) 經濟部中央橾準局貝工消费合作杜印製 A7 _^_B7_五、發明説明(θ) mod F(N),其中 F(N)=(p-l) X (q-l)或 F(N)為(p-l)和(q-l) 之最小公倍數,而用戶端相對於PK之私密金鑰為S = f(Rl,R2) mod F(N)。而上述f(Rl,R2)可依需要選擇為 R1+R2 或 RlxR2。 [f] 用戶端計算MPK modN而得一生成子C,並將上 述生成子C、公開金鑰PK'及模數N傳送給上述第一金 鎗回復中心(TKRC1),及第二金鑰回復中心(TKRC2),並 將上述公開金鑰PK、模數F(N)傳送至一認證中心CA。 [g] 第一金鑰回復中心(TKRC1)計算Ml =CR1 modN 後,並將其傳送給第二金鑰回復中心(TKRC2),同時,第 二金鑰回復中心(TKRC2)計算M2=CR2 mod N,並將其傳 送給第一金鑰回復中心(TKRC1); [h] 第一金鑰回復中心(TKRC1)計算Ml* = CR1 mod N、或 Ml* =(CR1xCR2)modF(N)其端視所選擇之 f(Rl , R2) 而定,並驗證檢查]Vil*是否等於Μ,同時,第二金鑰回 - * In ml 9 nn n e (請先閲讀背面之注意事項再填寫本頁) 訂 算 M2* = CR2 mod Ν、或 M2* =(CR2xCR1)mod F(N)其端視所選擇之f(Rl,R2)而定, 並驗證檢查1^12*是^等於M,若通過驗證,則其中第一 和第二金鑰回復中心分別利用其各自之的私密金鑰對公 開金鑰PK及模數N簽章後再將其傳送至上述認證中心 CA。 [i]上述認證中心收到第一和第二金鑰回復中心對公 開金鑰PK及模數N之簽章後,待驗證通過後即對PK及 N作一憑證證明,再回傳給用戶端之使用者; 21 復中心(TKRC2)計 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 經濟部中央揉攀局貝工消费合作社印装 A7 —_B7 五、發明説明(2〇) [j]用戶端則可使用加密金鑰SK,私密資料DK及 PWK加密用戶之私密金鑰S及其他個人私密金鑰》 如上所述,當用戶之金鑰遺失或有爭端,而必須由 第三者舉證時,即由第一和第二金鑰回復中心及認證中 心呼叫出相關之資料,如R1和R2藉S=(RlxR2)mod F(N)、或 S=(Rl+R2)mod F(N)其端視所選之 f(Rl,R2)而 定,以導出用戶端私密金鑰S。 實施例四之二:(金鑰回復機制) 一種識別卡安全控管方法,可藉以建構成使用於儲 存裝置之金鑰回復系統,上述系統可建置於一金鑰交換 系統其已公佈一公開值(Μ),以及具有第一金鑰回復中心 (TKRC1)及第二金鑰回復中心(TKRC2)之作業環境下,上 述金鑰回復系統其植基於解離散對數困難度的密碼系統 已存在一大質數Ρ及產生子g,其控管方法如下步驟: [a] 用戶端與伺服端先執行一如第二實施例之相互 認證之程序,認證完成後伺服端可得一加密金鑰(SK)及 儲存裝置上之私密資料(DK),並由自己所選之密碼而獲 得之PWK。 [b] 用戶端與第一金鑰回復中心(TKRC1)利用上述金 鑰交換系統或是執行上述相互認證之程序而獲得一第一 共享金鑰(SK1),同時亦與第二金鑰回復中心(TKRC2)進 行相同之程序而獲得一第二#享金鑰(SK2)。 [c] 第一金鑰回復中心(TKRC1)產生一第一媒介數 (R1),利用其與用戶端間的共享金鑰SK1加密後傳送給 22 本紙張尺度通用中國國家標¥ ( CNS ) Λ4規梢^U10X297公嫠) — (請先W讀背面之注意事項再填寫本頁) 裝·The Ministry of Economic Affairs, the Central Government Bureau of the Ministry of Economic Affairs, cooperation in charge of work-relief, Du Yin oxygen A7 B7 V. Description of the invention (ί) The present invention relates to a set of security control methods for a token card, and particularly relates to the use of cryptography to increase Decryption, digital electronic signature technology, and the concept of decentralized confidentiality to control the security and reliability of the network operating environment. Such identification cards can be all kinds of portable storage devices (storage media) such as soft magnetic disks, IC cards, ZIP or M0. Due to the increasing popularity and prevalence of commercial applications of the Internet, Internet offices and e-banks have also developed rapidly, and the correctness of electronic information transmission is the end-roller cipher element and the high degree of confidentiality of its security control mechanism. Protecting the rights and interests of everyone β As far as the network operating environment is concerned, users must rely on the integrated operation of their respective identification devices, registration machines, operating software, and general agreements to allow users to successfully operate on their clients Sign in and complete verification. And when users access the network, they are also the most likely to reveal their own secrets. “So in a network system, the client is often the least protected part,” which is easily intercepted and used by intruders. "Breaking the System" In addition, due to the availability of data on the Internet, users of software used in their login (client) are often subject to the potential threat of computer viruses. "Current software protection, divided by anti-virus software There is no obvious way to detect if the software has been tampered with by a virus. In terms of storage media (storage devices), the theoretical discussion generally assumes that storage media is very secure, such as using a 1C card or a signature card, but such equipment is more expensive and requires additional equipment. Therefore, it cannot be promoted in a large amount in the short term. ”And magnetic disk is a cheap and popular storage medium. The paper ilUUl is applicable to the Chinese National Mou (CNS) A4 Washer (210X297 mm) 111. — —J-lk — ^, installed --- II—Order ------ " " Cj (please read the notes on the back before filling out this page) Staff Consumer Cooperation of the Central Bureau of Standards of the Ministry of Economic Affairs Du printed A7 B7 V. Description of the invention (?) However, its security is low. At present, there are methods to increase the security of magnetic disks by using PKCS # 5. However, it is often easy to be cracked by dictionary attacks. In the current network security mechanism, the secret to ensure security is If the key is lost due to various factors, it will make the encrypted data unavailable and increase troubles. Therefore, the key recovery system is necessary for the secure transmission of the network. In the network file exchange environment, Document validity For a long time, in the modern fast-moving technology, the possibility of tampering and impersonation of electronic documents is quite high. Therefore, a set of verification mechanism for the ownership of electronic documents is designed so that even if the signature key is cracked, it is still There is no danger of being spoofed, in order to provide the necessary protection of the sending end, it is necessary. In view of this, the present invention proposes a set of identification card security control methods for the problems that may be encountered in the above-mentioned network applications. It includes the following parts: 1. The inspection mechanism to check whether the files in the system have been tampered with, to detect whether the files in the system have been invaded by intruders or viruses. 2. The control mechanism of the plant-based mutual authentication system is used to: Prevent intruders from using dictionary or brute-forcing attacks on encrypted data, and then prevent users from logging in on unsecure machines. 3. A group-oriented digital signature mechanism used for signature control, by After the user completes the authentication with the server, after the document is signed by the user, it must be signed by the server to prevent the user from inadvertently or Check out the document if you make a mistake. (Please read the precautions on the back before filling out this page.) This paper size applies to the Chinese National Standard (CNS> A4 specification (2 丨 0X297 mm). 5. Description of the invention (3 A7 B7. 4. The key recovery mechanism can be used to derive the key when the user's key is lost or there is a dispute and a fair third party needs to prove it. 5. The key recovery and decryption mechanism. 6. The ownership verification mechanism, To ensure that others cannot counterfeit or insert other forged documents between the issued documents. In order to make the above-mentioned objects, features, and advantages of the present invention more obvious and understandable, the control methods of the above-mentioned parts are specifically targeted below. The preferred embodiment will be described in detail with the accompanying drawings as follows. A brief description of the circle is shown below: The first diagram shows the directory structure of the software-^ 1-, -I HI 11 ^ 1 an nn mu t Jn (please read the precautions on the back before filling in this f). 2A ~ printed by the Central Government Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperative, shows the operation process of the second embodiment of the present invention. Figures 3A ~ 3B are the reply key encryption and decryption mechanisms, which are the data transmission and verification procedures, and the key and ciphertext recovery procedures, respectively. Embodiment 1: (Check mechanism for checking whether the crotch case of the system has been tampered with) An identification card security control method is used to detect and prevent the files in the client computer system from being tampered with by intruders or damaged by viruses. This control method is used in The operating mechanism on the client computer system includes the following two procedures: checking software installation procedures; and program testing procedures. Checking the software installation procedure includes the following steps: For each file and directory under each subdirectory under the root directory of the software to be controlled, use the "security hash function" to generate a corresponding first file hash value, and Stored on the client computer system; set the hash value of each first file in each sub-directory separately and set the paper size Common Chinese National Standard (CNS) A4 Specification (2 丨 OX 25 > 7 mm} Economy Printed by the Central Bureau of Standards of the People ’s Republic of China Consumer Cooperative A7 B7 5. Description of the invention (middle), and then use the security hash function to generate the corresponding first directory hash value, and store the first directory hash value in each Subdirectories: Repeat this way, the same actions are performed on the subdirectories under each level of the root directory to obtain the corresponding file hash value and directory hash value, and store them in the client computer system and each subdirectory. Until all the sub-directories in the root directory have their relative directory hash values, and then in this root directory, the hash values of all directories in the root directory are combined. And use a secure hash function to generate a first root directory hash value; use the private key of the client to sign the root directory hash value, and store the signature result on one of the user ’s portable storage devices ( (Identification card); and store the program verification program in the portable storage device. At this time, the storage device can be set as read-only to complete the verification software installation process. The program detection process includes the following steps : Run a program verification program; the verification program will use the secure hash function to generate a corresponding second file hash value for each file in the sub-directory under the root directory of the software the client wants to test, and check that it is stored with the client Whether the hash values of the first files are equal. If they are not equal, it means that the program in the software to be tested has been tampered with or the version is not consistent, and the testing process is stopped. Combine the hash values of the files in each sub-directory separately, and then use the security hash function to generate the corresponding hash value of the second directory. Compare the hash value of the second directory with the hash value of the first directory stored in each of the above sub-directories. If they are not equal, it means that the program in the software to be tested-niLmL,-, install-... ( Please read the notes on the back before filling in this page) The size of the paper is applicable to the Chinese National Standard (CNS) A4 specification (210X297 mm) Printed on the A7 _ ^ _ B7 by the Central Working Group of the Ministry of Furnishings ___ ^ _ B7 V. Invention Explanation (5): The detection procedure was stopped due to tampering or version inconsistency. Repeat the above check for sub-directories under each layer until all sub-directories under the root directory have their relative hash values for the second directory and all After verification, the hash value of the directory under the root directory is combined under the root directory, and a second hash value of the s-record is generated using the security hash function, which is then combined with the hash value of the first root directory stored on the client. In contrast, if they are not equal, it means that the program in the software to be tested has been tampered with or the version is not consistent, and the testing process is stopped. Finally, the hash value of the second directory is signed, and the portable Storage means reads out the result of the first signature root directory of the hash value, whether the two coincide test positive, it indicates that the client do not meet the case where the program has been tampered with or discrepancies editions. Assume that the file structure of the software to be controlled is shown in Figure 1. In checking the software installation procedure, first, a hash operation is performed on the root directory of the software to be controlled, the files or directories A ~ G under each directory to obtain a hash value hs (A) ~ hs (G), and hs ( A) The value of hs (G) is stored in the electric cat system on the user side. After combining the hash values hs (A) and hs (B) in the I subdirectory, for example, taking a mutex operation and then performing a hash operation to obtain the subdirectory hash value hs (I), the same can be obtained. The sub-directory hash value hs (II) is stored in the respective sub-directory. Combine the hash values hs (I), hs (E), and hs (F) in subdirectory III, and then perform a hash operation to obtain the subdirectory hash value hs (III). Similarly, subdirectory IV After the following hash values hs (II) and hs (G) are combined, $ is then hashed to obtain the subdirectory hash value hs (IV), and these subdirectory hash values are stored in the respective children. Directory. Finally, the hash value (please read the notes on the reverse side before filling out this page) This paper size uses the Chinese national standard (CNS > Α4 size (210 × 297 mm)) The Central Bureau of Standards of the Ministry of Economic Affairs and the consumer cooperation Du printed A7 B7 V. Description of the invention (6) hs (III) and hs (IV) are combined, and then a hash operation is performed to obtain a directory hash value hs (root). Finally, the private key of the client is used. Then, the hash value hs (root) of the root directory is signed, and the result of the signature is stored in the portable storage device of the user, and then the program verification program is stored in the portable storage device, which is completed. Check the software installation process. In the program testing process, first execute the above program checking program, which checks each file in the subdirectory under the root directory of the software that the client wants to test, and uses the security hash function to generate the corresponding hash value. hs * (A) ~ hs * (G), and check one-to-one with the hash value hs (A) ~ hs (G) stored in the client. If they are not equal, the software program to be tested. The program has been tampered with or the version does not match. Otherwise, the above test program generates hs * (I) ~ hs * (IV) and hs * (root) respectively according to the process of the installation process, and then checks the hash value stored on the client one by one. If hs (I) ~ hs (IV) and hs (root) are not equal, the program of the software to be tested has been tampered with or the version does not match and the process is stopped. Finally, the hash value hs * (root ) Sign and read the signature result of the first directory from the portable storage device t, check whether the two are consistent, if not, it means that the software program to be tested has been tampered with Or the version does not match, and complete the verification process. As can be seen from the above, by examining one by one, any changes in all file structures can be detected, so that users know the client- * S1. — ≫ 1- i nn HI — ^ n alL-p ι_ϋ n-(Please read the precautions on the back before filling out this page) Whether the program you have written has been tampered with or the version does not match Standard (CNS) A4 size (210X297 mm) Cooperative Du Indian Oxygen End Private Key Kss A7 B7 V. Description of the Invention (Ί) Example 2: (Control and Control Mechanism of Plant-Based Mutual Authentication System) Please refer to circles 2A to 2C, which shows the operation process of this embodiment The simplified diagram below will explain this embodiment in conjunction with 2A ~ 2C "One of the control mechanisms of the planting base pine mutual authentication system of the present invention is mainly using the password between the server, the client and its portable storage device Mutual authentication method to prevent intruders from performing dictionary or honeypot search attacks on encrypted confidential data in portable storage devices, and thus prevent users from logging in using unsecure machines. The operation mechanism of the above-mentioned control method on the client computer system includes the following three procedures: I. Registration procedure ′ The control method for the first login use. II. Authentication process. After the user completes the registration process, log in again to use the control method. III. Password Replacement Procedure "Please refer to Figure 2A. The registration procedure includes the following steps: [a] The client uses its identification code Π3, a talk key TK (sometimes also called the communication base code), and a first verification The factor > Π and related data are combined to generate a client first sign (TK + ID + N1), and the client encrypts the client first sign with the server's public key KSP to obtain the user The client ’s first confidential C1 = EN (KSP, TK + ID + N1) sends the client ’s first confidential C1, identification ID, a registration request Reg_req, and related data to the server. ⑼ After the server-side Yiqiwen reaches the above registration request Reg_req, the server unlocks the first confidential C1 of the client to obtain the aforementioned paper size. Use Chinese national standards (CNS > A4 format (210X 297 mm)- --------- '1—Γ " -install ------ order ------ * {Please read the note f on the back before filling this page) A7 B7 Central Department of Liji Printed by the Zhuhai Bureau Shellfish Consumer Cooperative Co., Ltd. 5. Relevant information such as the talk key TK, the first verification factor N1, and the identification code ID of the invention description (δ). The server generates an encryption key SK, a second verification factor N2, and an integer η '. The server uses the encryption key sk, the integer n, the first verification unit N1, the second verification factor N2, and related data. The first signature of the server (η + N2 + N 1 + SK + Time 1 + Salt) is combined, and the first signature of the server is encrypted with the talk key TK to obtain a first secret of the server Sl = (TK, n + N2 + Nl + SK + Timel + Salt), and then send S1 back to the client, where Timel is the system time, and Salt is a salt value 'This salt value can make each output different [C] After the client finishes receiving, use the talk key TK to unlock the first secret S1 of the server, and obtain the integer η, the encryption key SK, the first verification factor N1, and the second Verification factor N2, system time Timel, and salt value Salt. The client checks whether the first verification factor (N1) is the value originally sent, and checks the system time Timel to verify whether the transmission time is within a reasonable range. After the verification is correct, the client will combine the personal password PWD with the salt value Salt. Perform a hash operation η times to obtain a password packet OTP = Hn (Salt + PWD); [d] The client uses the above-mentioned password to encapsulate OTP, the second verification factor N2, and the system time Time2 as the second signing of the client ( 0TP + N2 + Time2), using the talk key (TK) to encrypt the second signature of the client to obtain a client ’s seventh secret C2 = EN (TK, OTP + N2 + Time2), then C2 Send to the server "| >] After the server receives the above-mentioned second secret C2 from the client, the above 10-» -1 ^^ 1 — ^ 1--n ^ im I * (Please read the precautions on the back first Please fill in this page again) Order-LT. This paper size is applicable to Chinese National Standard (CNS) A4 (210X297mm). The Central Ministry of Economic Affairs, Central Bureau of Standards, Bureau X, Consumer Consumption Agency, printing A7 ______ B7 _—___ 5. Description of the invention ( ί) The talk key TK unlocks the second secret C2 and obtains the above-mentioned cryptographic packet OTP, servo And verify that the second verification factor is the value originally sent, and check the system time Time2 to verify whether the transmission time is within a reasonable range. If it is correct, store the above-mentioned cryptographic packet OTP and the integer η on the server. Benefits a registration mark Reg_yes. The server uses the above-mentioned password packet 0TP, the registration mark Reg_yes, and the system time Time3 as the second signing body of the server (OTP + Req_yes + Time3). The above-mentioned session key is used to encrypt the second signing server to obtain a server. The second secret S2 = EN (TKL, OTP + Req_yes + Time3), and then send S2 back to the client. [f] After the client unlocks the second secret S2 of the server with the talk key, and receives the registration mark Reg_yes to confirm that the registration is correct, and the system time Time3 has been checked to verify whether the transmission time is within a reasonable range, it is generated by itself A client key CK and a hash of the user password PWD are derived to derive a password key PWK = H (PWD). Using the encryption key SK and the cryptographic key PWK, the client key CK is encrypted into a client ciphertext ECK and the result is stored on the client. In addition, the above-mentioned client key CK and password key PWK are also used to encrypt the user's private data DK: encrypted into a key cipher text EDK, and stored on the portable storage device to complete the registration process. Please refer to Section 2B. After completing the registration process, when the user logs in again, the authentication process includes the following steps: [a] The client recognizes it, ID 'a third verification factor N3, talks to be used with this program The key TK1 merges to produce a third client 11 paper wave scale applicable to China «House Oak Rate (CNS) A4 specification (210X297 mm) > · 1, ---: J thm m-♦-(---- I (please read the notes on the back before filling this page) Order the Central Government, the quasi- bureau Xing X Consumer Cooperatives A7 B7 V. Invention Description (/ 〇) Signature (TK1 + ID + N3), client Encrypt the third client of the client with the public key KSP of the server, and obtain the client's third secret C3 = EN (KSP, TK2 + ID + N3), and the client's third secret C3, the above The identification code ID, a confirmation request Auth_req, and related data are transmitted to the server. [B] After receiving the confirmation request Auth_req, the server uses the server's private key Kss to unlock the third secret C3 of the client and obtain the above-mentioned talks. The key TK1, the third verification factor N3, and the identification code ID, etc. The relevant information such as the password packet OTP and the integer η corresponding to the user in the above registration process are found in the storage device. If the integer η is less than 2, the user of the client must re-register. If the integer η is not less than 2, then The server generates an integer k and m less than η and m = η -k 〇 Then the key Τα, the integer m, the third verification factor N3, and related data are combined into the third sign of the server (m + N3 + Time4 + Salt), encrypting it with the talk key TK1 to obtain the server's third secret S3 = EN (TK1, m + N3 + Time4 + Salt), and return the server's third secret S3 to the client. [C ] After the client finishes receiving, use the talk key TK1 to unlock the third secret S3 of the server, and obtain the integer m and the third verification factor N3. The client checks whether the third verification factor N3 is the original one. Send the value and check the system time Time4 to verify that the mission time is within a reasonable range. 'After the verification is correct, the personal password entered by the client will be PWD conforming to 12 I paper size, using China National Standard (CNS) A4 Specifications (210X297 mm) -i \? M · 1 ^ (please first (Please read the notes on the back and fill in this page again.) No. 6 The Ministry of Economic Affairs Central Government Bureau of Shellfish Consumer Cooperation Du printed A7 B7 V. Description of the invention (丨 丨) and add the salt value Salt and then perform m hash operations. A first packet OTPl = Hm (Salt + PWD) is obtained, and a fourth verification factor N4 is generated, wherein the above-mentioned salt value Salt is the salt value during the registration process. [d] The client uses the above-mentioned first packet 0TP1, the above-mentioned fourth verification element (N4), and related information to merge into the client-side fourth signature (0TP1 + N4 + Time5), and uses the above-mentioned talk key TK1 to the above-mentioned The client ’s fourth signature is encrypted to obtain a client ’s fourth secret C4 = EN (TK1, OTPl + N4 + Time5), and 'C4 is sent back to the temple server. [E] The server receives the above-mentioned client After the four secrets C4, use the talk key TK1 to unlock the fourth secrets to get the first packet 0TP1. The server verifies whether the fourth verification factor (N4) is the value originally sent, and checks The system time is Time4 to verify whether the transmission time is within a reasonable range. If the transmission time is correct, the server will perform k hash operations on the first packet 0TP1. The calculation result Hk (OTPl) and the password stored in the server during the registration process. The packet OTP comparison is the same. After the verification is correct, the integer m is stored on the server and replaces the original integer η. At the same time, OTP1 is stored instead of the original OTP, and then the encryption key SK and the password packet 0TP1 generated in the above registration process are replaced with Verification success The information Auth_yes is merged into the fourth servo (0TP1 + SK_ + Auth_yes + Time6), which is encrypted with the talk gun TK1, and S4 = EN (TK1, 0TP1 + SK + Auth_y «s + Time6) is then returned to user terminal. [f] The client uses the talk key TK1 to unlock the encrypted data S4 13 This paper size uses tBI_ house standard rate (CNS) Λ4 wash grid (210X297 mm) ~~ '______1; —f install ______ Order ______0. * (Please read the note $ on the back before filling in this note) The Central Samples Bureau of the Ministry of Economic Affairs printed A7 B7 V. After the invention description (G), you will get the encryption balance SK , Password packet OTP 1, and authentication success message Auth_yes, and check the system time Time6 to verify whether the transmission time is within a reasonable range. After the authentication is determined to be successful, the user password PWD is hashed to derive a password key. PWK = H (PWD), the client uses the encryption key SK and the cryptographic key PWK to decrypt the ciphertext ECK stored on the client to obtain the client's remaining balance CK in the registration process described above. Use the client key CK, cryptographic key PWK, and encryption key SK to decrypt the ciphertext ECK stored in the portable storage device to obtain the user's private data DK. This completes the verification process, and the client then The messenger can then use his private information DK to perform the desired action. Please refer to Figure 2C. When the user wants to change the password, the password replacement process includes the following steps: [a] The client ID, its fifth verification factor N5, and the talk key TK2 to be used with this program. The fifth signature of the client (TK2 + ID + N5) is generated by the merger. The client encrypts the fifth signature of the client with the public key KSP of the server, and the client ’s fifth secret C5 = EN (KSP , TK2 + ID + N5), and transmits the fifth secret C5 of the client, the identification ID, a password replacement request CP_req, and related data to the server. [b] After receiving the password replacement request CP_req, the server uses the server's private key Kss to unlock the client ’s fifth secret C5 to obtain the talk key TK2, the fifth verification factor N5, and the identification code ID. 14 This paper size is in accordance with Chinese National Standard (CNS) A4 (210X297 mm) {Please read the notes on the back before filling this page). Install A7 _ · _B7__ 5. Description of the invention (丨 3) About the data 'server and find out the integer η data corresponding to the user in the above registration process' The server generates a positive integer m = nk and integer I, Where k is also an integer, then the integers m, l, the fifth verification factor N5, and related data are combined into the server's fifth signature (m + I + N5 + N6 + Time7 + Saltl + Salt2). The server's fifth secret S5 = EN (TK2, m + I + N5 + N6 + Time7 + Salt + Saltl) is encrypted, and the server's fifth secret S5 is returned to the client. [C] The client finishes receiving Then, use the above-mentioned talk key TK2 to unlock the fifth secret S5 of the server, and obtain the integers m, I, and The fifth verification factor N5 is described. The client checks whether the above fifth verification factor N5 is the value originally sent, and checks whether the system time Tΰηβ7 is within a reasonable range. After the verification is correct, the client will merge the personal password entered by the messenger PWD and The salt value Salt 1 is hashed m times to obtain a first packet OTPl = Hm (Salt + PWD). At the same time, the new password NPWD inputted by the user is hashed one time to obtain a second packet 0 τ P 2 = Hi (Saltl + NPWD). [d] The client uses the above-mentioned first packet 0TP1, the second packet 0TP2, and the above-mentioned sixth verification factor N6, and related information to merge into the client's sixth signature (OTP 1 + OTP2 + N6 + Time8), using the above The meeting key TK2 encrypts the sixth signature of the client and obtains a sixth secret C6 = EN (TK2, OTPl + OTP2 + N6 + Time8) of the client, and then transmits C6 to the server. & [e] After receiving the client ’s sixth confidential C6, the server uses the talk key TK2 to unlock the sixth confidential C6, and obtains the 15th paper size above. ) A4 size (210X297mm) " --- n I l · n L · ^ HI * (Please read the precautions on the back before filling in this purchase) Order 6 Printed by the Central Ministry of Economic Affairs, Central Bureau of Standards and Labor, Consumer Cooperatives * A7 B7 V. Description of the invention (i) One packet, 0TP1 and the second packet, the server verifies whether the above-mentioned sixth verification factor N6 is the value originally sent, and checks whether the system time is within a reasonable range; If there is no error, the server will perform the hash calculation on the first packet 0TP1 k times. Its operation result is the same as the registration procedure t The password packet comparison stored on the server is the same. After the verification is correct, the integer I will be stored on the server instead of the original integer. n 'also stores the second packet on the server, and generates a new encryption key NSK' The encrypted Jinyu SK and the new encryption key NSK generated by the registration process, the first packet 0TP1 and the second packet 0TP2, and the replacement Success message CP_yes merged into Serve the sixth sign (0TP1 + 0TP2 + SK + NSK + CP_yes + Time9), encrypt it with the talk key and send it back to the client. [f] After the client decrypts the encrypted data with the talk key TK2, the client obtains the encryption key SK, the new encryption key NSK ', the first packet 0TP1 and the second packet 0TP2, and the message of successful replacement CP_yes. After success, and check the system time Time9 is within a reasonable range. First use PWK and SK to extract the ciphertext ECK stored on the client, and then use CK to combine the key PWK derived from the user's personal password and SK to extract the key ciphertext EDK that was originally encrypted and stored in the portable storage device. After that, the client generates a new client key (NCK) on its own. The NPKK encrypted NCK derived from the previously obtained NSK and the user's new password NPWD is stored on the client, and the DK is encrypted with NPWK, NSK, and NCK. The result is stored in the portable storage device t. One of the third embodiment: (used in the group-oriented digital f chapter for signature control), 16 paper sizes are applicable to China National Standard (CNS) A4 specification (2 丨 0X297 mm) ------ 1丨 _iT Pack ------ 1T ------ 0 (Please read the notes on the back before filling in this purchase) Printed by the Central Standards Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperative, A7 B7_V. Description of the invention (丨 6 *) An identification card security control method, which is a group-oriented digital signature system with multiple signature methods, to prevent users from unintentionally checking out documents, including the following steps: When the document is issued, the above-mentioned document is firstly signed with the private key of the client and the first signature is obtained, and then the first and second signatures are signed with the private key of the server to obtain a second signature. Sign and complete the process of signing; and in the verification process, the second signature is first unlocked with the public key of the server to obtain a verification signature, and then the verification signature is made public by the user The key is unlocked to obtain a verification file. Compare the first verification file with the original file. The same, it means that if the correct signature line is correct. In the following, an embodiment of the signature control system of the present invention is constructed under the RSA signature system. Under the group-oriented digital signature system of the multiple signature method of the RSA system, a control method for preventing users from unintentionally checking out documents includes the following steps: The public records of the client and server are up and sp, its modulus is Nu and Ns, and its corresponding private key is us and ss, respectively; during the signing process, the user ’s private key us is first used to sign the file M to obtain SIG and Mus mod. Nu, then use the server ’s private key ss to sign SIG1 to obtain SIG2 = SIG1SS mod Ns; during the verification process, when the recipient wants to verify the signature SIG2 of the document M, first use the server ’s public key sp to calculate SIG2sp. SIG1 is obtained by mod Ns, and SIGlupmodNu is calculated by using the public key of the client. M1 is a value to be verified. 17 This paper size applies the Chinese National Standard (CNS) A4 specification (2 丨 0X297 mm) * * 1 —ι—HIL --- r 、 install-* (Please read the precautions on the back before filling this page) Order the Central Samples Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperatives, printed A7 B7_ 5. Description of the invention (4) Check Ml Is it equal to file M, if it is equal, SIG2 is the correct signature, Otherwise it is not properly signed. From the above, it can be known that the signature of this mechanism must be signed by the client and then signed once by the server. Therefore, it has the function of double verification, so it will not happen due to the negligence of the messenger or the operation error. And check out the file. Embodiment 3bis: (Ship-oriented digital signature mechanism used for signature control) An identification card security control method is used under the group-oriented digital signature system of group signature to prevent users from The control method for unintentionally checking out a document is as follows: Both the server and the user of the client have only one public public key, and the server and the user of the client each have their own private key and its private key. Corresponding public key, the above-mentioned common public key is obtained from the server public key and the user public key, and the document to be checked out must be signed by the user's private key before being signed by the server. The private key can be sent only after it is signed. When verifying the signature of the checked-out document, the above-mentioned common public key must be used to decrypt the signed-out document and compare it. In the following, an embodiment of the signature control system of the present invention will be constructed using a modified system of ElGamal. An identification card security control method, which is based on the ElGamal variant system, is a group-oriented digital signature system under the group signature method to prevent users from unintentionally checking out documents. Sub-g and a large prime number P, the private key of the user is 18 This paper size applies to Chinese National Standard (CNS) A4C (210X297 mm) (Please read the precautions on the back before filling this page) Ministry of Economic Affairs _ Printed by the Central Consumers ’Cooperative of the A7 B7 V. Invention Description (β) us, and its corresponding public Jinyu is up = gus mod P, the private gilt of the temple service end is ss, and its relative public Jinyu is sp = gss mod P, and the common public key of the two is Y = (upxsp) modP. The special virtue of the above control method lies in: When the user of the client wants to check out the file (M) The client and server perform the signing process and verification process according to the following steps: During the signing process: [έ] The client and server generate random variables kl and k2 respectively; [b] The client calculates rl = gkl mod P, At the same time, the server also calculates r2 = gk2 mod P, after which the user Exchange rl and r2 with the server; [c] Both client and server calculate R = (rlxr2) mod PPP; [d] The client first verifies whether spM and (r2Rxgss) mod P are equal. If the two are equal, the user The terminal calculates Sl = (usxM-klxR) mod (P-1); and [e] The server verifies whether P is equal. If the two are equal, the server calculates S2 = (ssxM-k2xR) mod (P-1). If they are not equal, the signature program will end and the process will be restarted; otherwise, SIG = (R, S = (S1 + S2) mod P-1) will be used as the signature of document M. II. During the verification process: The common public key Υ is used to verify whether YM mod P is equal to RRxgs mod P. If they are, it means that the SIG is the correct signature of the document M, otherwise it is not the signature of the original disc. From the above, it can be known that the signature of this mechanism must be signed by the client and then signed once by the server, so it has the function of double verification, so it will not happen due to the negligence of the messenger or the operation error. , And check out the document β 19 ------: --- λ-, installed-«(Please read the precautions on the back before filling out this page) Order. 6 This paper size applies to Chinese National Standards (CNS) A4 specification (210X297 mm) A7 B7 printed by the Zhengquan Consumers Cooperative in the Ministry of Economic Affairs 5. Description of the invention (1¾) One of the fourth embodiment: (Key recovery mechanism) A security control method for identification cards The key recovery system used in the storage device is constructed, and the above system can be built in a key exchange system, which has published a public value (M), and has a first surplus recovery center (TKRC1) and a second key. In the operating environment of the recovery center (TKRC2), the control method of the above key recovery system is as follows: [a] The client and server first execute the mutual authentication procedure shown in the second embodiment. After the authentication is completed, the server Get an encryption key ( SK) and the private data (DK) on the storage device, and obtain the PWK with the password of your choice. [b] The client generates two prime numbers p and q, where pxq = N, where N is a modulus. [c] The client and the first remnant response center (TBCRC1) obtain the first shared key (SK1) by using the above key exchange system or performing the above-mentioned mutual authentication procedure, and also communicate with the second key recovery center (TKRC2) Perform the same procedure to obtain a second shared key (SK2). [d] The first and second key recovery centers (TKRC1 and TKRC2) generate a first media number (R1) and a second media number (R2), respectively, and then use the first and second numbers between them and the client, respectively. The shared key (SK1 and SK2) is encrypted and transmitted to the client after the first and second media numbers are encrypted. [e] After receiving the first and second media numbers, the user uses them to generate a public key. If the public key (PK) cannot be generated, repeat steps c, d, and e until a Up to the public key; where the above public key PK matches the following formula, PKx (f < Rl, R2)) = 1 20 This paper uses the Chinese standard (CNS) 8 secrets (21〇χ-297mm) one " ------ rI- 、 装- ---- Order ------ C * (Please read the precautions on the back before filling this page) Printed by A7 _ ^ _ B7_ of the Cooperative Work Cooperation between Shell and Consumers of the Central Bureau of Standards of the Ministry of Economic Affairs ) mod F (N), where F (N) = (pl) X (ql) or F (N) is the least common multiple of (pl) and (ql), and the private key of the client relative to PK is S = f (Rl, R2) mod F (N). The above f (Rl, R2) can be selected as R1 + R2 or RlxR2. [f] The client calculates MPK modN to obtain a generator C, and generates the above generator Child C, the public key PK 'and the modulus N are transmitted to the first golden gun recovery center (TKRC1) and the second key recovery center (TKRC2), and the public key PK and the modulus F (N) are transmitted. [G] The first key reply center (TKRC1) calculates Ml = CR1 modN and sends it to the second key reply center (TKRC2), and at the same time, the second key reply center (TKRC2) TKRC2) Calculate M2 = CR2 mod N and send it to the first key reply center (TKRC1); [h] first key reply The center (TKRC1) calculates Ml * = CR1 mod N, or Ml * = (CR1xCR2) modF (N), depending on the selected f (Rl, R2), and verifies that] Vil * is equal to M, and Second key back-* In ml 9 nn ne (Please read the notes on the back before filling this page) Set M2 * = CR2 mod Ν, or M2 * = (CR2xCR1) mod F (N) F (R1, R2) is selected, and the verification check 1 ^ 12 * is ^ equal to M. If the verification is passed, the first and second key recovery centers use their respective private keys to publicly pay The key PK and the modulus N are signed and then transmitted to the above-mentioned certification center CA. [i] After receiving the signatures of the public key PK and the modulus N by the first and second key reply centers, After the verification is passed, a certificate of PK and N is issued, and then it is transmitted back to the user of the client; 21 Paper Center (TKRC2) paper size is applicable to China National Standard (CNS) A4 specification (210X297 mm) Ministry of Economic Affairs Printed by the Central Government Bureau of Shellfisher Consumer Cooperative A7 —_B7 V. Description of the invention (20) [j] The client can use the encryption key SK, and the private data DK and PWK to encrypt The user ’s private key S and other personal private keys ”As mentioned above, when the user ’s key is lost or there is a dispute, and a third party must prove it, the first and second key recovery centers and certification centers Call out relevant information, such as R1 and R2 by S = (RlxR2) mod F (N), or S = (Rl + R2) mod F (N), the end depends on the selected f (Rl, R2), To export the client's private key S. Embodiment 4bis: (Key Recovery Mechanism) An identification card security control method, which can be used to construct a key recovery system for storage devices. The above system can be built in a key exchange system, which has been published and published. Value (M), and an operating environment with a first key recovery center (TKRC1) and a second key recovery center (TKRC2), the above-mentioned key recovery system is based on a cryptographic system that solves discrete logarithmic difficulty. For a large prime number P and a generator g, the control method is as follows: [a] The client and the server first execute a mutual authentication procedure as in the second embodiment. After the authentication is completed, the server can obtain an encryption key (SK ) And the private data (DK) on the storage device, and the PWK obtained by the password of your choice. [b] The client and the first key recovery center (TKRC1) obtain the first shared key (SK1) by using the above key exchange system or performing the above-mentioned mutual authentication procedure, and also communicate with the second key recovery center (TKRC2) Perform the same procedure to obtain a second #shared key (SK2). [c] The first key recovery center (TKRC1) generates a first medium number (R1), encrypts it with the shared key SK1 between the client and the client, and sends it to 22 paper standards. Common Chinese national standard ¥ (CNS) Λ4 Regulations ^ U10X297 Gong) — (Please read the precautions on the back before filling this page)

.1T A7 B7 經濟部中央樣隼局負4消费合作社印製 五、發明説明(y) 用戶端,並計算CU=gR1 modP,再將Cl送至第二金鑰回 復中心(TKRC2),同時,第二金鑰回復中心(TKRC2)產生 一第二媒介數(R2),利用其與用戶端間的共享金鑰SK2 加密後傳送給用戶端,並計算C2=gR2 P,再將C2 送至第一金鑰回復中心(TKRC1)。 [d] 用戶接到第〆和第二金鑰回復中心所送來之上 述第一和第二媒介數R1、R2後’藉兩者以產生一公開金 鑰PK = gf(R1,R2) mod P,則使用者相對於PK之私密金鑰 S為由f(Rl,R2)mod(P-l)而得,為上述第一和第二媒介 數R1、R2之一特定運算值,可視需要,將上述f(R1,R2) 選擇為R1+R2或RlxR2。 [e] 用戶端將PK傳送給第一金鑰回復中心 (TKRC1)、第二金瑜回復中心(TKRC2),與一認證中心 CA。 [f] 若f(Rl,R2)=RlxR2則,第一金鑰回復中心 (TKRC1)計算Ml=PKinv(R1〉modP後並比較驗證Ml是否 等於C2,同時,第二金鑰回復中心(TKRC2)計算 M2=PKinv(R2)modP後並比較驗證M2是否等於C1,其中 inv(Rl)表示(Rl)*1 modP-1 之運算。若 f(Rl,R2)=R1+R2 則第一金鑰回復中心(TKRC1)計算Ml=PKxginv(R1) mod P 後對比較Ml是否等於C2,同時TKRC2計算 M2=PKxginv(R2) mod P後並比較M2是否等於C1 » [g] 若通過驗證後,第一和第二金鎗回復中心以其各 自的私密金鑰對PK簽章後,再傳送至上述認證中心 ------:—.._ ( '裝— (請先閲讀背面之注意事項再填寫本頁) 訂 本紙张尺度適用中囷囷家標率(CNS ) A4規格(210X297公釐) 經濟部中央標準局員工消費合作社印製 A7 B7五、發明説明(〉 CA。 [h] 上述認證中心收到第一和第二金鑰回復中心對 PK之簽章後,待驗證通過後即對PK作一憑證證明後, 再回傳給用戶端。 [i] 用戶端使用加密金鑰SK,私密資料DK及PWK, 來加密私密金鑰S及用戶其它個人私密資料。 如上所述,當用戶之金鑰遺失或有爭端,而必須由 第三者舉證時,即由第一和第二金鑰回復中心及認證中 心呼叫出相關之資料,如R1和R2,即可藉S=(RlxR2) mod(P-l)、或S=(Rl+R2)mod(P-l)而導出用戶端私密金 鑰S 〇 實施例五:(回復金鑰加解密機制) 一種識別卡安全控管方法,藉此方法構成一回復金 鑰加解密系統,上述回復金鑰加解密系統之控管方法包 括: 資料傳送及驗證程序,係為正常情形下之資料傳送 程序;以及 金鑰及密文的回復程序,藉以當發文端之金鑰或明 文遺失時,能利用此一機制將之回復; 上述資料傳送及驗證程序,請參照第3A圖所示之 方塊圖,其包括如下步驟: [a]當發文端欲傳送明文資料岭.給收文單位時,發文 單位先產生一通訊基碼SK(又稱為會談金鑰),再由一發 文端加解密器ENS,以發文端之私密金鑰KGS對上述通 24 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) -----l·'丨~^-Γ'-裝------訂------Q * (請先閱讀背面之注意^項再填寫本頁) 經濟部中夹揉準局貝tir:消费合作社印装 A7 B7 _____ 五、發明説明(H) 訊基碼SK進行加密而得(SK)kgs,並以收文端之公開金 鑰PKR對上述通訊基碼SK進行加密而得(SK)PKR,將上 述通訊基碼SK與上述(SK)KGS進行特定之運算而得一發 文端密鑰,在此實施例為互斥運算,所以發文端密鑰為 SK㊉(SK)KGS。 以上述發文端密鑰對所欲傳送之明文資料Μ進行加 密而得一密文SM=(M)SKe(SK),對上述通訊基碼SK、 (SK)KGS、(SK)PKR及特定相關資料,(例如,發文端之機 關代碼IDS、收文端之機關代碼IDR、及一初始向量值 IV等)進行雜湊運算而得到一信託認證子EA。再以一家 族金鑰FK對上述對上述(SK)KGS、(SK)PKR、特定相關資 料IDR和IDS、以及信託認證子EA進行加密而得一法定 存取攔位LEAF,再將上述密文SM、法定存取欄位 LEAF、以及初始向量值IV傳送至收文端。 [b] 收文端接收上述資料後,利用家族金鑰FK解開 LEAF而得到上述(SK)KGS、(SK)PKR、信託認證子EA、以 及特定相關資料IDS、IDR、及IV。利用收文端私密金 鑰KGR解開(SK)pkr而得上述通訊基碼SK,以通訊基碼 SK將所接收之上述(SK)KGS還原而可得上述發文端密鑰 SK®(SK)kgs,再利用發文端密鑰解開密文 SM= (M)SK0(SK)K〇s而得到明文資料Μ :以及 [c] 收文端並對所接收後解得之上述通訊基碼SK、 (SK)KGS、(SK)PKR、及特定相關資料IDS、IDR、及IV進 行雜湊運算,其運算結果用以與所接收到之信託認證子 25 冬紙张尺度i用中國國家樣準(CMS ) Μ規格(210X2?7公釐) ^ "" iil.*—L_r、裝----——訂-----b (請先閲讀背面之注意事項再填寫本頁) 經濟部十央橾率局員工消費合作杜印製 A7 B7 五、發明説明(24 ) EA互相比對,若相等則表示驗證成功傳輸過程無誤。 其中上述收文端金鑰KGR是由一第一金鑰管理單 位和第二金鑰管理單位分別提供之收文端第一金鑰因子 KGR1與收文端第二金鑰因子KGR2,兩者經特定運算後 而得,另外上述發文端金餘KGS是由一第金餘管理單位 和第二金鑰管理單位分別提供之收文端第一金鑰因子 KGS1與收文端第二金鑰因子KGS2,兩者經特定運算後 而得》在此實施例中KGR = KGR1㊉KGR2, KGS = KGS1 ㊉ KGS2。 當發文端之金鑰或明文遺失時,請參照第3B圖所 示之方塊圖,上述金鑰及密文的回復程序,其包括如下 步驟: 發文端先要求上述第一金鑰管理單位及第二金鑰管 理單位取出第一金鑰因子KGS1與收文端第二金鑰因子 KGS2,由KGS1與KGS2即可經互斥運算帀得發文端金 鑰 KGS ’· 利用回復之發文端金鑰KGS,即可將(S] 得上述通訊基碼SK,再利用上述通訊基碼與(SK)kgs 進行互斥運算而得到上述發文端密鑰SKe(sf〇KGS,利用 此一發文端私密金鑰即可以將密文解開而得到明文資 料。 由上所述,利用本發明之回復金錄加解密機制,其 可在金鑰遺失之場合,輕易地將金鑰恢復,再藉以將密 文解出回復,可避免因金鑰遠失而遭致漏失資料之情形 --------: —「裝-- (請先閲讀背面之注意事項再填寫本頁) 訂 26 本紙張尺度適用中國國家標準{ CNS ) A4規格(210X297公釐) A7 B7 經濟部令央樣準局貞工消費合作杜印褽 五、發明説明(25 ) 發生。 實施例六:(所有權驗核機制) 一般所有權驗核機制’在理論上可使用資料隱藏法 技術在文件中藏入不易查覺之資訊做為所有權之證據。 然而’以文件而言所加入之隱藏資訊,確可能因為使用 軟體之不同,而改變了隱藏的資訊,而使所有權之歸屬 有所爭議。另外,亦有藉改變文件内容之語法、語意、 同義字或文句中標點等,將額外的資訊藏入原文_。然 而此類方法’其實作困難且改變文件之表達方式,可能 造成閱讀上的不順暢,所以並不切實際。 本發明之所有權機制,利用密碼技術實現電子文件 所有權驗核之機制,其可在不修改文件原文之内容的前 提下’能做到保護發文者的擁有權及文件之完整性0 擁有權機制所要處理之情形為,當一份文件被不當 使用(例如有人冒用發文者發佈不實文件)時,發文者可透 過公正程序證明該文件並非屬於發文者所有。 本發明所提出之一種所有權驗核機制,其透過密碼 學上之技巧,建立一份與其前、後各文件間之關連性, 以確保他人無法在已發出的文件間插入其他偽造之文 件。此一關連性可經由一公正當局在適當時加以揭示, 以確保發文者之所有權不被他人所冒用β 亡本發明之所有權驗核機制,可由發文端Α、收文端 B、及所有權公正機關TKC及公正機關TTP互相連動運 作。而發文端A與所有權公正機關間之所有訊息交換均 本紙張尺度適用中國國家標準(CNS ) A4規格(21 OX 2M公釐) —i I I ---t n n n .^1 I n I I --- * (請先M讀背面之注意Ϋ項再填寫本頁) 經濟部中央樣準局負工消費合作社印製 A7 B7五、發明説明(A) 經公證處理,以確保雙方文件交換之不可否認性,詳細 交換過程如下: I. 初始階段: 在第一次登入時,於發文端A隨機選取一數字N〇。 於發文端A產生所有權簽署金鑰對八。3、Απ,以及 通訊金瑜Kat。 以及,發文端A經由公證程序將八。8及KAT送交上 述所有權公正機關TKC。 II. 第一次文件傳輸: a.對第一份文件%產生一第一文件表頭 AsII^No+IDa+SD},其中 IDA 為發文 端A之身份識別碼,S〗為第一份文件之序號,As為發文 端A之文件簽署密鑰,h(·)表雜湊函數。 . b.發文端A利用所有權簽署金鑰八。3對上述第一文 件今頭MT1簽章而得第一表頭簽章Α<^{ΜΤ1},發文端合 併IDA、公正機關身份識別碼IDTTP、收文端身份識別碼 IDB、文件表頭MT1、及第一表頭簽章以通訊 金^ KAT加密,再將其與第一份文件之表頭MT1傳送至 公正機關TTP。 c.公正機關TTP收到後,令L等於上述第一文件表 頭MT1,並將IDA、IDB、AUTi}、以及L儲存。d.發文 端A將IDA+ AWTj+MU以公證程序送交收文端B。 e.收文端B將ApS{T!}及文件序號、收文方等文件識 (請先聞讀背面之注意事項再填寫本頁) 裝· ,11 h 別資訊以KBT加密後 以TTP之公開金鑰ΤΤΡΡ加密後 28 本紙張尺度適用中國國家標準(CNS > A4規格(210X297公釐) 經濟部中央橾準局員工消费合作社印製 A 7 B7五、發明説明(叫) 送交TTP。 f. TTP以其私密金鑰TTPs解開上述密文後比較步驟 e中之八如丨丁丨丨是否相同,並將比較結果以KBT加密後送 給B。 g. 若步驟f令之較結果為相同則B執行步驟h,否則 B可要求A動新執行步驟d。 h·最後收文端B儲存AoJTG。 III.第i次文件傳輸: a. 發文端A對第i份文件產生第i文件表頭MTi=IDA + Si +h(Mi)+ (Ao^hCTw),其中Si為第i份文件之序號。 b. 發文端A利用所有權簽署金鑰八。8對上述第i文件 表頭MTi簽章而得第一表頭簽章Α^{ΜΤί},發文端A合 併IDA、公正機關身份識別碼IDTTP、收文端身份識別碼 IDB、文件表頭MTi、及第i表頭簽章Αμ{Μή}後以通訊 金鑰ΚΑΤ加密,再將其與第i份文件之表頭MTi傳送至公 正機關TTP。 c. 公正機關TTP收到後,令Ti等於上述第i文件表 頭MTi與第i-Ι次文件表頭Ti.fMTw之互斥運算值 Μτ沖Tw,並將 IDA、IDB、A0S{MTi}、.以及 儲存。 d. 將T1以Ti取代,重覆第一次傳輸中之步驟d~ h, 如此來從事正常之文件傳送。 依上述機制運作之文件系#*,當收文端B提出M* 及AUMti},欲證明M*為發文端A所送出之文件,則公 正機關TTP可公佈Aop並解出MTi,再根據MTi之内容確 29 (請先閲讀背面之注意事項再填寫本頁) 本纸張尺度適用中國國家標準(CNS〉A4規格(210X297公釐) 經濟部中央標準局貝費合作社印製 A 7 B7五、發明説明(β) 定文件是否為發文端A所發出,若Μ*為事後偽造之文 件,則根據兀及MTi之關連性,ΤΤΡ可證明Μ*非由發文 端所發出,其前後文件之關連性如下: 往前關連性為Μ·π=Τί㊉Ti_i ; 往後關連性為自MTi+1中取出(Aop^h(Ti)欄位,h(Ti)= (Aop㊉ h(TiB®Aop。 由上述可知,本發明之所有權核驗機制,其透過密 碼學之技巧,建立各文件間之前後關連性。如此一來, 縱使簽章系統被破解之情形下,仍不會有被仿冒、偽簽 之危險。因為,入侵者無法得知文件間之關連性,故而 無法在已發出之文件插入其他偽造之文件。而此一機制 也藉由關連性而可輕易地驗證文件之所有權歸屬。 根據本發明之安全控管方法有: 一、 檢驗系統檔案有無遭篡改的檢查機制。 二、 植基相互認證系統的控管機制。 三、 使用於簽章控管的群體導向數位簽章機制。 四、 金鑰回復機制。 五、 回復金鑰加解密機制。 六、 所有權驗核機制。 由上述之各種控管方法,可確知本發明對於網路環 境下運作之系統可提供較佳之保密及保障,尤其對於用 戶端之使用者之防護能更具有可靠性和安全性,本發明 所提出一套識別卡安全控管方法,其對於用戶端的軟體 及存於可攜式儲存裝置的私密資料,如私密金鑰等,利 30 (請先閲讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家標率(CNS ) A4規格(210X297公釐) A7 經濟部中央搮準局貝工消费合作社印製 B7五、發明説明(θ) 用密碼學加解密、電子簽章技術、以及分散機密的觀念 來加以保護,以提高入侵者破解機密而危害系統的困難 度。而對於使用者的私密金鑰遺失後金鑰回復之措施亦 提出一可行之方案。另外,亦提出一所有權驗核機制而 達到發文者擁有權及對文件完整性能有所保護之目的。 上述相關之實施例中,本發明有使用到可應用儲存 裝置之系統,而儲存裝置中的内容不外乎為: 一、 測試程式,用以測試欲測程式之版本,及程式 之正確性。 二、 個人之機密資料,包括個人私密金鑰等。 三、 公開資料,如驗證碼(Certificate)、使用者ID、 用戶相關資料、磁片編號等。 四、 測試資料,如程式雜湊值之簽章、程式版本及 曰期之簽章等。 上述各項可視所需之情形而調整。 雖然本發明已以多個較佳實施例揭露如上,然其並 非用以限定本發明,任何熟悉本項技藝者,在不脫離本 發明之精神和範圍内所提出之測試機制,均係涵括在本 發明之保護範圍内。 -----^ ! rf 裝! « (請先閱讀背面之注意事項再填寫本頁) 訂.1T A7 B7 Printed by the Central Government Bureau of the Ministry of Economic Affairs, 4 Consumer Cooperatives. 5. Invention Description (y) The client, calculates CU = gR1 modP, and sends Cl to the second key recovery center (TKRC2). At the same time, The second key recovery center (TKRC2) generates a second media number (R2), encrypts it with the shared key SK2 between the client and the client, sends it to the client, calculates C2 = gR2 P, and sends C2 to the first A key recovery center (TKRC1). [d] After receiving the first and second media numbers R1 and R2 sent by the first and second key reply centers, the user borrows both to generate a public key PK = gf (R1, R2) mod P, the user's private key S relative to PK is obtained by f (Rl, R2) mod (Pl), which is a specific operation value of the first and second media numbers R1 and R2. The f (R1, R2) is selected as R1 + R2 or RlxR2. [e] The client sends the PK to the first key response center (TKRC1), the second golden-yu response center (TKRC2), and a certification center CA. [f] If f (Rl, R2) = RlxR2, the first key recovery center (TKRC1) calculates Ml = PKinv (R1> modP and compares and verifies whether M1 is equal to C2. At the same time, the second key recovery center (TKRC2 ) Calculate M2 = PKinv (R2) modP and compare and verify whether M2 is equal to C1, where inv (Rl) represents the operation of (Rl) * 1 modP-1. If f (Rl, R2) = R1 + R2, then the first gold The key recovery center (TKRC1) calculates whether Ml = PKxginv (R1) mod P and then compares whether M1 is equal to C2, and TKRC2 calculates M2 = PKxginv (R2) mod P and compares whether M2 is equal to C1 »[g] If it passes the verification, The first and second gold gun reply centers sign the PK with their respective private keys, and then send them to the above-mentioned certification center ---: -.._ ('装 — (Please read the note on the back first) Please fill in this page for the items) The size of the paper is applicable to the standard of China Standards (CNS) A4 (210X297mm) Printed by the Consumer Cooperatives of the Central Bureau of Standards of the Ministry of Economic Affairs A7 B7 V. Description of the invention (> CA. [h] After receiving the signature of the PK from the first and second key reply centers, the above certification center will send a certificate to the PK after the verification is passed, and then send it back to the client. [I] The client uses the encryption key SK, private information DK and PWK to encrypt the private key S and other personal private information of the user. As mentioned above, when the user's key is lost or there is a dispute, it must be proved by a third party. That is, the relevant information is called by the first and second key reply centers and certification centers, such as R1 and R2, and S = (RlxR2) mod (Pl), or S = (Rl + R2) mod (Pl) And the private key S of the client is derived. Embodiment 5: (Restoring Key Encryption and Decryption Mechanism) An identification card security control method, by which the method constitutes a replying key encryption and decryption system. Management methods include: data transmission and verification procedures, which are normal data transmission procedures; and key and cipher text recovery procedures, so that when the sender ’s key or plain text is lost, this mechanism can be used to reply ; For the above data transmission and verification procedures, please refer to the block diagram shown in Figure 3A, which includes the following steps: [a] When the sending end wants to send clear text data ridge. When sending to the receiving unit, the sending unit first generates a communication base code SK (Also known as talks Key), and then the sender encrypts and decrypts ENS, and uses the sender ’s private key KGS for the above-mentioned 24 paper sizes to apply the Chinese National Standard (CNS) A4 specification (210X297 mm) ----- l · '丨 ~ ^ -Γ'-pack ------ order ------ Q * (Please read the note on the back ^ before filling in this page) The Ministry of Economic Affairs, Treasurer, Tir: Consumer cooperative seal Install A7 B7 _____ V. Description of the invention (H) The base code SK is encrypted to obtain (SK) kgs, and the above public base key PK is used to encrypt the communication base code SK to obtain (SK) PKR. The communication base code SK and the above-mentioned (SK) KGS perform a specific operation to obtain a sender key. In this embodiment, the sender key is mutually exclusive, so the sender key is SK㊉ (SK) KGS. The plaintext data M to be transmitted is encrypted with the above-mentioned sender key to obtain a ciphertext SM = (M) SKe (SK), and the above communication base codes SK, (SK) KGS, (SK) PKR and specific correlation Data (for example, the institution code IDS at the sending end, the institution code IDR at the receiving end, and an initial vector value IV, etc.) are hashed to obtain a trust authentication sub-EA. Then a family key FK is used to encrypt the above-mentioned (SK) KGS, (SK) PKR, specific related data IDR and IDS, and the trust authentication sub-EA to obtain a legal access block LEAF, and then encrypt the above ciphertext SM, legal access field LEAF, and initial vector value IV are transmitted to the receiver. [b] After receiving the above information, the receiver uses the family key FK to unlock the LEAF to obtain the (SK) KGS, (SK) PKR, trust authenticator EA, and specific related information IDS, IDR, and IV. The above-mentioned communication base code SK is obtained by decrypting the (SK) pkr with the private key KGR of the receiving end, and the received above-mentioned (SK) KGS is restored with the communication base code SK to obtain the above-mentioned sending end key SK® (SK) kgs , And then use the sender's key to unlock the ciphertext SM = (M) SK0 (SK) K〇s to obtain the plaintext data M: and [c] the receiver and the above-mentioned communication base codes SK, (SK) obtained after the reception. KGS, (SK) PKR, and specific related data IDS, IDR, and IV perform hash calculations, and the results are used to receive the trust authenticator 25 Winter paper size i Use Chinese National Standard (CMS) M specifications (210X2? 7mm) ^ " " iil. * — L_r, equipment ----—— order ----- b (Please read the notes on the back before filling this page) Ministry of Economic Affairs The consumer cooperation of the bureau staff is printed by Du A7 B7 V. Description of the Invention (24) EA is compared with each other. If they are equal, it means that the verification is successful and the transmission process is correct. The above receiving key KGR is the first receiving key factor KGR1 and the second receiving key factor KGR2 provided by a first key management unit and a second key management unit, respectively. In addition, in addition, the above-mentioned sender's remaining balance KGS is a first-end receiving key factor KGS1 and a second-end receiving key factor KGS2 provided by a first surplus management unit and a second key management unit, respectively. Resulting from the calculation "In this embodiment, KGR = KGR1㊉KGR2, KGS = KGS1 ㊉ KGS2. When the sender's key or plaintext is lost, please refer to the block diagram shown in Figure 3B. The above key and ciphertext recovery procedure includes the following steps: The sender first requests the first key management unit and the first The two key management units take out the first key factor KGS1 and the second key factor KGS2 at the receiving end. From the KGS1 and KGS2, the sender key KGS can be obtained through a mutually exclusive operation. · Using the returned sender key KGS, The above-mentioned communication base code SK can be obtained from (S), and the above-mentioned communication base code is used to perform a mutually exclusive operation with (SK) kgs to obtain the above-mentioned sender key Ske (sf0KGS). Using this sender's private key, The ciphertext can be unraveled to obtain the plaintext data. From the above, by using the recovery record encryption and decryption mechanism of the present invention, it can easily recover the key when the key is lost, and then use it to extract the ciphertext. Reply, you can avoid the situation of missing data due to the far lost key --------:-"install-(Please read the precautions on the back before filling this page) Order 26 This paper size applies to China National standard {CNS) A4 specification (210X297 mm) A7 B7 The Ministry of Economic Affairs ordered the Central Bureau of Justice and Consumers to cooperate with Yin Du. 5. The description of the invention (25) occurred. Embodiment 6: (Ownership Verification Mechanism) The general ownership verification mechanism can theoretically use the data hiding method in documents. Information that is hard to detect is hidden as evidence of ownership. However, the hidden information added in terms of documents may indeed change the hidden information due to the use of software, making the ownership of the contentious. In addition, there are also additional information hidden in the original text by changing the grammar, semantics, synonyms, or punctuation in the text of the content of the document. However, such methods are actually difficult and changing the expression of the document may cause reading problems. It is not smooth, so it is not practical. The ownership mechanism of the present invention uses the cryptographic technology to implement the ownership verification of electronic documents, which can 'protect the author's ownership and Document Integrity 0 The ownership mechanism deals with situations when a document is used improperly (for example In the case of false documents), the author can prove through impartial procedures that the document does not belong to the author. An ownership verification mechanism proposed by the present invention uses cryptographic techniques to establish a document with its front and back. To ensure that others cannot insert other forged documents between the documents that have been sent. This relevance can be revealed by an impartial authority when appropriate to ensure that the author's ownership is not misused by others β The ownership verification mechanism of the present invention can be operated by the sending end A, the receiving end B, and the impartiality authority TKC and the impartiality authority TTP. All information exchanges between the issuing end A and the impartiality authority are based on this paper Standard (CNS) A4 specification (21 OX 2M mm) —i II --- tnnn. ^ 1 I n II --- * (please read the note on the back before filling in this page) The central sample of the Ministry of Economy A7 B7 printed by the Bureau ’s Consumer Cooperatives V. Invention Description (A) Notarized to ensure the non-repudiation of document exchange between the two parties, the detailed exchange process is as follows: I. Initial stage: When logging in for the first time, randomly select a number 0 at the sending end A. A signature key pair eight was generated at the sending end A. 3. Απ, and communication Jin Yu Kat. And, the sending end A will go through the notary procedure. 8 and KAT are sent to TKC. II. The first file transfer: a. Generate a first file header AsII ^ No + IDa + SD} for the first file%, where IDA is the identification code of the sender A, and S is the first file The serial number, As is the document signing key of sender A, and h (·) represents a hash function. b. Issuer A uses ownership to sign key eight. 3 First head of the above-mentioned first document is obtained from the first MT1 signature A < ^ {ΜΤ1}, and the issuing end merges IDA, the impartial authority IDTTP, the receiving end IDB, the document header MT1, And the first head seal is encrypted with the communication gold ^ KAT, and then it and the head MT1 of the first document are transmitted to the fair authority TTP. c. After receiving the TTP of the impartial agency, let L equal the above-mentioned first document header MT1, and store IDA, IDB, AUTi}, and L. d. Sending end A sends IDA + AWTj + MU to receiving end B by notarization procedure. e. Receiver B recognizes ApS {T!}, the document serial number, the recipient, and other documents (please read the precautions on the back before filling out this page), install, 11h, do not encrypt the information with KBT, and use the TTP public money. Key TTPP encrypted 28 This paper size applies Chinese national standard (CNS > A4 specification (210X297 mm)) Printed by the Consumers Cooperative of the Central Bureau of Standards of the Ministry of Economic Affairs A 7 B7 V. Description of the invention (called) Submit to TTP. F. TTP uses its private key TTPs to decrypt the above cipher text to compare whether the eighth in step e are the same, and send the comparison result to KBT after encrypting it. G. If the comparison result in step f is the same Then B executes step h, otherwise B may request A to perform new step d. H. The final receiver B stores AoJTG. III. The i-th file transfer: a. The sender A generates the i-th file header for the i-th file MTi = IDA + Si + h (Mi) + (Ao ^ hCTw), where Si is the serial number of the i-th document. B. The sender A uses the ownership to sign the key 8. Eighth, the above-mentioned i-file header MTi signature The first head seal A ^ {ΜΤί} is obtained, and the sender A merges IDA, the impartial authority IDTTP, and the receiver ID The IDB, the document header MTi, and the i-th header signature Αμ {Μή} are encrypted with the communication key KAT, and then transmitted to the fairness agency TTP with the i-th document header MTi. C. The fairness agency TTP receives After that, let Ti be equal to the mutually exclusive operation value Mτ of the i-th file header MTi and the i-th file header Ti.fMTw and then tw, and store IDA, IDB, AOS {MTi}, and store. D Replace T1 with Ti, repeat steps d ~ h in the first transmission, so as to engage in normal file transmission. The file system operating according to the above mechanism is # *, when the receiver B proposes M * and AUMti}, Prove that M * is the document sent by the sender A, then the fair agency TTP can announce the Aop and extract the MTi, and then confirm the content of the MTi 29 (Please read the precautions on the back before filling this page) This paper size applies to China National Standard (CNS> A4 Specification (210X297mm) Printed by the Central Bureau of Standards, Ministry of Economic Affairs, Befel Cooperative, A 7 B7 V. Description of Invention (β) Whether the document is issued by the originator A, if M * is a forged document after the fact , According to the connection between Wu and MTi, TTP can prove that M * is not issued by the sender, The relatedness is as follows: The previous relationship is M · π = Τί㊉Ti_i; the subsequent relationship is taken from the MTi + 1 (Aop ^ h (Ti) field, h (Ti) = (Aop㊉ h (TiB®Aop. By It can be seen from the above that the ownership verification mechanism of the present invention establishes the relevance between the files through the techniques of cryptography. In this way, even if the signature system is cracked, there is still no danger of being counterfeited or forged. Because the intruder cannot know the relationship between the documents, it is impossible to insert other forged documents into the issued documents. And this mechanism can also easily verify the ownership of documents through its relevance. The security control method according to the present invention includes: 1. An inspection mechanism to check whether a system file has been tampered with. Second, the control mechanism of the foundation-based mutual authentication system. 3. A group-oriented digital signature mechanism used for signature control. Fourth, the key recovery mechanism. 5. Reply key encryption and decryption mechanism. 6. Ownership verification mechanism. From the above-mentioned various control methods, it can be ascertained that the present invention can provide better confidentiality and protection for the system operating under the network environment, especially the protection of the user at the user end can be more reliable and secure. A set of security control methods for identification cards. For software on the client side and private data stored in portable storage devices, such as private keys, etc., 30 (please read the precautions on the back before filling this page). Applicable to China National Standards (CNS) A4 specifications (210X297 mm) A7 Printed by B7 Consumers Cooperative of Central Bureau of Standards of the Ministry of Economic Affairs 5.Brief description of the invention (θ) Use cryptographic encryption and decryption, electronic signature technology, and decentralized confidentiality To protect them to increase the difficulty for intruders to crack secrets and compromise the system. It also proposes a feasible solution for the key recovery measures after the user's private key is lost. In addition, an ownership verification mechanism is also proposed to achieve the purpose of the author's ownership and to protect the integrity of the document. In the above related embodiments, the present invention has a system using an applicable storage device, and the content of the storage device is nothing more than: 1. A test program, which is used to test the version of the program to be tested, and the correctness of the program. 2. Personal confidential information, including personal secret keys. 3. Public information, such as Certificate, user ID, user-related information, disk number, etc. 4. Test data, such as the signature of the hash value of the program, the version of the program and the signature of the date. The above items can be adjusted as needed. Although the present invention has been disclosed as above with several preferred embodiments, it is not intended to limit the present invention. Anyone familiar with the art may put forward the testing mechanism without departing from the spirit and scope of the present invention. Within the scope of the present invention. ----- ^! rf equipment! «(Please read the notes on the back before filling this page) Order

•P 31 本紙張尺度適用中國國家標隼(CNS ) A4規‘(210X297公釐)• P 31 This paper size applies to China National Standard (CNS) A4 Regulations ‘(210X297 mm)

Claims (1)

經濟部中央揉準局員工消費合作社印製 1·一種識別卡安全控管方法,其包含二個程序:檢 驗軟體安裝程序,以及程式偵試程序; 其中之檢驗軟體安裝程序包括如κ步驟: 將用戶端電腦系統中欲控管之軟體的根目錄下各子 目錄底下之每一檔案,利用安全雜湊函數以產生相對應 之第一檔案雜湊值,並儲存於該用戶端電腦系統中; 分別將上述各子目錄中之第一檔案雜湊值加以結 合,再利用安全雜湊函數產生相對應之第一目錄雜湊值, 並將該第一-目錄雜湊值分别儲存於上述各子目錄中; 如此重覆,對該根目錄下的各層下子目錄作相同之 動作,以得到各相對應之檔案雜湊值及目錄雜凑值並 分別儲存於用戶端電腦系統及各子目錄中,直到位柃該 根S錄下所有之子目錄均有其挺對忒目錄雜湊值,再於 該根目錄下,將該根—目錄下之目錄雜湊值加以結合,並 利用安全雜湊函數產生一第一根耳錄雜湊值; 利用用戶端的私密金餘雨將此第一根目錄雜湊值加 以簽>,並將此簽章結果及一程式檢驗程式存在一可攜 式儲存裝置_(即識別卡)中; 面程式偵試程序則激行前述可攜式儲存裝置中之程 式檢驗程式’以證驗該用戶端之程式有否遭篡改或是版 本不、符之情形; 該檢驗程式之步驟如下: 將用戶端電腦系統欲偵試之軟體的根目錄下之子目 錄中每一檔案,利用安全雜湊函數產生相對應之第二檔 I____32 ^ 本紙張尺纽财賴家辦(c叫Α4ίί^ (21GX297公董 - ^------ (請先聞讀背面之注意事項再魂寫本頁) 訂— • —^n HH ·Printed by the Consumer Cooperatives of the Central Bureau of the Ministry of Economic Affairs 1. A method for security control of identification cards, which includes two procedures: inspection software installation procedures and program detection procedures; the inspection software installation procedures include the following steps: Each file under each sub-directory in the root directory of the software to be controlled in the client computer system uses a secure hash function to generate a corresponding first file hash value and stores it in the client computer system; The first file hash values in each of the above sub-directories are combined, and then a corresponding hash value of the first directory is generated by using a secure hash function, and the first-directory hash value is stored in each of the above-mentioned sub directories; , Do the same for the sub-directories under each level of the root directory to obtain the corresponding file hash value and directory hash value and store them in the client computer system and each sub-directory, until the root S-record is located. All subdirectories under it have their own hash values, and then under that root directory, the hash values of the directories under the root directory are combined. , And use the secure hash function to generate a first otal hash value; use the client ’s private Jin Yuyu to sign this first directory hash value >, and have the signature result and a program verification program available In the portable storage device (ie, identification card); the face-to-face program test procedure imposes the aforementioned program verification program in the portable storage device to verify whether the client program has been tampered with or has an incorrect version. Situation: The steps of the inspection program are as follows: Each file in the sub-directory under the root directory of the software to be tested by the client computer system is generated by the security hash function corresponding to the second file I____32 ^ This paper rule Office (c called Α4ίί ^ (21GX297 Public Director-^ ------ (Please read the notes on the back before writing this page)) Order — • — ^ n HH · 經濟部中央揉準局員工消費合作社印製 1·一種識別卡安全控管方法,其包含二個程序:檢 驗軟體安裝程序,以及程式偵試程序; 其中之檢驗軟體安裝程序包括如κ步驟: 將用戶端電腦系統中欲控管之軟體的根目錄下各子 目錄底下之每一檔案,利用安全雜湊函數以產生相對應 之第一檔案雜湊值,並儲存於該用戶端電腦系統中; 分別將上述各子目錄中之第一檔案雜湊值加以結 合,再利用安全雜湊函數產生相對應之第一目錄雜湊值, 並將該第一-目錄雜湊值分别儲存於上述各子目錄中; 如此重覆,對該根目錄下的各層下子目錄作相同之 動作,以得到各相對應之檔案雜湊值及目錄雜凑值並 分別儲存於用戶端電腦系統及各子目錄中,直到位柃該 根S錄下所有之子目錄均有其挺對忒目錄雜湊值,再於 該根目錄下,將該根—目錄下之目錄雜湊值加以結合,並 利用安全雜湊函數產生一第一根耳錄雜湊值; 利用用戶端的私密金餘雨將此第一根目錄雜湊值加 以簽>,並將此簽章結果及一程式檢驗程式存在一可攜 式儲存裝置_(即識別卡)中; 面程式偵試程序則激行前述可攜式儲存裝置中之程 式檢驗程式’以證驗該用戶端之程式有否遭篡改或是版 本不、符之情形; 該檢驗程式之步驟如下: 將用戶端電腦系統欲偵試之軟體的根目錄下之子目 錄中每一檔案,利用安全雜湊函數產生相對應之第二檔 I____32 ^ 本紙張尺纽财賴家辦(c叫Α4ίί^ (21GX297公董 - ^------ (請先聞讀背面之注意事項再魂寫本頁) 訂— • —^n HH · 六、申請專利範圍 Ϊ雜檢查該第二播案雜凑值與儲存於用戶端之 播案雜凑值是否相等,若不相等則停止此程序; 各子目該:„以如上述安裝程序之考程,而分別將 中之第二播案雜凑值加以結合,再利用安全雜 生相㈣之第二目錄雜凑值’並將其與分別館 存於各子目錄中之第一目雜换 則停止此程序; ㈣凑值加以比較,若不相等 目錄錄重覆上述之檢查動作’直到位於根 :下:有之子目錄均有其相對之目錄雜凑值且均通過 於根一目錄下將根目錄下之目錄雜湊值加以結 將盆驗2用*全雜溱函數產生—第二根目錄雜凑值, 相等則停止此程序;目錄雜凑值相比較,若不 ^前述第二根目錄雜湊值加以簽章’並自上述可攜 置中讀出前述第-根目錄凑值之簽章結果,驗 是!相符合’若不符合則表示該用戶端之 遭墓改或疋版本不符之情形。 =種識別卡安全”方法,此安全控管方法包含 备冊程序;認證程序;以及更換密碼程序三個程序; 其中之註冊程序包括如下步驟: ^述用戶端利用其識別碼㈣、-會談錢(ΤΚ)、一 ::證因子(Ν1)、及相關資料’合併產生一用戶端第 餘簽體進用戶:對該用戶端第—簽體以飼服端之公開金 餘(¾進仃加*,而得用戶端第_密件(ci),將該用 經濟部中央標準局員工消費合作社印裝 A8 ' 1 Β8 C8 D8 七、申請專利範圍 端第一密件(Cl)、識別碼(ID)、一註冊請求(Reg_req), 及相關資料傳送至伺服端; [b] 伺服端接收到上述註冊請求(Regjeq)後,以伺服 端私密金鑰Kss解開上述用戶端第一密件C1而獲得前述 之會談金鑰(TK)、第一驗證因子(N1)、及識別碼(ID)等相 關資料,伺服端並產生一加密金鑰(SK)、一第二驗證因 子(N2)、及一整數η,伺服端以上述之加密金鑰(SK)、整 數η、第一驗證因子(Ν1)、第二驗證因子(Ν2)、以及相關 資料合併產生一伺服端第一簽體,以前述會談金錄(ΤΚ) 對該伺服端第一簽體加密而得一伺服端第一密件(S1),再 將其回傳給用戶端; [c] 用戶端完成接收後,以上述之會談金鑰(ΤΚ)解開 該伺服端第一密件(S1),而得上述整數η、上述加密金鑰 (SK)、上述第一驗證因子(Ν1)與第二驗證因子(Ν2),用戶 端檢查上述第一驗證因子(Ν1)是否為原先所送之值,驗 證正確後用戶端將使者個人密碼(PWD)進行η次雜湊運 算而得一密碼封包(ΟΤΡ); [d] 用戶端以上述密碼封包(ΟΤΡ)、上述第二驗證因 子(N2)、及相關之資料為用戶端第二簽體,利用上述會 談金鑰(TK)對上述用戶端第二簽體進行加密而得一用戶 端第二密件後,將其傳送給伺服端; [e] 伺服端接收到上述用戶端第二密件後,以上述之 會談金鑰(TK)解開上述第二密件,而得上述之密碼封包 (OTP),伺服端並驗證上述第二驗證因子是否為原先所送 34 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) — II - ----·-「裝— I (請先Η讀背面之注意事項再填寫本頁) 、?τ d.. 經濟部中央揉準局貝工消費合作社印製 A8 , 1 B8 C8 _______D8 六、申請專利範圍 之值,若正確無誤則將上述之密碼封包(οτρ)、以及整數 η儲存於伺服端’並產生一註冊標記(Reg_yes),伺服端 利用上述密碼封包(OTP)、註冊標記(Reg_yes)為伺服端第 二簽體,以上述會談金鑰對上述伺服端第二簽體進行加 密而得一伺服端第二密件,再將其回傳給用戶端; [f]用戶端以會談金鑰解開上述伺服端第二密件,而 接收上边註冊標記(Reg_yes)確認註冊無誤後,即自行產 生一用戶端金餘(CK)並且利用使用者密碼(pwD)導出一 密碼金鑰(PWK),再使用上述加密金鑰(sk)與密碼金鑰 (PWK)將上述用戶端金鑰(CK)加密成為用戶端密文(ECK) 並將其結果存於用戶端上,另外亦使用上述用戶端金鑰 (CK)與密碼金鑰(PWK)對使用者之私密資料(DK)加密成 為一密:,文,並將之存於可攜式儲存裝置上,而完成註冊 之程序; 其中之認證程序包括如下步驟: [i] 用戶端將其識別碼(ID),一第三驗證因子(N3)、 與此程序所要使用之會談金鑰(TK1)合併產生一用戶端 第三簽體,用戶端對該用戶端第三簽體以伺服端之公開 金鑰(KSP)進行加密,而得用戶端第三密件(C3),並將該 用戶端第三密件(C3)、上述識別碼(ID)、一確認請求 (Auth_req),及相關資料傳送至伺服端; [ii] 伺服端接收到確認請求(Auth_re.q)後,以伺服端 私密金餘?:ss解開上述用戶端第三密件C3而獲得前述之 會談金鑰(TK1)、第三驗證因子(N3)、及識別碼(ID)等相 35 本紙張尺度適财關家標CNS ) A4g ( 21GX297公釐) I n n n n In —4 I n I n n n ^ I n I I (請先閱讀背面之注意事項再填寫本頁)Printed by the Consumer Cooperatives of the Central Bureau of the Ministry of Economic Affairs 1. A method for security control of identification cards, which includes two procedures: inspection software installation procedures and program detection procedures; the inspection software installation procedures include the following steps: Each file under each sub-directory in the root directory of the software to be controlled in the client computer system uses a secure hash function to generate a corresponding first file hash value and stores it in the client computer system; The first file hash values in each of the above sub-directories are combined, and then a corresponding hash value of the first directory is generated by using a secure hash function, and the first-directory hash value is stored in each of the above-mentioned sub directories; , Do the same for the sub-directories under each level of the root directory to obtain the corresponding file hash value and directory hash value and store them in the client computer system and each sub-directory, until the root S-record is located. All subdirectories under it have their own hash values, and then under that root directory, the hash values of the directories under the root directory are combined. , And use the secure hash function to generate a first otal hash value; use the client ’s private Jin Yuyu to sign this first directory hash value >, and have the signature result and a program verification program available In the portable storage device (ie, identification card); the face-to-face program test procedure imposes the aforementioned program verification program in the portable storage device to verify whether the client program has been tampered with or has an incorrect version. Situation: The steps of the inspection program are as follows: Each file in the sub-directory under the root directory of the software to be tested by the client computer system is generated by the security hash function corresponding to the second file I____32 ^ This paper rule Office (c called Α4ίί ^ (21GX297 Public Director-^ ------ (Please read the precautions on the back before writing this page)) Order — • — ^ n HH 6. Check the scope of patent application Whether the hash value of the second broadcast case is the same as the hash value of the broadcast case stored in the client. If they are not the same, stop this procedure. Each subheading should be: „Take the test procedure of the installation procedure as above, and Hash value Combining, using the second directory hash value of the security miscellaneous phase, and stopping the procedure with the first directory hash stored separately in each subdirectory; ㈣ compare the values, if they are not equal Repeat the above-mentioned check action until it is located at the root: Bottom: some subdirectories have their relative directory hash values, and all of the directory hash values under the root directory are added to the root directory. Full hash function generation—the second root directory hash value, stop this program if equal; the directory hash value is compared, if not ^ the second root directory hash value is signed, and read from the above portable The result of the signing of the value of the first-root directory is verified! It is consistent! If it does not match, it indicates that the client has been altered or the version is inconsistent. = A kind of identification card security method, this security control method The registration procedure includes three procedures: the registration procedure; the authentication procedure; and the password replacement procedure. The registration procedure includes the following steps: ^ The client uses its identification code ㈣,-talk money (TK), 1 :: certificate factor (N1), And related information ' Birth of the first sign of the client to the user: For the first sign of the client, the public account of the server is added (¾), and the client ’s first secret (ci) is obtained, which is used by the Ministry of Economic Affairs. Printed by the Consumer Standards Cooperative of the Central Bureau of Standards A8 '1 Β8 C8 D8 VII. The first confidential document (Cl), identification code (ID), a registration request (Reg_req), and related information are transmitted to the server; ] After receiving the above registration request (Regjeq), the server uses the server's private key Kss to unlock the client's first secret C1 to obtain the aforementioned talk key (TK), first verification factor (N1), and identification. Code (ID) and other related information, the server generates an encryption key (SK), a second verification factor (N2), and an integer η. The server uses the encryption key (SK), integer η, and A verification factor (N1), a second verification factor (N2), and related data are combined to generate a first signature of the server. The first signature of the server is encrypted with the aforementioned talk record (TK) to obtain a server. The first secret (S1), and then return it to the client; [c] End of the client After receiving, use the talk key (TK) to unlock the first secret (S1) of the server, and obtain the integer η, the encryption key (SK), the first verification factor (N1), and the second verification. Factor (N2), the client checks whether the first verification factor (N1) is the value originally sent, and after the verification is correct, the client will perform η hash operations on the personal password (PWD) of the messenger to obtain a password packet (ΟΤΡ); [d] The client uses the password packet (0TP), the second verification factor (N2), and related information as the second signature of the client, and uses the talk key (TK) to the second signature of the client. Encrypt to obtain a second secret of the client and send it to the server; [e] After receiving the second secret of the client, the server uses the talk key (TK) to unlock the second secret. The above-mentioned password packet (OTP) is obtained, and the server verifies that the above-mentioned second verification factor is the original sent 34 paper sizes are applicable to the Chinese National Standard (CNS) A4 specification (210X297 mm) — II----- · -「装 — I (Please read the notes on the back first Please fill in this page again),? Τ d .: Printed by the Central Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperatives, printed A8, 1 B8 C8 _______D8 6. The value of the scope of patent application, if it is correct, the above password will be enclosed (οτρ) And the integer η is stored in the server 'and generates a registration mark (Reg_yes). The server uses the above-mentioned password packet (OTP) and registration mark (Reg_yes) as the second sign of the server, and uses the above-mentioned talk key to the above server. The second signature is encrypted to obtain a second secret of the server, which is then returned to the client; [f] The client unlocks the second secret of the server with the meeting key, and receives the registration mark (Reg_yes) above After confirming that the registration is correct, it will generate a client-side balance (CK) on its own and use the user password (pwD) to derive a password key (PWK), and then use the aforementioned encryption key (sk) and password key (PWK) to The client key (CK) is encrypted into the client ciphertext (ECK) and the result is stored on the client. In addition, the client key (CK) and password key (PWK) are used to keep the user private. Data (DK) encryption becomes a secret: Document, and save it on a portable storage device to complete the registration process; the authentication process includes the following steps: [i] the client terminal identifies it (ID), a third verification factor (N3), Combined with the talk key (TK1) to be used in this program to generate a client third signature, the client encrypts the client third signature with the server's public key (KSP), and the client first The third secret (C3), and transmits the third secret (C3) of the client, the above identification code (ID), a confirmation request (Auth_req), and related data to the server; [ii] the server receives the confirmation request ( Auth_re.q) to the server ’s private balance? : ss The third secret C3 of the client is unlocked to obtain the above-mentioned talk key (TK1), third verification factor (N3), and identification code (ID), etc. 35 paper standards are suitable for financial and household mark CNS) A4g (21GX297 Mm) I nnnn In —4 I n I nnn ^ I n II (Please read the notes on the back before filling this page) A8 , · B8 C8 ---------D8 六、申請專利範圍 關資料’伺服端並找出使用者於上述註冊程序中所對應 之密碼封包(OTP)、以及整數η等相關資料,若整數η小 於2則用戶端之使用者須重新諄冊,若整數η不小於2, 則飼服端產生一小於η的整數 k及m而m=n-k,再將會 談金鑰TK1、整數m、第三驗證因子"3)及相關資料合 併為伺服端第三簽體(S3),以會談金鑰(τκΐ)對其加密而 得伺服端第三密件,並將伺服端第三密件回傳給用戶端; [iii] 用戶端完成接收後’以上述之會談金錄(Τκι)解 開上述伺服端第三簽章(S3),而得上述整數m、上述第三 驗證因子(N3),用戶端檢查上述第三驗證因子(N3)是否為 原先所送之值,驗證正確後用戶端將使者輸入之個人密 碼(PWD)進行m次雜湊運算而得一第一封包(〇τρι),並 產生一第四驗證因子(Ν4); [iv] 用戶端以上述第一封包(〇τρί)、上述第四驗證因 子(Ν4)、及相關之資料合併為用戶端第四簽體,利用上 述會談金鑰(ΤΚ1)對上述用戶端第四簽體進行加密而得 一用戶端第四密件後,將其傳送給伺服端; [V]伺服端接收到上述用戶端第四密件後’以上述之 會談金鑰(ΤΚ1)解開上述第四密件,而得上述之第一封包 (οτρι),伺服端並驗證上述第四驗證因子(Ν4)是否為原 先所送之值,若正確無誤則伺服端對上述第一封包(OTP】) 進行k次雜湊算’其運算結果與註冊程序㈣存於词服 端之密碼封包比對是否相同,驗證正確後即錯存整數m 於飼服端而取代原先之整數n’同時料上述第一封包 36 { CNS ) A4m- (Tw^297^~)--—_____ -----,.--:—裝-- (請4?閲讀背面之注$項再填寫本頁) --eJHI I I 1 -I J Ηά-------- • —i n · 經濟部中央標準局員工消費合作社印裝 A8 ’ B8 C8 D8 々、申請專利範圍 (0TP1)取代原來的密碼封包,之後將上述註冊程序中產 生之加密金鑰(SK)、第一封包(0TP1)、及驗證成功之訊 息合併為伺服第四簽體,將其以會談金鑰加密後回傳給 用戶端; [vi]用戶端以會談金鑰(TK1)解開上述加密資料,分 別得到加密金鑰(SK)、第一封包(0ΊΤ1)、及驗證成功之 訊息,確定驗證成功後,用戶端使用上述加密金鑰(SK) 與密碼金鑰(PWK)對存於存於用戶端上之密文(ECK)解 密以得到上述之註冊程序中之用戶端金鑰(CK),使用該 用戶端金鑰(CK)、密碼金鑰(PWK)和加密金鑰(SK),對存 於可攜式儲存裝置中之密文加以解密而得到使用者之私 密資料(DK),完成認證; 其中之更換密碼程序包括如下步驟: [A] 用戶端將其識別碼(ID),一第五驗證因子(N5)、 與此程序所要使用之會談金鑰(TK2)合併產生一用戶端 第五簽體,用戶端對上述用戶端第五簽體以伺服端之公 開金鑰(KSP)進行加密,而得用戶端-第五密件(C5),並將 上述用戶端第五密件(C5)、上述識別碼(ID)、一密碼更換 請求(CP_req),及相關資料傳送至飼服端; [B] 伺服端接收到密碼更換請求(CP_req)後,以伺服 端私密金鑰Kss解開上述用戶端第五密件C5而獲得上述 之會談伞鑰(TK2) '第五驗證因子(N5)、及識別碼(ID)等 相關資料,伺服端並找出使用者於上述註冊程序中所對 應之整數η資料,伺服端再產生一正整數m=n-k、及整 37 本紙張尺度適用中國國家標隼(CNS ) A4規格(210X297公釐) In .^n n I In 1-— I -rf i I - -- I (請先閱讀背面之注意事項再填寫本頁) 訂 -叫線 經濟部中央標準局員工消費合作社印褽 々、申請專利範圍 數I,其中k也為整數,再將整數m、I、第五驗證因子 (N5)及相關資料合併為伺服端第五簽體(S5),以會談金鑰 (TK2)對其加密而得伺服端第五密件,並將伺服端第五密 件回傳給用戶端; [C]用戶端完成接收後,以上述之會談金鑰(TK2)解 開上述伺服端第五密件(S5),_而得上述整數m、I、上述 第五驗镫因子(N5),用戶端檢查上述第五驗證因子(N5) 是否為原先所送之值,驗證正確後用戶端將使者輸入之 個.人密瑪(PWD)進行m次雜湊運算_而得一第一封包 (0TP1),並產生一第六驗證因子(N6),同時對使用者所 輸_入之新密碼,NPWD進行I次雜湊運算,而得一第二封 i 包(0TP2) [P]用戶端以上述第一封包(OTP 1)、第二封包(0TP2) 上述第六驗證因子(N6)、及相關之資料合併為用戶端第 六簽體,利用上述會談金鑰(TK2)對上述用戶端第六簽體 進行加密而得一用戶端第六密件後,將其傳送給伺服端; [E]伺服端接收到上述用戶端第六密件後,以上述之 會談金鑰(TK2)解開上述第六密件,而得上述之第一封包 (0TP1)和第二封包,伺服端並驗證上述第六驗證因子(N6) 是否為原先所送之值,若正確無誤則伺服端對上述第一 封包(0TP1)進行k次雜湊算,其運算結果與註冊程序中 儲存於伺服端之密碼封包比對是否相同,驗證正確後即 儲存整數I於伺服端而取代原先之整數η,也將第二封包 儲存於伺服端,並產生一新加密金餘NSK,將註冊程序 38 • m nn mi · (請先閲讀背面之注意事項再填寫本頁) in 裝— nn nn m - 訂--- T -旅--- 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 韶 '* C8 _________ D8 六、申請專: ' 產生之加密金鑰SK和新加密金鑰(NSK)、以及第—封包 (0TP1)與第一封包(〇τρ2)、及更換成功之訊息cp yes 合併為伺服第六簽鱧,將其以會談金鑰加密後回傳給用 戶端; [F]用戶端以會談金鑰(TK2)解開上述加密資料後, 而分別得到加密金鑰(SK)、新加密金鑰NSK,第一封包 (0TP1)和第二封包(〇τρ2)、及更換成功之訊息, 確定更換成功後,先以PWK及SK解出存於用戶端的 IECK’再用CK合#使用者的個人密碼所導出的金鑰^^£ 乂及SK解出原先加密存於可攜式儲存裝置中的密餘密 文EDK’之後用戶端即自行產生一用戶端新金鑰(NCK), 以先前獲得之NSK使用者之新密碼NPWD所導出的 NPWK加密儲存於用戶端,再以NpWK、NSK及加 密DK而將結果存於可攜式儲存裝置中。 3·如申請專利範圍第2項所述之安全控管方法,其 中在所有程序裡’彳g服端產生的所有簽體巾包括有系統 時間以供用戶端收到每個簽體所對應之密件時可用以 驗證傳輸時間是否在合理之範圍内,而用戶端產生的所 有簽體中亦包括有系統時間,以供祠服端收到簽體所對 應之密件時可用以驗證傳輸時間是否在合理之範圍内, 藉以防止密件於傳送途中遭人攔截篡改。 4.如申請專利範圍第2或3項所述之安全控管方 法’其中在所有程序中,飼服端產生加鹽值且合併入簽 體中傳送給用戶端,用戶端騎使用者密碼和加鹽值之 ——-^_ -------.Γ「‘裝-- (锖先Η讀背面之注意事項再填寫本頁) 7 In' 1 H.^----- .HI I I · .I— » ί . 經濟部中央標隼局員工消費合作社印裝 六、申請專利範圍 合併值進行雜湊運算而產生各個程序中之各個密碼封 包。 5. —種識別卡安全控管方法,其包括如下步驟: 當要簽出文件時,以用戶端使用者之私密金鑰先行 對上述文件簽章而得一第一簽章’再以彳司服端之私密金 鑰對上述第一簽章再行簽章而得到一第二簽章,而i完成 簽章之過程;以及 在驗證過程中,將上述第二簽章先以伺服端之公開 金鑰解開而得一驗證簽章,再將上述驗證簽章以使用者 之公開金鑰解開而得一驗證文件,比較上述第一驗證文 件與上述原先送出之文件是否相同,若正確則表示簽章 係為正確無誤。 6. —種識別卡安全控管方法,其包括如下步驟: 用戶端與伺服端之公開金鑰分別為up及sp,其模 數為Nu和Ns,而其相對應之之私密金錄分別為us和ss ; 在簽章過程時,首先以用戶端的私密金鑰us對文件Μ簽 章而得SIG1=MUS mod Nu,再用伺服端的私密金鑰sp對 SIG1 簽章而得 SIG2=SIG1-SS mod Ns ; 在驗證過程時,收文者要驗證文件Μ之簽章SIG2 時,先甩伺服端的公開金鑰sp計算SIG2sp mod Ns而解 得SIG1,再y用戶端之公開金鑰up計算SIGlup mod Nu 而解得一待驗證值Ml ; 檢查Ml與文件Μ是否相等,若相等則SIG2才是 正確的簽章,否則不是正確簽章。 40 本紙張尺度適用中國國家標準(CNS ) Α4規格(210Χ297公釐) (請先閱讀背面之注意事項再填寫本頁) Γ >11 Η.^ 經濟部中央梯準局貝Η消費合作社印製 7.-種朗卡安全控管方法,其包括下列步驟:飼服端與用戶端使用者兩者對外只有—共通公開金 繪伺服端與用戶端使用者各有其私密金錄和與其私密 鑰相對應之么開金餘,上述共通公開金餘係由飼服端 公開金餘與❹者公開金鑰轉,㈣簽出之文件須先 ’使用者之私後金餘簽過後,再由飼服端之私密金输簽 過才可送出’ ^要驗證所簽出文件之簽章時則須使用上 述共通公開金鑰對所簽出《文件解密後加以比對即可。. ,8·-種識別卡安全控管方法,其使用—生成子荩及 質數P用戶端使用者之私密金錄 us,與其相對應 之公開金料Up=gUS mOd p,以及舰端私密金翁Μ, 其相對之公開金輸為Spf m〇dp,和兩者對外之共通公 開金餘為Y=(Upxsplm〇d p,此安全控管方法當用戶端之 '使用者欲簽出文件(M)時,用戶端與舰端需料簽章過 程及驗證過程; 其中之簽章過程時包括如下步驟: [a]用戶端與伺服端分別產生隨機變數kl及k2 ; —用戶端計算rl=gH m〇d p,同時伺服端也計算 /2一#2 m〇d P,之後用戶端與伺服端互相交換rl及r2 ; ⑷用戶端與伺服端均計! R=〇r 1 xr2)m〇d P,· [d]用戶端先驗證spM與(r2RxgSS)m〇d p是否相等若 兩者相專則用戶端計算Sl=(usxM-klxR) mod (P-1);以及 [eJ飼服端驗證jx考否相等若兩 者相等則伺服端計算S2=(ssxM-k2xR)mod (ΪΜ),若不 ^------1Τ---- (請先聞讀背面之注意事項再填寫本頁) 叫線---------- • I I I · • —i II . 41A8, · B8 C8 --------- D8 VI. The patent application scope is related to the 'server' and find out the user's corresponding password packet (OTP) and the integer η and other related information in the above registration process. If the integer η is less than 2, the user of the client must re-register. If the integer η is not less than 2, the feeding end generates an integer k and m less than η and m = nk, and then the key TK1 and the integer will be discussed. m, the third verification factor " 3) and the related information are combined into the server's third signature (S3), which is encrypted with the talk key (τκΐ) to obtain the server's third secret, and the server's third secret Post back to the client; [iii] After the client finishes receiving, 'unlock the third signature (S3) of the server with the above-mentioned talk record (Tκι), and obtain the integer m and the third verification factor (N3 ), The user terminal checks whether the third verification factor (N3) is the value originally sent, and after the verification is correct, the user terminal performs m hash operations on the personal password (PWD) entered by the messenger to obtain a first packet (〇τρι) And generate a fourth verification factor (N4); [iv] the client sends the above first packet ( 〇τρί), the above-mentioned fourth verification factor (N4), and related information are combined into the fourth signing body of the client, and the fourth signing body of the user end is encrypted by using the talk key (TK1) to obtain a first After the four secrets are sent, it is sent to the server; [V] After receiving the fourth secret from the client, the server uses the talk key (TK1) to unlock the fourth secret to obtain the first packet ( οτρι), the server verifies whether the fourth verification factor (N4) is the value originally sent. If it is correct, the server performs hash calculations on the first packet (OTP) k times. Its operation results and registration procedures是否 Is the password packet comparison stored on the word server end the same? After the verification is correct, the integer m is incorrectly stored on the server side instead of the original integer n '. At the same time, the above first packet 36 {CNS) A4m- (Tw ^ 297 ^ ~) --—_____ -----, .--:-install-- (Please 4? Read the note on the back and fill in this page) --eJHI II 1 -IJ Ηά ------- -• —in · Printed A8 'B8 C8 D8 by the Consumer Cooperatives of the Central Bureau of Standards of the Ministry of Economic Affairs, patent application scope (0 TP1) replaces the original password packet, and then combines the encryption key (SK), the first packet (0TP1), and the message of successful verification generated in the above registration process into the server's fourth signature, which is encrypted with the talk key [Vi] The client unlocks the encrypted data with the talk key (TK1), and obtains the encryption key (SK), the first packet (0ΊΤ1), and the message of successful verification to confirm the successful verification. After that, the client uses the encryption key (SK) and password key (PWK) to decrypt the cipher text (ECK) stored on the client to obtain the client key (CK) in the registration process. Use the client key (CK), cryptographic key (PWK), and encryption key (SK) to decrypt the ciphertext stored in the portable storage device to obtain the user's private data (DK), complete Authentication; the password replacement procedure includes the following steps: [A] The client combines its identification code (ID), a fifth verification factor (N5), and the talk key (TK2) to be used with this program to generate a client. Fifth sign, the client is fifth to the above client The server uses the server's public key (KSP) to encrypt, and obtains the client-fifth secret (C5), and the client's fifth secret (C5), the identification code (ID), and a password replacement request ( CP_req), and related data are transmitted to the feeding service; [B] After receiving the password change request (CP_req), the server uses the server's private key Kss to unlock the fifth secret C5 of the client to obtain the above-mentioned talk umbrella key. (TK2) 'Fifth verification factor (N5), identification code (ID) and other related data, the server finds the integer η data corresponding to the user in the above registration process, and the server generates a positive integer m = nk, and the whole 37 This paper size is applicable to China National Standard (CNS) A4 (210X297 mm) In. ^ nn I In 1-— I -rf i I--I (Please read the precautions on the back before (Fill in this page) Order-Called by the Consumer Standards of the Central Standards Bureau of the Ministry of Economic Affairs, and printed the number of patent applications I, where k is also an integer, then the integer m, I, the fifth verification factor (N5) and related information are combined For the server's fifth sign (S5), add it with the talk key (TK2) Get the server's fifth secret and send the server's fifth secret to the client; [C] After the client finishes receiving, use the talk key (TK2) to unlock the server's fifth secret (S5 ), To obtain the integer m, I, and the fifth test factor (N5), the user terminal checks whether the fifth verification factor (N5) is the value originally sent. After the verification is correct, the user terminal will enter the number . PWD performs m hash operations _ to obtain a first packet (0TP1), and generates a sixth verification factor (N6). At the same time, the user enters a new password, NPWD, once. Hash operation to obtain a second i packet (0TP2) [P] The client combines the above first packet (OTP 1), second packet (0TP2), the sixth verification factor (N6), and related data into The sixth signing body of the client uses the above-mentioned talk key (TK2) to encrypt the sixth signing body of the client to obtain a sixth secret of the client and send it to the server; [E] The server receives the above After the client ’s sixth secret, use the talk key (TK2) to unlock the sixth secret to obtain the first secret. For one packet (0TP1) and the second packet, the server verifies whether the sixth verification factor (N6) is the value originally sent. If it is correct, the server performs hash calculation on the first packet (0TP1) k times. The result of the calculation is the same as the password packet stored on the server in the registration process. After the verification is correct, the integer I is stored on the server instead of the original integer η. The second packet is also stored on the server and a new one is generated. Encryption gold NSK, registration process will be 38 • m nn mi · (Please read the notes on the back before filling this page) in Pack — nn nn m-Order --- T-Travel --- This paper size applies to China Standard (CNS) A4 specification (210X297 mm) Shao '* C8 _________ D8 VI. Application Special:' The generated encryption key SK and new encryption key (NSK), and the first packet (0TP1) and the first packet ( 〇τρ2), and the message of successful replacement cp yes is merged into the sixth sign of the server, which is encrypted with the talk key and sent back to the client; [F] The client uses the talk key (TK2) to unlock the encrypted data. And then get the encryption key (SK) , The new encryption key NSK, the first packet (0TP1) and the second packet (〇τρ2), and the message of successful replacement. After confirming the successful replacement, the IECK 'stored in the user's terminal is first solved with PWK and SK, and then combined with CK. # User's personal password derived key ^^ £ 乂 and SK extracts the original encrypted cipher text EDK 'stored in the portable storage device' after the client generates a new client key (NCK ), The NPWK derived from the previously obtained new password NPWD of the NSK user is encrypted and stored in the client, and then the result is stored in the portable storage device with NpWK, NSK and encrypted DK. 3. The security control method as described in item 2 of the scope of patent application, wherein in all procedures, all signature towels produced by the server include system time for the client to receive the corresponding signature of each signature. It can be used to verify that the transmission time is within a reasonable range, and all the signatures generated by the client also include the system time, so that the temple server can use it to verify that the transmission time is within To a reasonable extent, in order to prevent the confidentiality of interception and tampering during transmission. 4. The security control method described in item 2 or 3 of the scope of the patent application, wherein in all the procedures, the feeding end generates a salt value and is incorporated into the signature and transmitted to the user end. The user end rides the user password and Add salt value --- ^ _ -------. Γ 「'装-(锖 Read the precautions on the back before filling this page) 7 In' 1 H. ^ -----. HI II · .I— »ί. Printed by the Consumer Cooperatives of the Central Bureau of Standards of the Ministry of Economic Affairs. 6. The combined value of the scope of patent applications is hashed to generate each password packet in each program. 5. —A security control method for identification cards , Which includes the following steps: When a document is to be checked out, the above-mentioned document is firstly signed with the private key of the client user, and then a first signature is obtained, and then the first private key of the client is used to sign the first The signature is then signed to obtain a second signature, and i completes the signature process; and during the verification process, the second signature is first unlocked with the public key of the server to obtain a verification signature , And then unlock the verification signature with the user ’s public key to obtain a verification document. Verify that the document is the same as the one originally sent, and if it is correct, it means that the signature is correct. 6. —A method for security control of the identification card, which includes the following steps: The public keys of the client and server are up respectively. And sp, whose modulus is Nu and Ns, and their corresponding private gold records are us and ss, respectively; in the signing process, first, the user's private key us is used to sign the file M to obtain SIG1 = MUS mod Nu, then use the server ’s private key sp to sign SIG1 to obtain SIG2 = SIG1-SS mod Ns; during the verification process, when the recipient wants to verify the signature S of the document M, the server ’s public key sp is thrown first Calculate SIG2sp mod Ns to solve SIG1, and then calculate the SIGlup mod Nu of the client's public key up to calculate a value M1 to be verified; check whether M1 and file M are equal. If they are equal, SIG2 is the correct signature. Otherwise, it is not properly signed. 40 This paper size is in accordance with Chinese National Standard (CNS) Α4 size (210 × 297 mm) (Please read the precautions on the back before filling out this page) Γ > 11 Η. ^ Central Government Bureau of the Ministry of Economic Affairs Printed by Behr Consumer Cooperative 7.- A Langka security control method, which includes the following steps: both the feeding server and the user of the client are only available to the public-the common public gold painting server and the user of the client have their own private records and their privacy The corresponding common open balance is transferred from the public balance of the feeding service and the public key of the person. The signed documents must be signed by the user ’s private balance before the The private end of the feeding service can only be sent after signing the sign. ^ To verify the signature of the checked out document, you must use the common public key described above to decrypt the signed document and compare it. .8. A kind of identification card security control method, which uses-generates the private gold record us of the user and prime P client user us, the corresponding open gold material Up = gUS mOd p, and the ship-side private gold Weng M, the relative open gold loss is Spf mOdp, and the common public gold balance of the two is Y = (Upxsplm〇dp. This security control method is used when the user of the client wants to check out a file (M ), The client and the ship need to sign and verify the process; the signature process includes the following steps: [a] The client and the server generate random variables kl and k2, respectively; — rl = gH calculated by the client m〇dp, at the same time the server also calculates / 2 # 2 m〇d P, after which the client and server exchange rl and r2 with each other; ⑷ both client and server are calculated! R = 〇r 1 xr2) m〇d P, · [d] The client first verifies whether spM and (r2RxgSS) m〇dp are equal. If the two are specialized, the client calculates Sl = (usxM-klxR) mod (P-1); and [eJ feed-side verification The jx test is equal. If the two are equal, the server calculates S2 = (ssxM-k2xR) mod (ΪΜ), if not ^ ------ 1T ---- (please read the precautions on the back before filling in this Page) called ---------- • I I I · • -i II. 41 章 經濟部中央揉準局負工消费合作社印裝 A8 B8 C8 D8 '中請專利範園 相等則結束簽章程式重頭進行;否則 SiG=(R’ .S=(Sl+S2) mod IM)即作為對文件M之簽 而其中之驗證過程包括如下步驟: 以共通公鑰Y驗證mod技㈣rRxGs m〇d P相等,若相則表示SIG為文件M之正確簽章,否則不 是正確的簽章。, 9.一種識別卡安全控管方法,使用一金鑰交換系 统、-公開值(M),藉以回復金鑰,其包括如下步騾〆、 刚戶端與伺服端先執行—相互認證之程序,認證 完成後健端可得-加密金錄(SK)及—料裝置上之私 密資料(DK),並由自己所選之密碼而獲得pwK ; [b]用戶端產生兩大質數p和q,其中㈣=n,n為 一模數; 用戶端與一第一金鑰回復中吩(TKRci)利用金鑰 父換系統或是執行前述相互認證之程序而獲得一第一共 享金镑(ski) ’同時亦與—第二金錄回復中心(tkrc2)進 行相同之程序而獲得—第二共享金餘(SK2); [d] 第與第二金餘里歲東―心(XKRC1和TKRC?)分 別產生第一媒介笔iM)和第二媒介數(R2),再分別利用 其與用戶端間之第一和第二共享金餘(SK1和SK2),而對 上述之第與第二媒介數加密後,傳送給用戶端; [e] 用戶端接到上述第一和第二媒介數後,藉兩者以 產生一公開金鑰(PK),若無法產生公開金鑰(ρκ)則重覆 42 本紙張尺度適The Central Government Bureau of the Ministry of Economic Affairs of the Central Government Bureau of Work and Consumer Cooperatives printed A8, B8, C8, and D8. In the case that the patents are equal to each other, the signing procedure is ended; otherwise, SiG = (R '.S = (Sl + S2) mod IM) The verification process as the signature of the document M includes the following steps: The common public key Y is used to verify that the mod technology rRxGs m 0d P is equal. If they are the same, the SIG is the correct signature of the document M, otherwise it is not the correct signature. 9. An identification card security control method, using a key exchange system,-public value (M), in order to recover the key, which includes the following steps, the client and the server first execute-a process of mutual authentication After the authentication is completed, the secure terminal can obtain the encrypted data (SK) and the private data (DK) on the device, and obtain the pwK by the password of your choice; [b] The client generates two prime numbers p and q , Where ㈣ = n, n is a modulus; the client and a first key reply TKRci use the key parent exchange system or perform the aforementioned mutual authentication procedure to obtain a first shared gold pound (ski ) 'At the same time with-Second Golden Record Response Center (tkrc2) to perform the same procedure to obtain-the second shared gold Yu (SK2); [d] The second and second Jin Yuli Sui Dong-Xin (XKRC1 and TKRC? ) Generate the first media pen iM) and the second media number (R2) respectively, and then use the first and second shared funds balances (SK1 and SK2) between it and the client, respectively, to the above first and second media The number is encrypted and transmitted to the client; [e] After receiving the first and second media numbers, the client uses the two to generate a Open key (PK), if the public key can not be generated (ρκ) repeat the appropriate scale sheet 42 A8 BS C8 D8 金鑰回復中心對公 申請專利範圍 步驟[C]、[d]、[e]直到可以得出一公開金鑰為止; [f] 用戶端計算MPK mod N而得一生成子C,並將上 述生成子C、公開金鑰PK、及模數N傳送給上述第一金 鑰回復中心(TK民C1),及第二金餘回復中心(TKRC2),並 將上述公開金鑰PK、模數N傳送至一認證中心CA ; [g] 第一金鑰回復中心(TKRC1)計算M1=CR1 mod N 後’並將其傳送給第二金鑰回復中心(TKR(p2),同時,第 二金鑰回復中心(TKRC2)計算M2=CR2 mod N,並將其傳 ^ '' 送給第一金鑰回復中e(TKRCl); [h] 第一金錄回復中心(TKRC1)計算Mi * =0^1 mod N 或Ml* =(CR1x CR〇mod F(N) ’並驗證檢查Ml*是否等於 M,同時,第二金鑰回復中心(TKRC2)計算M2* = CR2 mod N或=(CR2x CR1)mod—E(N) ’並驗證檢查m2*是否等 殄Μ,若通過驗證,則第其中一和第二金鑰回復中心分 別利用其各自之的私密金瑜對公開金声ΡΚ及模數Ν簽 章後再將其傳送至上述認證中心CA ; [i] 上述認證中心收到-第一和第二 開金鑰PK及模數_ F之簽章後,待驗^通過後即對ρκ及 N作一憑證證明,再回傳給用戶端之使用者; [j] 用戶端則可使用加密金餘sk,私密資料dk及 PWK加密用戶之私密金鑰s及其他個人私密金錄。 10.如申請專利範圍第9項所述之安全控管方法,其 中之相互認證之程序包括如下步驟: [I]用戶端將其識別碼(ID),一第一驗證因子(N1)、 43 本紙張尺度適用中國國家標準(CNS ) A4洗格(210X297公釐) ----1.--..—「裝------訂------^.旅 (請先閲讀背面之注意事項再填寫本頁) 經濟部中央標準局貝工消費合作社印製 經濟部中央榡準局貝工消費合作社印製 一械 與此程序所要使用之會談金餘(TK1)合併產生-用戶端 第-簽體’用戶端對該用戶端第_簽體以祠服端之公開 金錄(Ksp)進行加密,而得用戶端第一密件(C1),並將該 用戶端第一松件(C1)、用戶端識別碼(ID)、一確認請求 (Amhjeq) ’及相關資料傳送至伺服端; [π]伺服端接收到確認請求(Auth_req)後,以伺服端 私密金鑰Kss解開上述用戶端第一密件C1而嚷得前述之 會-炎金錄(TK1)、第-驗證因子(N1)、及用戶端識別碼(ID) 等相關資料,伺服端並找出使用者於註冊程序時所對應 之密碍封包(OTP)、以及整數n等相關資料,若整數n小 於2則用戶端之使用者須重新註冊,若整數η不小於2, 則伺服端產生一小於η的整數k及m而m=n_k,吾將會 談金鑰τκι、整數m、第—驗證因子(N1)及相關資料合 併為伺服端第一簽體(S1),以會談金鑰(TK1)對其加密而 得伺服端第一密件,並―將伺服端第一密件回傳給用戶端; [in]用戶端完成接收後,以上述之會談金餘(τκι)解 開上述伺服端第一簽章(S1),而得上述整數m、上述第一 驗證因子(N1),用戶端檢查上述第一驗證因子(N1)是否為 原先所送之值,驗證正確後甩戶端將使者輸入之個人密 碼(PWD)雄行m次雜凑運算而得一第一封包(οτρι),並 產生一暮二、驗證因子(N2); UV]用戶端以上述第一封包(0TP1)、上述第二驗證 因子(Ν2)、及相關之資料合併為用戶端第二簽體,利用 上述會談金鑰(ΤΚ1)對上述用戶端第二簽體進行加密而 44 从適用中國國家榇準(CNS > ( 210X297公釐A8 BS C8 D8 The key recovery center applies steps [C], [d], and [e] to the public application patent until a public key can be obtained; [f] The client calculates MPK mod N to obtain a generator C And send the generator C, the public key PK, and the modulus N to the first key recovery center (TKMin C1) and the second surplus balance center (TKRC2), and send the public key PK The modulus N is transmitted to a certification center CA; [g] The first key recovery center (TKRC1) calculates M1 = CR1 mod N 'and transmits it to the second key recovery center (TKR (p2), at the same time, The second key reply center (TKRC2) calculates M2 = CR2 mod N and sends it ^ '' to the first key reply e (TKRCl); [h] the first gold record reply center (TKRC1) calculates Mi * = 0 ^ 1 mod N or Ml * = (CR1x CR〇mod F (N) 'and verify that Ml * is equal to M. At the same time, the second key recovery center (TKRC2) calculates M2 * = CR2 mod N or = (CR2x CR1) mod-E (N) 'and verify that m2 * is waiting for 殄 M. If the verification is passed, the first and second key recovery centers use their respective private Jin Yu to publicly announce the golden sound PKK. and After the number N is signed, it is transmitted to the above-mentioned certification center CA; [i] After the above-mentioned certification center receives the signatures of the first and second keys PK and modulus _ F, it will be verified after passing ^ ρκ and N are used as a certificate, and then transmitted back to the user of the client; [j] The client can use the encrypted balance sk, private information dk, and PWK to encrypt the user's private key s and other personal private records. 10. The security control method as described in item 9 of the scope of patent application, wherein the mutual authentication procedure includes the following steps: [I] The client terminal identifies it (ID), a first verification factor (N1), 43 This paper size is applicable to Chinese National Standard (CNS) A4 Washing (210X297 mm) ---- 1 .--..— "Packing ------ Order -------- ^. Travel (please first (Please read the notes on the back and fill in this page) Printed by the Central Standards Bureau of the Ministry of Economic Affairs, Printed by the Shellfish Consumer Cooperative, Printed by the Central Economy and Quarantine Bureau of the Ministry of Economic Affairs, printed by the Shellfish Consumer Cooperative, merged with the talk Jinyu (TK1) to be used in this program- The client-item of the client's client encrypts the client's first_item with the public gold record (Ksp) of the temple server, and can be used The client ’s first confidential document (C1), and send the client ’s first loose document (C1), the client identification code (ID), a confirmation request (Amhjeq), and related data to the server; [π] the server receives After confirming the request (Auth_req), the server ’s private key Kss is used to unlock the first client ’s first secret C1 to obtain the aforementioned meeting-Yanjinlu (TK1), first-authentication factor (N1), and client identification Code (ID) and other related data, the server and find out the corresponding corresponding packet (OTP) and the relevant data such as integer n. If the integer n is less than 2, the user of the client must re-register If the integer η is not less than 2, the server generates an integer k and m less than η and m = n_k. I will talk about the key τκι, the integer m, the first verification factor (N1), and related data to be merged into the server. A signing body (S1), which is encrypted with the talk key (TK1) to obtain the first secret of the server, and ―return the first secret of the server to the client; [in] After the client finishes receiving, use the above The talk Jin Yu (τκι) unlocked the first signature (S1) on the server, and got the integer m, the above The first verification factor (N1). The client checks whether the first verification factor (N1) is the value originally sent. After the verification is correct, the personal password (PWD) entered by the client will perform m hash operations. Obtain a first packet (οτρι), and generate a second, verification factor (N2); UV] The client combines the first packet (0TP1), the second verification factor (N2), and related information into a user Second signing party, using the talk key (TK1) to encrypt the second signing party of the client, and 44 from the applicable Chinese national standard (CNS > (210X297 mm A8 B8 C8 D8 經濟部中央揉準局員工消費合作社印製 六、申請專利範圍 得一用戶端第二密件後,將其傳送給伺服端; [V] 伺服端接收到上述用戶端第二密件後,以上述之 會談金鑰(TK1)解開上述第二密件,而得上述之第一封包 (0TP1),伺服端並驗證上述第二驗證因子(N2)是否為原 先所送之值,若正確無誤則伺服端對上述第一封包(0TP1) 進行k次雜湊算,其運算結果與註冊程序中儲存於伺服 端之密碼封包比對是否相同,驗證正確後即儲存整數m 於伺服端而取代原先之整數η,同時儲存上述第一封包 (0ΤΡ1)取代原來的密碼封包,之後將上述註冊程序中產 生之加密金鑰(SK)、第一封包(0ΤΡ1)、及驗證成功之訊 息合併為伺服第二簽體,將其以會談金鑰加密後回傳給 用戶端; [VI] 用戶端以會談金鑰(ΤΚ1)解開上述加密資料 後,而分別得到加密金鑰(SK)、第一封包(0ΤΡ1)、及驗 證成功之訊息,確定驗證成功後,用戶端使用上述加密 金鑰(SK)與密碼金鑰(PWK)對存於存於用戶端上之密文 (ECK)解密以得到上述之註冊程序中之用戶端金鑰 (CK) ’使用上述用戶端金鑰(CK)、密碼金鑰(PWK)和加 密金鑰(SK)對存於可攜式儲存裝置中之密鑰密文(EDK) 解密而得到使用者之私密資料(DK),如此即完成認證之 過程,之後用戶端之使者即可以利用其私密資料(DK)執 行欲進行之動作》 11.如申請專利範圍第9項所述之安全控管方法,其 中之公開金鑰ΡΚ符合下列之式子,PKx(f(Rl,R2)) = 1 45 (請先閎讀背面之注意事項再填寫本頁) T 裝. 訂 線 本紙張尺度適用中國國家揉準(CNS ) A4規格(210X297公董) 經濟部中央標準局員工消費合作、社,2-製 A8 1 B8 C8 __D8 _ — 六、申請專利範圍 mod F(N),其中 F(N)=(p-l) X (q-l)或 f(N)為(p-l)、(q-O 之最小公倍數,而用戶端相對於PK之私密金鑰為S = f(Rl,R2) mod F(N)。 12. 如申請專利範圍第11項所述之控管方法,其中 之 f(Rl,R2)為 R1+R2 或 R1XR2。 13. —種識別卡安全控管方法,使用一金鑰交換系 統,一公開值(M),以及第一金鑰回復中心(TKRC1)及第 二金鑰回復中心(TKRC2),並具一大質數p及產生子g ’ 藉以回復金鑰,此安全控管方法包括如下步驟: [a] 用戶端與伺服端先執行一相互認證之程序,認證 完成後伺服端可得一加密金鑰(SK)及一儲存裝置上之私 密資料(DK),並由自己所選之密碼而獲得之pwK ; [b] 用戶端與第一金鑰回復中心(TKRC1)利用上述金 鑰交換系統或是執行上述相互認證之程序而獲得一第一 共享金鑰(SK1),同時亦與第二金鑰回復中心(TKRC2)進 行相同之程序而獲得一第二共享金鑰(SK2); [c] 第一金鑰回復中心(TKRC1)產生一第一媒介數 (R1),利用其與用戶端間的共享金鑰SK1加密後傳送給 用戶端,並計算C1 =gR1 mod P,再將C1送至第二金餘回 復中心(TKRC2),同時,第二金鑰回復中心(TKRC2)產生 一第二媒介數(R2),利用其與用戶端間的共享金錄SK2 加密後傳送給用戶端,並計算C2=gR2 m〇d P,再將C2 送至第一金鑰回復中心(TKRC1); [d] 用戶接到第一和第二金鑰回復中心所送來之上 46 尺度適用中6國家橾i_(CNS )八4麟·( 210X297公釐1 ' '— --------裝------訂------旅 (請先聞讀背面之注意事項再填寫本頁) 經濟部中央標準局員工消費合作社印製 A8 B8 C8 D8 χ、申請專利耗圍 述第一和第二媒介數R1、R2後,藉兩者以產生一公開金 鑰PK = gf(R1’R2) mod Ρ,則使用者相對於公開金鑰ΡΚ之 私密金鑰S為由f(Rl,R2) mod (P-1)而得,f(Rl,R2)為 上述第一和第二媒介數R1、R2之一特定運算值; [e] 用戶端將公開余鑰PK傳送給第一金鑰回復中心 (TKRC1)、第二金鑰回復中心(TKRC2),與一認證中心 CA ; [f] 若第一金鑰回復中心(TKRC1)計算Ml=PKinv(R1) mod P後並比較驗證,ΜΙ是否等於C2,同時,第二金鑰 回復中心(TKRC2)計算M2=PKlinv(R2) mod Ρ後並比較驗 證M2是否等於C1,其中inv(Rl)表示(Rl)·1 mod P-1 之運算; [g] 若通過驗證後,第一和第二金鑰回復中心以其各 自的私密金鑰對公開金鑰PK簽章後,再傳送至上述認證 中心CA ; [h] 上述認證中心收到第一和第二金鑰回氣土心對 公開金鑰PK之簽章後,待驗證通過後即對公開金鑰PK 作一憑證證明後,再回傳給用戶端;以及 [i] 用戶端使用加密金鑰SK,私密資料DK及PWK, 來加密私密金鑰S及用戶其容個人私密資料。 14.如申請專利範圍第13項所述之安全控管方法, 其中之相互認證之程序包括如下步驟: .[I]用戶端將其識別碼(ID),一第一驗證因子(N1)、 與此程序所要使用之會談金鑰(TK1)合併產生一用戶端 47 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) —I— —i-i ^^1 1 ........ t -i-i .......I ------ 1 II in ί- i I------ I - - - (請先閱讀背面之注意事項再填寫本頁) Α8 Β8 C8 D8 經濟部中央揉準局貝工消費合作社印製 申請專利範圍 一簽體,用戶端對該用戶端第一簽體以伺服端之公開 金鑰(KSP)進行加密★而得用戶端第一密件(C1),並將該 用戶端第一密件(C1)、用戶端識別碼(ID)、一確認請求 (Anth一re_q) ’及相關資料傳送至伺服端; [H]伺服端接收到確認請求(Auth_req)辣,以伺服端 私挽金緣kss解開上述用戶端第一密件C1而獲得前述之 會-炎金餘(TK1)、第-1課因子(N1)、及用戶端識別瑪(ID) 等相關>料,飼服端並、找出使甩者於註冊程序時所對應 之密碼封包(OTP)、以及整數n等相關資料,若整數η小 於2則用戶端之使用者須重新註冊,若整數η不小於2, 則伺服端產类-小於η的整數M m而m=n_k,再將會 談金餘τκι、㈣m'第一驗證因子(N1)及相關資料合 2為伺服端第一簽體(S1),以會談金鑰(TK1)對其加密而 得伺服端第-密件’並將伺服端第一密件回傳給用戶端; 间用戶端完成接收後,以上述之會談金錄(ΤΚ1)解 開上述伺服端第-簽章⑻)’而得上述整數m、上述第一 驗證因子(N1),用戶端檢查上述第—驗證因子(ni)是否為 原先所送之值,驗證正確後心端將使者輸人之個人密 瑪(PWD)進行次雜凑運算而得—第—封包(QTpi),並 產生一第二驗證因子(N2); [IV]用戶端—议上述第一封包(〇τρι)、上述第二驗噔 因手(Ν2)、及相關之資料合併為用戶端第二簽體,利用 上述會談金鑰(TK1)對上述用戶端第二簽體進行加密而 得一用户端第二密件後,將其傳送給伺服端; -----------Γ「裝------訂-----叫線------ (請先閲讀背面之注意事項再填寫本頁) -- i HI I I · 48A8 B8 C8 D8 Printed by the Consumer Cooperatives of the Central Bureau of the Ministry of Economic Affairs, Consumer Cooperatives 6. After applying for a patent, a second confidential copy of the client is sent to the server; [V] The server receives the second confidential copy of the client Use the above talk key (TK1) to unlock the second secret to obtain the first packet (0TP1). The server will verify that the second verification factor (N2) is the value originally sent. If it is correct, If there is no error, the server performs hash calculation on the first packet (0TP1) k times. The result of the calculation is the same as the password packet stored in the server during the registration process. After the verification is correct, the integer m is stored in the server instead of the original one. The integer η, and store the first packet (0TP1) to replace the original password packet, and then combine the encryption key (SK), the first packet (0TP1), and the message of successful verification generated in the registration process into a servo number The second signing body encrypts it with the talk key and sends it back to the client; [VI] The client decrypts the encrypted data with the talk key (TK1) and obtains the encryption key (SK) and the first message respectively (0TP1), and the message of successful verification. After confirming that the verification is successful, the client uses the encryption key (SK) and password key (PWK) to decrypt the cipher text (ECK) stored on the client to obtain the above. The client key (CK) in the registration process' uses the client key (CK), password key (PWK), and encryption key (SK) described above to pair the key cipher text stored in the portable storage device (EDK) decryption to obtain the user's private information (DK), so that the authentication process is completed, and then the messenger of the client can use its private information (DK) to perform the desired action. The security control method described in the above item, wherein the public key PK conforms to the following formula, PKx (f (Rl, R2)) = 1 45 (Please read the precautions on the back before filling this page) T Pack. The paper size of the book is applicable to the Chinese National Standard (CNS) A4 (210X297 public directors), the staff of the Central Standards Bureau of the Ministry of Economic Affairs, Consumer Cooperatives, 2-A8 1 B8 C8 __D8 _ — VI. Patent application scope mod F (N ), Where F (N) = (pl) X (ql) or f (N) is (pl), (qO Small common multiple, and the client's private key relative to PK is S = f (Rl, R2) mod F (N). 12. The control method as described in item 11 of the scope of patent application, where f (Rl, R2) is R1 + R2 or R1XR2. 13. A security control method for identification cards, using a key exchange system, a public value (M), and a first key recovery center (TKRC1) and a second key recovery Center (TKRC2), and has a large prime number p and a generator g 'to recover the key. This security control method includes the following steps: [a] The client and server first perform a mutual authentication process. After the authentication is completed, the server The client can obtain an encryption key (SK) and a private data (DK) on the storage device, and obtain the pwK from the password of his choice; [b] The client and the first key recovery center (TKRC1) use The above-mentioned key exchange system may perform the above-mentioned mutual authentication procedure to obtain a first shared key (SK1), and also perform the same procedure with the second key recovery center (TKRC2) to obtain a second shared key ( SK2); [c] The first key recovery center (TKRC1) generates a first media number (R1) Use the shared key SK1 between it and the client to encrypt it and send it to the client, calculate C1 = gR1 mod P, and send C1 to the second surplus response center (TKRC2). At the same time, the second key response center (TKRC2) TKRC2) generates a second media number (R2), uses the shared gold record SK2 between it and the client to encrypt it and sends it to the client, calculates C2 = gR2 m〇d P, and sends C2 to the first key to reply Center (TKRC1); [d] The user received the first and second key response centers and sent them to the above 46 scales applicable to 6 countries 橾 i_ (CNS) 8 4 Lin · (210X297 mm 1 ''-- ------ Equipment ------ Order ------ Brigade (Please read the notes on the back before filling out this page) Printed by the Employees' Cooperative of the Central Standards Bureau of the Ministry of Economic Affairs A8 B8 C8 D8 χ 2. After applying for a patent, the first and second media numbers R1 and R2 are used to generate a public key PK = gf (R1'R2) mod ρ by using both, then the user ’s private gold relative to the public key PK The key S is obtained by f (Rl, R2) mod (P-1), and f (Rl, R2) is a specific operation value of the first and second media numbers R1 and R2; [e] the client will disclose The key PK is transmitted to the first gold Key recovery center (TKRC1), second key recovery center (TKRC2), and a certification center CA; [f] If the first key recovery center (TKRC1) calculates Ml = PKinv (R1) mod P and compares and verifies, Whether ΙΙ is equal to C2. At the same time, the second key recovery center (TKRC2) calculates M2 = PKlinv (R2) mod P and compares and verifies whether M2 is equal to C1, where inv (Rl) means (Rl) · 1 mod P-1 [G] If the verification passes, the first and second key recovery centers sign the public key PK with their respective private keys, and then send them to the above-mentioned certification center CA; [h] the above-mentioned certification center receives After the first and second keys have returned the signature of the public key PK, after the verification is passed, the public key PK will be certificated and then returned to the client; and [i] the user The client uses the encryption key SK, private data DK and PWK to encrypt the private key S and the user's private personal data. 14. The security control method as described in item 13 of the scope of patent application, wherein the procedure of mutual authentication includes the following steps: [I] The client terminal identifies it (ID), a first verification factor (N1), Combined with the talk key (TK1) to be used in this program, a client 47 is produced. This paper size applies the Chinese National Standard (CNS) A4 specification (210X297 mm) —I— —ii ^^ 1 1 ...... .. t -ii ....... I ------ 1 II in ί- i I ------ I---(Please read the notes on the back before filling this page) Α8 Β8 C8 D8 The Central Government Bureau of the Ministry of Economic Affairs printed the application scope of the patent scope. The client encrypted the first sign of the client with the server's public key (KSP). A secret (C1), and send the client's first secret (C1), the client's identification code (ID), a confirmation request (Anth_re_q) 'and related data to the server; [H] the server receives The confirmation request (Auth_req) is hot, and the server ’s first private key kss is used to unlock the first secret C1 of the client to obtain the aforementioned meeting-Yan Jinyu (TK1), Lesson -1 (N1), and client ID (ID) and other related materials, feed the server and find out the corresponding password packet (OTP) and integer n, etc. If the integer η is less than 2, the user of the client must re-register. If the integer η is not less than 2, the server class-an integer M m less than η and m = n_k, and then we will talk about Jinyu τκι, ㈣m 'first verification. The factor (N1) and related data are combined into the server's first signature (S1), which is encrypted with the talk key (TK1) to obtain the server's first-password 'and the server's first-password is returned to the client. After the client finishes receiving, use the above-mentioned talk gold record (TK1) to unlock the above-mentioned server end-signature ⑻) 'to obtain the integer m and the first verification factor (N1), and the client checks the above- Verify whether the factor (ni) is the value originally sent. After the verification is correct, the heart will get the person ’s personal PWD (PWD) to perform a hash operation. The first packet (QTpi) is generated, and a second verification is generated. Factor (N2); [IV] Client—Negotiate the above first packet (〇τρι), the above second verification factor (N2), and Relevant information is combined into the second signing body of the client, and the second signing body of the client is encrypted by using the above-mentioned talk key (TK1) to obtain a second secret of the client, which is then transmitted to the server; --- -------- Γ 「Install ------ Order ----- Call the line ------ (Please read the precautions on the back before filling this page)-i HI II · 48 六、申請專利範圍 經濟部中央標準局員工消費合作社印製 [V] 伺服端接收到上述用戶端第二密件後,以上述之 會談金鑰(TK1)解開上述第二密件,而得上述之第一封包 (0TP1),伺服端並驗證上述第二驗證因子(N2)是否為原 先所送之值,若正確無誤則伺服端對上述第一封包(0TP1) 進行k次雜湊算,其運算結果與註冊程序中儲存於伺服 端之密碼封包比對是否相同,驗證正確後即儲存整數m 於伺服端而取代原先之整數η,·同時儲存上述第一封包 (0ΤΡ1)取代原來的密碼封包,之後將上述註冊程序中產 生之加密金鑰(SK)、t第一封包(0丁?1)^、及驗證成功之訊 息合併為伺服第二簽體,將其以會談金鑰加密後回傳給 用戶端; [VI] 用戶端以會談'金鑰(TK1)解開上述加密資料 後,而分別得到加密金鑰(SK)、第一封包(0TP1)、及驗 證成功之訊息,確定驗證成功後,用戶端使I上述加密 金鑰(SK)與密碼金鑰(PWK)對存於存於用戶端上之密文 (ECK)解密以得到上述之註冊程序中之用戶端金錄 (CK),使用上述用戶端金餘(CK)—密碼金鑰(PWK)和加 密金鑰(SK)對存於可攜式键存裝黑束之密鑰密文(EDK) 解密而得到使用者之私密資料如此即完成屬證之 過程,之後用戶端之使者即可以利甩其私密資料(DK)執 行欲進行之動作。 15. 如申請專利範圍第13項所述之安全控管方法, ... .......—. 其中之 f(Rl,R2)為 R1+R2 或 RlxR2。 16. —種識別卡安全控管方法,此安全控管方法包括 49 (請先閱讀背面之注意事項再填寫本頁) Γ 裝. 、?τ Τ 本紙張尺度逋用中國國家標準(CNS ) Α4規格(210Χ297公釐) 經濟部中央標隼局員工消費合作社印裝 AS B8 C8 D8 ^、申請專利範圍 有一資料傳送及驗證程序,其係為正常情形下之資料傳 送程序;以及一金鑰及密文的回復程序,其係當發文端 之金鑰或明文遺失時,能利用此一程序將之回復; 其中之資料傳送及驗證程序包括如下步驟: [a]當發文端欲傳送明文資料Μ給收文單位時,發文 單位先產生一通訊基碼SK,再以發文端之私密金鑰KGS 對該通訊基碼SK進行加密而得(SK)KC3S,並以收文端之 公開金鑰PKR對該通訊基碼進行加密而得(SK)PKR, 將上述通訊基碼SK與上述(SK)Kcjs進行特定之運算而得 一發文端密鑰,以該發文端密鑰對所欲傳送之明文資料 Μ進行加密而得一密文SM,對上述通訊基碼SK、 (SK)KC3S、(SK)PKIl及特定相關資料進行雜湊運算而得到一 信託認證子EA,以一家族金鑰FK對上述(SK)KGS、 (SK)PKe、.特定相酿資料、以及信託認證子EA進行加密 而帶一法定存取欄位LEAF,再將密文SM、法定存取欄 位LEAF、以及特定相關資料傳送至收文餐; _〇?]收文端接收密文SM、法定存取欄位LEAF、以及 特定相關資料後,利用家族金鑰解開LEAF而得到前述 (SK)KGS、(SKVKR、信託認證子EA、以及特定相關資料, 利用收文端私密金鑰KGR解開(SK)PKR而得上述通訊基 〆· $ SK,以通訊基碼SK將所接收之上述(SK)KGS澤原而可 得_前述發文端密鑰,再利用該發文端密鑰解開密文SM 而得到明文資料Μ ;以及 [c]收文端並對所接收之通訊基碼SK、(SK)KGS、 50 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) (請先閱讀背面之注意事項再填寫本頁) •裝--- 訂------^線- • .....Ill— . - -- In 1^1 - 8 I - I -1 六、申請專利範圍 (SK)PKR、及特定相關資料進行雜湊運算,其運算結果用 以與所接收到之信託認證子EA互相比對,若相等則表示 驗證成功傳輸過程無誤; 而其中上述.收文端金鑰KGR,是由一第一金鑰管理 單位和第二金鑰管理單位分別提供之收文踹第一金鑰因 % .... 子ρίκΐ與t文端_、第二金鑰因子KGR2,兩者經特定運算 ..而得,而上述發文端金錄KGS,是由一第金錄管理單位 和第二金鑰管理單位分別提供之收-文端第一金鑰因子 .KGS1與收文端-第二金鑰因子KGS2,兩者經特定運算而 得, 其中之金鑰及密文的回復程序5包括如下步驟: 發文端先要求上述第一金鑰管理單位及第二金鑰 管理單位取出第一金鑰因子KGS1與收文.端第二金鑰 因子KGS2,由KGS1與KGS2即可經運算而得發文端 金鑰KGS ; 經濟部中央標準局員工消費合作社印製 (請先閲讀背面之注意事項再填寫本頁) 利用回復之發文端金鑰KGS,即可將(SK)KGS解開而 得上述通訊基碼sk,再利用該通訊基碼sk與 行特定之運算而得到上述發文端密鑰,利用此一發文端 密金鑰即可以將密文解開而得,到明文資料。 17. 如申請專利範第16項所述之安全控管方法,其 中之發文端私密金鑰KGS係由KGS1©KGS2而得,而收 文端私密金鑰KGR係由KGR1㊉KGR2而得,㊉表示互斥 運算。 18. 如申請專利範第16項所述之安全控管方法,其 本紙張尺度適用中國國家標準(CNS ) A4規格(2丨0X297公釐) A8 B8 C8 D8 經濟部中央標準局員工消費合作社印製 六、申請專利範圍 中之特定相關資料可為發文端之機關代碼IDS、收文端 1之哉關枚:每IDR、及任意初始向量值之組合群體。’ 19.一種所有權驗核機制,此所有權驗核機制包括了 初始階段、第一次文件傳輸及第i次文件傳輸; 其中之初始階段包括如下步驟: 奔第一次登入時,於發文端A隨機選取一數字N。;. 然後,於發文端A產生所有權簽署金鑰對A。,和 Aop ’以及通訊金鑰κΑΤ ;最後 芦文端Α經由公證程序將Aos及ΚΑΤ送交所有權公 正機M TKC ; 其中之第一次文件傳輸包括如下步驟: (a) 對第一份文件產生一第一文件表頭MT1,該表 頭MT1至少包括發文端,A之身份識別碼IDa、第一份文 件之序號S,、义及分別利用發裏端A之文件簽署密鑰As 加密之相關資料’或經雜湊函數h(·)處理過之相關資料; (b) 發文端A利用所有權簽署金餘八。3對上述第一文 件表頭MT1簽章而得第一表頭.簽章A〇s{mti},發文端合 併1 IDA、公正機關TTP身份識別碼IDTTP、收文崎B身份 識別碼IDb、文件表頭Μτι、及第一表頭簽章Aqs{Mti} '後私通訊金鑰κΑΤ加密,再將其與第一份文件之表頭&τι /傳瑪至公正機關TTP ; (c) 公正機關TTP收到後,令T!等於上述第一文件 表頭MT1 ’並將IDa、IDb、、{丁|}’、以及凡儲存; ⑷發文端A將IDA+ 等相關資料以公證 (請先閲铕背面之注意事項再填寫本頁) τ -裝. .^.4 本紙張从逋用中國國家標率(CNS)以胁(2丨〇><297公着) 經濟部中央標隼局貝工消费合作社印震 A8 B8 C8 D8 六、申請專利範圍 程序送交收文端B ; (e) 收文端B將AcjTJ及文件序號、收發文方等文 件識別資訊以KBT加密後,以公正诚關χχρ之公開金鑰 TTPp加密後’送交公正機關ΤΤρ ; (f) 公正機關ΤΤΡ以其私密金鑰TTPS鮮開上述密文 後比較步驟(e)中之入。8{丁1}是否相同,並將比較結果以 KBT加密後送給B ;. " ' (g) 若步驟(f)中之較結果為相同則B執行步驟(h),否 則B要求A重新執行步雜(d);以及 (h) 最後’收文哆B儲夯AjTJ ; 其中之第i次文件傳輸包括如下步驟: (¾發文端A對第i份文件產生第丨文件表頭 MflDA+Si+hCMiH (Α〇ρ·(ΤΜ) ’ 其中 Si 為第 i 份文件之 序號; (Π)發文端A利用所有權簽署金綠對上述第i文 件表頭MTi簽章而得第一表頭簽章A。,],發文端a 合併ida、公正機關身份識別碼IDttp、收文端身份識別 碼IDB、文件表頭MTi、及第i表頭簽章A〇s{MTi}後以通 訊i . « 金鑰κΑΤ加密,再將其與第i份文件之表頭傳送至公 正機關TTP ; " (ΙΠ)公正機關TTP收到後,+ T|等於上述第i文件 表頭Μτί埤g w :欠文件表頭Ti i,Ti i之互斥運算值 MTieTM,並將 IDa、IDb、A。具ι}、以及 Ti健存; (請先閲讀背面之注意事項再填寫本頁) -裝- 訂 線 53 端A所送 MTi,再根 Α8 Β8 C8 D8 、申請專利範園 (IV)將T1以Ti取代,重覆第一次文件傳輸中之步 驟(4)~(h),如此來從事王常之文件傳送。 20·如申請專利範第19項所述之所有權驗核機制’ 其中當收f端这..提A M*及'A0S{MTi} ’欲證明為發友 出之文件·,則公正機關TTP可公佈Aop以解出 據MTi之内容確定文件,是否為發文端A所發 出’若M*為事後偽造之文件,則根據ΤΓ及MTi之關連、性, TTP可證明M*非由發文端所發齿,其中前後文件之關連 性之判斷如下: 往前瀾連性為…MTi=Ti㊉; /往後關連性為自-MTm中取出(A^liCT;))欄位. h(Ti)= (A^hd))㊉Αορ。 :—*ΓΊ裝-------訂-----f線 (請先聞讀背面之注意事項再填寫本頁) 經濟部中央標準局員工消费合作社印装 54 本紙張尺度逋用中國國家標準(CNS ) A4規格(210X297公釐〉6. Scope of Patent Application Printed by the Consumer Cooperative of the Central Bureau of Standards of the Ministry of Economic Affairs [V] After receiving the second secret from the client, the server uses the talk key (TK1) to unlock the second secret. For the first packet (0TP1), the server verifies whether the second verification factor (N2) is the value originally sent. If it is correct, the server performs hash calculations on the first packet (0TP1) k times. Is it the same as the password packet stored on the server in the registration process? After the verification is correct, the integer m is stored on the server instead of the original integer η. At the same time, the first packet (0TP1) is stored instead of the original password packet. Combining the encryption key (SK), the first packet (0 ?? 1) ^ generated during the above registration process, and the message of successful verification into a second server, which is encrypted with the meeting key and sent back to the server. Client; [VI] After decrypting the encrypted data with the talk key (TK1), the client obtains the encryption key (SK), the first packet (0TP1), and the message of successful authentication. After confirming that the authentication is successful, ,use The client enables the above-mentioned encryption key (SK) and cryptographic key (PWK) to decrypt the cipher text (ECK) stored on the client to obtain the client gold record (CK) in the registration process described above, using The above client end (CK)-password key (PWK) and encryption key (SK) decrypt the key cipher text (EDK) stored in the portable key storage black beam and obtain the user's private information. That is, the certificate process is completed, and then the messenger of the client can take advantage of his private information (DK) to perform the desired action. 15. According to the security control method described in item 13 of the scope of the patent application, ............, where f (Rl, R2) is R1 + R2 or RlxR2. 16. —A security control method for identification cards. This security control method includes 49 (please read the precautions on the back before filling out this page). Γ.. Ττ This paper uses Chinese National Standard (CNS) Α4 Specifications (210 × 297 mm) AS B8 C8 D8 printed by the Consumer Cooperatives of the Central Bureau of Standards of the Ministry of Economic Affairs. The scope of patent application includes a data transmission and verification procedure, which is a normal data transmission procedure; and a key and secret. The procedure for replying to the text is that when the key or the plaintext of the sender is lost, this procedure can be used to reply it; the data transmission and verification procedure includes the following steps: [a] When the sender wants to send the plaintext data to When the receiving unit, the sending unit first generates a communication base code SK, and then encrypts the communication base code SK with the private key KGS of the sending end to obtain (SK) KC3S, and uses the public key PKR of the receiving end to communicate with the communication. The base code is encrypted to obtain (SK) PKR. The communication base code SK and the (SK) Kcjs are used to perform a specific operation to obtain a sender key. The sender key is used to pair the plaintext data M to be transmitted. Encryption is performed to obtain a ciphertext SM. A hash operation is performed on the communication base codes SK, (SK) KC3S, (SK) PKI1 and specific related data to obtain a trust authentication sub-EA, and a family key FK is used to perform the above (SK ) KGS, (SK) PKe, .Special phase brewing data, and trust authentication sub-EA are encrypted with a legal access field LEAF, and then the ciphertext SM, legal access field LEAF, and specific related data are transmitted to Received meal; _〇?] After receiving the ciphertext SM, legal access field LEAF, and specific related information, the receiving end uses the family key to unlock LEAF to obtain the aforementioned (SK) KGS, (SKVKR, Trust Authenticator EA, And specific related information, use the private key KGR of the receiver to unlock the (SK) PKR to get the above communication base $ $ SK, and use the communication base code SK to receive the above (SK) KGS Zeyuan and get _ Key, and then use the sender's key to unlock the ciphertext SM to obtain the plaintext data M; and [c] the receiver and the received communication base code SK, (SK) KGS, 50 This paper standard applies the Chinese National Standard (CNS ) A4 size (210X297mm) (Please read the note on the back first Please fill in this page for matters) • Install --- Order ------ ^ Line- • ..... Ill—.--In 1 ^ 1-8 I-I -1 SK) PKR and specific related data are hashed. The result of the calculation is used to compare with the received trust authenticator EA. If they are equal, it means that the verification is successful and the transmission process is correct; and the above-mentioned. Receiver key KGR, It is a receipt provided by a first key management unit and a second key management unit, respectively. The first key factor% .... 子 ρίκΐ and t text end_, the second key factor KGR2, both of which are specified Operation. And, the above-mentioned sending end gold record KGS is a receiving-document first key factor .KGS1 and receiving end-second gold respectively provided by a first record management unit and a second key management unit. The key factor KGS2 is obtained through a specific operation. The key and ciphertext recovery procedure 5 includes the following steps: The sender first requests the first key management unit and the second key management unit to retrieve the first key. The factor KGS1 and the received message. The second key factor KGS2 can be calculated from KGS1 and KGS2 to obtain the sending key KGS. Printed by the Consumer Cooperative of the Central Standards Bureau of the Ministry of Economic Affairs (please read the precautions on the back before filling out this page). Using the reply key KGS, you can unlock (SK) KGS to get the above communication base code sk, The communication base code sk and line-specific operations are then used to obtain the above-mentioned sender's key, and the sender's secret key can be used to decrypt the ciphertext to obtain the plaintext data. 17. The security control method described in item 16 of the patent application, wherein the private key KGS at the sending end is obtained from KGS1 © KGS2, and the private key KKG at the receiving end is obtained from KGR1㊉KGR2, where ㊉ indicates mutual exclusion Operation. 18. As for the security control method described in item 16 of the patent application, the paper size is applicable to the Chinese National Standard (CNS) A4 specification (2 丨 0X297 mm) A8 B8 C8 D8 Printed by the Employees' Cooperative of the Central Standards Bureau of the Ministry of Economic Affairs System 6. The specific relevant information in the scope of the patent application can be the organization code IDS of the issuing end, and the serial number of receiving end 1: each IDR, and any combination of initial vector values. '19. An ownership verification mechanism, which includes the initial stage, the first file transfer, and the i-th file transfer; the initial stage includes the following steps: At the first login, at the sender A Pick a number N at random. ;. Then, at the sending end A, the ownership signing key pair A is generated. , And Aop 'and the communication key κΑΤ; finally, Aluwen end A sends Aos and κΑΤ to the proprietary justice machine M TKC through a notarization procedure; the first file transmission includes the following steps: (a) generating the first file A first document header MT1. The header MT1 includes at least the sending end, the ID of the A, the serial number S of the first document, the meaning, and the related use of the document signing key As for encryption at the sending end A. Data 'or related data processed by the hash function h (·); (b) The sender A uses the ownership to sign the remaining eight. 3 Sign the first document header MT1 to get the first header. The signature A0s {mti}, the sender merges 1 IDA, the fair authority TTP identification code IDTTP, the receiving text B identification ID IDb, the document Header Mτι and the first head seal Aqs {Mti} 'The private communication key κΑΤ is encrypted, and then it is encrypted with the head of the first document & τι / Chuanma to the fair authority TTP; (c) justice After receiving the TTP from the agency, make T! Equal to the above-mentioned first document header MT1 'and store IDa, IDb,, {丁 |}', and Fan; ⑷ Issue end A will notarize the relevant information such as IDA + (please read first (Notes on the back of the page, please fill in this page again) τ -Package.. ^. 4 This paper is from the Chinese National Standards (CNS) to threaten (2 丨 〇 > < 297) by the Central Bureau of Standards, Ministry of Economic Affairs Beigong Consumer Cooperative Co., Ltd. Yinzhen A8 B8 C8 D8 VI. The patent application procedure is sent to receiver B; (e) Receiver B encrypts the file identification information such as AcjTJ and the document serial number, the sender and receiver, etc. with KBT, and conducts impartiality. The public key TTPp of χχρ is encrypted and 'sent to the impartial authority TTρ; (f) the impartial authority TTP opens with its private key TTPS Comparison to the step (e) into the ciphertext. 8 {丁 1} is the same, and send the comparison result to B after being encrypted by KBT ;. " '(g) If the comparison result in step (f) is the same, then B executes step (h), otherwise B requires A Re-execute steps (d); and (h) Finally, 'Received 哆 B storage ram AjTJ; the i-th file transfer includes the following steps: (¾ sender A generates the 丨 file header MflDA + for the ith file. Si + hCMiH (Α〇ρ · (ΤΜ) 'where Si is the serial number of the i-th document; (Π) Issuer A uses the ownership to sign the golden green to sign the first i-header MTi and obtain the first heading signature Chapter A.,], the sender a merges ida, the impartial agency ID IDpp, the receiver ID ID, the document header MTi, and the i header to sign A0s {MTi} to communicate i. « The key κΑΤ is encrypted, and then it is transmitted with the header of the i-th document to the fair authority TTP; " (ΙΠ) After the fair authority TTP receives, + T | equals the above-mentioned i-th document header Μτί 埤 gw: Table header Ti i, Ti i mutually exclusive calculation value MTieTM, and IDa, IDb, A. With ι}, and Ti Jian; (Please read the precautions on the back before filling (Page)-Binding-MTi sent by end A of the order 53, and then root A8, B8, C8, D8, and patent application (IV) Replace T1 with Ti, repeating steps (4) ~ (h) in the first file transfer ), So as to engage in the transfer of Wang Changzhi's documents. 20. The ownership verification mechanism as described in item 19 of the patent application model, where when receiving the f-end this ... mention AM * and 'A0S {MTi}' Document, the fair authority TTP may publish Aop to find out whether the document is determined based on the content of MTi, whether it is a document issued by sender A. If M * is a forged document afterwards, according to the relationship and nature of TTi and MTi, TTP may Prove that M * is not sent by the sender. The judgment of the relevance of the previous and following documents is as follows: The forward connectivity is ... MTi = Ti㊉; / The subsequent connectivity is taken from -MTm (A ^ liCT;)) Field. H (Ti) = (A ^ hd)) ㊉Αορ. :-* ΓΊ 装 ------- Order ----- f line (please read the precautions on the back before filling in this page) Printed on 54 paper sizes used by the Consumer Cooperatives of the Central Standards Bureau of the Ministry of Economic Affairs China National Standard (CNS) A4 specification (210X297 mm>
TW86110567A 1997-07-25 1997-07-25 Method for security control using token card TW384591B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW86110567A TW384591B (en) 1997-07-25 1997-07-25 Method for security control using token card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW86110567A TW384591B (en) 1997-07-25 1997-07-25 Method for security control using token card

Publications (1)

Publication Number Publication Date
TW384591B true TW384591B (en) 2000-03-11

Family

ID=21626845

Family Applications (1)

Application Number Title Priority Date Filing Date
TW86110567A TW384591B (en) 1997-07-25 1997-07-25 Method for security control using token card

Country Status (1)

Country Link
TW (1) TW384591B (en)

Similar Documents

Publication Publication Date Title
US6925182B1 (en) Administration and utilization of private keys in a networked environment
US6073237A (en) Tamper resistant method and apparatus
CN104796265B (en) A kind of Internet of Things identity identifying method based on Bluetooth communication access
CN109067801A (en) A kind of identity identifying method, identification authentication system and computer-readable medium
CN1889432B (en) Password remote authentication method based on smart card, smart card, server and system
US11838405B1 (en) Blockchain delegation
CN109040139A (en) A kind of identity authorization system and method based on block chain and intelligent contract
WO1999033221A1 (en) Secure proxy signing device and method for use
CN106789041A (en) A kind of credible block chain method of decentralization certificate
JPH11512841A (en) Document authentication system and method
CN103544452A (en) Signature generation and verification system and signature verification apparatus
CN102750496A (en) Secure access authentication method for removable storage media
CN113824564A (en) Online signing method and system based on block chain
JPS6256043A (en) Electronic trading method
CN114692218A (en) Electronic signature method, equipment and system for individual user
Patel Information security: theory and practice
GB2434724A (en) Secure transactions using authentication tokens based on a device "fingerprint" derived from its physical parameters
CN119026095B (en) Copyright protection and traceability method based on physical unclonable function watermark and blockchain
EP4231583A1 (en) Methods and arrangements for establishing digital identity
CN111091380B (en) Block chain asset management method based on friend hidden verification
Kumar An Enhanced Remote User Authentication Scheme with Smart Card.
CN100566250C (en) A kind of point to point network identity identifying method
JP2018133739A (en) Secret key replication system, terminal, and secret key replication method
CN110838918B (en) Anti-quantum certificate issuing method and system based on public key pool and signature offset
CN110519223B (en) Anti-quantum computing data isolation method and system based on asymmetric key pair

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MK4A Expiration of patent term of an invention patent