Μ濟部中央橾隼局負工瀉费合作杜印氧 Α7 Β7 五、發明説明(ί ) 本發明係有關於一套識別卡(token card)安全控管方 法,特別係有關於利用密碼學加解密、數位電子簽章技術、 以及分散機密的觀念來加以保護網路作業環境下安全性及 可靠度之控管方法。此種識別卡可以是軟式磁片、IC卡、 ZIP或M0等等屬於可攜式之所有儲存裝置(儲存媒體)。 由於網際網路之商業應用日益普及與盛行,網路辦 公室與電子銀行也隨著快速發展,而其電子資訊傳送之 正確性則端輥密碼元件,以及其安全控管機制連作之高 度保密性來保障所有人之權益β 就網路作業環境而言,使用者必須藉其各別之識別 裝置、登錄機器、操作軟體、及一般協定等之統合運作, 而可以讓使用者在其用戶端成功地登錄並完成驗證。而 使用者在接取(access)網路時,卻也是最容易洩露其本身 之機密’所以在網路系統下,用戶端往往是防護最少的 部份’而容易為入侵者所截取而用以破解系統》 此外,由於在網路上資料之互通有無,所以使用者 在其登錄端(用戶端)所使用之軟體,也常遭受到電腦病毒 之潛在威脅》目前對於軟體的保護,除以防毒軟體來防 止程式被侵入,並無明顯的方法可以偵測軟體是否已為 病毒所篡改。 在儲存媒體(儲存裝置)方面,一般於學理上之討論皆 假設儲杳媒體是非常安全的,如利用1C卡或簽章卡,但 是此類設備其價格較高,且須購買額外之設備,所以短 期内無法大量推廣》而磁片是一便宜且普及的儲存媒 本紙ilUUl適用中國國家橾牟(CNS } A4洗格( 210X297公釐) 111.— —J-lk—^ ,裝--— II—訂------""Cj (請先聞讀背面之注意事項再填寫本頁) 經濟部中央標準局員工消费合作杜印製 A7 B7 五、發明説明(么) 體,但是其安全性低,目前有以PKCS#5方式用以增加 磁片安全之方法,然而其卻往往容易被字典攻擊法所破 解。 而現行之網路安全機制中,用以確保安全性的秘密 金鑰若因種種因素而遺失的話,將會使得加密的資料無 法獲得,徒增困擾。所以在網路安全傳輸上,金鑰之回 復系統是有其必要性。 在網路文件交換環境中,文件之效力可能相當的 久,在科技快速進展的現代,電子文件被篡改和冒名之 可能性相當大。所以設計一套電子公文擁有權的驗核機 制,使得即使在簽章金鑰被破解的情形下,仍然不會有 被偽簽的危險,以提供發文端必要之保護,是有其必要 性的。 有鑑於此,本發明針對上述網路應用所可能遭遇之 問題,提出一套識別卡安全控管方法,其包括以下部份: 一、 檢驗系統中檔案有無遭篡改的檢查機制,用以 偵測系統内檔案有無遭受入侵者亦或病毒侵入。 二、 植基相互認證系統的控管機制,用以防制入侵 者對已加密之資料進行字典或蠻橫找尋攻擊法,並進而 防止使用者在使用不安全的機器上進行登入。 三、 使用於簽章控管的群體導向數位簽章機制,藉 由使用者完成與伺服端認證後,文件由使用者簽過後, 須再經由伺服端簽過,用以防止使用者在無意下,或操 作錯誤下簽出文件。 (請先閲讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家橾準(CNS〉A4規格(2丨0X297公釐) 五、發明説明(3 A7 B7 四、 金鑰回復機制,當使用者金鑰遺失或有爭端發 生時,而需由公正之第三者舉證時,可藉以導出金鑰。 五、 回復金鑰加解密機制。 六、 所有權驗核機制,用以確保他人無法仿冒,或 是在已發出的文件間插入其他偽造的文件。 為讓本發明之上述目的、特徵、和優點能更明顯易 懂,下文特針對上述各部份之控管方式,舉出較佳實施 例,並配合所附圖式,做詳細說明如下。 圈示之簡單說明: 第圖示一軟體之目錄架構圖 - ^1-, -I HI 11^1 an nn mu t Jn (請先閲讀背面之注意事項再填寫本f ) 經濟部中央揉準局貝工消费合作社印製 第2A〜顯示本發明第二實施例之動作過程簡圖。 第3Α〜3Β圖係回復金鑰加丨解密機制,分別為資料 傳送及驗證程序和金鑰及密文回復程序。 實施例一:(檢驗系統襠案有無遭篡改的檢査機制) 一種識別卡安全控管方法,用以偵測並防止用戶端 電腦系統中之檔案遭受入侵者篡改或病毒損害,此控管 方法在用戶端電腦系統上之運作機制包含如下兩個程 序:檢驗軟體安裝程序;以及程式偵試程序。 檢驗軟體安裝程序包括如下之步驟: 對於欲控管之軟體的根目錄下各子目錄底下之每一 檔案及目錄,利用"安全雜湊函數"以產生相對應之第一 檔案雜湊值,並儲奇於用戶端電腦系統上; 分別將各該子目錄中之每一第一檔案雜湊值加以結 訂 本紙張尺度通用中國國家標準(CNS ) A4規格(2丨OX 25>7公釐} 經濟部中央標準局貝π消费合作社印製 A7 B7 五、發明説明(中) 合,再利用安全雜湊函數產生相對應之第一目錄雜湊 值,並將此第一目錄雜凑值分別儲存於各該子目錄中。 如此重覆,一層層對該根目錄下的各層下子目錄作相同 之動作,以得到各相對應之檔案雜湊值及目錄雜湊值, 並分別儲存於用戶端電腦系統及各子目錄中,直到位於 該根目錄下所有之子目錄均有其相對之目錄雜湊值,再 於此根目錄下,將此根目錄下之所有目錄雜湊值加以結 合,並利用安全雜湊函數產生一第一根目錄雜湊值;利 用用戶端的私密金鑰而將上述根目錄雜湊值加以簽章, 並將上述簽章結果儲存於用戶之一可攜式儲存裝置(即 識別卡)中;並將程式檢驗程式儲存於該可攜式儲存裝置 中,此時可將該儲存裝置設成唯讀,而完成此檢驗軟體 安裝程序。 而程式偵試程序則包括以下步驟: 執行一程式檢驗程式;該檢驗程式將用戶端欲偵試 之軟體的根目錄下子目錄中每一檔案,利用安全雜湊函 數產生相對應之第二檔案雜湊值,並檢查其與儲存於用 戶端之上述第一檔案雜湊值是否相等,若不相等則表示 欲偵試之軟體中的程式有遭竄改或是版本不符而停止此 偵試程序;否則上述檢驗程式再以如前述安裝程序之過 程,而分別將各子目錄中之檔案雜湊值加以結合,再利 用安全雜湊函數產生相對應之第二目錄雜湊值,並將該 第二目錄雜湊值與分別儲存於上述各子目錄中第一目錄 雜湊值加以比較,若不相等則表示欲偵試之軟體中的程 --—niLmL, -、裝-- ·· (請先閲讀背面之注意事項再填寫本頁) 訂 本紙張尺度適用中國國家標準(CNS ) Α4規格(210X297公釐) 鑪濟部中央揉準局貝工消费合作社印装 A7 ___^_B7 五、發明説明(5 ) 式有遭竄改或是版本不符而停止此偵試程序。 對各層下子目錄重覆上述之檢查動作,直到位於根 目錄下所有之子目錄均有其相對之第二目錄雜湊值且均 通過驗證,再於根目錄下將上述根目錄下之目錄雜湊值 加以結合,並再利用安全雜湊函數產生一第二根s錄雜 湊值,將其與儲存於用戶端之第一根目錄雜湊值相比 較,若不相等則表示欲偵試之軟體中的程式有遭竄改或 是版本不符而停止此偵試程序》最後對第二根目錄雜湊 值加以簽章,並自上述可攜式儲存裝置中讀出第一根目 錄湊值之簽章結果,驗正兩者是否相符合,若不符合則 表示用戶端之程式有遭篡改或是版本不符之情形。 假設欲控管之軟體的檔案結構如第1圖所示。於檢 驗軟體安裝程序♦,首先對欲控管之軟體的根目錄下, 各目錄底下之檔案或目錄A〜G進行雜湊運算而得雜湊 值hs(A)~hs(G),並將hs(A)〜hs(G)值存於用戶端之電猫系 統中。將I子目錄下之雜湊值hs(A)和hs(B)相結合後, 例如是取互斥運算,再對其進行雜湊運算而得子目錄雜 湊值hs(I),同理也可得子目錄雜湊值hs(II),再將這些子 目錄雜湊值存於各自之子目錄中。 將子目錄III下之雜湊值hs(I)、hs(E)、和hs(F)相結 合後,再對其進行雜湊運算而得子目錄雜湊值hs(III), 同理將子目錄IV下之雜湊值hs(II)、和hs(G)相結合後,$ 再對其進行雜湊運算而得子目錄雜凑值hs(IV),亦將這, 些子目錄雜湊值存於各自之子目錄中。最後,將雜湊值 (請先聞讀背面之注意事項再填寫本頁) 本紙張尺度遑用中國國家搮隼(CNS > Α4规格(210Χ 297公釐) 經濟部中央樣準局負工消费合作杜印製 A7 B7 五、發明説明(6 ) hs(III)、和hs(IV)相結合後,再進行雜湊運算而得一根目 錄雜湊值hs(root)。 最後,以用戶端的私密金鑰而將上述根目錄雜湊值 hs(root)加以簽章,並將上述簽章結果儲存於用戶之可攜 式儲存裝置中,·再將程式檢驗程式儲存於上述可攜式儲 存裝置中,則完成檢驗軟體安裝程序。 於程式偵試程序中,先執行上述程式檢驗程式,該 檢驗程式將用戶端欲偵試之軟體根目錄下子目錄中每一 檔案,利用安全雜凑函數產生相對應之雜湊值 hs*(A)~hs*(G),並分別一對一檢查其與儲存於用戶端之 雜湊值hs(A)〜hs(G)是否相等,若不相等則欲偵試之軟體 的程式有遭篡改或是版本不符而停止此程序。 否則上述偵試程式再以如安裝程序之過程,而分別 產生hs*(I)〜hs*(IV)、以及hs*(root),再分別一對一檢查 其與儲存於用戶端之雜湊值hs(I)〜hs(IV)、hs(root)是否相 等若不相等則欲偵試之軟體的程式有遭篡改或是版本不 符而停止程序。最後,對上述根目錄雜湊值hs*(root)加 以簽章,並自上述可攜式儲存裝置t讀出第一根目錄湊 值之簽章結果,驗正兩者是否相符合,若不符合則表示 欲偵試之軟體之程式有遭篡改或是版本不符之情形,而 完成驗證之程序。 由上可知,經由逐身之檢查,可將所有所有檔案結 構上之任何變動均查覺出來,故而讓使用者得知用戶端 -* S1. —>1- i nn HI —^n alL-p ι_ϋ n - (請先閲讀背面之注意事項再填寫本頁) 訂 的程式是否有遭篡改或是版本不符之情 形發生 本紙浪尺度適用中國國家揉準(CNS ) A4規格(210X297公釐) M濟部t央橾率局貞X消费合作杜印氧 端私密金鑰Kss A7 B7 五、發明説明(Ί ) 實施例二:(植基相互認證系統的控管機制) 請參照第2A〜2 C圓,其表不本實施例動作過程之 簡圖’下文將配合第2A〜2C來說明本實施例》 本發明之一種植基松互認證系統的控管機制,主要 係利用伺服端、用戶端及其可攜式儲存裝置間之密碼相 互認證方法,藉以防止入侵者對可攜式儲存裝置中已加 密之機密資料進行字典或蜜橫找尋攻擊法,並進而防止 用戶使用不安全的機器進行登入。 上述控管方法在用戶端電腦系統上之運作機制包含 如下三個程序: I. 註冊程序’初次登錄使用時之控管方法。 II. 認證程序,使用者完成註冊程序後,再次登錄使 用時之控管方法。 III. 更換密碼程序》 請參照第2A圖,註冊程序包括如下步輝: [a]用戶端利用其識別碼Π3、一會談金鑰ΤΚ(有時亦 稱為通訊基碼)、一第一驗證因子>Π、及相關資料,合併 產生一用戶端第一簽體(TK+ID+N1),用戶端對該用戶端 第一簽體以伺服端之公開金鑰KSP進行加密,而得用戶 端第一密件C1=EN(KSP,TK+ID+N1),將該用戶端第一 密件C1、識別碼ID、一註冊請求Reg_req,及相關資料 傳送至伺服端。 ⑼伺服端伊彳文到上述註冊請求Reg_req後,以伺服 解開上述用戶端第一密件C1而獲得前述 本纸浪尺度遄用中國國家標準(CNS > A4说格(210X 297公釐) ----------'1—Γ"-裝------訂------ * {請先閲讀背面之注f項再填寫本頁) A7 B7 鲤濟部中央橾準局貝工消費合作社印製 五、發明説明(δ ) 之會談金鑰TK、第一驗證因子N1、及識別碼ID等相關 資料。 伺服端產生一加密金鑰SK、一第二驗證因子N2、 及一整數η’伺服端以上述之加密金鑰sk、整數n、第 一驗證闼子Ν1、第二驗證因子Ν2、以及相關資料合併 產生一伺服端第一簽體(η+Ν2+Ν 1 +SK+Time 1 +Salt),以上 述會談金鑰TK對上述伺服端第一簽體加密而得一伺服 端第一密件 Sl=(TK,n+N2+Nl+SK+Timel+Salt),再將 S1 回傳給用戶端,其中Timel為系統時間,而Salt為一加 鹽值’此加鹽值可使之每次輸出不同的值》 [c] 用戶端完成接收後,以上述之會談金鑰TK解開 上述伺服端第一密件S1,而得上述整數η、上述加密金 鑰SK、上述第一驗證因子Ν1與第二驗證因子Ν2,系 統時間Timel、及加鹽值Salt。用戶端檢查上述第一驗證 因子(N1)是否為原先所送之值,並檢查系統時間Timel 以驗證傳輸時間是否在合理之範圍内,驗證正確後用戶 端將使者個人密碼PWD合併加鹽值Salt進行η次雜凑運 算而得一密碼封包OTP=Hn(Salt+PWD); [d] 用戶端以上述密碼封包OTP、上述第二驗證因子 N2、及系統時間 Time2 為用戶端第二簽艘 (0TP+N2+Time2),利用上述會談金鑰(TK)對上述用戶端 第二簽體進行加密而得一用戶端第七密件C2=EN(TK, OTP+N2+Time2)後,將C2饵傳送給伺服端》 |>]伺服端接收到上述用戶端第二密件C2後,以上 10 -» -1 ^^1 —^1 -- - n^i m I * (請先閱讀背面之注意事項再填寫本頁) 訂- LT. 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 艟濟部中央搮準局貝X消费含作社印装 A7 ______B7_—___ 五、發明説明(ί) 述之會談金鑰TK解開上述第二密件C2,而得上述之密 碼封包OTP,伺服端並驗證上述第二驗證因子是否為原 先所送之值,並檢查系統時間Time2以驗證傳輸時間是 否在合理之範圍内,若正確無誤則將上述之密碼封包 OTP、以及整數η储存於伺服端,益產生一註冊標記 Reg_yes。伺服端利用上述密碼封包ΟΤΡ、註冊標記 Reg_yes、及系統時間Time3為伺服端第二簽體(OTP + Req_yes + Time3),以上述會談金鑰對上述伺服端第二簽 艘進行加密而得一伺服端第二密件S2 = EN(TKL, OTP + Req_yes + Time3),再將S2回傳給用戶端。 [f]用戶端以會談金鑰解開上述伺服端第二密件 S2,而接收上述註冊標記Reg_yes確認註冊無誤,且已 檢查系統時間Time3以驗證傳輸時間是否在合理之範 圍内後,即自行產生一用戶端金鑰CK並且對使用者密 碼PWD進行雜湊運而導出一密碼金鑰PWK=H(PWD)。 使用上述加密金鑰SK與密碼金鑰PWK,將上述用戶端 金鑰CK加密成為用戶端密文ECK並將其結果存於用戶 端上。另外亦使用上述用戶端金鑰CK與密碼金鑰PWK 對使用者之私密資料DK:加密成為一密鑰密文EDK,並 將其存於可攜式儲存裝置上,而完成註冊之程序。 請參照第2B面,完成註冊程序後,使用者再次登 入使用·時,認證程序包括如下步驟: [a]用戶端將其識別,ID ’ 一第三驗證因子N3、與 此程序所要使用之會談金鑰TKl合併產生一用戶端第三 11 本紙浪尺度適用中國«家櫟率(CNS ) A4规格( 210X297公釐) > ·1, ---:J thm m -♦ -( --- - I (請先w讀背面之注意事項再填寫本頁) 訂 經濟部中央梂準局興X消费合作社印裂 A7 B7五、發明説明(/〇 ) 簽體(TK1+ID+N3),用戶端對上述用戶端第三簽體以伺 服端之公開金鑰KSP進行加密,而得用戶端第三密件 C3=EN(KSP,TK2+ID+N3),並將上述用戶端第三密件 C3、上述識別碼ID、一確認請求Auth_req,及相關資料 傳送至伺服端。 [b] 伺服端接收到確認請求Auth_req後,以伺服端私 密金鑰Kss解開上述用戶端第三密件C3而獲得上述之會 談金鑰TK1、第三驗證因子N3、及識別碼ID等相關資 料,伺服端並由儲存裝置中找出使用者於上述註冊程序 中所對應之密碼封包OTP、以及整數η等相關資料。若 整數η小於2則用戶端之使用者須重新註冊,若整數η 不小於2,則伺服端產生一小於η的整數k及m而m = η -k 〇 再將會談金鑰Τία、整數m、第三驗證因子N3及相 關資料合併為伺服端第三簽體(m + N3 + Time4 + Salt), 以會談金鑰TK1對其加密而得伺服端第三密件S3 = EN(TK1,m+N3+Time4+Salt),並將伺服端第三密件S3 回傳給用戶端。 [c] 用戶端完成接收後,以上述之會談金鑰TK1解開 上述伺服端第三密件S3,而得上述整數m、上述第三驗 證因子N3,用戶端檢查上述第三驗證因子N3是否為原 先所送之值,並檢查系統時間Time4以驗證傳教時間是 .否在合理之範圍内。 ' 驗證正確後用戶端將使者輸入之個人密碼PWD合 12 I纸張尺度遑用中國國家標準(CNS ) A4規格(210X297公釐) -i \? m· 1 ^ (請先閲讀背面之注意事項再填寫本頁) 訂 .6 經濟部中央橾率局貝工消费合作杜印裝 A7 B7 五、發明説明(丨丨) 併加鹽值Salt後再進行m次雜凑運算而得一第一封包 OTPl=Hm(Salt+PWD),並產生一第四驗證因子N4,其中 上述加鹽值Salt即為註冊程序時之加鹽值。 [d] 用戶端以上述第一封包0TP1、上述第四驗證固 子(Ν4)、及相關之資料合併為用戶端第四簽體 (0TP1+N4+Time5),利用上述會談金鑰TKl對上述用戶 端第四簽體進行加密而得一用戶端第四密件 C4=EN(TK1,OTPl+N4 + Time5)後’將 C4 回傳送給 祠服端® [e] 伺服端接收到上述用戶端第四密件C4後,以上 述之會談金鑰TK1解開上述第四密件’而得上述之第一 封包0TP1,伺服端並驗證上述第四驗證因子(N4)是否為 原先所送之值,並檢查系統時間Time4以驗證傳輸時間 是否在合理之範圍内,若正確無誤則伺服端對上述第一 封包0TP1再進行k次雜湊算,其運算結果Hk(OTPl)與 註冊程序中儲存於伺服端之密碼封包OTP比對是否相 同,驗證正確後即儲存整數m於伺服端而取代原先之整 數η,同時儲存0TP1取代原來之OTP,之後將上述註冊 程序中產生之加密金鑰SK、密碼封包0ΤΡ1、及驗證成 功之訊息 Auth_yes 合併為伺服第四簽體 (0TP1+SK_+Auth_yes+Time6),將其以會談金鎗 TK1 加密 後得 S4=EN(TK1 , 0TP1+SK+Auth_y«s+Time6)後再回傳 給用戶端。 [f] 用戶端以會談金鑰TK1解開上述加密資料S4 13 本纸張尺度逋用tBI_家標率(CNS ) Λ4洗格(210X297公釐)~~ ' ______1;—f 裝______訂______0. * (請先閩讀背面之注$項再填寫本霣) 經濟部中央樣準局負工消费合作社印製 A7 B7 五、發明説明(G ) 後,而分別得到加密金餘SK、密碼封包OTP 1、及驗證 成功之訊息Auth_yes,並檢查系統時間Time6以驗證傳 輸時間是否在合理之範圍内,待確定驗證成功後,即對 使用者密碼PWD進行雜湊運而導出一密碼金鑰 PWK=H(PWD),用戶端使用上述加密金鑰SK與密碼金 鑰PWK對存於用戶端上之密文ECK解密以得到上述之 註冊程序中之用戶端金餘CK。 使用上述用戶端金鑰CK、密碼金鑰PWK和加密金 鑰SK對存於可攜式儲存裝置中之密文ECK解密而得到 使用者之私密資料DK,如此即完成證驗之過程,之後用 戶端之使者即可以利用其私密資料DK執行欲進行之動 作。 請參照第2C圖,當使用者欲更改密碼時,其更換 密碼程序包括如下步驟: [a] 用戶端將其識別碼ID,一第五驗證因子N5、與 此程序所要使用之會談金鑰TK2合併產生一用戶端第五 簽體(TK2+ID+N5),用戶端對上述用戶端第五簽體以伺 服端之公開金鑰KSP進行加密,而得用戶端第五密件 C5=EN(KSP, TK2+ID+N5),並將上述用戶端第五密件 C5、上述識別碼ID、一密碼更換請求CP_req,及相關資 料傳送至伺服端。 [b] 伺服端接收到密碼更換請求CP_req後,以伺服 端私密金鑰Kss解開上述用戶端第五密件C5而獲得上述 之會談金鑰TK2、第五驗證因子N5、及識別碼ID等相 14 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) {請先閲讀背面之注意事項再填寫本頁) 裝· ,ΤΓ .6. 經濟部t央棣準局貝工消费合作社印装 A7 _ ·_B7__ 五、發明説明(丨3 ) 關資料’伺服端並找出使用者於上述註冊程序中所對應 之整數η資料’伺服端再產生一正整數m=n-k、及整數I, 其中k也為整數,再將整數m、l、第五驗證因子N5及 相關資料合併為伺服端第五簽體(m+I+N5+N6+Time7+ Saltl+Salt2),以會談金鑰TK2對其加密而得伺服端第五 密件 S5=EN(TK2,m+I+N5+N6+Time7+ Salt+Saltl),並 將伺服端第五密件S5回傳給用戶端》 [c] 用戶端完成接收後,以上述之會談金鑰TK2解開 上述伺服端第五密件S5,而得上述整數m、I、上述第五 驗證因子N5,用戶端檢查上述第五驗證因子N5是否為 原先所送之值,且檢查系統時間Τΰηβ7是否在合理之範 圍内,驗證正確後用戶端將使者輸入之個人密碼PWD合 併加鹽值Salt 1進行m次雜湊運算而得一第一封包 OTPl=Hm(Salt+PWD),同時對使用者所輸入之新密 碼NPWD進行I次雜湊運算,而得一第二封包 Ο τ P 2 = Hi(Saltl + NPWD)。 [d] 用戶端以上述第一封包0TP1、第二封包0TP2, 及上述第六驗證因子N6、及相關之資料合併為用戶端第 六簽體(OTP 1 +OTP2+N6+Time8),利用上述會談金鑰TK2 對上述用戶端第六簽體進行加密而得一用戶端第六密件 C6=EN(TK2,OTPl+OTP2+N6+Time8)後,將 C6 回傳送 給伺服端。 & [e] 伺服端接收到上述用戶端第六密件C6後,以上 述之會談金鑰TK2解開上述第六密件C6,而得上述之第 15 本紙張尺度逋用中國國家樣準(CNS ) A4規格(210X297公釐) " --- n I l· n L· ^ HI * (請先閱讀背面之注意事項再填寫本買) 訂 6 經濟部中央揉準局負工消费合作社印*. A7 B7 五、發明説明(綷) 一封包0TP1和第二封包,伺服端並驗證上述第六驗證 因子N6是否為原先所送之值,且檢查系統時間 是否在合理之範圍内;若正媒無誤則伺服端對上述第一 封包0TP1進行k次雜湊算’其運算結果與註冊程序t 儲存於伺服端之密碼封包比對是否相同’驗證正確後即 儲存整數I於伺服端而取代原先之整數n’也將第二封包 儲存於伺服端,並產生一新加密金鑰NSK’將註冊程序 產生之加密金瑜SK和新加密金鑰NSK、以及第一封包 0TP1與第二封包0TP2、及更換成功之訊息CP_yes合併 為伺服第六簽體(0TP1 + 0TP2 + SK + NSK + CP_yes + Time9 ),將其以會談金鑰加密後回傳給用戶端。 [f]用戶端以會談金鑰TK2解開上述加密資料後,而 分別得到加密金鑰SK、新加密金鑰NSK’第一封包0TP1 和第二封包0TP2、及更換成功之訊息CP_yes,確定更 換成功後,且檢查系統時間Time9是在合理之範圍内後。 先以PWK及SK解出存於用戶端的密文ECK,再用 CK合併使用者的個人密碼所導出的金鑰PWK以及SK 解出原先加密存於可攜式儲存裝置中的密鑰密文EDK, 之後用戶端即自行產生一用戶端新金鑰(NCK),利用先前 獲得之NSK與使用者之新密碼NPWD而導出的NPWK 加密NCK儲存於用戶端上,再以NPWK、NSK及NCK 加密DK而將結果存於可攜式儲存裝置t。 實施例三之一:(使用於簽章控管的群醴導向數位f章, 制) 16 本紙张尺度適用中國國家標準(CNS ) A4規格(2丨0X297公釐) ------1丨_i-T 裝------1T------0 (請先Μ讀背面之注意事項再填寫本買) 經濟部中央標準局貝工消費合作社印製 A7 B7_五、發明説明(丨6* ) 一種識別卡安全控管方法,為多重簽章方式之群導 向數位簽章系統下,用以防止用戶在無意下簽出文件之 控管方法,其包括如下步驟:當要簽出文件時,以用戶 端使用者之私密金鑰先行對上述文件簽章而得一第一簽 章,再以伺服端之私密金鑰對上述第一簽章再行簽章而 得到一第二簽章,而完成簽章之過程;以及在驗證過程 中,將上述第二簽章先以伺服端之公開金鑰解開而得一 驗證簽章,再將上述驗證簽章以使用者之公開金鑰解開 而得一驗證文件,比較上述第一驗證文件與上述原先送 出之文件是否相同,若正確則表示簽章係為正確無誤。 下文中以RSA簽章系統下建構本發明簽聿控管系 統之實施例。 於RSA系統之多重簽章方式之群導向數位簽章系 統下,用以防止用戶在無意下簽出文件之控管方法,其 包括如下步驟: 用戶端與伺服端之公開金錄分別為up及sp,其模 數為Nu和Ns,而其相對應之之私密金鑰分別為us和ss; 在簽章過程時,首先以用戶端的私密金鑰us對文件 Μ簽章而得SIG卜Mus mod Nu,再用伺服端的私密金鑰 ss 對 SIG1 簽章而得 SIG2=SIG1SS mod Ns ; 在驗證過程時,收文者要驗證文件Μ之簽章SIG2 時,先用伺服端的公開金鑰sp贫算SIG2sp mod Ns而解 得SIG1,号以用戶端之公開金鑰up計算SIGlupmodNu 而解得一待驗證值Ml ; 17 本紙張尺度適用中國國家揉準(CNS ) A4規格(2丨0X297公釐) * *1 ϋι—HIL---r 、裝-- * (請先閲讀背面之注意事項再填寫本頁) 訂 經濟部中央樣準局貝工消费合作社印裝 A7 B7_ 五、發明説明(4) 檢查Ml與文件Μ是否相等,若相等則SIG2才是 正確的簽章,否則不是正確簽章。 由上述可知,本機制其文件之簽出須先經由用戶端 簽章後,再經由伺服端簽過一次,所以具有雙重驗證之 功能,所以不會發生因使者疏忽下或操作錯誤之情形 下,而簽出文件。 實施例三之二:(使用於簽章控管的群艘導向數位簽 章機制) 一種識別卡安全控管方法,為在群體簽章方式之群 導向數位簽章系統下,用以防止用戶在無意下簽出文件 之控管方法,其方法為: 伺服端與用戶端使用者兩者對外只有一共通公開金 鑰,伺服端與用戶端使用者各有其私密金鑰和與其私密 金鑰相對應之公開金鑰,上述共通公開金鑰係由伺服端 公開金鑰與使用者公開金鑰而得,而欲簽出之文件須先 經使用者之私密金鑰簽過後,再由伺服端之私密金鑰簽 過才可送出,當要驗證所簽出文件之簽章時則須使用上 述共通公開金鑰對所簽出之文件解密後加以比對即可。 下文將以ElGamal之變型系統建構本發明簽章控管 系統之實施例。 一種識別卡安全控管方法,植基於ElGamal之變型 系統彳為在群體簽章方式之群導向數位簽章系統下,用 以防止用戶在無意下簽出文件之控管方法,上述系統存 在一生成子g及一大質數P,用戶端使用者之私密金鑰為 18 本紙張尺度適用中國國家標準(CNS ) A4C格(210X297公釐) (請先閲讀背面之注意事項再填寫本頁) 經濟部_央樣準局員工消费合作社印製 A7 B7五、發明説明(β) us,而其相對應之公開金瑜為up=gus mod P,祠服端私密 金鍮為ss,而其相對之公開金餘為sp=gss mod P,而兩者 對外之共通公開金鑰為Y=(upxsp)modP,上述控管方法 之特德^在於:當用戶端之使用者欲簽出文件(M)時,用戶 端與伺服端依下列步驟進行簽章過程及驗證過程: 簽章過程時: [έ]用戶端與伺服端分別產生隨機變數kl及k2 ; [b] 用戶端計算rl=gkl mod P,同時伺服端也計算 r2=gk2 mod P,之後用戶端與伺服端互相交換rl及r2 ; [c] 用戶端與伺服端均計算R=(rlxr2) mod Ρ ; [d] 用戶端先驗證spM與(r2Rxgss)mod P是否相等,若 兩者相等則用戶端計算Sl=(usxM-klxR)mod (P-1);及 [e] 伺服端驗證P是否相等,若 兩者相等則伺服端計算S2=(ssxM-k2xR) mod (P-1),若不 相等則結束簽章程式重頭進行;否則SIG=(R,S = (S1+S2) mod P-1)即作為對文件Μ之簽章。 II.在驗證過程時: 以共通公開金鑰Υ驗證YM mod Ρ是否與RRxgs mod P相等,若相則表示SIG為文件Μ之正確簽章,否則不 是正碟的簽章。 由上述可知,本機制其文件之簽出,須先經由用戶 端簽章後,再經由伺服端簽過一次,所以具有雙重驗證 之功能,所以不會發生因使者疏忽下或操作錯誤之情形 下,而簽出文件β 19 ------:---λ—、裝-- « (請先閱讀背面之注意事項再填寫本頁) 訂 .6 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 經濟部中夬樣準局貞工消费合作社印裝 A7 B7 五、發明説明(1¾) 實施例四之一:(金鑰回復機制) 一種識別卡安全控管方法,可藉以建構成使用於儲 存裝置之金鑰回復系統,上述系統可建置於一金鑰交換 系統其已公佈一公開值(M),以及具有第一金餘回復中心 (TKRC1)及第二金鑰回復中心(TKRC2)之作業環境下,上 述金鑰回復系統之控管方法如下步驟: [a] 用戶端與伺服端先執行如第二實施例所示,相互 認證之程序,認證完成後伺服端可得一加密金鑰(SK)及 儲存裝置上之私密資料(DK),並由自己所選之密碼而獲 得 PWK。 [b] 用戶端產生兩大質數p和q,其中pxq=N,N為 一模數。 [c] 用戶端與第一金餘回復中心(TBCRC1)利用上述金 鑰交換系統或是執行上述相互認證之程序而獲得一第一 共享金鑰(SK1),同時亦與第二金鑰回復中心(TKRC2)進 行相同之程序而獲得一第二共享金鑰(SK2)。 [d] 第一與第二金鑰回復中心(TKRC1和TKRC2) 分別產生一第一媒介數(R1)和第二媒介數(R2),再分別利 用其與用戶端間之第一和第二共享金鑰(SK1和SK2),而 對上述之第一與第二媒介數加密後’傳送給用戶端。 [e] 用戶端接到上述第一和第二媒介數後,藉兩者以 產生一公開金鑰,若無法產生上述公開金鑰(PK)則 重覆步驟c、d、e直到可以得出一公開金鑰為止;其中 上述公開金鑰PK符合下列之式子,PKx(f<Rl,R2)) = 1 20 本^張尺度逋用中國®^準(CNS )八4祕(21〇χ—297公釐〉一 " ------rI-、裝------訂------C * (請先閲讀背面之注意事項再填寫本頁) 經濟部中央橾準局貝工消费合作杜印製 A7 _^_B7_五、發明説明(θ) mod F(N),其中 F(N)=(p-l) X (q-l)或 F(N)為(p-l)和(q-l) 之最小公倍數,而用戶端相對於PK之私密金鑰為S = f(Rl,R2) mod F(N)。而上述f(Rl,R2)可依需要選擇為 R1+R2 或 RlxR2。 [f] 用戶端計算MPK modN而得一生成子C,並將上 述生成子C、公開金鑰PK'及模數N傳送給上述第一金 鎗回復中心(TKRC1),及第二金鑰回復中心(TKRC2),並 將上述公開金鑰PK、模數F(N)傳送至一認證中心CA。 [g] 第一金鑰回復中心(TKRC1)計算Ml =CR1 modN 後,並將其傳送給第二金鑰回復中心(TKRC2),同時,第 二金鑰回復中心(TKRC2)計算M2=CR2 mod N,並將其傳 送給第一金鑰回復中心(TKRC1); [h] 第一金鑰回復中心(TKRC1)計算Ml* = CR1 mod N、或 Ml* =(CR1xCR2)modF(N)其端視所選擇之 f(Rl , R2) 而定,並驗證檢查]Vil*是否等於Μ,同時,第二金鑰回 - * In ml 9 nn n e (請先閲讀背面之注意事項再填寫本頁) 訂 算 M2* = CR2 mod Ν、或 M2* =(CR2xCR1)mod F(N)其端視所選擇之f(Rl,R2)而定, 並驗證檢查1^12*是^等於M,若通過驗證,則其中第一 和第二金鑰回復中心分別利用其各自之的私密金鑰對公 開金鑰PK及模數N簽章後再將其傳送至上述認證中心 CA。 [i]上述認證中心收到第一和第二金鑰回復中心對公 開金鑰PK及模數N之簽章後,待驗證通過後即對PK及 N作一憑證證明,再回傳給用戶端之使用者; 21 復中心(TKRC2)計 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) 經濟部中央揉攀局貝工消费合作社印装 A7 —_B7 五、發明説明(2〇) [j]用戶端則可使用加密金鑰SK,私密資料DK及 PWK加密用戶之私密金鑰S及其他個人私密金鑰》 如上所述,當用戶之金鑰遺失或有爭端,而必須由 第三者舉證時,即由第一和第二金鑰回復中心及認證中 心呼叫出相關之資料,如R1和R2藉S=(RlxR2)mod F(N)、或 S=(Rl+R2)mod F(N)其端視所選之 f(Rl,R2)而 定,以導出用戶端私密金鑰S。 實施例四之二:(金鑰回復機制) 一種識別卡安全控管方法,可藉以建構成使用於儲 存裝置之金鑰回復系統,上述系統可建置於一金鑰交換 系統其已公佈一公開值(Μ),以及具有第一金鑰回復中心 (TKRC1)及第二金鑰回復中心(TKRC2)之作業環境下,上 述金鑰回復系統其植基於解離散對數困難度的密碼系統 已存在一大質數Ρ及產生子g,其控管方法如下步驟: [a] 用戶端與伺服端先執行一如第二實施例之相互 認證之程序,認證完成後伺服端可得一加密金鑰(SK)及 儲存裝置上之私密資料(DK),並由自己所選之密碼而獲 得之PWK。 [b] 用戶端與第一金鑰回復中心(TKRC1)利用上述金 鑰交換系統或是執行上述相互認證之程序而獲得一第一 共享金鑰(SK1),同時亦與第二金鑰回復中心(TKRC2)進 行相同之程序而獲得一第二#享金鑰(SK2)。 [c] 第一金鑰回復中心(TKRC1)產生一第一媒介數 (R1),利用其與用戶端間的共享金鑰SK1加密後傳送給 22 本紙張尺度通用中國國家標¥ ( CNS ) Λ4規梢^U10X297公嫠) — (請先W讀背面之注意事項再填寫本頁) 裝·The Ministry of Economic Affairs, the Central Government Bureau of the Ministry of Economic Affairs, cooperation in charge of work-relief, Du Yin oxygen A7 B7 V. Description of the invention (ί) The present invention relates to a set of security control methods for a token card, and particularly relates to the use of cryptography to increase Decryption, digital electronic signature technology, and the concept of decentralized confidentiality to control the security and reliability of the network operating environment. Such identification cards can be all kinds of portable storage devices (storage media) such as soft magnetic disks, IC cards, ZIP or M0. Due to the increasing popularity and prevalence of commercial applications of the Internet, Internet offices and e-banks have also developed rapidly, and the correctness of electronic information transmission is the end-roller cipher element and the high degree of confidentiality of its security control mechanism. Protecting the rights and interests of everyone β As far as the network operating environment is concerned, users must rely on the integrated operation of their respective identification devices, registration machines, operating software, and general agreements to allow users to successfully operate on their clients Sign in and complete verification. And when users access the network, they are also the most likely to reveal their own secrets. “So in a network system, the client is often the least protected part,” which is easily intercepted and used by intruders. "Breaking the System" In addition, due to the availability of data on the Internet, users of software used in their login (client) are often subject to the potential threat of computer viruses. "Current software protection, divided by anti-virus software There is no obvious way to detect if the software has been tampered with by a virus. In terms of storage media (storage devices), the theoretical discussion generally assumes that storage media is very secure, such as using a 1C card or a signature card, but such equipment is more expensive and requires additional equipment. Therefore, it cannot be promoted in a large amount in the short term. ”And magnetic disk is a cheap and popular storage medium. The paper ilUUl is applicable to the Chinese National Mou (CNS) A4 Washer (210X297 mm) 111. — —J-lk — ^, installed --- II—Order ------ " " Cj (please read the notes on the back before filling out this page) Staff Consumer Cooperation of the Central Bureau of Standards of the Ministry of Economic Affairs Du printed A7 B7 V. Description of the invention (?) However, its security is low. At present, there are methods to increase the security of magnetic disks by using PKCS # 5. However, it is often easy to be cracked by dictionary attacks. In the current network security mechanism, the secret to ensure security is If the key is lost due to various factors, it will make the encrypted data unavailable and increase troubles. Therefore, the key recovery system is necessary for the secure transmission of the network. In the network file exchange environment, Document validity For a long time, in the modern fast-moving technology, the possibility of tampering and impersonation of electronic documents is quite high. Therefore, a set of verification mechanism for the ownership of electronic documents is designed so that even if the signature key is cracked, it is still There is no danger of being spoofed, in order to provide the necessary protection of the sending end, it is necessary. In view of this, the present invention proposes a set of identification card security control methods for the problems that may be encountered in the above-mentioned network applications. It includes the following parts: 1. The inspection mechanism to check whether the files in the system have been tampered with, to detect whether the files in the system have been invaded by intruders or viruses. 2. The control mechanism of the plant-based mutual authentication system is used to: Prevent intruders from using dictionary or brute-forcing attacks on encrypted data, and then prevent users from logging in on unsecure machines. 3. A group-oriented digital signature mechanism used for signature control, by After the user completes the authentication with the server, after the document is signed by the user, it must be signed by the server to prevent the user from inadvertently or Check out the document if you make a mistake. (Please read the precautions on the back before filling out this page.) This paper size applies to the Chinese National Standard (CNS> A4 specification (2 丨 0X297 mm). 5. Description of the invention (3 A7 B7. 4. The key recovery mechanism can be used to derive the key when the user's key is lost or there is a dispute and a fair third party needs to prove it. 5. The key recovery and decryption mechanism. 6. The ownership verification mechanism, To ensure that others cannot counterfeit or insert other forged documents between the issued documents. In order to make the above-mentioned objects, features, and advantages of the present invention more obvious and understandable, the control methods of the above-mentioned parts are specifically targeted below. The preferred embodiment will be described in detail with the accompanying drawings as follows. A brief description of the circle is shown below: The first diagram shows the directory structure of the software-^ 1-, -I HI 11 ^ 1 an nn mu t Jn (please read the precautions on the back before filling in this f). 2A ~ printed by the Central Government Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperative, shows the operation process of the second embodiment of the present invention. Figures 3A ~ 3B are the reply key encryption and decryption mechanisms, which are the data transmission and verification procedures, and the key and ciphertext recovery procedures, respectively. Embodiment 1: (Check mechanism for checking whether the crotch case of the system has been tampered with) An identification card security control method is used to detect and prevent the files in the client computer system from being tampered with by intruders or damaged by viruses. This control method is used in The operating mechanism on the client computer system includes the following two procedures: checking software installation procedures; and program testing procedures. Checking the software installation procedure includes the following steps: For each file and directory under each subdirectory under the root directory of the software to be controlled, use the "security hash function" to generate a corresponding first file hash value, and Stored on the client computer system; set the hash value of each first file in each sub-directory separately and set the paper size Common Chinese National Standard (CNS) A4 Specification (2 丨 OX 25 > 7 mm} Economy Printed by the Central Bureau of Standards of the People ’s Republic of China Consumer Cooperative A7 B7 5. Description of the invention (middle), and then use the security hash function to generate the corresponding first directory hash value, and store the first directory hash value in each Subdirectories: Repeat this way, the same actions are performed on the subdirectories under each level of the root directory to obtain the corresponding file hash value and directory hash value, and store them in the client computer system and each subdirectory. Until all the sub-directories in the root directory have their relative directory hash values, and then in this root directory, the hash values of all directories in the root directory are combined. And use a secure hash function to generate a first root directory hash value; use the private key of the client to sign the root directory hash value, and store the signature result on one of the user ’s portable storage devices ( (Identification card); and store the program verification program in the portable storage device. At this time, the storage device can be set as read-only to complete the verification software installation process. The program detection process includes the following steps : Run a program verification program; the verification program will use the secure hash function to generate a corresponding second file hash value for each file in the sub-directory under the root directory of the software the client wants to test, and check that it is stored with the client Whether the hash values of the first files are equal. If they are not equal, it means that the program in the software to be tested has been tampered with or the version is not consistent, and the testing process is stopped. Combine the hash values of the files in each sub-directory separately, and then use the security hash function to generate the corresponding hash value of the second directory. Compare the hash value of the second directory with the hash value of the first directory stored in each of the above sub-directories. If they are not equal, it means that the program in the software to be tested-niLmL,-, install-... ( Please read the notes on the back before filling in this page) The size of the paper is applicable to the Chinese National Standard (CNS) A4 specification (210X297 mm) Printed on the A7 _ ^ _ B7 by the Central Working Group of the Ministry of Furnishings ___ ^ _ B7 V. Invention Explanation (5): The detection procedure was stopped due to tampering or version inconsistency. Repeat the above check for sub-directories under each layer until all sub-directories under the root directory have their relative hash values for the second directory and all After verification, the hash value of the directory under the root directory is combined under the root directory, and a second hash value of the s-record is generated using the security hash function, which is then combined with the hash value of the first root directory stored on the client. In contrast, if they are not equal, it means that the program in the software to be tested has been tampered with or the version is not consistent, and the testing process is stopped. Finally, the hash value of the second directory is signed, and the portable Storage means reads out the result of the first signature root directory of the hash value, whether the two coincide test positive, it indicates that the client do not meet the case where the program has been tampered with or discrepancies editions. Assume that the file structure of the software to be controlled is shown in Figure 1. In checking the software installation procedure, first, a hash operation is performed on the root directory of the software to be controlled, the files or directories A ~ G under each directory to obtain a hash value hs (A) ~ hs (G), and hs ( A) The value of hs (G) is stored in the electric cat system on the user side. After combining the hash values hs (A) and hs (B) in the I subdirectory, for example, taking a mutex operation and then performing a hash operation to obtain the subdirectory hash value hs (I), the same can be obtained. The sub-directory hash value hs (II) is stored in the respective sub-directory. Combine the hash values hs (I), hs (E), and hs (F) in subdirectory III, and then perform a hash operation to obtain the subdirectory hash value hs (III). Similarly, subdirectory IV After the following hash values hs (II) and hs (G) are combined, $ is then hashed to obtain the subdirectory hash value hs (IV), and these subdirectory hash values are stored in the respective children. Directory. Finally, the hash value (please read the notes on the reverse side before filling out this page) This paper size uses the Chinese national standard (CNS > Α4 size (210 × 297 mm)) The Central Bureau of Standards of the Ministry of Economic Affairs and the consumer cooperation Du printed A7 B7 V. Description of the invention (6) hs (III) and hs (IV) are combined, and then a hash operation is performed to obtain a directory hash value hs (root). Finally, the private key of the client is used. Then, the hash value hs (root) of the root directory is signed, and the result of the signature is stored in the portable storage device of the user, and then the program verification program is stored in the portable storage device, which is completed. Check the software installation process. In the program testing process, first execute the above program checking program, which checks each file in the subdirectory under the root directory of the software that the client wants to test, and uses the security hash function to generate the corresponding hash value. hs * (A) ~ hs * (G), and check one-to-one with the hash value hs (A) ~ hs (G) stored in the client. If they are not equal, the software program to be tested. The program has been tampered with or the version does not match. Otherwise, the above test program generates hs * (I) ~ hs * (IV) and hs * (root) respectively according to the process of the installation process, and then checks the hash value stored on the client one by one. If hs (I) ~ hs (IV) and hs (root) are not equal, the program of the software to be tested has been tampered with or the version does not match and the process is stopped. Finally, the hash value hs * (root ) Sign and read the signature result of the first directory from the portable storage device t, check whether the two are consistent, if not, it means that the software program to be tested has been tampered with Or the version does not match, and complete the verification process. As can be seen from the above, by examining one by one, any changes in all file structures can be detected, so that users know the client- * S1. — ≫ 1- i nn HI — ^ n alL-p ι_ϋ n-(Please read the precautions on the back before filling out this page) Whether the program you have written has been tampered with or the version does not match Standard (CNS) A4 size (210X297 mm) Cooperative Du Indian Oxygen End Private Key Kss A7 B7 V. Description of the Invention (Ί) Example 2: (Control and Control Mechanism of Plant-Based Mutual Authentication System) Please refer to circles 2A to 2C, which shows the operation process of this embodiment The simplified diagram below will explain this embodiment in conjunction with 2A ~ 2C "One of the control mechanisms of the planting base pine mutual authentication system of the present invention is mainly using the password between the server, the client and its portable storage device Mutual authentication method to prevent intruders from performing dictionary or honeypot search attacks on encrypted confidential data in portable storage devices, and thus prevent users from logging in using unsecure machines. The operation mechanism of the above-mentioned control method on the client computer system includes the following three procedures: I. Registration procedure ′ The control method for the first login use. II. Authentication process. After the user completes the registration process, log in again to use the control method. III. Password Replacement Procedure "Please refer to Figure 2A. The registration procedure includes the following steps: [a] The client uses its identification code Π3, a talk key TK (sometimes also called the communication base code), and a first verification The factor > Π and related data are combined to generate a client first sign (TK + ID + N1), and the client encrypts the client first sign with the server's public key KSP to obtain the user The client ’s first confidential C1 = EN (KSP, TK + ID + N1) sends the client ’s first confidential C1, identification ID, a registration request Reg_req, and related data to the server. ⑼ After the server-side Yiqiwen reaches the above registration request Reg_req, the server unlocks the first confidential C1 of the client to obtain the aforementioned paper size. Use Chinese national standards (CNS > A4 format (210X 297 mm)- --------- '1—Γ " -install ------ order ------ * {Please read the note f on the back before filling this page) A7 B7 Central Department of Liji Printed by the Zhuhai Bureau Shellfish Consumer Cooperative Co., Ltd. 5. Relevant information such as the talk key TK, the first verification factor N1, and the identification code ID of the invention description (δ). The server generates an encryption key SK, a second verification factor N2, and an integer η '. The server uses the encryption key sk, the integer n, the first verification unit N1, the second verification factor N2, and related data. The first signature of the server (η + N2 + N 1 + SK + Time 1 + Salt) is combined, and the first signature of the server is encrypted with the talk key TK to obtain a first secret of the server Sl = (TK, n + N2 + Nl + SK + Timel + Salt), and then send S1 back to the client, where Timel is the system time, and Salt is a salt value 'This salt value can make each output different [C] After the client finishes receiving, use the talk key TK to unlock the first secret S1 of the server, and obtain the integer η, the encryption key SK, the first verification factor N1, and the second Verification factor N2, system time Timel, and salt value Salt. The client checks whether the first verification factor (N1) is the value originally sent, and checks the system time Timel to verify whether the transmission time is within a reasonable range. After the verification is correct, the client will combine the personal password PWD with the salt value Salt. Perform a hash operation η times to obtain a password packet OTP = Hn (Salt + PWD); [d] The client uses the above-mentioned password to encapsulate OTP, the second verification factor N2, and the system time Time2 as the second signing of the client ( 0TP + N2 + Time2), using the talk key (TK) to encrypt the second signature of the client to obtain a client ’s seventh secret C2 = EN (TK, OTP + N2 + Time2), then C2 Send to the server "| >] After the server receives the above-mentioned second secret C2 from the client, the above 10-» -1 ^^ 1 — ^ 1--n ^ im I * (Please read the precautions on the back first Please fill in this page again) Order-LT. This paper size is applicable to Chinese National Standard (CNS) A4 (210X297mm). The Central Ministry of Economic Affairs, Central Bureau of Standards, Bureau X, Consumer Consumption Agency, printing A7 ______ B7 _—___ 5. Description of the invention ( ί) The talk key TK unlocks the second secret C2 and obtains the above-mentioned cryptographic packet OTP, servo And verify that the second verification factor is the value originally sent, and check the system time Time2 to verify whether the transmission time is within a reasonable range. If it is correct, store the above-mentioned cryptographic packet OTP and the integer η on the server. Benefits a registration mark Reg_yes. The server uses the above-mentioned password packet 0TP, the registration mark Reg_yes, and the system time Time3 as the second signing body of the server (OTP + Req_yes + Time3). The above-mentioned session key is used to encrypt the second signing server to obtain a server. The second secret S2 = EN (TKL, OTP + Req_yes + Time3), and then send S2 back to the client. [f] After the client unlocks the second secret S2 of the server with the talk key, and receives the registration mark Reg_yes to confirm that the registration is correct, and the system time Time3 has been checked to verify whether the transmission time is within a reasonable range, it is generated by itself A client key CK and a hash of the user password PWD are derived to derive a password key PWK = H (PWD). Using the encryption key SK and the cryptographic key PWK, the client key CK is encrypted into a client ciphertext ECK and the result is stored on the client. In addition, the above-mentioned client key CK and password key PWK are also used to encrypt the user's private data DK: encrypted into a key cipher text EDK, and stored on the portable storage device to complete the registration process. Please refer to Section 2B. After completing the registration process, when the user logs in again, the authentication process includes the following steps: [a] The client recognizes it, ID 'a third verification factor N3, talks to be used with this program The key TK1 merges to produce a third client 11 paper wave scale applicable to China «House Oak Rate (CNS) A4 specification (210X297 mm) > · 1, ---: J thm m-♦-(---- I (please read the notes on the back before filling this page) Order the Central Government, the quasi- bureau Xing X Consumer Cooperatives A7 B7 V. Invention Description (/ 〇) Signature (TK1 + ID + N3), client Encrypt the third client of the client with the public key KSP of the server, and obtain the client's third secret C3 = EN (KSP, TK2 + ID + N3), and the client's third secret C3, the above The identification code ID, a confirmation request Auth_req, and related data are transmitted to the server. [B] After receiving the confirmation request Auth_req, the server uses the server's private key Kss to unlock the third secret C3 of the client and obtain the above-mentioned talks. The key TK1, the third verification factor N3, and the identification code ID, etc. The relevant information such as the password packet OTP and the integer η corresponding to the user in the above registration process are found in the storage device. If the integer η is less than 2, the user of the client must re-register. If the integer η is not less than 2, then The server generates an integer k and m less than η and m = η -k 〇 Then the key Τα, the integer m, the third verification factor N3, and related data are combined into the third sign of the server (m + N3 + Time4 + Salt), encrypting it with the talk key TK1 to obtain the server's third secret S3 = EN (TK1, m + N3 + Time4 + Salt), and return the server's third secret S3 to the client. [C ] After the client finishes receiving, use the talk key TK1 to unlock the third secret S3 of the server, and obtain the integer m and the third verification factor N3. The client checks whether the third verification factor N3 is the original one. Send the value and check the system time Time4 to verify that the mission time is within a reasonable range. 'After the verification is correct, the personal password entered by the client will be PWD conforming to 12 I paper size, using China National Standard (CNS) A4 Specifications (210X297 mm) -i \? M · 1 ^ (please first (Please read the notes on the back and fill in this page again.) No. 6 The Ministry of Economic Affairs Central Government Bureau of Shellfish Consumer Cooperation Du printed A7 B7 V. Description of the invention (丨 丨) and add the salt value Salt and then perform m hash operations. A first packet OTPl = Hm (Salt + PWD) is obtained, and a fourth verification factor N4 is generated, wherein the above-mentioned salt value Salt is the salt value during the registration process. [d] The client uses the above-mentioned first packet 0TP1, the above-mentioned fourth verification element (N4), and related information to merge into the client-side fourth signature (0TP1 + N4 + Time5), and uses the above-mentioned talk key TK1 to the above-mentioned The client ’s fourth signature is encrypted to obtain a client ’s fourth secret C4 = EN (TK1, OTPl + N4 + Time5), and 'C4 is sent back to the temple server. [E] The server receives the above-mentioned client After the four secrets C4, use the talk key TK1 to unlock the fourth secrets to get the first packet 0TP1. The server verifies whether the fourth verification factor (N4) is the value originally sent, and checks The system time is Time4 to verify whether the transmission time is within a reasonable range. If the transmission time is correct, the server will perform k hash operations on the first packet 0TP1. The calculation result Hk (OTPl) and the password stored in the server during the registration process. The packet OTP comparison is the same. After the verification is correct, the integer m is stored on the server and replaces the original integer η. At the same time, OTP1 is stored instead of the original OTP, and then the encryption key SK and the password packet 0TP1 generated in the above registration process are replaced with Verification success The information Auth_yes is merged into the fourth servo (0TP1 + SK_ + Auth_yes + Time6), which is encrypted with the talk gun TK1, and S4 = EN (TK1, 0TP1 + SK + Auth_y «s + Time6) is then returned to user terminal. [f] The client uses the talk key TK1 to unlock the encrypted data S4 13 This paper size uses tBI_ house standard rate (CNS) Λ4 wash grid (210X297 mm) ~~ '______1; —f install ______ Order ______0. * (Please read the note $ on the back before filling in this note) The Central Samples Bureau of the Ministry of Economic Affairs printed A7 B7 V. After the invention description (G), you will get the encryption balance SK , Password packet OTP 1, and authentication success message Auth_yes, and check the system time Time6 to verify whether the transmission time is within a reasonable range. After the authentication is determined to be successful, the user password PWD is hashed to derive a password key. PWK = H (PWD), the client uses the encryption key SK and the cryptographic key PWK to decrypt the ciphertext ECK stored on the client to obtain the client's remaining balance CK in the registration process described above. Use the client key CK, cryptographic key PWK, and encryption key SK to decrypt the ciphertext ECK stored in the portable storage device to obtain the user's private data DK. This completes the verification process, and the client then The messenger can then use his private information DK to perform the desired action. Please refer to Figure 2C. When the user wants to change the password, the password replacement process includes the following steps: [a] The client ID, its fifth verification factor N5, and the talk key TK2 to be used with this program. The fifth signature of the client (TK2 + ID + N5) is generated by the merger. The client encrypts the fifth signature of the client with the public key KSP of the server, and the client ’s fifth secret C5 = EN (KSP , TK2 + ID + N5), and transmits the fifth secret C5 of the client, the identification ID, a password replacement request CP_req, and related data to the server. [b] After receiving the password replacement request CP_req, the server uses the server's private key Kss to unlock the client ’s fifth secret C5 to obtain the talk key TK2, the fifth verification factor N5, and the identification code ID. 14 This paper size is in accordance with Chinese National Standard (CNS) A4 (210X297 mm) {Please read the notes on the back before filling this page). Install A7 _ · _B7__ 5. Description of the invention (丨 3) About the data 'server and find out the integer η data corresponding to the user in the above registration process' The server generates a positive integer m = nk and integer I, Where k is also an integer, then the integers m, l, the fifth verification factor N5, and related data are combined into the server's fifth signature (m + I + N5 + N6 + Time7 + Saltl + Salt2). The server's fifth secret S5 = EN (TK2, m + I + N5 + N6 + Time7 + Salt + Saltl) is encrypted, and the server's fifth secret S5 is returned to the client. [C] The client finishes receiving Then, use the above-mentioned talk key TK2 to unlock the fifth secret S5 of the server, and obtain the integers m, I, and The fifth verification factor N5 is described. The client checks whether the above fifth verification factor N5 is the value originally sent, and checks whether the system time Tΰηβ7 is within a reasonable range. After the verification is correct, the client will merge the personal password entered by the messenger PWD and The salt value Salt 1 is hashed m times to obtain a first packet OTPl = Hm (Salt + PWD). At the same time, the new password NPWD inputted by the user is hashed one time to obtain a second packet 0 τ P 2 = Hi (Saltl + NPWD). [d] The client uses the above-mentioned first packet 0TP1, the second packet 0TP2, and the above-mentioned sixth verification factor N6, and related information to merge into the client's sixth signature (OTP 1 + OTP2 + N6 + Time8), using the above The meeting key TK2 encrypts the sixth signature of the client and obtains a sixth secret C6 = EN (TK2, OTPl + OTP2 + N6 + Time8) of the client, and then transmits C6 to the server. & [e] After receiving the client ’s sixth confidential C6, the server uses the talk key TK2 to unlock the sixth confidential C6, and obtains the 15th paper size above. ) A4 size (210X297mm) " --- n I l · n L · ^ HI * (Please read the precautions on the back before filling in this purchase) Order 6 Printed by the Central Ministry of Economic Affairs, Central Bureau of Standards and Labor, Consumer Cooperatives * A7 B7 V. Description of the invention (i) One packet, 0TP1 and the second packet, the server verifies whether the above-mentioned sixth verification factor N6 is the value originally sent, and checks whether the system time is within a reasonable range; If there is no error, the server will perform the hash calculation on the first packet 0TP1 k times. Its operation result is the same as the registration procedure t The password packet comparison stored on the server is the same. After the verification is correct, the integer I will be stored on the server instead of the original integer. n 'also stores the second packet on the server, and generates a new encryption key NSK' The encrypted Jinyu SK and the new encryption key NSK generated by the registration process, the first packet 0TP1 and the second packet 0TP2, and the replacement Success message CP_yes merged into Serve the sixth sign (0TP1 + 0TP2 + SK + NSK + CP_yes + Time9), encrypt it with the talk key and send it back to the client. [f] After the client decrypts the encrypted data with the talk key TK2, the client obtains the encryption key SK, the new encryption key NSK ', the first packet 0TP1 and the second packet 0TP2, and the message of successful replacement CP_yes. After success, and check the system time Time9 is within a reasonable range. First use PWK and SK to extract the ciphertext ECK stored on the client, and then use CK to combine the key PWK derived from the user's personal password and SK to extract the key ciphertext EDK that was originally encrypted and stored in the portable storage device. After that, the client generates a new client key (NCK) on its own. The NPKK encrypted NCK derived from the previously obtained NSK and the user's new password NPWD is stored on the client, and the DK is encrypted with NPWK, NSK, and NCK. The result is stored in the portable storage device t. One of the third embodiment: (used in the group-oriented digital f chapter for signature control), 16 paper sizes are applicable to China National Standard (CNS) A4 specification (2 丨 0X297 mm) ------ 1丨 _iT Pack ------ 1T ------ 0 (Please read the notes on the back before filling in this purchase) Printed by the Central Standards Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperative, A7 B7_V. Description of the invention (丨 6 *) An identification card security control method, which is a group-oriented digital signature system with multiple signature methods, to prevent users from unintentionally checking out documents, including the following steps: When the document is issued, the above-mentioned document is firstly signed with the private key of the client and the first signature is obtained, and then the first and second signatures are signed with the private key of the server to obtain a second signature. Sign and complete the process of signing; and in the verification process, the second signature is first unlocked with the public key of the server to obtain a verification signature, and then the verification signature is made public by the user The key is unlocked to obtain a verification file. Compare the first verification file with the original file. The same, it means that if the correct signature line is correct. In the following, an embodiment of the signature control system of the present invention is constructed under the RSA signature system. Under the group-oriented digital signature system of the multiple signature method of the RSA system, a control method for preventing users from unintentionally checking out documents includes the following steps: The public records of the client and server are up and sp, its modulus is Nu and Ns, and its corresponding private key is us and ss, respectively; during the signing process, the user ’s private key us is first used to sign the file M to obtain SIG and Mus mod. Nu, then use the server ’s private key ss to sign SIG1 to obtain SIG2 = SIG1SS mod Ns; during the verification process, when the recipient wants to verify the signature SIG2 of the document M, first use the server ’s public key sp to calculate SIG2sp. SIG1 is obtained by mod Ns, and SIGlupmodNu is calculated by using the public key of the client. M1 is a value to be verified. 17 This paper size applies the Chinese National Standard (CNS) A4 specification (2 丨 0X297 mm) * * 1 —ι—HIL --- r 、 install-* (Please read the precautions on the back before filling this page) Order the Central Samples Bureau of the Ministry of Economic Affairs, Shellfish Consumer Cooperatives, printed A7 B7_ 5. Description of the invention (4) Check Ml Is it equal to file M, if it is equal, SIG2 is the correct signature, Otherwise it is not properly signed. From the above, it can be known that the signature of this mechanism must be signed by the client and then signed once by the server. Therefore, it has the function of double verification, so it will not happen due to the negligence of the messenger or the operation error. And check out the file. Embodiment 3bis: (Ship-oriented digital signature mechanism used for signature control) An identification card security control method is used under the group-oriented digital signature system of group signature to prevent users from The control method for unintentionally checking out a document is as follows: Both the server and the user of the client have only one public public key, and the server and the user of the client each have their own private key and its private key. Corresponding public key, the above-mentioned common public key is obtained from the server public key and the user public key, and the document to be checked out must be signed by the user's private key before being signed by the server. The private key can be sent only after it is signed. When verifying the signature of the checked-out document, the above-mentioned common public key must be used to decrypt the signed-out document and compare it. In the following, an embodiment of the signature control system of the present invention will be constructed using a modified system of ElGamal. An identification card security control method, which is based on the ElGamal variant system, is a group-oriented digital signature system under the group signature method to prevent users from unintentionally checking out documents. Sub-g and a large prime number P, the private key of the user is 18 This paper size applies to Chinese National Standard (CNS) A4C (210X297 mm) (Please read the precautions on the back before filling this page) Ministry of Economic Affairs _ Printed by the Central Consumers ’Cooperative of the A7 B7 V. Invention Description (β) us, and its corresponding public Jinyu is up = gus mod P, the private gilt of the temple service end is ss, and its relative public Jinyu is sp = gss mod P, and the common public key of the two is Y = (upxsp) modP. The special virtue of the above control method lies in: When the user of the client wants to check out the file (M) The client and server perform the signing process and verification process according to the following steps: During the signing process: [έ] The client and server generate random variables kl and k2 respectively; [b] The client calculates rl = gkl mod P, At the same time, the server also calculates r2 = gk2 mod P, after which the user Exchange rl and r2 with the server; [c] Both client and server calculate R = (rlxr2) mod PPP; [d] The client first verifies whether spM and (r2Rxgss) mod P are equal. If the two are equal, the user The terminal calculates Sl = (usxM-klxR) mod (P-1); and [e] The server verifies whether P is equal. If the two are equal, the server calculates S2 = (ssxM-k2xR) mod (P-1). If they are not equal, the signature program will end and the process will be restarted; otherwise, SIG = (R, S = (S1 + S2) mod P-1) will be used as the signature of document M. II. During the verification process: The common public key Υ is used to verify whether YM mod P is equal to RRxgs mod P. If they are, it means that the SIG is the correct signature of the document M, otherwise it is not the signature of the original disc. From the above, it can be known that the signature of this mechanism must be signed by the client and then signed once by the server, so it has the function of double verification, so it will not happen due to the negligence of the messenger or the operation error. , And check out the document β 19 ------: --- λ-, installed-«(Please read the precautions on the back before filling out this page) Order. 6 This paper size applies to Chinese National Standards (CNS) A4 specification (210X297 mm) A7 B7 printed by the Zhengquan Consumers Cooperative in the Ministry of Economic Affairs 5. Description of the invention (1¾) One of the fourth embodiment: (Key recovery mechanism) A security control method for identification cards The key recovery system used in the storage device is constructed, and the above system can be built in a key exchange system, which has published a public value (M), and has a first surplus recovery center (TKRC1) and a second key. In the operating environment of the recovery center (TKRC2), the control method of the above key recovery system is as follows: [a] The client and server first execute the mutual authentication procedure shown in the second embodiment. After the authentication is completed, the server Get an encryption key ( SK) and the private data (DK) on the storage device, and obtain the PWK with the password of your choice. [b] The client generates two prime numbers p and q, where pxq = N, where N is a modulus. [c] The client and the first remnant response center (TBCRC1) obtain the first shared key (SK1) by using the above key exchange system or performing the above-mentioned mutual authentication procedure, and also communicate with the second key recovery center (TKRC2) Perform the same procedure to obtain a second shared key (SK2). [d] The first and second key recovery centers (TKRC1 and TKRC2) generate a first media number (R1) and a second media number (R2), respectively, and then use the first and second numbers between them and the client, respectively. The shared key (SK1 and SK2) is encrypted and transmitted to the client after the first and second media numbers are encrypted. [e] After receiving the first and second media numbers, the user uses them to generate a public key. If the public key (PK) cannot be generated, repeat steps c, d, and e until a Up to the public key; where the above public key PK matches the following formula, PKx (f < Rl, R2)) = 1 20 This paper uses the Chinese standard (CNS) 8 secrets (21〇χ-297mm) one " ------ rI- 、 装- ---- Order ------ C * (Please read the precautions on the back before filling this page) Printed by A7 _ ^ _ B7_ of the Cooperative Work Cooperation between Shell and Consumers of the Central Bureau of Standards of the Ministry of Economic Affairs ) mod F (N), where F (N) = (pl) X (ql) or F (N) is the least common multiple of (pl) and (ql), and the private key of the client relative to PK is S = f (Rl, R2) mod F (N). The above f (Rl, R2) can be selected as R1 + R2 or RlxR2. [f] The client calculates MPK modN to obtain a generator C, and generates the above generator Child C, the public key PK 'and the modulus N are transmitted to the first golden gun recovery center (TKRC1) and the second key recovery center (TKRC2), and the public key PK and the modulus F (N) are transmitted. [G] The first key reply center (TKRC1) calculates Ml = CR1 modN and sends it to the second key reply center (TKRC2), and at the same time, the second key reply center (TKRC2) TKRC2) Calculate M2 = CR2 mod N and send it to the first key reply center (TKRC1); [h] first key reply The center (TKRC1) calculates Ml * = CR1 mod N, or Ml * = (CR1xCR2) modF (N), depending on the selected f (Rl, R2), and verifies that] Vil * is equal to M, and Second key back-* In ml 9 nn ne (Please read the notes on the back before filling this page) Set M2 * = CR2 mod Ν, or M2 * = (CR2xCR1) mod F (N) F (R1, R2) is selected, and the verification check 1 ^ 12 * is ^ equal to M. If the verification is passed, the first and second key recovery centers use their respective private keys to publicly pay The key PK and the modulus N are signed and then transmitted to the above-mentioned certification center CA. [i] After receiving the signatures of the public key PK and the modulus N by the first and second key reply centers, After the verification is passed, a certificate of PK and N is issued, and then it is transmitted back to the user of the client; 21 Paper Center (TKRC2) paper size is applicable to China National Standard (CNS) A4 specification (210X297 mm) Ministry of Economic Affairs Printed by the Central Government Bureau of Shellfisher Consumer Cooperative A7 —_B7 V. Description of the invention (20) [j] The client can use the encryption key SK, and the private data DK and PWK to encrypt The user ’s private key S and other personal private keys ”As mentioned above, when the user ’s key is lost or there is a dispute, and a third party must prove it, the first and second key recovery centers and certification centers Call out relevant information, such as R1 and R2 by S = (RlxR2) mod F (N), or S = (Rl + R2) mod F (N), the end depends on the selected f (Rl, R2), To export the client's private key S. Embodiment 4bis: (Key Recovery Mechanism) An identification card security control method, which can be used to construct a key recovery system for storage devices. The above system can be built in a key exchange system, which has been published and published. Value (M), and an operating environment with a first key recovery center (TKRC1) and a second key recovery center (TKRC2), the above-mentioned key recovery system is based on a cryptographic system that solves discrete logarithmic difficulty. For a large prime number P and a generator g, the control method is as follows: [a] The client and the server first execute a mutual authentication procedure as in the second embodiment. After the authentication is completed, the server can obtain an encryption key (SK ) And the private data (DK) on the storage device, and the PWK obtained by the password of your choice. [b] The client and the first key recovery center (TKRC1) obtain the first shared key (SK1) by using the above key exchange system or performing the above-mentioned mutual authentication procedure, and also communicate with the second key recovery center (TKRC2) Perform the same procedure to obtain a second #shared key (SK2). [c] The first key recovery center (TKRC1) generates a first medium number (R1), encrypts it with the shared key SK1 between the client and the client, and sends it to 22 paper standards. Common Chinese national standard ¥ (CNS) Λ4 Regulations ^ U10X297 Gong) — (Please read the precautions on the back before filling this page)
.1T A7 B7 經濟部中央樣隼局負4消费合作社印製 五、發明説明(y) 用戶端,並計算CU=gR1 modP,再將Cl送至第二金鑰回 復中心(TKRC2),同時,第二金鑰回復中心(TKRC2)產生 一第二媒介數(R2),利用其與用戶端間的共享金鑰SK2 加密後傳送給用戶端,並計算C2=gR2 P,再將C2 送至第一金鑰回復中心(TKRC1)。 [d] 用戶接到第〆和第二金鑰回復中心所送來之上 述第一和第二媒介數R1、R2後’藉兩者以產生一公開金 鑰PK = gf(R1,R2) mod P,則使用者相對於PK之私密金鑰 S為由f(Rl,R2)mod(P-l)而得,為上述第一和第二媒介 數R1、R2之一特定運算值,可視需要,將上述f(R1,R2) 選擇為R1+R2或RlxR2。 [e] 用戶端將PK傳送給第一金鑰回復中心 (TKRC1)、第二金瑜回復中心(TKRC2),與一認證中心 CA。 [f] 若f(Rl,R2)=RlxR2則,第一金鑰回復中心 (TKRC1)計算Ml=PKinv(R1〉modP後並比較驗證Ml是否 等於C2,同時,第二金鑰回復中心(TKRC2)計算 M2=PKinv(R2)modP後並比較驗證M2是否等於C1,其中 inv(Rl)表示(Rl)*1 modP-1 之運算。若 f(Rl,R2)=R1+R2 則第一金鑰回復中心(TKRC1)計算Ml=PKxginv(R1) mod P 後對比較Ml是否等於C2,同時TKRC2計算 M2=PKxginv(R2) mod P後並比較M2是否等於C1 » [g] 若通過驗證後,第一和第二金鎗回復中心以其各 自的私密金鑰對PK簽章後,再傳送至上述認證中心 ------:—.._ ( '裝— (請先閲讀背面之注意事項再填寫本頁) 訂 本紙张尺度適用中囷囷家標率(CNS ) A4規格(210X297公釐) 經濟部中央標準局員工消費合作社印製 A7 B7五、發明説明(〉 CA。 [h] 上述認證中心收到第一和第二金鑰回復中心對 PK之簽章後,待驗證通過後即對PK作一憑證證明後, 再回傳給用戶端。 [i] 用戶端使用加密金鑰SK,私密資料DK及PWK, 來加密私密金鑰S及用戶其它個人私密資料。 如上所述,當用戶之金鑰遺失或有爭端,而必須由 第三者舉證時,即由第一和第二金鑰回復中心及認證中 心呼叫出相關之資料,如R1和R2,即可藉S=(RlxR2) mod(P-l)、或S=(Rl+R2)mod(P-l)而導出用戶端私密金 鑰S 〇 實施例五:(回復金鑰加解密機制) 一種識別卡安全控管方法,藉此方法構成一回復金 鑰加解密系統,上述回復金鑰加解密系統之控管方法包 括: 資料傳送及驗證程序,係為正常情形下之資料傳送 程序;以及 金鑰及密文的回復程序,藉以當發文端之金鑰或明 文遺失時,能利用此一機制將之回復; 上述資料傳送及驗證程序,請參照第3A圖所示之 方塊圖,其包括如下步驟: [a]當發文端欲傳送明文資料岭.給收文單位時,發文 單位先產生一通訊基碼SK(又稱為會談金鑰),再由一發 文端加解密器ENS,以發文端之私密金鑰KGS對上述通 24 本紙張尺度適用中國國家標準(CNS ) A4規格(210X297公釐) -----l·'丨~^-Γ'-裝------訂------Q * (請先閱讀背面之注意^項再填寫本頁) 經濟部中夹揉準局貝tir:消费合作社印装 A7 B7 _____ 五、發明説明(H) 訊基碼SK進行加密而得(SK)kgs,並以收文端之公開金 鑰PKR對上述通訊基碼SK進行加密而得(SK)PKR,將上 述通訊基碼SK與上述(SK)KGS進行特定之運算而得一發 文端密鑰,在此實施例為互斥運算,所以發文端密鑰為 SK㊉(SK)KGS。 以上述發文端密鑰對所欲傳送之明文資料Μ進行加 密而得一密文SM=(M)SKe(SK),對上述通訊基碼SK、 (SK)KGS、(SK)PKR及特定相關資料,(例如,發文端之機 關代碼IDS、收文端之機關代碼IDR、及一初始向量值 IV等)進行雜湊運算而得到一信託認證子EA。再以一家 族金鑰FK對上述對上述(SK)KGS、(SK)PKR、特定相關資 料IDR和IDS、以及信託認證子EA進行加密而得一法定 存取攔位LEAF,再將上述密文SM、法定存取欄位 LEAF、以及初始向量值IV傳送至收文端。 [b] 收文端接收上述資料後,利用家族金鑰FK解開 LEAF而得到上述(SK)KGS、(SK)PKR、信託認證子EA、以 及特定相關資料IDS、IDR、及IV。利用收文端私密金 鑰KGR解開(SK)pkr而得上述通訊基碼SK,以通訊基碼 SK將所接收之上述(SK)KGS還原而可得上述發文端密鑰 SK®(SK)kgs,再利用發文端密鑰解開密文 SM= (M)SK0(SK)K〇s而得到明文資料Μ :以及 [c] 收文端並對所接收後解得之上述通訊基碼SK、 (SK)KGS、(SK)PKR、及特定相關資料IDS、IDR、及IV進 行雜湊運算,其運算結果用以與所接收到之信託認證子 25 冬紙张尺度i用中國國家樣準(CMS ) Μ規格(210X2?7公釐) ^ "" iil.*—L_r、裝----——訂-----b (請先閲讀背面之注意事項再填寫本頁) 經濟部十央橾率局員工消費合作杜印製 A7 B7 五、發明説明(24 ) EA互相比對,若相等則表示驗證成功傳輸過程無誤。 其中上述收文端金鑰KGR是由一第一金鑰管理單 位和第二金鑰管理單位分別提供之收文端第一金鑰因子 KGR1與收文端第二金鑰因子KGR2,兩者經特定運算後 而得,另外上述發文端金餘KGS是由一第金餘管理單位 和第二金鑰管理單位分別提供之收文端第一金鑰因子 KGS1與收文端第二金鑰因子KGS2,兩者經特定運算後 而得》在此實施例中KGR = KGR1㊉KGR2, KGS = KGS1 ㊉ KGS2。 當發文端之金鑰或明文遺失時,請參照第3B圖所 示之方塊圖,上述金鑰及密文的回復程序,其包括如下 步驟: 發文端先要求上述第一金鑰管理單位及第二金鑰管 理單位取出第一金鑰因子KGS1與收文端第二金鑰因子 KGS2,由KGS1與KGS2即可經互斥運算帀得發文端金 鑰 KGS ’· 利用回復之發文端金鑰KGS,即可將(S] 得上述通訊基碼SK,再利用上述通訊基碼與(SK)kgs 進行互斥運算而得到上述發文端密鑰SKe(sf〇KGS,利用 此一發文端私密金鑰即可以將密文解開而得到明文資 料。 由上所述,利用本發明之回復金錄加解密機制,其 可在金鑰遺失之場合,輕易地將金鑰恢復,再藉以將密 文解出回復,可避免因金鑰遠失而遭致漏失資料之情形 --------: —「裝-- (請先閲讀背面之注意事項再填寫本頁) 訂 26 本紙張尺度適用中國國家標準{ CNS ) A4規格(210X297公釐) A7 B7 經濟部令央樣準局貞工消費合作杜印褽 五、發明説明(25 ) 發生。 實施例六:(所有權驗核機制) 一般所有權驗核機制’在理論上可使用資料隱藏法 技術在文件中藏入不易查覺之資訊做為所有權之證據。 然而’以文件而言所加入之隱藏資訊,確可能因為使用 軟體之不同,而改變了隱藏的資訊,而使所有權之歸屬 有所爭議。另外,亦有藉改變文件内容之語法、語意、 同義字或文句中標點等,將額外的資訊藏入原文_。然 而此類方法’其實作困難且改變文件之表達方式,可能 造成閱讀上的不順暢,所以並不切實際。 本發明之所有權機制,利用密碼技術實現電子文件 所有權驗核之機制,其可在不修改文件原文之内容的前 提下’能做到保護發文者的擁有權及文件之完整性0 擁有權機制所要處理之情形為,當一份文件被不當 使用(例如有人冒用發文者發佈不實文件)時,發文者可透 過公正程序證明該文件並非屬於發文者所有。 本發明所提出之一種所有權驗核機制,其透過密碼 學上之技巧,建立一份與其前、後各文件間之關連性, 以確保他人無法在已發出的文件間插入其他偽造之文 件。此一關連性可經由一公正當局在適當時加以揭示, 以確保發文者之所有權不被他人所冒用β 亡本發明之所有權驗核機制,可由發文端Α、收文端 B、及所有權公正機關TKC及公正機關TTP互相連動運 作。而發文端A與所有權公正機關間之所有訊息交換均 本紙張尺度適用中國國家標準(CNS ) A4規格(21 OX 2M公釐) —i I I ---t n n n .^1 I n I I --- * (請先M讀背面之注意Ϋ項再填寫本頁) 經濟部中央樣準局負工消費合作社印製 A7 B7五、發明説明(A) 經公證處理,以確保雙方文件交換之不可否認性,詳細 交換過程如下: I. 初始階段: 在第一次登入時,於發文端A隨機選取一數字N〇。 於發文端A產生所有權簽署金鑰對八。3、Απ,以及 通訊金瑜Kat。 以及,發文端A經由公證程序將八。8及KAT送交上 述所有權公正機關TKC。 II. 第一次文件傳輸: a.對第一份文件%產生一第一文件表頭 AsII^No+IDa+SD},其中 IDA 為發文 端A之身份識別碼,S〗為第一份文件之序號,As為發文 端A之文件簽署密鑰,h(·)表雜湊函數。 . b.發文端A利用所有權簽署金鑰八。3對上述第一文 件今頭MT1簽章而得第一表頭簽章Α<^{ΜΤ1},發文端合 併IDA、公正機關身份識別碼IDTTP、收文端身份識別碼 IDB、文件表頭MT1、及第一表頭簽章以通訊 金^ KAT加密,再將其與第一份文件之表頭MT1傳送至 公正機關TTP。 c.公正機關TTP收到後,令L等於上述第一文件表 頭MT1,並將IDA、IDB、AUTi}、以及L儲存。d.發文 端A將IDA+ AWTj+MU以公證程序送交收文端B。 e.收文端B將ApS{T!}及文件序號、收文方等文件識 (請先聞讀背面之注意事項再填寫本頁) 裝· ,11 h 別資訊以KBT加密後 以TTP之公開金鑰ΤΤΡΡ加密後 28 本紙張尺度適用中國國家標準(CNS > A4規格(210X297公釐) 經濟部中央橾準局員工消费合作社印製 A 7 B7五、發明説明(叫) 送交TTP。 f. TTP以其私密金鑰TTPs解開上述密文後比較步驟 e中之八如丨丁丨丨是否相同,並將比較結果以KBT加密後送 給B。 g. 若步驟f令之較結果為相同則B執行步驟h,否則 B可要求A動新執行步驟d。 h·最後收文端B儲存AoJTG。 III.第i次文件傳輸: a. 發文端A對第i份文件產生第i文件表頭MTi=IDA + Si +h(Mi)+ (Ao^hCTw),其中Si為第i份文件之序號。 b. 發文端A利用所有權簽署金鑰八。8對上述第i文件 表頭MTi簽章而得第一表頭簽章Α^{ΜΤί},發文端A合 併IDA、公正機關身份識別碼IDTTP、收文端身份識別碼 IDB、文件表頭MTi、及第i表頭簽章Αμ{Μή}後以通訊 金鑰ΚΑΤ加密,再將其與第i份文件之表頭MTi傳送至公 正機關TTP。 c. 公正機關TTP收到後,令Ti等於上述第i文件表 頭MTi與第i-Ι次文件表頭Ti.fMTw之互斥運算值 Μτ沖Tw,並將 IDA、IDB、A0S{MTi}、.以及 儲存。 d. 將T1以Ti取代,重覆第一次傳輸中之步驟d~ h, 如此來從事正常之文件傳送。 依上述機制運作之文件系#*,當收文端B提出M* 及AUMti},欲證明M*為發文端A所送出之文件,則公 正機關TTP可公佈Aop並解出MTi,再根據MTi之内容確 29 (請先閲讀背面之注意事項再填寫本頁) 本纸張尺度適用中國國家標準(CNS〉A4規格(210X297公釐) 經濟部中央標準局貝費合作社印製 A 7 B7五、發明説明(β) 定文件是否為發文端A所發出,若Μ*為事後偽造之文 件,則根據兀及MTi之關連性,ΤΤΡ可證明Μ*非由發文 端所發出,其前後文件之關連性如下: 往前關連性為Μ·π=Τί㊉Ti_i ; 往後關連性為自MTi+1中取出(Aop^h(Ti)欄位,h(Ti)= (Aop㊉ h(TiB®Aop。 由上述可知,本發明之所有權核驗機制,其透過密 碼學之技巧,建立各文件間之前後關連性。如此一來, 縱使簽章系統被破解之情形下,仍不會有被仿冒、偽簽 之危險。因為,入侵者無法得知文件間之關連性,故而 無法在已發出之文件插入其他偽造之文件。而此一機制 也藉由關連性而可輕易地驗證文件之所有權歸屬。 根據本發明之安全控管方法有: 一、 檢驗系統檔案有無遭篡改的檢查機制。 二、 植基相互認證系統的控管機制。 三、 使用於簽章控管的群體導向數位簽章機制。 四、 金鑰回復機制。 五、 回復金鑰加解密機制。 六、 所有權驗核機制。 由上述之各種控管方法,可確知本發明對於網路環 境下運作之系統可提供較佳之保密及保障,尤其對於用 戶端之使用者之防護能更具有可靠性和安全性,本發明 所提出一套識別卡安全控管方法,其對於用戶端的軟體 及存於可攜式儲存裝置的私密資料,如私密金鑰等,利 30 (請先閲讀背面之注意事項再填寫本頁) 本紙張尺度適用中國國家標率(CNS ) A4規格(210X297公釐) A7 經濟部中央搮準局貝工消费合作社印製 B7五、發明説明(θ) 用密碼學加解密、電子簽章技術、以及分散機密的觀念 來加以保護,以提高入侵者破解機密而危害系統的困難 度。而對於使用者的私密金鑰遺失後金鑰回復之措施亦 提出一可行之方案。另外,亦提出一所有權驗核機制而 達到發文者擁有權及對文件完整性能有所保護之目的。 上述相關之實施例中,本發明有使用到可應用儲存 裝置之系統,而儲存裝置中的内容不外乎為: 一、 測試程式,用以測試欲測程式之版本,及程式 之正確性。 二、 個人之機密資料,包括個人私密金鑰等。 三、 公開資料,如驗證碼(Certificate)、使用者ID、 用戶相關資料、磁片編號等。 四、 測試資料,如程式雜湊值之簽章、程式版本及 曰期之簽章等。 上述各項可視所需之情形而調整。 雖然本發明已以多個較佳實施例揭露如上,然其並 非用以限定本發明,任何熟悉本項技藝者,在不脫離本 發明之精神和範圍内所提出之測試機制,均係涵括在本 發明之保護範圍内。 -----^ ! rf 裝! « (請先閱讀背面之注意事項再填寫本頁) 訂.1T A7 B7 Printed by the Central Government Bureau of the Ministry of Economic Affairs, 4 Consumer Cooperatives. 5. Invention Description (y) The client, calculates CU = gR1 modP, and sends Cl to the second key recovery center (TKRC2). At the same time, The second key recovery center (TKRC2) generates a second media number (R2), encrypts it with the shared key SK2 between the client and the client, sends it to the client, calculates C2 = gR2 P, and sends C2 to the first A key recovery center (TKRC1). [d] After receiving the first and second media numbers R1 and R2 sent by the first and second key reply centers, the user borrows both to generate a public key PK = gf (R1, R2) mod P, the user's private key S relative to PK is obtained by f (Rl, R2) mod (Pl), which is a specific operation value of the first and second media numbers R1 and R2. The f (R1, R2) is selected as R1 + R2 or RlxR2. [e] The client sends the PK to the first key response center (TKRC1), the second golden-yu response center (TKRC2), and a certification center CA. [f] If f (Rl, R2) = RlxR2, the first key recovery center (TKRC1) calculates Ml = PKinv (R1> modP and compares and verifies whether M1 is equal to C2. At the same time, the second key recovery center (TKRC2 ) Calculate M2 = PKinv (R2) modP and compare and verify whether M2 is equal to C1, where inv (Rl) represents the operation of (Rl) * 1 modP-1. If f (Rl, R2) = R1 + R2, then the first gold The key recovery center (TKRC1) calculates whether Ml = PKxginv (R1) mod P and then compares whether M1 is equal to C2, and TKRC2 calculates M2 = PKxginv (R2) mod P and compares whether M2 is equal to C1 »[g] If it passes the verification, The first and second gold gun reply centers sign the PK with their respective private keys, and then send them to the above-mentioned certification center ---: -.._ ('装 — (Please read the note on the back first) Please fill in this page for the items) The size of the paper is applicable to the standard of China Standards (CNS) A4 (210X297mm) Printed by the Consumer Cooperatives of the Central Bureau of Standards of the Ministry of Economic Affairs A7 B7 V. Description of the invention (> CA. [h] After receiving the signature of the PK from the first and second key reply centers, the above certification center will send a certificate to the PK after the verification is passed, and then send it back to the client. [I] The client uses the encryption key SK, private information DK and PWK to encrypt the private key S and other personal private information of the user. As mentioned above, when the user's key is lost or there is a dispute, it must be proved by a third party. That is, the relevant information is called by the first and second key reply centers and certification centers, such as R1 and R2, and S = (RlxR2) mod (Pl), or S = (Rl + R2) mod (Pl) And the private key S of the client is derived. Embodiment 5: (Restoring Key Encryption and Decryption Mechanism) An identification card security control method, by which the method constitutes a replying key encryption and decryption system. Management methods include: data transmission and verification procedures, which are normal data transmission procedures; and key and cipher text recovery procedures, so that when the sender ’s key or plain text is lost, this mechanism can be used to reply ; For the above data transmission and verification procedures, please refer to the block diagram shown in Figure 3A, which includes the following steps: [a] When the sending end wants to send clear text data ridge. When sending to the receiving unit, the sending unit first generates a communication base code SK (Also known as talks Key), and then the sender encrypts and decrypts ENS, and uses the sender ’s private key KGS for the above-mentioned 24 paper sizes to apply the Chinese National Standard (CNS) A4 specification (210X297 mm) ----- l · '丨 ~ ^ -Γ'-pack ------ order ------ Q * (Please read the note on the back ^ before filling in this page) The Ministry of Economic Affairs, Treasurer, Tir: Consumer cooperative seal Install A7 B7 _____ V. Description of the invention (H) The base code SK is encrypted to obtain (SK) kgs, and the above public base key PK is used to encrypt the communication base code SK to obtain (SK) PKR. The communication base code SK and the above-mentioned (SK) KGS perform a specific operation to obtain a sender key. In this embodiment, the sender key is mutually exclusive, so the sender key is SK㊉ (SK) KGS. The plaintext data M to be transmitted is encrypted with the above-mentioned sender key to obtain a ciphertext SM = (M) SKe (SK), and the above communication base codes SK, (SK) KGS, (SK) PKR and specific correlation Data (for example, the institution code IDS at the sending end, the institution code IDR at the receiving end, and an initial vector value IV, etc.) are hashed to obtain a trust authentication sub-EA. Then a family key FK is used to encrypt the above-mentioned (SK) KGS, (SK) PKR, specific related data IDR and IDS, and the trust authentication sub-EA to obtain a legal access block LEAF, and then encrypt the above ciphertext SM, legal access field LEAF, and initial vector value IV are transmitted to the receiver. [b] After receiving the above information, the receiver uses the family key FK to unlock the LEAF to obtain the (SK) KGS, (SK) PKR, trust authenticator EA, and specific related information IDS, IDR, and IV. The above-mentioned communication base code SK is obtained by decrypting the (SK) pkr with the private key KGR of the receiving end, and the received above-mentioned (SK) KGS is restored with the communication base code SK to obtain the above-mentioned sending end key SK® (SK) kgs , And then use the sender's key to unlock the ciphertext SM = (M) SK0 (SK) K〇s to obtain the plaintext data M: and [c] the receiver and the above-mentioned communication base codes SK, (SK) obtained after the reception. KGS, (SK) PKR, and specific related data IDS, IDR, and IV perform hash calculations, and the results are used to receive the trust authenticator 25 Winter paper size i Use Chinese National Standard (CMS) M specifications (210X2? 7mm) ^ " " iil. * — L_r, equipment ----—— order ----- b (Please read the notes on the back before filling this page) Ministry of Economic Affairs The consumer cooperation of the bureau staff is printed by Du A7 B7 V. Description of the Invention (24) EA is compared with each other. If they are equal, it means that the verification is successful and the transmission process is correct. The above receiving key KGR is the first receiving key factor KGR1 and the second receiving key factor KGR2 provided by a first key management unit and a second key management unit, respectively. In addition, in addition, the above-mentioned sender's remaining balance KGS is a first-end receiving key factor KGS1 and a second-end receiving key factor KGS2 provided by a first surplus management unit and a second key management unit, respectively. Resulting from the calculation "In this embodiment, KGR = KGR1㊉KGR2, KGS = KGS1 ㊉ KGS2. When the sender's key or plaintext is lost, please refer to the block diagram shown in Figure 3B. The above key and ciphertext recovery procedure includes the following steps: The sender first requests the first key management unit and the first The two key management units take out the first key factor KGS1 and the second key factor KGS2 at the receiving end. From the KGS1 and KGS2, the sender key KGS can be obtained through a mutually exclusive operation. · Using the returned sender key KGS, The above-mentioned communication base code SK can be obtained from (S), and the above-mentioned communication base code is used to perform a mutually exclusive operation with (SK) kgs to obtain the above-mentioned sender key Ske (sf0KGS). Using this sender's private key, The ciphertext can be unraveled to obtain the plaintext data. From the above, by using the recovery record encryption and decryption mechanism of the present invention, it can easily recover the key when the key is lost, and then use it to extract the ciphertext. Reply, you can avoid the situation of missing data due to the far lost key --------:-"install-(Please read the precautions on the back before filling this page) Order 26 This paper size applies to China National standard {CNS) A4 specification (210X297 mm) A7 B7 The Ministry of Economic Affairs ordered the Central Bureau of Justice and Consumers to cooperate with Yin Du. 5. The description of the invention (25) occurred. Embodiment 6: (Ownership Verification Mechanism) The general ownership verification mechanism can theoretically use the data hiding method in documents. Information that is hard to detect is hidden as evidence of ownership. However, the hidden information added in terms of documents may indeed change the hidden information due to the use of software, making the ownership of the contentious. In addition, there are also additional information hidden in the original text by changing the grammar, semantics, synonyms, or punctuation in the text of the content of the document. However, such methods are actually difficult and changing the expression of the document may cause reading problems. It is not smooth, so it is not practical. The ownership mechanism of the present invention uses the cryptographic technology to implement the ownership verification of electronic documents, which can 'protect the author's ownership and Document Integrity 0 The ownership mechanism deals with situations when a document is used improperly (for example In the case of false documents), the author can prove through impartial procedures that the document does not belong to the author. An ownership verification mechanism proposed by the present invention uses cryptographic techniques to establish a document with its front and back. To ensure that others cannot insert other forged documents between the documents that have been sent. This relevance can be revealed by an impartial authority when appropriate to ensure that the author's ownership is not misused by others β The ownership verification mechanism of the present invention can be operated by the sending end A, the receiving end B, and the impartiality authority TKC and the impartiality authority TTP. All information exchanges between the issuing end A and the impartiality authority are based on this paper Standard (CNS) A4 specification (21 OX 2M mm) —i II --- tnnn. ^ 1 I n II --- * (please read the note on the back before filling in this page) The central sample of the Ministry of Economy A7 B7 printed by the Bureau ’s Consumer Cooperatives V. Invention Description (A) Notarized to ensure the non-repudiation of document exchange between the two parties, the detailed exchange process is as follows: I. Initial stage: When logging in for the first time, randomly select a number 0 at the sending end A. A signature key pair eight was generated at the sending end A. 3. Απ, and communication Jin Yu Kat. And, the sending end A will go through the notary procedure. 8 and KAT are sent to TKC. II. The first file transfer: a. Generate a first file header AsII ^ No + IDa + SD} for the first file%, where IDA is the identification code of the sender A, and S is the first file The serial number, As is the document signing key of sender A, and h (·) represents a hash function. b. Issuer A uses ownership to sign key eight. 3 First head of the above-mentioned first document is obtained from the first MT1 signature A < ^ {ΜΤ1}, and the issuing end merges IDA, the impartial authority IDTTP, the receiving end IDB, the document header MT1, And the first head seal is encrypted with the communication gold ^ KAT, and then it and the head MT1 of the first document are transmitted to the fair authority TTP. c. After receiving the TTP of the impartial agency, let L equal the above-mentioned first document header MT1, and store IDA, IDB, AUTi}, and L. d. Sending end A sends IDA + AWTj + MU to receiving end B by notarization procedure. e. Receiver B recognizes ApS {T!}, the document serial number, the recipient, and other documents (please read the precautions on the back before filling out this page), install, 11h, do not encrypt the information with KBT, and use the TTP public money. Key TTPP encrypted 28 This paper size applies Chinese national standard (CNS > A4 specification (210X297 mm)) Printed by the Consumers Cooperative of the Central Bureau of Standards of the Ministry of Economic Affairs A 7 B7 V. Description of the invention (called) Submit to TTP. F. TTP uses its private key TTPs to decrypt the above cipher text to compare whether the eighth in step e are the same, and send the comparison result to KBT after encrypting it. G. If the comparison result in step f is the same Then B executes step h, otherwise B may request A to perform new step d. H. The final receiver B stores AoJTG. III. The i-th file transfer: a. The sender A generates the i-th file header for the i-th file MTi = IDA + Si + h (Mi) + (Ao ^ hCTw), where Si is the serial number of the i-th document. B. The sender A uses the ownership to sign the key 8. Eighth, the above-mentioned i-file header MTi signature The first head seal A ^ {ΜΤί} is obtained, and the sender A merges IDA, the impartial authority IDTTP, and the receiver ID The IDB, the document header MTi, and the i-th header signature Αμ {Μή} are encrypted with the communication key KAT, and then transmitted to the fairness agency TTP with the i-th document header MTi. C. The fairness agency TTP receives After that, let Ti be equal to the mutually exclusive operation value Mτ of the i-th file header MTi and the i-th file header Ti.fMTw and then tw, and store IDA, IDB, AOS {MTi}, and store. D Replace T1 with Ti, repeat steps d ~ h in the first transmission, so as to engage in normal file transmission. The file system operating according to the above mechanism is # *, when the receiver B proposes M * and AUMti}, Prove that M * is the document sent by the sender A, then the fair agency TTP can announce the Aop and extract the MTi, and then confirm the content of the MTi 29 (Please read the precautions on the back before filling this page) This paper size applies to China National Standard (CNS> A4 Specification (210X297mm) Printed by the Central Bureau of Standards, Ministry of Economic Affairs, Befel Cooperative, A 7 B7 V. Description of Invention (β) Whether the document is issued by the originator A, if M * is a forged document after the fact , According to the connection between Wu and MTi, TTP can prove that M * is not issued by the sender, The relatedness is as follows: The previous relationship is M · π = Τί㊉Ti_i; the subsequent relationship is taken from the MTi + 1 (Aop ^ h (Ti) field, h (Ti) = (Aop㊉ h (TiB®Aop. By It can be seen from the above that the ownership verification mechanism of the present invention establishes the relevance between the files through the techniques of cryptography. In this way, even if the signature system is cracked, there is still no danger of being counterfeited or forged. Because the intruder cannot know the relationship between the documents, it is impossible to insert other forged documents into the issued documents. And this mechanism can also easily verify the ownership of documents through its relevance. The security control method according to the present invention includes: 1. An inspection mechanism to check whether a system file has been tampered with. Second, the control mechanism of the foundation-based mutual authentication system. 3. A group-oriented digital signature mechanism used for signature control. Fourth, the key recovery mechanism. 5. Reply key encryption and decryption mechanism. 6. Ownership verification mechanism. From the above-mentioned various control methods, it can be ascertained that the present invention can provide better confidentiality and protection for the system operating under the network environment, especially the protection of the user at the user end can be more reliable and secure. A set of security control methods for identification cards. For software on the client side and private data stored in portable storage devices, such as private keys, etc., 30 (please read the precautions on the back before filling this page). Applicable to China National Standards (CNS) A4 specifications (210X297 mm) A7 Printed by B7 Consumers Cooperative of Central Bureau of Standards of the Ministry of Economic Affairs 5.Brief description of the invention (θ) Use cryptographic encryption and decryption, electronic signature technology, and decentralized confidentiality To protect them to increase the difficulty for intruders to crack secrets and compromise the system. It also proposes a feasible solution for the key recovery measures after the user's private key is lost. In addition, an ownership verification mechanism is also proposed to achieve the purpose of the author's ownership and to protect the integrity of the document. In the above related embodiments, the present invention has a system using an applicable storage device, and the content of the storage device is nothing more than: 1. A test program, which is used to test the version of the program to be tested, and the correctness of the program. 2. Personal confidential information, including personal secret keys. 3. Public information, such as Certificate, user ID, user-related information, disk number, etc. 4. Test data, such as the signature of the hash value of the program, the version of the program and the signature of the date. The above items can be adjusted as needed. Although the present invention has been disclosed as above with several preferred embodiments, it is not intended to limit the present invention. Anyone familiar with the art may put forward the testing mechanism without departing from the spirit and scope of the present invention. Within the scope of the present invention. ----- ^! rf equipment! «(Please read the notes on the back before filling this page) Order
•P 31 本紙張尺度適用中國國家標隼(CNS ) A4規‘(210X297公釐)• P 31 This paper size applies to China National Standard (CNS) A4 Regulations ‘(210X297 mm)