This application claims priority to Taiwanese Patent Application No. 104113792 filed on Apr. 30, 2015 in the Taiwan Intellectual Property Office.
The subject matter herein generally relates to data security, and particularly to a key generation device, a terminal device, and a data signature and encryption method thereof.
A certificateless signcryption system at least includes a key generation center and a number of terminal devices. The key generation center generates initial keys and transmits the initial keys to the terminal devices. After the initial keys are transmitted to the terminal devices, the initial keys cannot be revoked.
Implementations of the present technology will now be described, by way of example only, with reference to the attached figures.
It will be appreciated that for simplicity and clarity of illustration, where appropriate, reference numerals have been repeated among the different figures to indicate corresponding or analogous elements. In addition, numerous specific details are set forth in order to provide a thorough understanding of the embodiments described herein. However, it will be understood by those of ordinary skill in the art that the embodiments described herein can be practiced without these specific details. In other instances, methods, procedures, and components have not been described in detail so as not to obscure the related relevant feature being described. The drawings are not necessarily to scale and the proportions of certain parts may be exaggerated to better illustrate details and features. The description is not to be considered as limiting the scope of the embodiments described herein.
Several definitions that apply throughout this disclosure will now be presented. In general, the word “module,” as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, written in a programming language. The software instructions in the modules can be embedded in firmware, such as in an erasable programmable read-only memory (EPROM) device. The modules described herein can be implemented as either software and/or hardware modules and can be stored in any type of computer-readable medium or other storage device. The term “coupled” is defined as connected, whether directly or indirectly through intervening components, and is not necessarily limited to physical connections. The connection can be such that the objects are permanently connected or releasably connected. The term “comprising” means “including, but not necessarily limited to”; it specifically indicates open-ended inclusion or membership in a so-described combination, group, series and the like.
In at least one embodiment, the key generation device 10 can communicate with the terminal devices 20 wirelessly, for example by using the BLUETOOTH protocol, the ZIGBEE protocol, and the WIFI protocol. In an alternative embodiment, the key generation device 10 can communicate with the terminal devices 20 through wires, for example by using Ethernet or other fixed network protocols.
In at least one embodiment, a key generation system 100 is running in the key generation device 10. The key generation system 100 can include a number of modules, which are collections of software instructions stored in the first storage device 13 and executed by the first processor 11. In at least one embodiment, the key generation system 100 at least includes a client management module 101 and an initial key generation module 102.
The client management module 101 registers and releases the terminal devices 20 in response to a user command input via an input device (such as a keyboard or a mouse), or in response to requests sent by the terminal device. In at least one embodiment, each registered terminal device 20 has a unique identifier. The unique identifier can be an IP address or a MAC address of the terminal device 20. The unique identifier can also be an employee number, a telephone number, an email account, or an identification number of a user of the terminal device 20.
When a terminal device 20 is successfully registered to the key generation device 10, the initial key generation module 102 generates an initial secret key according to the unique identifier of the registered terminal device 20, and generates a time update key at regular time intervals. The initial key generation module 102 transmits the initial secret key and the time update key to the registered terminal device 20 via the first communication device 12 after the initial secret key and the time update key are generated.
The time update key at least includes the unique identifier of the terminal device 20 and data as to a time period. The time period can be a fixed length of time, for example thirty days, or a timestamp-delineated period, for example from 06:00 AM of Jan. 1, 2015 to 06:00 AM of Jan. 30, 2015. In at least one embodiment, once the initial key generation module 102 determines that the time period of a time update key is expired, the initial key generation module 102 generates a new time update key and controls the communication device 12 to transmit the newly generated time update key to the registered terminal device 20. For example, the time period in a first time update key may be from 06:00 AM of Jan. 1, 2015 to 06:00 AM of Jan. 30, 2015; if the initial key generation module 102 determines that a current time is 06:00 AM of Jan. 30, 2015, the initial key generation module 102 determines that the time period of the first time update key is expired, and then generates a new time update key. The time period of the new time update key can be from 06:00 AM of Jan. 30, 2015 to 06:00 AM of Feb. 30, 2015.
In at least one embodiment, the initial key generation module 102 generates the time update key at regular time intervals until the initial key generation module 102 receives a command to stop generating the time update key, from the terminal device 20 or from the input device (not shown) of the key generation device 10. The initial key generation module 102 generates the time update key at the regular time intervals until the terminal device 20 logs out and is released from the key generation device 10.
In at least one embodiment, the time period of the time update key can be set by a user via input devices (not shown) of the key generation device 10. In other embodiments, the time period of the time update key can also be set automatically by the initial key generation module 102. In at least one embodiment, any initial secret key and time update key can be generated by using a well-known algorithm, such as a hash algorithm.
In at least one embodiment, the first communication device 12 transmits the initial secret key to the terminal device 20 by using an encrypted security channel, and transmits the time update key to the terminal device 20 by using an unencrypted and non-private channel, for example by using a text message, an email, a push notification service, or other unencrypted means. In an alternative embodiment, the time update key can also be posted on a website for the terminal device 20 to download. In other embodiments, the time update key can also be transmitted by using the encrypted security channel.
A data signature and encryption system 200 is running in each terminal device 20. The data signature and encryption system 200 can include a number of modules, which are collections of software instructions stored in the second storage device 23 and executed by the second processor 22. In at least one embodiment, the data signature and encryption system 200 at least includes an acquiring module 201, a key generation module 202, and a data signature and encryption module 203.
The acquiring module 201 acquires the initial secret key and the time update key from the second communication device 21.
The key generation module 202 generates a public key and a private key according to a preset secret value, and then generates a key group by combining the initial secret key, the time update key and the generated private key.
The data signature and encryption module 203 encrypts and decrypts data, signs digital signatures, and verifies digital signatures by using the public key of the terminal device 20, the key group, and the public key received from other terminal devices.
In detail, the second communication device 21 of each terminal device 20 communicates with other terminal devices 20 to transmit the public key of the terminal device 20 to the other terminal devices 20 and to receive public keys of the other terminal devices 20 from the other terminal devices 20. In an alternative embodiment, each terminal device 20 can also upload the public key to the key generation device 10, and the key generation device 10 can broadcast the public key of the terminal device 20 to the other terminal devices 20.
When at least two terminal devices 20 exchange data, a sending terminal device 20 creates a digital signature according to the key group of the sending terminal device 20, and uses the digital signature to sign the data to be transmitted. The sending terminal device 20 further encrypts the data to be transmitted using the public key of a receiving terminal device 20.
When the receiving terminal device 20 receives the encrypted data transmitted by the sending terminal device 20, the receiving terminal device 20 decrypts the data using the key group of the receiving terminal device 20, and verifies the signature using the public key of the sending terminal device 20.
In at least one embodiment, the data signature and encryption system 200 further includes a determining module 204 to determine whether the time period of the time update key is expired. When the key generation device 10 is no longer transmitting the time update key to the terminal device 20, and the determining module 204 determines that the time period of the last time update key is expired, the terminal device 20 cannot generate the key group according to the time update key, and thus the terminal device cannot verify the signature and decrypt the data.
At block 401, a key generation device accepts registration of a terminal device which is identified by a unique identifier.
At block 402, the key generation device generates an initial secret key according to the unique identifier of the terminal device 20, and generates a time update key at regular time intervals. The time update key at least includes the unique identifier of the terminal device and data as to a time period; the length of the regular time interval is equal to the length of the time period.
At block 403, the key generation device transmits the initial secret key and the time update key to the registered terminal device.
At block 404, the terminal device generates a public key and a private key according to a preset secret value.
At block 405, the terminal device generates a key group by combining the private key, the initial secret key, and the time update key.
At block 406, the terminal device encrypts and decrypts data, signs digital signatures, and verifies digital signatures by using the public key of the terminal device, the key group, and public keys received from other terminal devices. In detail, when at least two terminal devices exchange data, the sending terminal device creates a digital signature according to the key group of the sending terminal device, and uses the digital signature to sign the data to be transmitted. The sending terminal device further uses the public key of the receiving terminal device to encrypt the data to be transmitted. When the receiving terminal device receives the data transmitted by the sending terminal device, the receiving terminal device decrypts the data by using the key group of the receiving terminal device, and verifies the signature of the data by using the public key of the sending terminal device.
At block 407, the terminal device determines whether the time period of the time update key is expired. If yes, the procedure goes to block 408; if no, the procedure goes to block 406.
At block 408, the terminal device stops generating the key group.
In at least one embodiment, the method further includes: the time update key is generated at the regular time interval until a command to stop generating the time update key is received or until the terminal device logs out.
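The key lifecycle of blocks 402 to 408 can be modelled as follows; this is an added example, not code from the disclosure. It assumes HMAC-SHA256 as the "hash algorithm", a master secret held by the key generation device, a key group collapsed into one digest, and hypothetical function names and a constructed identifier.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

MASTER = b"constructed-kgc-master-secret"  # assumption: held only by the key generation device

def initial_secret_key(identifier: str) -> bytes:
    # Block 402: derived from the terminal's unique identifier.
    return hmac.new(MASTER, b"init|" + identifier.encode(), hashlib.sha256).digest()

def time_update_key(identifier: str, start: datetime, end: datetime) -> dict:
    # Block 402: carries the identifier and the time period, bound together by a tag.
    msg = f"time|{identifier}|{start.isoformat()}|{end.isoformat()}".encode()
    tag = hmac.new(MASTER, msg, hashlib.sha256).digest()
    return {"id": identifier, "start": start, "end": end, "tag": tag}

def is_expired(tuk: dict, now: datetime) -> bool:
    # Block 407: the period is half-open, so the end instant itself counts as expired.
    return not (tuk["start"] <= now < tuk["end"])

def key_group(identifier, isk, tuk, private_key, now):
    # Blocks 405 and 408: combine the three parts, or refuse once the period is over.
    if tuk["id"] != identifier or is_expired(tuk, now):
        return None
    h = hashlib.sha256()
    for part in (isk, tuk["tag"], private_key):
        h.update(len(part).to_bytes(2, "big") + part)  # length prefix keeps parts unambiguous
    return h.digest()

def demo():
    ident = "terminal-01@example.test"  # constructed identifier
    private = hashlib.sha256(b"preset secret value").digest()  # block 404 stand-in
    isk = initial_secret_key(ident)
    p1 = (datetime(2015, 1, 1, 6), datetime(2015, 1, 30, 6))
    p2 = (p1[1], p1[1] + timedelta(days=29))  # interval length equals period length
    t1, t2 = time_update_key(ident, *p1), time_update_key(ident, *p2)
    mid, boundary = datetime(2015, 1, 15), p1[1]
    return {
        "active": key_group(ident, isk, t1, private, mid),
        "at_boundary_old": key_group(ident, isk, t1, private, boundary),
        "at_boundary_new": key_group(ident, isk, t2, private, boundary),
        "wrong_terminal": key_group("other", isk, t1, private, mid),
    }

if __name__ == "__main__":
    print({k: (v.hex()[:16] if v else None) for k, v in demo().items()})
```

The `at_boundary_old` case is the revocation path: if the key generation device stops issuing, the terminal holds only the expired time update key and obtains no key group. A time update key observed on the unencrypted channel does not yield the key group, because the initial secret key and the private key are also required.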
It is believed that the present embodiments and their advantages will be understood from the foregoing description, and it will be apparent that various changes may be made thereto without departing from the spirit and scope of the disclosure or sacrificing all of its material advantages, the examples hereinbefore described merely being exemplary embodiments of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
104113792 | Apr 2015 | TW | national |