[0046] The present invention provides a digital certificate security lock device with an audio plug (also called a universal audio interface KEY, abbreviated A-KEY), which cooperates with a communication terminal having an audio interface to authenticate the user's identity and to securely access services or application systems such as online banking systems.
[0047] As shown in Figure 1, the digital certificate security lock device 100 of the present invention includes a universal encryption and digital signature microcontroller 10, a first modem module 20 and an audio plug 30. The universal encryption and digital signature microcontroller 10 is provided with an encryption and digital signature module 12 and a memory (not shown in the figure) for storing digital certificates, keys, and encryption and decryption algorithms. The audio plug 30 includes a microphone (MIC) pole 32 and a first channel pole 34 (for example, the left or right channel pole). As one option, the audio plug 30 may be an integrated headset plug; as another option, it may be a split plug in which the earphone plug and the microphone (MIC) plug are separate. On the integrated headset plug, the MIC pole 32 and the left and/or right channel poles are all arranged on the same pin and are isolated from each other by insulating material. On the split plug, the MIC pole 32 is on the MIC plug, and the left and/or right channel poles are on the earphone plug, again isolated from each other by insulating material.
[0048] In operation, the first modem module 20 modulates the data information coming from the encryption and digital signature module 12 so that it can be sent out through the MIC pole 32 of the audio plug, and demodulates the signal received from the first channel pole 34 of the audio plug to recover data information, which it then passes to the encryption and digital signature module 12.
[0049] Figure 2A is a schematic structural diagram of a digital certificate security lock device 100A according to the first embodiment of the present invention. As shown in Figure 1, the digital certificate security lock device 100A includes a universal encryption and digital signature microcontroller 10, a first modem module 20, an audio plug 30 and a power collector 52. The microcontroller 10 is provided with an encryption and digital signature module 12 and a memory (not shown in the figure) in which digital certificates, their keys, and encryption and decryption algorithms are stored. The first modem module 20 includes a first communication microcontroller 22, a low-pass filter circuit 24 and an AC coupling circuit 26. The first communication microcontroller 22 is provided with an audio encoding module 22a and an audio decoding module 22b for encoding and decoding audio signals. The audio plug 30 includes a MIC pole 32, a right audio channel pole 34a and a left audio channel pole 34b.
[0050] The universal encryption and digital signature microcontroller 10 is communicatively connected with the first communication microcontroller 22, for example through a UART interface, a USB interface, an I2C interface or another applicable communication interface. The output end of the first communication microcontroller 22 is connected to the MIC pole 32 of the audio plug through the low-pass filter circuit 24, and the input end of the first communication microcontroller 22 is connected to the right channel pole 34a of the audio plug 30 through the AC coupling circuit 26. The power collector 52 is connected to the left audio channel pole 34b of the audio plug 30 and is used to draw power from the connected communication terminal so as to supply the digital certificate security lock device.
[0051] It should be noted that although Figure 2A shows the AC coupling circuit 26 connected to the right channel pole 34a and the power collector 52 connected to the left channel pole 34b, the present invention is not limited thereto; as an alternative, the AC coupling circuit 26 can be connected to the left channel pole 34b and the power collector 52 to the right channel pole 34a. One of the right channel pole 34a and the left channel pole 34b can thus be designated the first channel pole and the other the second channel pole.
[0052] Figure 2B is a schematic structural diagram of a digital certificate security lock device 100B according to the second embodiment of the present invention. The device of Figure 2B has the same structure as the digital certificate security lock device 100A of Figure 2A, except that a battery 54 replaces the power collector 52 as the power supply. In addition, in the embodiment of Figure 2B the AC coupling circuit 44 may be connected to either the right channel pole or the left channel pole, so in Figure 2B the right channel pole 34a or the left channel pole 34b is referred to collectively as the right or left channel pole 34.
[0053] Figure 3A is a schematic structural diagram of a digital certificate security lock device 100C according to the third embodiment of the present invention. It differs from the embodiment of Figure 2A in that the audio codec module is integrated in the universal encryption and digital signature microcontroller 10, so that one microcontroller is saved compared with the embodiment of Figure 2A. As shown in Figure 3A, in the digital certificate security lock device 100C the universal encryption and digital signature microcontroller 10 not only includes the encryption and digital signature module 12 but also integrates a first audio signal codec module 28. The output signal of the first audio signal codec module 28 is transmitted from the output terminal of the universal encryption and digital signature microcontroller 10 through the low-pass filter circuit 24 to the MIC pole 32 of the audio plug 30, and the first audio signal codec module 28 receives signals at the input of the universal encryption and digital signature microcontroller 10 through the AC coupling circuit 26 from the right channel pole 34a of the audio plug 30. The power collector 52 is connected to the left audio channel pole 34b of the audio plug 30 and is used to draw power from the connected communication terminal so as to supply the digital certificate security lock device.
[0054] It should be noted that although Figure 3A shows the AC coupling circuit 26 connected to the right channel pole 34a and the power collector 52 connected to the left channel pole 34b, the present invention is not limited thereto; as an alternative, the AC coupling circuit 26 can be connected to the left channel pole 34b and the power collector 52 to the right channel pole 34a. One of the right channel pole 34a and the left channel pole 34b can thus be designated the first channel pole and the other the second channel pole.
[0055] Figure 3B is a schematic structural diagram of a digital certificate security lock device 100D according to the fourth embodiment of the present invention. The device of Figure 3B has the same structure as the digital certificate security lock device 100C of Figure 3A, except that a battery 54 replaces the power collector 52 as the power supply. In addition, in the embodiment of Figure 3B the AC coupling circuit 44 may be connected to either the right channel pole or the left channel pole, so in Figure 3B the right channel pole 34a or the left channel pole 34b is referred to collectively as the right or left channel pole 34.
[0056] Figure 4A is a schematic structural diagram of a digital certificate security lock device 100E according to the fifth embodiment of the present invention. It differs from the embodiment of Figure 2A in that the low-pass filter circuit 24 is replaced by a digital-to-analog converter (DAC) 23a and the AC coupling circuit 26 is replaced by an analog-to-digital converter (ADC) 23b; otherwise it has the same structure as the digital certificate security lock device 100A of Figure 2A.
[0057] In Figure 4A, the dotted box around the ADC 23b indicates that this component is optional. In other embodiments the ADC 23b may be omitted, and the input end of the first communication microcontroller 22 is connected directly to the right channel pole 34a of the audio plug 30.
[0058] Figure 4B is a schematic structural diagram of a digital certificate security lock device 100F according to the sixth embodiment of the present invention. It differs from the embodiment of Figure 3B in that the low-pass filter circuit 24 is replaced by a digital-to-analog converter (DAC) 23a and the AC coupling circuit 26 is replaced by an analog-to-digital converter (ADC) 23b; otherwise it has the same structure as the digital certificate security lock device 100A of Figure 2A.
[0059] In Figure 4A, the dotted box around the ADC 23b indicates that this component is optional. In other embodiments the ADC 23b may be omitted, and the input end of the first communication microcontroller 22 is connected directly to the right channel pole 34a of the audio plug 30.
[0060] It should be noted that although the embodiments shown in Figures 2A, 2B, 3A, 3B, 4A and 4B all include a built-in power collector 52 or battery 54, as is known to those skilled in the art the digital certificate security lock device can also be powered by an external power source instead of the built-in power collector 52 or battery 54.
[0061] In operation, the audio plug of the digital certificate security lock device of any of the above embodiments is inserted into the audio interface of the corresponding communication terminal, and the modulated data information can then be transmitted to the communication terminal (such as a mobile phone, tablet computer, personal digital assistant or desktop computer). The second modem module configured in the communication terminal processes the signal to recover the original data information. This is described in detail below with reference to Figures 5, 6A, 6B and 7.
[0062] Figure 5 is a schematic structural diagram of the digital certificate authentication system of the present invention. As shown in Figure 5, the digital certificate authentication system includes a digital certificate security lock device 100 (for example, one of the digital certificate security lock devices 100, 100A, 100B, 100C, 100D, 100E and 100F shown in Figures 1 to 4B), a mobile communication terminal 200, an authentication server 300 and a communication network 400. The mobile communication terminal 200 includes an audio interface 202, a second modem module 204 and a communication module 206, as well as the functional modules or devices that a conventional mobile communication terminal has but which are not shown in the figure, such as processors, memory, and input and output devices.
[0063] In operation, the audio plug 30 of the digital certificate security lock device 100 is connected to the audio interface 202 of the mobile communication terminal 200 (that is, the audio plug 30 is inserted into the audio interface 202), and the mobile communication terminal 200 is communicatively connected with the authentication server 300 via the communication module 206 through the communication network 400. The second modem module 204 demodulates the audio signal received by the audio interface 202 and sends the result to the communication module 206, and modulates the signal received from the communication module 206 into a modulated audio signal which it sends to the digital certificate security lock device 100 through the audio interface 202.
[0064] Figure 6A is a schematic structural diagram of the first embodiment of the digital certificate authentication system of the present invention. As shown in Figure 6A, the digital certificate authentication system includes a digital certificate security lock device 100 (for example, one of the digital certificate security lock devices 100, 100A, 100B, 100C, 100D, 100E and 100F shown in Figures 1 to 4B), a mobile communication terminal 200, an authentication server 300 and a communication network 400. The mobile communication terminal 200 includes an audio interface 202, a second communication microcontroller 204a for encoding and decoding audio signals, and a communication module 206, as well as the functional modules or devices that a conventional mobile communication terminal has but which are not shown in the figure, such as processors, memory, and input and output devices.
[0065] In operation, the audio plug 30 of the digital certificate security lock device 100 is connected to the audio interface 202 of the mobile communication terminal 200 (that is, the audio plug 30 is inserted into the audio interface 202), and the mobile communication terminal 200 is communicatively connected with the authentication server 300 via the communication module 206 through the communication network 400. The second communication microcontroller 204a decodes the audio signal received by the audio interface 202 and sends the result to the communication module 206, and encodes the signal received from the communication module 206 into an encoded audio signal which is then transmitted to the digital certificate security lock device 100 through the audio interface 202.
[0066] Figure 6B is a schematic structural diagram of the second embodiment of the digital certificate authentication system of the present invention. As shown in Figure 6, the digital certificate authentication system includes a digital certificate security lock device 100 (for example, one of the digital certificate security lock devices 100, 100A, 100B, 100C, 100D, 100E and 100F shown in Figures 1 to 4B), a desktop computer 200', an authentication server 300 and a communication network 400. The desktop computer 200' includes an audio interface consisting of a MIC interface 202a and a headphone interface 202b, a second audio signal codec module 204b for encoding and decoding audio signals, and a communication module 206, as well as the functional modules or devices that a conventional computer has but which are not shown in the figure, such as processors, memory, and input and output devices. In this embodiment, the audio plug of the digital certificate security lock device 100 consists of a separate MIC plug 32' and earphone plug 34'.
[0067] In operation, the audio plug of the digital certificate security lock device 100 is connected to the audio interface of the desktop computer 200' (that is, the MIC plug 32' is inserted into the MIC interface 202a and the earphone plug 34' into the earphone interface 202b), and the desktop computer 200' communicates with the authentication server 300 via the communication module 206 through the communication network 400. The second audio signal codec module 204' decodes the audio signal received from the MIC interface 202a and transmits the result to the communication module 206, and encodes the signal received from the communication module 206 into an encoded audio signal which is then transmitted to the digital certificate security lock device 100 through the earphone interface 202b.
[0068] In the above embodiments, the authentication server 300 is a server for online banking, which includes an online banking web server 302 and an application server 304 communicatively connected to it, the application server 304 in turn being communicatively connected to a database 306. For online banking applications, the corresponding online banking software needs to be installed on the communication terminal (such as the desktop computer 200' or the mobile communication terminal 200).
[0069] The authentication server 300 can also be an authentication server for other purposes, for example an authentication server that verifies identity when branch personnel of a multinational or regional group company log in remotely to the head office database, or when the user of an application logs in to the software provider's website for software upgrades or to report data; a corporate VPN server; a financial middleware server; an e-commerce website login authentication server; and so on.
[0070] It should be noted that the mobile communication terminal 200 in the embodiments of Figures 5 and 6A may be a portable communication terminal such as a mobile phone, a tablet computer or a personal digital assistant. In the embodiment of Figure 6A, the second communication microcontroller 204a can also be replaced by the second audio signal codec module 204b; in the embodiment of Figure 6B, the second audio signal codec module 204b can also be replaced by the second communication microcontroller 204a.
[0071] In addition, in the various embodiments, whether the audio plug is an integrated headset plug or a split MIC plug and earphone plug is determined by the type of audio interface on the connected communication terminal. The specification of the audio plug (for example, 2.5 mm or 3.5 mm) is likewise determined by the audio interface type of the connected communication terminal.
[0072] It should also be noted that the above-mentioned audio encoding module 22a, audio decoding module 22b, first audio signal codec module 28 and second audio signal codec module 204b can be implemented in software, hardware, firmware, or a combination of software and hardware.
[0073] For example, the codec program residing on the digital certificate security lock device is written in the programming language of the microcontroller and resides in the microcontroller's code memory together with the other control processes. It is also possible to design an independent codec chip that implements the codec algorithm. The audio codec can be implemented with a TI MSP430 series ultra-low-power microcontroller. Using the GPIO, timer and comparator of the microcontroller, the GPIO is driven to output a specific waveform, which after low-pass filtering yields a signal suitable for the audio channel and is sent to the MIC pole. The audio signal arriving from the left channel pole reaches the GPIO and comparator of the MSP430 after AC coupling; the comparator determines whether the waveform is rising or falling by comparison against a Vcc/2 reference, and the result is decoded as 0 or 1.
[0074] Likewise, the function of the second communication controller in the communication terminal can be realized in software running as a software process on the mobile phone. It can also take the form of an operating system module or driver of the communication terminal, residing in the terminal's operating system firmware storage area. For example, a smartphone running the Android operating system obtains the audio sample values recorded from the MIC pole through the AudioRecord class, and recovers 0 or 1 by judging the sign of the sample values and whether the audio waveform is rising or falling. For transmission, a different frequency is selected according to whether the bit to be output is 1 or 0, the PCM values of the corresponding frequency are computed with a sine function, and the AudioTrack class provided by the Android platform is used to play the PCM data on the left channel.
[0075] In addition, the communication module 206 may be a wired communication module or a wireless communication module, and the communication network may be a wired communication network, a wireless communication network, or a combination of a wired communication network and a wireless communication network.
[0076] Figure 7 is a flow chart of the digital certificate authentication method of the present invention. As shown in Figure 7, in step 702 the communication terminal issues a login request and transmits it to the authentication server through the communication network. In step 704, having received the login request over the communication network, the authentication server returns a response signal containing a data string. In step 706, the second modem module in the communication terminal modulates the received data string. In step 708, the communication terminal transmits the modulated signal carrying the data string to the digital certificate security lock device through the audio interface. In step 710, the first modem module in the digital certificate security lock device demodulates the received signal and recovers the data string. In step 712, the encryption and digital signature module in the digital certificate security lock device encrypts and signs the data string to obtain an encrypted signature result string. In step 714, the first modem module in the digital certificate security lock device encodes the encrypted signature result string into a modulated signal. In step 716, the digital certificate security lock device returns the modulated signal carrying the encrypted signature result string to the communication terminal through the audio interface. In step 718, the second modem module in the communication terminal demodulates the received signal to recover the encrypted signature result string and sends it to the authentication server through the communication network for verification. After the authentication server has verified the encrypted signature result string, in step 720 the login verification result is returned to the communication terminal.
[0077] In the present invention, the encrypted signature processing in the digital certificate security lock device and the verification processing in the authentication server are compatible with the procedures and methods of the prior art, so they are not repeated here.
[0078] To help understand the present invention, the following examples are given.
[0079] The digital certificate security lock device of the present invention (also called a universal audio interface KEY, abbreviated A-KEY) is equipped with a digital certificate encryption and signature microcontroller, and the audio interface KEY is connected to a communication terminal through the audio interface. A software development kit (SDK) is provided to the developers of banking software for the communication terminal. The communication terminal software developer calls a function in the SDK; this function combines the incoming data with a command word to form a bit stream, and then sends the bit stream signal to the earphone output of the audio interface. The communication microcontroller (MCU) reads the Manchester-coded signal (optionally a MODEM-modulated signal) from the left audio channel (optionally the right channel), decides 0 or 1 by comparison against the intermediate voltage, and feeds the result as the UART RX input to the universal encryption and signature microcontroller. The communication MCU also encodes the output signal of the universal encryption and signature microcontroller into a Manchester signal (optionally a MODEM-modulated signal) and outputs it, after low-pass filtering, to the microphone (MIC) interface.
[0080] Since the digital certificate security lock device of the present invention is connected through its audio interface to the earphone output of the communication terminal, it can read the signal and, after decoding it, obtain the command word and command data. According to the command word, the command data are processed with a known message digest algorithm (such as MD5 or SHA1) to perform a digest operation, a signature operation or a 3-DES encryption operation. The result of the operation is then formed into a bit stream, which is sent as a signal to the MIC interface of the audio interface. The SDK software on the communication terminal provides the resulting bit stream data received on the MIC input to the banking software installed on the communication terminal. The banking software can then send the data signed by the external independent encryption hardware (that is, the digital certificate security lock device of the present invention) to the bank's communication server to carry out functions such as transfer, remittance and inquiry required by the transaction.
[0081] Specifically, the digital certificate security lock device has an audio interface plug which can be inserted into the audio interface of the communication terminal. In use, the audio plug is inserted into the audio interface of the communication terminal and the user selects login in the terminal's application software. The banking software of the communication terminal sends an authentication request to the authentication server and receives a data string response signal. The terminal encodes the data string response signal and sends it to the digital certificate security lock device, which decodes the received audio, encrypts the data with the bank's public key and signs it with the user's private key, encodes the encrypted signature result and transmits it to the bank software of the communication terminal. The software reads the decoded operation result from the digital certificate security lock device and sends it to the bank's authentication server. The bank authentication server decrypts with its private key and verifies the signature with the user's public key to determine whether the user is legitimate, and the secure login is complete. Other functions such as transfer, remittance and inquiry can undergo similar security verification and signing.
[0082] In the present invention, the communication microcontroller has two main functions: a) it completes the modulation and demodulation between the audio signal and the digital signal; b) it forwards the digital signal to the universal encryption and digital signature microcontroller. For example, the request sent from the communication terminal asks for an MD5 calculation over a piece of data. The communication microcontroller obtains the audio signal from the left channel, compares the signal level to obtain a stream of 0 and 1 bits, then formats it as a request to the universal digital signature and encryption microcontroller and sends it to that microcontroller's USB port. The universal digital signature and encryption microcontroller obtains the MD5 request command and the data to be processed from its USB input, and computes the MD5 digest of the data with its internal built-in MD5 algorithm.
[0083] The universal encryption and digital signature microcontroller actually contains a smart card chip and a FLASH memory. The smart card chip implements in hardware the MD5 or SHA1 digest algorithms, as well as the public-key infrastructure (PKI) algorithms for signing, signature verification, data encryption and data decryption. For security, the user's digital certificate (public key), private key and related data are stored in the FLASH memory of the universal encryption and digital signature microcontroller. In this way, the algorithm programs, certificates, private keys and other data required by PKI are stored independently in this hardware, which protects them against hacker attacks.
[0084] For example, the audio encoder needs to encode the digital 0 and 1 signal into an audio-frequency signal (20 to 20000 Hz) that can be transmitted over the audio line. The digital signal can be encoded as a Manchester-coded audio signal, or as a Bell 202 MODEM signal (http://en.wikipedia.org/wiki/Bell_202_modem). The audio decoder performs the reverse process. This function can also be implemented by the communication microcontroller: for example, the audio encoder and decoder can be audio encoding and decoding programs running on the communication microcontroller, or an audio codec program fixed in the communication microcontroller, or a hardware audio codec. Many encoding and decoding algorithms are available, such as Manchester code, Morse code, and the modulation used by the MODEMs of dial-up Internet access.
[0085] Corresponding audio encoders and decoders are also provided on the communication terminal. For example, the audio encoder and decoder can be audio encoding and decoding programs running on the communication terminal, or an audio codec program fixed on the communication terminal, or a hardware audio codec. The encoder turns a 0 into 10 and a 1 into 01, then sends the resulting sequence of 10, 01, etc. to the digital-to-analog converter, from which it passes over the left channel to the digital certificate security lock device.
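The Manchester link of paragraphs [0073], [0074] and [0085], as an added example that is not part of the patent: the terminal side turns bytes into PCM (0 becomes 10, 1 becomes 01, one level per chip), the line adds a DC bias and noise, and the A-KEY side AC-couples, slices at the mid-rail and decodes each bit from its mid-bit edge. The sample rate, chip length, PCM levels and the channel model are constructed assumptions; a frame with no mid-bit transition is rejected as corrupt rather than decoded.

```python
import random

SAMPLES_PER_CHIP = 16        # constructed: at 44.1 kHz this is a ~2.76 kHz chip rate, inside the audio band
HIGH, LOW = 20000, -20000    # constructed 16-bit PCM levels for a '1' chip and a '0' chip


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list, e.g. b'\\x80' -> [1, 0, 0, 0, 0, 0, 0, 0]."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8: lost sync")
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def manchester_encode(bits: list) -> list:
    """Bit 0 -> chips [1, 0] (falling edge mid-bit), bit 1 -> chips [0, 1] (rising edge)."""
    chips = []
    for b in bits:
        chips.extend((0, 1) if b else (1, 0))
    return chips


def chips_to_pcm(chips: list) -> list:
    """DAC side: hold each chip level for SAMPLES_PER_CHIP samples (a square wave)."""
    pcm = []
    for c in chips:
        pcm.extend([HIGH if c else LOW] * SAMPLES_PER_CHIP)
    return pcm


def audio_channel(pcm: list, dc_offset: int = 9000, noise: int = 3000, seed: int = 1) -> list:
    """Constructed model of the headphone line: a DC bias plus bounded, seeded noise."""
    rng = random.Random(seed)
    return [s + dc_offset + rng.randint(-noise, noise) for s in pcm]


def ac_couple(samples: list) -> list:
    """AC coupling circuit: strip the DC component. Manchester is DC-balanced (every bit
    carries one high and one low chip), so the frame mean is exactly the bias to remove."""
    if not samples:
        return []
    mean = sum(samples) / len(samples)
    return [s - mean for s in samples]


def comparator(samples: list, threshold: float = 0.0) -> list:
    """Comparator at the mid-rail (Vcc/2 on the device, 0 for signed PCM): one logic
    level per chip, sampled at the centre of each chip period."""
    return [1 if samples[i] > threshold else 0
            for i in range(SAMPLES_PER_CHIP // 2, len(samples), SAMPLES_PER_CHIP)]


def manchester_decode(chips: list) -> list:
    """The mid-bit edge decides the bit: high->low is 0, low->high is 1. Two equal chips
    (00 or 11) cannot occur in a valid frame and are reported as corruption."""
    if len(chips) % 2:
        raise ValueError("odd chip count: lost sync")
    bits = []
    for i in range(0, len(chips), 2):
        first, second = chips[i], chips[i + 1]
        if first == second:
            raise ValueError(f"no mid-bit transition at chip {i}: corrupted or out of sync")
        bits.append(second)      # [0, 1] -> 1, [1, 0] -> 0
    return bits


def send(data: bytes) -> list:
    """Terminal side (AudioTrack on Android in the text): bytes -> PCM for the channel pole."""
    return chips_to_pcm(manchester_encode(bytes_to_bits(data)))


def receive(samples: list) -> bytes:
    """A-KEY side: AC coupling -> comparator -> Manchester decode -> bytes."""
    return bits_to_bytes(manchester_decode(comparator(ac_couple(samples))))


if __name__ == "__main__":
    challenge = b"123456789"             # the random number used in the login example
    print(receive(audio_channel(send(challenge))))   # b'123456789'
```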
[0086] An example of the necessary process for user login is given below:
[0087] a) The communication terminal sends a login request to the login server;
[0088] b) The server returns a random number "123456789";
[0089] c) After the communication terminal obtains the random number, it hands it to the audio encoder on the communication terminal, which encodes it and plays it on the left channel;
[0090] d) The communication microcontroller of the A-KEY obtains the audio signal from the left channel, decodes it into a digital signal, and transmits the digital signal to the USB input of the universal encryption and digital signature microcontroller;
[0091] e) The universal encryption and digital signature microcontroller of the A-KEY performs a private key encryption operation on the random number "123456789" and outputs the result "25d55ad283aa400af464c76d713c07ad" on its interface;
[0092] f) The communication microcontroller of the A-KEY obtains the signature result over USB, encodes it, and sends it to the MIC interface;
[0093] g) The audio decoding software running on the communication terminal obtains the audio signal from the MIC, decodes it into the digital data "25d55ad283aa400af464c76d713c07ad", and sends this data to the login server;
[0094] h) The login server receives the data "25d55ad283aa400af464c76d713c07ad" and decrypts it with the user's public key. If decryption succeeds, the user is the one declared in the public key certificate, and the login succeeds.
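The login flow of steps a) to h) above (steps 702 to 720 of Figure 7), as an added example that is not code from the patent: the server issues a fresh random challenge, the terminal only relays, the A-KEY signs with a private key that never leaves it, and the server verifies with the enrolled public key and consumes the challenge so a captured result string cannot be presented twice. The class and function names are assumptions, the audio codec is left out, and the key is a constructed toy (textbook RSA over a SHA-256 digest, modulus built from two Mersenne primes) standing in for the padded signature scheme of the smart card chip.

```python
import hashlib
import secrets

# Constructed toy key so the block runs on the standard library alone: textbook (unpadded)
# RSA over a SHA-256 digest, modulus from two known Mersenne primes. The real device's
# smart card chip would use a padded signature scheme; only the protocol flow is the point.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
TOY_N = _P * _Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))


def _digest_int(data: bytes) -> int:
    """Hash the challenge first; the 256-bit digest is what gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class AKey:
    """The universal encryption and digital signature microcontroller: holds the private
    key and only ever returns signatures (step e)."""

    def __init__(self, d: int, n: int):
        self._d, self._n = d, n

    def sign(self, challenge: bytes) -> str:
        # "private key encryption" in the patent's wording: s = H(challenge)^d mod n, as hex
        return format(pow(_digest_int(challenge), self._d, self._n), "x")


class LoginServer:
    """Authentication server: issues challenges (step b) and verifies results (step h)."""

    def __init__(self, enrolled: dict):
        self._enrolled = enrolled    # user id -> (e, n) taken from the user's certificate
        self._pending = {}           # user id -> outstanding challenge, single use

    def login_request(self, user: str) -> bytes:
        if user not in self._enrolled:
            raise KeyError("unknown user")
        challenge = secrets.token_bytes(16)   # fresh per request; 16 bytes is a constructed choice
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, signature_hex: str) -> bool:
        # The challenge is consumed whether or not verification succeeds, so a captured
        # result string is useless after the first presentation.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        e, n = self._enrolled[user]
        try:
            s = int(signature_hex, 16)
        except ValueError:
            return False
        if not 0 < s < n:
            return False
        return pow(s, e, n) == _digest_int(challenge)


def login(server: LoginServer, user: str, akey: AKey) -> bool:
    """Steps a) to h) with the communication terminal acting purely as a relay."""
    challenge = server.login_request(user)      # a), b)
    result = akey.sign(challenge)               # c) to f): audio codec omitted here
    return server.verify(user, result)          # g), h)


if __name__ == "__main__":
    server = LoginServer({"user1": (TOY_E, TOY_N)})
    print(login(server, "user1", AKey(TOY_D, TOY_N)))   # True
```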
[0095] In summary, the present invention relates to an external component of a communication terminal (that is, a digital certificate security lock device) which realizes a hardware digital signature through the universal audio interface and serves as an independent hardware security key when the communication terminal performs operations such as login, payment and shopping, so that the communication terminal achieves a security level similar to that of a personal computer. The invention mainly solves the problem of the limited range of application of current USB KEYs. In addition, the present invention relates to a digital certificate authentication system including the digital certificate security lock device, and a digital certificate authentication method using the digital certificate security lock device.