基于USBKey的软件保护增强策略研究

1 The HASP-HL Crack SolutionHASP-HL is the current protection hardware by Aladdin Knowledge Systems. This document explains how to crack and bypass the security of HASP-HL – “their so-called Next Generation of Software Protection”.2 HASP-HL EnvelopeThe envelope encryption is done via a graphical user interface as shown in Figure 1. The encryption options are set by default to provide a high level of security. The selection of additional options (more encryption/anti debug modules, detection of user mode and system mode debuggers) has no influence on the analysis and mainly increases the size of the resulting executable and the startup time. Within the analysis there are no noticeable effects of these additional settings.Figure 1 Automatic encryption window of HASP-HLThe Encryption itself encrypts code and data. Resources are not encrypted even if the resource section is included in the list of sections to be encrypted. The Import Address Table (IAT) is encrypted and some APIs are redirected to the security engine (see also the detailed list of the redirected 633 APIs in the appendix). For the runtime check a separate thread is initiated. Anti debugging measures are in place which are mainly active at program startup time. Once the Security engine has decrypted the program it can be dumped to disk. After the IAT of the dump is restored and the program is reset to the Original Entry Point (OEP) the executable can be run without the HASP-HL.2.1 Locating the Original Entry Point (OEP)The OEP can be located using the standard hacker tool OllyDbg. Due to anti-debug measures some hardening of the debugger is required.2.1.1 Installing OllyDbg and the necessary pluginsOllyDbg is copied into a separate directory. There is no dedicated installation necessary. OllyDbg can be obtained from various websites including the homepage of OllyDbg:http://www.ollydbg.de/The current version 1.10 is the preferred version.To analyze HASP-HL it is necessary to install two plugins into OllyDbg: IsDebuggerPresent and OllyDump. These plugins are available from:/stuph/The plugins are simply copied into the same directory as OllyDbg.2.1.2 Hardening OllyDbgOllyDbg will be recognized by one of the several text references to OllyDbg inside the code. The usual way to evade this kind of debugger detection is to replace all occurrences of the string OllyDbg inside the executable to something else with the same length. Also the filename of the executable should be changed to this alternate name. Due to the structure of the plugins it is necessary to keep an original copy of OllyDbg in the same directory as the modified version. The string replacement can be done with any usual hex-editor.2.1.3 Setting the optionsStart the hardened OllyDbg (here for simplicity still referenced as OllyDbg) and choose from the menu Options / Debugging Options. In the options dialog select the SFX-tab and select “Extend code section to include extractor”, “Stop at entry of self-extractor”, and “Pass exceptions to SFX extractor” as shown in Figure 2.Figure 2: OllyDbg SFX DialogAs shown in Figure 3, in the tab Exceptions select mostly everything that can be selected. This will disarm some anti-debugging involving illegal opcodes, illegal memory accesses, and some more.Figure 3: OllyDbg Exceptions Dialog2.1.4 Tracing the OEPNow load the protected application into the debugger using the File / Open from the menu. Be sure to have the original HASP-HL dongle attached to the computer when loading the program. After a short analysis and two warnings about encrypted programs etc. the debugger should halt on the entry point of the application. Turn on the debugger hiding by selecting “Plugins / IsDebuggerPresent / Hide”. Alternatively you can set the “autohide” in Options Menu of the IsDebuggerPresent plugin. Switch to the hexdump section and go to the address of “ExitProcess” in Kernel32. To go to this Address use “<Ctrl> G” or the context menu. The entered Address is case sensitive. Select left topmost byte with the left mouse button. Then set a hardware breakpoint by clicking right, choosing “Breakpoint / Hardware on write / Byte”. Now run the program using <F9> until it hits the breakpoint. Switch to the memory window by hitting “<Alt> M” or selection “View / Memory” from the menu and highlight the code section (usually named “text”) of the protected program by left clicking it. Set a breakpoint on the section with <F2>. Your screen should look somewhat like Figure 4.Figure 4: OllyDbg with Breakpoint on code sectionIf you <F9> (Run) now the Debugger will put the program at the Original Entry Point (OEP). To get the relative entry point from the module start the module base (address of PE header) from the “Memory” window has to be subtracted. In this case 1,000,000. This OEP is needed in the next steps. Please leave the window open as it is still needed for the dump.2.2 Dumping the ExecutableOnce the program is halted at the Original Entry Point (OEP) the program can be dumped to disk. To do this click right into the disassembler window and select “Dump debugged process”. A dialog pops up in which you can save the program to disk. Please uncheck the “Rebuild Import” checkbox as this will not work correctly in this case. The entry point should be set automatically to the correct OEP. Otherwise please correct. The other setting should not be changed from the default values.2.3 Rebuilding the ExecutableTo rebuild the executable it is necessary to create a new Import Address Table (IAT). The original table has been destroyed by the encryptor and the links are rebuilt in real-time by the startup code of the protection engine. The rebuilding process can be managed using another standard hacker tool (Import Reconstructor, ImpRec).2.3.1 Installing ImpRecImpRec can be obtained from a number of pages including/mackt/projects/imprec/ucfir16f.zipImpRec does not require a dedicated installation. To install it copy it into an appropriate directory.Be sure to select the Option “Fix EP to OEP” in the options menu (Figure 5)Figure 5: ImRec Options Menu2.3.2 Rebuilding the IATStart the protected application. Once it is running start ImpRec. If ImpRec is running at program startup it will be detected as a Debugger. Do not forget to connect the dongle.Attach ImpRec to the running process by selecting the correct entry in the drop down list.Enter the OEP calculated above and hit the button “IAT AutoSearch”. The button “Get Imports” delivers the list of imported APIs with still some entries invalid. To see the invalid entries hit the button “Show Invalid”. This should result in a list similar to the list below (Figure 6) with some entries (in this case 74) are highlighted. As the following process might involve some iterations hit the “Save Tree” and store the results found so far in a text file. After restarting ImpRec and re-attaching to the executable this file can be loaded using “Load Tree”.Figure 6: ImpRec invalid entriesNow right click on an invalid API and select “Trace Level3 (Trap Flag)”. ImpRec should now resolve the invalid APIs one by one. Eventually the protected application will terminate or ImpRec is “unable to initialize the tracer”. In this case save the tree again, exit ImpRec, restart the application, restart ImpRec, Attach to the process, load the tree, hit “Show Invalid”, and manually deselect the first invalid entry (<Ctrl> <left click>) to stop ImpRec from resolving this entry again. If you have to restart multiply, you should successively deselect all problematic entries. With HASP-HL 1.20 there should be a maximum of 3 different problematic entries (out of several hundred redirected entries). The problematic entries are:1.GetVersion2.GetProcAddress3.ExitProcess2.3.3 Resolving the problematic 3 entriesResolving these three entries requires either a little trial and error or a short debugging session. For the invalid entries ImpRec offers the Address to which the API has been redirected. In the example below (Figure 7) it would be the address “011D368”. In a new debugger session (the old one will be detected as a debugger session because of the long delay) the address should be entered as a hardware breakpoint by calling <Ctrl G> in the disassembler window and than setting a hardware breakpoint on execution using a right click. A hardware breakpoint is needed here as the code has still to be decrypted. If a breakpoint occurs a short inspection reveals the correct entry. “GetVersion” is usually called at the beginning. “GetProcAddress” has the Address of an API and a module handle on the stack (lower right in the CPU windows, see Figure 8, were the entry “RegisterPenApp” and a reference to kerner32 is passed on the stack). “ExitProcess” is called to terminate the program. In Delphi-applications some of these APIs can be referenced multiply. If all APIs have been identified they can be entered in ImpRec by double clicking the respective invalid API. A list of possible APIs pops up and the correct one can be selected (see Figure 9). This leads to a completed import tree.Figure 7: Address of redirected functionFigure 8: Resolving additional APIsFigure 9: Selecting a resolved API2.3.4 Fixing the executableAfter all invalid entries have been fixed the dump can be adjusted to contain the correct OEP and a correct IAT. To fix the executable it is positively necessary to have ImpRec attached to the running program. Again due to debugger detection ImpRec has to be started after the protected program. If necessary load the completed tree file. Now hit the button “FixDump” and select the dump created in step 2.2 using OllyDebug. The new executable will contain an appended underscore and should be able to be run without a HASP-HL dongle.3 ConclusionThe automatic protection by HASP-HL from Aladdin knowledge systems provides a limited protection that can be removed with some experience and prior knowledge within a few minutes of time. If no dongle is available a restoration is not possible due to the encryption. The large number of redirected APIs (up to several hundred) and the considerable number of anti-debugging modules (50) seems to provide absolutely no security. Even after a closer look the purpose of the anti-debugging modules is unclear as they show no effect at all. The large number of redirects can be reduced to 3 by use of automatic tools. Here too the reason for the large number remains unclear as it has no effect on the security.4 Appendices4.1 List of redirected APIsSome APIs that are redirected by HASP-HL 1.20 are identified and are listed here for completeness4.1.1 Kernel32.dllkernel32.dll, WriteTapemark, WriteProcessMemory, WritePrivateProfileStructW, WritePrivateProfileStructA, WritePrivateProfileStringW, WritePrivateProfileStringA, WriteFileEx, WriteFile, WriteConsoleOutputW, WriteConsoleOutputCharacter, WriteConsoleOutputAttribute, WinExec, WideCharToMultiByte, WaitNamedPipeW, WaitNamedPipeA, WaitForDebugEvent, WaitCommEvent, VirtualUnlock, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualLock, VirtualFreeEx, VirtualFree, VirtualAlloc, VerifyVersionInfoA, VerSetConditionMask, VerLanguageNameA, UpdateResourceW, UpdateResourceA, UnlockFileEx, UnlockFile, TransmitCommChar, SystemTimeToFileTime, SuspendThread, SetupComm, SetWaitableTimer, SetVolumeLabelA, SetThreadPriorityBoost, SetThreadPriority, SetThreadExecutionState, SetThreadAffinityMask, SetTapePosition, SetTapeParameters, SetSystemTimeAdjustment, SetSystemTime, SetStdHandle, SetProcessWorkingSetSize, SetProcessPriorityBoost, SetPriorityClass, SetNamedPipeHandleState, SetMailslotInfo, SetLocaleInfoA, SetLocalTime, RestoreLastError, SetHandleInformation,SetFirmwareEnvironmentVaria, SetFileValidData, SetFileTime, SetFileShortNameW, SetFilePointerEx, SetFilePointer, SetFileAttributesW, SetErrorMode, SetEnvironmentVariableW, SetEnvironmentVariableA, SetEndOfFile, SetCurrentDirectoryW, SetComputerNameW, SetComputerNameA, SetCommTimeouts, SetCommState, SetCommMask, SetCommConfig, SearchPathW, SearchPathA, ScrollConsoleScreenBufferW, ScrollConsoleScreenBufferA, ResumeThread, ResetWriteWatch, RemoveDirectoryW, ReadProcessMemory, ReadFileEx, ReadDirectoryChangesW, ReadConsoleW, ReadConsoleOutputW, ReadConsoleOutputCharacterW, ReadConsoleOutputAttribute, ReadConsoleOutputA, ReadConsoleA, RaiseException, QueueUserAPC, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceA, QueryDepthSList, PurgeComm, ProcessIdToSessionId, PrepareTape, OutputDebugStringW, OpenWaitableTimerW, OpenWaitableTimerA, OpenThread, OpenSemaphoreW, OpenSemaphoreA, OpenProcess, OpenMutexW, OpenMutexA, OpenFileMappingW, OpenFileMappingA, OpenEventW, OpenEventA, MultiByteToWideChar, MapViewOfFileEx, MapViewOfFile, LockFileEx, LockFile, LocalReAlloc, LocalLock, LocalFree, LocalAlloc, LCMapStringW, LCMapStringA, IsValidLocale, HeapWalk, HeapValidate, HeapUnlock, HeapSize, HeapSetInformation, HeapReAlloc, HeapQueryInformation, HeapLock, HeapFree, HeapDestroy, HeapCreate, HeapCompact, HeapAlloc, GlobalWire, GlobalUnfix, GlobalUnWire, GlobalMemoryStatusEx, GlobalMemoryStatus, GlobalFix, GetWriteWatch, GetVersionExA, GetVersion, GetUserGeoID, GetUserDefaultLCID, GetTimeFormatW, GetTimeFormatA, GetThreadTimes, GetThreadSelectorEntry, GetThreadPriorityBoost, GetThreadPriority, _hwrite, GetTempPathA, GetTempFileNameW, GetTempFileNameA, GetTapePosition, GetTapeParameters, GetSystemWindowsDirectoryA, GetSystemTimeAdjustment, GetSystemTime, GetSystemPowerStatus, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExW, GetStringTypeExA, GetStringTypeA, GetQueuedCompletionStatus, GetProfileStringW, GetProfileStringA, GetProcessWorkingSetSize, GetProcessTimes, GetProcessPriorityBoost, GetProcessId, GetProcessHeaps, GetProcessAffinityMask, GetProcAddress, GetPrivateProfileStructW, GetPrivateProfileStructA, GetPrivateProfileStringW, GetPrivateProfileStringA, GetPrivateProfileSectionW, GetPrivateProfileSectionA, GetPrivateProfileIntW, GetPrivateProfileIntA, GetPriorityClass, GetNumberFormatA, GetNumaHighestNodeNumber, GetNamedPipeInfo, GetNamedPipeHandleStateW, GetNamedPipeHandleStateA, GetModuleHandleW, GetModuleFileNameA, GetMailslotInfo, GetLogicalDrives, GetLogicalDriveStringsW, GetLogicalDriveStringsA, GetLocaleInfoA, GetLocalTime, GetHandleInformation, GetFullPathNameA, GetFirmwareEnvironmentVaria, GetFileType, GetFileTime, GetFileSizeEx, GetFileSize, GetFileAttributesW, GetFileAttributesExW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetEnvironmentVariableA, GetEnvironmentStrings, GetDriveTypeW, GetDiskFreeSpaceW, GetDiskFreeSpaceExW, GetDiskFreeSpaceExA, GetDiskFreeSpaceA, GetDevicePowerState, GetDateFormatW, GetDateFormatA, GetCurrencyFormatW, GetCurrencyFormatA, GetComputerNameW, GetComputerNameA, GetCompressedFileSizeW, GetCommTimeouts, GetCommState, GetCommProperties, GetCommModemStatus, GetCommMask, GetCommConfig, GetCPInfoExA, GetBinaryType, FormatMessageW, FormatMessageA, FoldStringW, FoldStringA, FlushViewOfFile, FlushInstructionCache, FlushFileBuffers, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileA, FindFirstChangeNotification, FillConsoleOutputCharacterW, FillConsoleOutputAttribute, FileTimeToSystemTime, FileTimeToDosDateTime, FatalAppExitW, FatalAppExitA, ExpandEnvironmentStringsW, ExpandEnvironmentStringsA, ExitProcess, EscapeCommFunction, EraseTape, EndUpdateResourceW, DosDateTimeToFileTime, DisconnectNamedPipe, DeleteFileW, DeleteFiber, DefineDosDeviceW, DefineDosDeviceA, DebugSetProcessKillOnExit, CreateWaitableTimerA, CreateThread, CreateTapePartition, CreateSemaphoreW, CreateSemaphoreA, CreateProcessW, CreateProcessA, CreatePipe, CreateNamedPipeW, CreateNamedPipeA, CreateMutexW, CreateMutexA, CreateMailslotW, CreateMailslotA, CreateIoCompletionPort, CreateFileW, CreateFileMappingW, CreateFileMappingA, CreateFileA, CreateFiberEx, CreateEventW, CreateEventA, CreateDirectoryW, CreateDirectoryExA, CopyFileExA, CopyFileA, ContinueDebugEvent, ConnectNamedPipe, CompareStringW, CompareStringA, ClearCommError, CancelIo, CallNamedPipeA, BuildCommDCBW, BuildCommDCBAndTimeoutsW, BuildCommDCBA, BeginUpdateResourceW, BeginUpdateResourceA, Beep, BackupWrite, BackupSeek, BackupRead, _hread, _hwrite, lstrcmpi, CreateWaitableTimerW4.1.2 User32.dllIsCharAlphaW, IsCharAlphaNumericW, IsCharAlphaNumericA, IsCharAlphaA, InsertMenuW, InsertMenuItemW, InsertMenuItemA, InsertMenuA, GrayStringW, GrayStringA, GetWindowThreadProcessId, GetUserObjectSecurity, GetUserObjectInformationA, GetThreadDesktop, GetTabbedTextExtentW, GetTabbedTextExtentA, GetMessageW, GetMessageA, GetMenuStringW,GetMenuStringA, GetMenuItemInfoW, GetMenuItemInfoA, GetKeyboardType, GetKeyboardLayoutNameW, GetDlgItemTextW, GetClipboardData, GetClassNameW, GetClassInfoW, GetClassInfoExW, GetClassInfoExA, GetClassInfoA, FillRect, ExitWindowsEx, EnableMenuItem, DrawTextW, DrawTextExW, DrawTextExA, DrawTextA, DrawStateW, DrawStateA, DrawIconEx, DrawEdge, DlgDirSelectExA, DlgDirSelectComboBoxExA, DlgDirListW, DlgDirListComboBoxW, DialogBoxParamW, DialogBoxParamA, DialogBoxIndirectParamW, DialogBoxIndirectParamA, DefFrameProcW, DefFrameProcA, CreateWindowStationW, CreateWindowStationA, CreateWindowExW, CreateWindowExA, CreateMDIWindowW, CreateMDIWindowA, CreateIconFromResourceEx, CreateIcon, CreateDialogParamW, CreateDialogParamA, CreateDialogIndirectParamW, CreateDialogIndirectParamA, CreateDesktopW, CreateDesktopA, CreateCursor, CopyImage, CopyIcon, CheckMenuRadioItem, CheckMenuItem, CharUpperW, CharUpperBuffA, CharUpperA, CharToOemBuffW, IsCharUpperA, CharPrevW, CharPrevExA, CharPrevA, CharNextW, CharLowerW, CharLowerBuffA, CharLowerA, ChangeMenuW, ChangeMenuA, IsCharLowerA, ChangeDisplaySettingsExA, CascadeWindows, CallWindowProcW, CallWindowProcA, CallNextHookEx, CallMsgFilterW, CallMsgFilter, BroadcastSystemMessageW, BroadcastSystemMessage, AppendMenuW, AppendMenuA, MessageBoxExW, MessageBoxIndirectA, MessageBoxIndirectW, ModifyMenuA, ModifyMenuW, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, OemToCharBuffW, OpenClipboard, OpenDesktopA, OpenDesktopW, OpenWindowStationA, OpenWindowStationW, PeekMessageA, PeekMessageW, PostMessageA, PostMessageW, PostThreadMessageA, RegisterClassA, RegisterClassW, RegisterClipboardFormatA, RegisterClipboardFormatW, RegisterClipboardFormatA, RegisterClipboardFormatW, RemovePropA, RemovePropW, ScrollDC, ScrollWindow, ScrollWindowEx, SendDlgItemMessageA, SendDlgItemMessageW, SendMessageA, SendMessageCallbackA, SendMessageCallbackW, SendMessageTimeoutA, SendMessageTimeoutW, SendMessageW, SendNotifyMessageA, SendNotifyMessageW, SetClassLongA, SetClassLongW, SetClipboardData, SetDlgItemInt, SetMenuItemBitmaps, SetMenuItemInfoA, SetMenuItemInfoW, SetPropA, SetPropW, SetRect, SetScrollPos, SetScrollRange, SubtractRect, TabbedTextOutA, TabbedTextOutW, TileWindows, ToAscii, ToAsciiEx, ToUnicode, ToUnicodeEx, TrackPopupMenu, UnionRect, UnregisterClassA, UnregisterClassW, VkKeyScanA, VkKeyScanExA, WaitForInputIdle, WinHelpA, WinHelpW, keybd_event, mouse_event, wvsprintfA, wvsprintfW, IsCharUpperW, IsDialogMessageW, LoadBitmapA, LoadCursorA, LoadCursorFromFileA, LoadIconA, LoadImageA, LoadImageW, LoadKeyboardLayoutA, LoadMenuIndirectA, LoadMenuIndirectA, ChangeDisplaySettingsExW, IsCharLowerW, LoadStringA, LookupIconIdFromDirectoryEx, MapVirtualKeyExA, MessageBoxExA4.1.3 Advapi32.dllSetFileSecurityW, SetFileSecurityA, RevertToSelf, RegisterEventSourceW, RegisterEventSourceA, RegUnLoadKeyW, RegUnLoadKeyA, RegSetValueW, RegSetValueA, RegSetKeySecurity, RegSaveKeyW, RegSaveKeyExW, RegSaveKeyExA, RegSaveKeyA, RegRestoreKeyW, RegRestoreKeyA, RegReplaceKeyW, RegReplaceKeyA, RegQueryValueW, RegQueryValueExW, RegQueryValueExA, RegQueryValueA, RegQueryMultipleValuesW, RegQueryMultipleValuesA, RegQueryInfoKeyW, RegQueryInfoKeyA, RegOpenUserClassesRoot, RegOpenKeyExW, RegOpenKeyExA, RegNotifyChangeKeyValue, RegLoadKeyW, RegLoadKeyA, RegGetKeySecurity, RegFlushKey, RegEnumValueW, RegEnumValueA, RegEnumKeyW, RegEnumKeyExW, RegEnumKeyExA, RegEnumKeyA, RegDeleteValueW, RegDeleteValueA, RegDeleteKeyW, RegDeleteKeyA, RegCreateKeyExW, RegCreateKeyExA, RegCreateKeyA, RegConnectRegistryW, RegConnectRegistryA, ReadEventLogW, ReadEventLogA, PrivilegedServiceAuditAlarm, PrivilegeCheck, OpenEventLogW, OpenEventLogA, OpenEncryptedFileRawA, OpenBackupEventLogW, OpenBackupEventLogA, ObjectPrivilegeAuditAlarmW, ObjectPrivilegeAuditAlarmA, ObjectOpenAuditAlarmW, ObjectOpenAuditAlarmA, ObjectDeleteAuditAlarmW, ObjectDeleteAuditAlarmA, ObjectCloseAuditAlarmW, ObjectCloseAuditAlarmA, MakeAbsoluteSD, LookupPrivilegeValueW, LookupPrivilegeValueA, LookupPrivilegeNameW, LookupPrivilegeNameA, LookupPrivilegeDisplayNameW, LookupAccountSidW, LookupAccountSidA, LookupAccountNameW, LookupAccountNameA, LogonUserW, LogonUserExW, LogonUserExA, LogonUserA, IsTokenUntrusted, IsTokenRestricted, InitiateSystemShutdownW, InitiateSystemShutdownExW, InitiateSystemShutdownExA, InitiateSystemShutdownA, ImpersonateNamedPipeClient, ImpersonateLoggedOnUser, GetTokenInformation, GetSecurityDescriptorSacl, GetSecurityDescriptorOwner, GetSecurityDescriptorGroup, GetSecurityDescriptorDacl, GetPrivateObjectSecurity, GetKernelObjectSecurity, GetFileSecurityW, GetFileSecurityA, GetEventLogInformation,AbortSystemShutdownA, AccessCheck, AccessCheckAndAuditAlarmA, AccessCheckAndAuditAlarmW, AddAce, AddAuditAccessAce, AdjustTokenGroups, AdjustTokenPrivileges, AllocateAndInitializeSid, BackupEventLogA, BackupEventLogW, CheckTokenMembership, ClearEventLogA, ClearEventLogW, CreatePrivateObjectSecurity, CreateProcessAsUserW, FileEncryptionStatusA, EncryptFileA, DuplicateTokenEx, DecryptFileA, CreateRestrictedToken。

研究与设计 电　子　测　量　技　术 ＥＬＥＣＴＲＯＮＩＣ　ＭＥＡＳＵＲＥＭＥＮＴ　ＴＥＣＨＮＯＬＯＧＹ第３６卷第２期２０１３年２月　一种ＵＳＢＫｅｙ的文件加密软件方案的设计郭利芳　赵　凡　李小兵　汪成明（兰州交通大学电子与信息工程学院　兰州　７３００７０）摘　要：随着信息技术的飞速发展，文件的安全性越来越被重视，防止个人信息文件被窃取已经成为一个重要的研究课题。

将以硬、软件结合的方式，硬件上基于磐石科技的ＮＴ１１９的ＵＳＢＫｅｙ，对其进行识别与密码读写，软件上以Ｍｉｃｒｏｓｏｆｔ　Ｖｉｓｕａｌ　Ｓｔｕｄｉｏ　２００８为平台，实现ＵＳＢＫｅｙ的识别与读写功能，最终硬软件结合保护文件。

达到只有在拥有相应ＵＳＢＫｅｙ和密码后才能打开文件看到相关的信息，实现文件的保护功能。

关键词：ＵＳＢＫｅｙ；Ｍｉｃｒｏｓｏｆｔ　Ｖｉｓｕａｌ　Ｓｔｕｄｉｏ　２００８；识别；Ｃ＃中图分类号：ＴＮ４０２ 文献标识码：Ａ 国家标准学科分类代码：５２０．４０６０Ｄｅｓｉｇｎ　ｏｆ　ＵＳＢＫｅｙ　ｆｉｌｅ　ｅｎｃｒｙｐｔｉｏｎ　ｓｏｆｔｗａｒｅ　ｐｒｏｇｒａｍＧｕｏ　Ｌｉｆａｎｇ　Ｚｈａｏ　Ｆａｎ　Ｌｉ　Ｘｉａｏｂｉｎｇ　Ｗａｎｇ　Ｃｈｅｎｇｍｉｎｇ（Ｓｃｈｏｏｌ　ｏｆ　Ｅｌｅｃｔｒｏｎｉｃ　ａｎｄ　Ｉｎｆｏｒｍａｔｉｏｎ　Ｅｎｇｉｎｅｅｒｉｎｇ，Ｌａｎｚｈｏｕ　Ｊｉａｏｔｏｎｇ　Ｕｎｉｖｅｒｓｉｔｙ，Ｌａｎｚｈｏｕ　７３００７０，Ｃｈｉｎａ）Ａｂｓｔｒａｃｔ：Ｗｉｔｈ　ｔｈｅ　ｒａｐｉｄ　ｄｅｖｅｌｏｐｍｅｎｔ　ｏｆ　ｉｎｆｏｒｍａｔｉｏｎ　ｔｅｃｈｎｏｌｏｇｙ，ｄｏｃｕｍｅｎｔ　ｓｅｃｕｒｉｔｙ　ｉｓ　ｍｏｒｅ　ａｎｄ　ｍｏｒｅ　ｉｍｐｏｒｔａｎｔ．Ｐｒｅｖｅｎｔｉｎｇ　ｐｅｒｓｏｎａｌ　ｉｎｆｏｒｍａｔｉｏｎ　ｆｒｏｍ　ｄｏｃｕｍｅｎｔｓ　ｓｔｏｌｅｎ　ｈａｓ　ｂｅｃｏｍｅ　ａｎ　ｉｍｐｏｒｔａｎｔ　ｒｅｓｅａｒｃｈ　ｔｏｐｉｃ．Ｔｈｉｓ　ａｒｔｉｃｌｅ　ｉｓ　ｔｏ　ｕｓｅｔｈｅ　ｃｏｍｂｉｎａｔｉｏｎ　ｏｆ　ｈａｒｄｗａｒｅ　ａｎｄ　ｓｏｆｔｗａｒｅ．Ｔｈｅ　ｈａｒｄｗａｒｅ　ｏｆ　ｔｈｅ　ｓｃｉｅｎｃｅ　ａｎｄ　ｔｅｃｈｎｏｌｏｇｙ　ｂａｓｅｄ　ｏｎ　ｔｈｅ　ｒｏｃｋ　ＮＴ１１９ＵＳＢＫｅｙ，ｗｈｉｃｈ　ｉｓ　ｃａｒｒｉｅｄ　ｏｎ　ｔｈｅ　ｉｄｅｎｔｉｆｉｃａｔｉｏｎ　ａｎｄ　ｐａｓｓｗｏｒｄ　ｔｏ　ｒｅａｄ．Ｓｏｆｔｗａｒｅ　ｗｈｉｃｈ　ｕｓｅ　Ｍｉｃｒｏｓｏｆｔ　ｖｉｓｕａｌ　ｓｔｕｄｉｏ　２００８ａｓｔｈｅ　ｐｌａｔｆｏｒｍ　ｔｏ　ｒｅａｌｉｚｅ　ｔｈｅ　ｆｕｎｃｔｉｏｎ　ｏｆ　ｔｈｅ　ｉｄｅｎｔｉｆｉｃａｔｉｏｎ　ａｎｄ　ｔｈｅ　ｒｅａｄｉｎｇ　ａｎｄ　ｗｒｉｔｉｎｇ，ｗｈｉｃｈ　ｆｉｎａｌｌｙ　ｐｒｏｔｅｃｔ　ｄｏｃｕｍｅｎｔｓｗｉｔｈ　ｈａｒｄｗａｒｅ　ａｎｄ　ｓｏｆｔｗａｒｅ．Ｏｎｌｙ　ｗｉｔｈ　ｃｏｒｒｅｓｐｏｎｄｉｎｇ　ＵＳＢＫｅｙ　ａｎｄ　ｐａｓｓｗｏｒｄ　ｔｏ　ｏｐｅｎ　ｆｉｌｅｓ　ｃａｎ　ｓｅｅ　ｒｅｌｅｖａｎｔ　ｉｎｆｏｒｍａｔｉｏｎ，ａｎｄ　ｒｅａｌｉｚｅ　ｔｈｅ　ｄｏｃｕｍｅｎｔｓ　ｏｆ　ｔｈｅ　ｐｒｏｔｅｃｔｉｏｎ　ｆｕｎｃｔｉｏｎ．Ｋｅｙｗｏｒｄｓ：ＵＳＢＫｅｙ；Ｍｉｃｒｏｓｏｆｔ　Ｖｉｓｕａｌ　Ｓｔｕｄｉｏ　２００８；ｉｄｅｎｔｉｆｉｃａｔｉｏ；Ｃ＃　收稿日期：２０１３－０１１　引 言当前软件加密的种类很多，在国外，电子授权和加密锁的占有率旗鼓相当；在国内，软件开发商使用加密锁的比率较高。

基于USBKey的网游数据加密技术的研究与应用随着互联网的迅猛发展，网游产业成为一个蓬勃发展的行业。

然而，随之而来的问题是网游数据的安全性问题，尤其是游戏账号和虚拟物品的盗窃问题。

为了保护玩家的利益和游戏的可持续发展，研究和应用基于USBKey的网游数据加密技术变得尤为重要。

基于USBKey的网游数据加密技术是一种通过使用USBKey 来加密和保护网游数据的技术。

USBKey是一种可移动存储设备，具有高度的安全性和可靠性。

通过将USBKey与玩家的游戏账号绑定，可以实现数据的加密和防篡改。

当玩家登录游戏时，系统会自动识别并验证USBKey的身份，确保只有合法的用户才能访问游戏数据。

该技术的核心是通过加密算法对网游数据进行加密。

只有在正确的USBKey插入的情况下，才能解密数据并进行游戏。

这种加密技术不仅可以保护游戏账号和虚拟物品的安全，还可以防止外部黑客攻击和数据泄露。

基于USBKey的网游数据加密技术在实际应用中有着广泛的应用前景。

首先，它可以有效地防止游戏账号的盗窃和虚拟物品的非法交易，维护游戏的公平性和玩家的利益。

其次，它可以提高游戏数据的安全性，减少黑客攻击和数据泄露的风险，保护游戏平台和玩家的隐私。

此外，基于USBKey的网游数据加密技术还可以为游戏平台提供更多的商业机会，例如推出特殊定制的USBKey，为玩家提供更多的选择和个性化服务。

当然，基于USBKey的网游数据加密技术也面临一些挑战。

例如，技术的成本较高，需要为每个玩家提供专用的USBKey，增加了运营成本。

此外，技术的可靠性和稳定性需要进一步的研究和验证。

综上所述，基于USBKey的网游数据加密技术是一项具有重要意义和广泛应用前景的研究领域。

通过应用该技术，可以有效地提高网游数据的安全性和玩家的体验，进一步推动网游产业的可持续发展。

基于USB KEY的文件加密工具—— USB key管理系统摘要随着信息技术的飞速发展，文件的安全性越来越被重视。

为了实现对个人重要信息的加密，防止别人窃取个人的文件信息，提高文件的安全性，文件加密成为了一个重要的课题。

本设计为了解决用户记忆烦琐的密码问题，以软、硬件相结合的方式，实现了文件加密和解密的功能。

具有操作简单、稳定性高、兼容性好、速度快等特点。

该系统使用Rockey2加密锁，用Delphi进行开发。

本系统分为两部分，一部分是文件的加密解密；另一部分是加密锁的管理工具。

后一部分由本人完成。

本文主要介绍了USB KEY文件加密工具的总体设计和详细设计思路以及应用和编码。

在总体设计中主要介绍了设计该工具的需求分析、系统的选型、以及Rockey2加密锁的介绍。

在详细设计中主要介绍了系统功能的分析、Rockey2加密锁的内存分配、以及数据库的相关设计。

在应用和编码部分主要介绍了硬件的安装，初始化、写用户名和密码的应用和编码，管理界面的设计以及数据库的相关操作。

最后介绍了系统的不足以及改进方案。

关键字：USB；加密；Delphi；管理The Files Encryption Tool Based on USB-KEY——USB -KEY Management SystemAbstractWith the rapid development of IT, the security of the files has been increasingly attention. To implement encryption for important personal information, preventing others that steal personal information, improving the security of the document, encryption has been a very important topic.This design aims to solve the problem that users passwords are remembered difficulty, implement the functions of encryption and decryption for documents by the combination of software and hardware. It has many characteristics, such as simple, stable, good compatibility, speed and so on. The system uses Rockey2 USB Key, developed with Delphi. This system has two parts, one part mark is the document encryption deciphering; another part of the administration implement being to encrypt a lock. The queen part is completed by me.This paper introduces the brief design, detailed design, the application and coding of USB KEY file encryption tool. It introduces the requirements analysis, the system selection for the design, and Rockey2 encryption in the brief design. And it introduces the main functions of the system analysis, the memory allocation of encryption Rockey2, and the related database design in the detailed design. Besides, in the aspect of application and coding, it main introduces the hardware installation, initialization, writing users’ name, passwords for application and coding, and design of management interface, operation of the database. Finally, it introduces the shortcomings of the system and how to improve it.Key word:USB; Encryption; Delphi; Management.目录论文总页数：22页1 引言 (1)1.1选题背景 (1)1.2国内外研究现状 (1)1.3本设计研究的意义 (1)1.4本设计研究的方法 (1)2 USB KEY文件加密工具总体设计 (2)2.1USB KEY文件加密工具需求分析 (2)2.2系统选型 (3)2.2.1设计语言：Delphi (3)2.2.2数据库的选择 (4)2.2.3开发工具的选择 (4)2.2.4开发硬件的选择 (5)2.3 ROCKEY2加密锁 (5)2.3.1 Rockey2加密锁简介 (5)2.3.2 Rockey2加密锁特点 (5)2.3.3 Rockey2加密锁优点 (5)2.3.4 Rockey2 加密锁要点说明 (6)3 USB KEY文件加密工具系统详细设计 (6)3.1 系统功能模块分析 (6)3.2ROCKEY2加密锁内存分配 (7)3.2数据库设计 (8)3.2.1数据库需求分析 (8)3.2.2数据库实体关系设计 (8)3.2.3数据库逻辑设计 (9)4应用以及编码 (10)4.1初始化以及写密码的过程的应用与编码 (10)4.2管理界面的设计 (12)4.2.1管理主界面设计 (12)4.2.2分类管理模块的设计 (13)4.2.3添加客户模块的设计 (14)4.2.4编辑客户模块的设计 (15)4.2.5查看客户模块的设计 (16)4.2.6 Rockey 初始化模块 (16)4.3数据库操作 (18)结论 (19)参考文献 (20)致谢 (21)声明 (22)1 引言1.1选题背景随着社会高科技，商品经济化突飞猛进的发展，计算机的应用已经普及到经济和社会生活的各个领域。

基于USBKEY的BIOS与系统安全解决方案关键字：USBKEY LinuxBIOS引导程序实时监控BootStrap目前，由于计算机技术的迅速发展，其相关产品越来越多地应用于社会的各行各业，因此随之而生的主机安全防护功能要求逐渐成为各个部门极为关心的问题。

针对不同的安全威胁，目前存在多种主机安全技术和相关安全产品，如防病毒技术、个人防火墙、安全应用程序(如文件加密程序)、安全操作系统等。

这些技术和产品在一定程度上满足人们的安全需求，却没有很好地解决以下两个问题：1.系统访问，即开机时的保护问题，目前普遍采用的是基于口令的弱身份认证技术，很容易被攻破而造成泄密；2.运行时保护(runtime protection)，即在合法用户进入系统后因某种原因暂时离开计算机，此时任何人员均可在此系统之上进行操作，从而造成泄密。

本文采用BIOS和操作系统安全增强技术，利用USBKEY提供的高强度密码算法和独立于操作系统安全运算环境，实现了开机时的强身份认证和系统状态的实时监控和保护，有效解决了上述安全问题，目前已在“便携式专用嵌入式安全计算平台”系统中得到了应用。

本机安全解决方案在实际应用过程中，使用系统所带来的安全与性能问题主要集中在三个方面，即BIOS安全、系统本身安全与人为因素。

因此如何正确有效地将这三个问题予以解决是本机安全的关键所在。

考虑到正常的系统引导过程以及如何解决性能与安全的平衡，然后根据对这些相关难点的研究，我们认为将硬件引入到软件设计中来，可有效地增强系统本身的安全性，并可最大限度地防止软件运行所带来的安全隐患。

对于这些问题，主要的解决方法如下：1．基于USBKEY的BIOS安全机制BIOS安全是目前信息安全领域研究的一个热点。

BIOS作为固化在主板上ROM芯片中的一段软件代码，主要包括基本硬件驱动与初始化启动及引导部分代码，因此可在基本硬件检测完毕后，在初始化代码中要求插入正确的USBKEY，实现在BIOS层的身份认证。

USB Key保护进程的设计与实现贾凡;谢蒂【期刊名称】《计算机工程与应用》【年(卷),期】2011(047)015【摘要】针对使用USB Key件进行身份认证和数据签名时,存在PIN码明文传输被窃听及待签名数据有可能会被其他恶意程序篡改等安全威胁,提出了一种基于保护进程的USB Key软件安全架构,从USB Key动文件的完整性、防止USB Key进程被动态DLL注入和进程内存数据的非法修改等方面,确保USB Key进程的真实性和可信性,可以有效地防止PIN码的截获和USB Key进程内存数据被恶意程序修改,进而提高USB Key在使用过程中的安全性.%PIN code may be revealed and transaction data may be intercepted and modified when USB Key used in electronic payment and identification. To avoid that,a security architecture based on protection process is proposed to set up a secure execution environment for USB Key in client. Protection process can ensure the security and trust of USB Key process by verifying the integrity of the driver files,preventing the malicious DLL files inject to USB key process and deterring the interception of data using anti-Hook.【总页数】4页(P72-74,118)【作者】贾凡;谢蒂【作者单位】北京交通大学,电子信息工程学院,北京,100044;信息产业部,计算机安全技术检测中心,北京,100083【正文语种】中文【中图分类】TN918【相关文献】1.基于USB Key的身份认证系统设计与实现 [J], 王飞龙;尹青;郭玉东;庄宽2.基于USB Key的注册码软件保护方案设计与实现 [J], 赵路华;李志瑞3.基于USB KEY及加密驱动的文件加密系统设计与实现 [J], 倪菊华4.基于FPGA数据采集的USBKey安全评估系统设计与实现 [J], 董攀;白长虹5.基于USB Key认证的VPN网络自动连接的设计与实现 [J], 王华;饶传新;马思锐;汪军因版权原因，仅展示原文概要，查看原文内容请购买。

(19)中华人民共和国国家知识产权局(12)发明专利申请(10)申请公布号 (43)申请公布日 (21)申请号 201910156275.7(22)申请日 2019.03.01(71)申请人 浙江安点科技有限责任公司地址 313000 浙江省湖州市吴兴区区府路1188号总部自由港H幢8楼A(72)发明人 罗艳　(74)专利代理机构 杭州裕阳联合专利代理有限公司 33289代理人 姚宇吉(51)Int.Cl.G06F 21/12(2013.01)G06F 21/51(2013.01)(54)发明名称基于UsbKey对软件的授权方法(57)摘要本发明公开了一种基于UsbKey对软件的授权方法，在安装时，获取待授权计算机的第一计算机信息、UsbKey中存储的授权信息和软件包；根据第一计算机信息和授权信息将软件包安装到待授权的计算机中，同时将UsbKey中授权信息的已授权安装次数进行更新；在使用时，运行对应计算机中已经授权安装的软件包进行工作；在卸载时，获取待卸载计算机的第二计算机信息和UsbKey中存储的授权信息；根据第二计算机信息和授权信息将软件包从待卸载的计算机中进行卸载，同时将UsbKey中授权信息的已授权安装次数进行更新。

本发明能够降低UsbKey的使用频率，以降低出现硬件故障的几率，以延长使用寿命；并且能够避免重复安装卸载对已授权安装次数的影响，以降低维护成本，方便用户使用。

权利要求书2页 说明书6页 附图3页CN 109840399 A 2019.06.04C N 109840399A权　利　要　求　书1/2页CN 109840399 A1.一种基于UsbKey对软件的授权方法，其特征在于，包括以下步骤；在安装时，获取待授权计算机的第一计算机信息、UsbKey中存储的授权信息和软件包；根据所述第一计算机信息和授权信息将软件包安装到待授权的计算机中，同时将UsbKey中授权信息的已授权安装次数进行更新；在使用时，运行对应计算机中已经授权安装的软件包进行工作；在卸载时，获取待卸载计算机的第二计算机信息和UsbKey中存储的授权信息；根据所述第二计算机信息和授权信息将软件包从待卸载的计算机中进行卸载，同时将UsbKey中授权信息的已授权安装次数进行更新。

基于USBKey的应用安全解决方案基于USBKey的应用安全解决方案北京东方通科技公司金融方案中心2004-06目录1项目背景 (3)2方案介绍 (3)2.1 B/S应用USBKey安全解决 (4)2.2 C/S应用USBKey安全解决 (6)2.3 USBKey管理系统 (7)3应用USBKey安全改造 (7)3.1 新增应用的USBKey改造 (8)3.2 原有应用的USBKey改造 (8)4方案特点 (9)5方案总结 (10)1项目背景随着计算机网络通信技术和信息加密技术的快速发展，人们迫切需要一种具有高度安全性、小巧、灵活、易用及便携等特点的硬件设备来存储密钥等需要保密的安全信息。

USBKey 正是为了满足这种需求而设计的一种安全产品，其安全核心是智能卡技术。

USBKey又称电子钥匙，是基于USB接口的信息安全产品。

采用了国际上先进的智能卡技术，具有内部的操作系统和安全核心管理。

USBKey主要由微处理器、微型操作系统、USB通讯接口三部分组成，是将智能卡与智能卡读写器集成一体的便携式安全设备。

它体积小巧，式样美观高档，可以由用户随身携带。

USBKey作为用户身份认证时的核心凭证使用，由于借助了硬件（智能卡）的安全特性，所以极大地提高了身份认证安全强度，保障了应用安全性。

USBKey也能够和当今信息安全领域最尖端的PKI以及CA认证技术紧密结合，利用USBKey内极为安全的智能芯片来存储和使用用户的私有密钥和第三方认证机构所颁发的数字证书。

虽然现在有很多应用都把私有密钥和数字证书存储在计算机的硬盘或软盘当中，但出于安全性考虑，使用自动生成私有密钥和安全存储数字证书的USBKey 则会更好、更安全。

这样可以防止黑客通过植入病毒程序盗取合法用户的私有密钥，伪装成为合法用户的身份在网络上数字签名，进行诈骗和非法交易。

北京东方通科技公司为应用系统提供了一整套基于USBKey的安全解决方案，充分考虑到应用安全性的各个环节，从安全性和易用性出发，为多种应用系统（基于互联网的新兴B/S结构应用系统和传统基于C/S结构的应用系统）均搭建起强大的USBKey底层安全支撑平台。

基于USBKey的软件保护增强策略马征宇;严迎建【期刊名称】《计算机工程与设计》【年(卷),期】2017(38)1【摘要】To make sure computer software run in the trusted environment,through the software protection studied in the operating system of Linux,a strategy of software protection based on USBKey was BKey internal strong crypto-operation and secure storage capacity were combined,and identity authentication and trusted computing were introduced.Aiming at solving the deficiency in USBKey certification,the identity authentication scheme based on the blind was introduced,due to the blind factors participated,the freshness of certification was guaranteed and the replay attack was prevented.This strategy of software certification was modeled and the loopholes and defects existing in the strategy were illustrated from the enemy attack view point.A flow system model was proposed.Analysis verifies that this strategy of software protection satisfies the needs of security.%为使计算机软件在一个可信的环境中运行,通过对Linux操作系统下的软件保护进行研究,提出一种基于USBKey的软件保护策略.结合USBKey内部强大的密码运算和安全存储能力,注入身份认证和可信计算思想.针对USBKey认证中的不足进行改进,引入基于盲化的身份认证方案,盲化因子的参与保证认证的新鲜度,防止重放攻击,对软件认证策略进行建模,从敌手攻击上说明这种策略存在的漏洞和缺陷,提出一种流系统模型,协议分析验证了该增强保护策略满足安全性需求.【总页数】6页(P53-58)【作者】马征宇;严迎建【作者单位】信息工程大学密码工程学院专用芯片设计教研室,河南郑州 450001;信息工程大学密码工程学院专用芯片设计教研室,河南郑州 450001【正文语种】中文【中图分类】TP311.56【相关文献】1.基于USBKEY的网络存储用户数据保护的研究与实现 [J], 喻潇;田里;刘喆;王捷2.基于AES加密算法的USBKey解锁方案 [J], 邓明荣;刘进;李宇平;蔡梅松;孙玄;孟凡3.基于USBKEY的网络存储用户数据保护的研究与实现 [J], 喻潇;田里;刘喆;王捷;;;;;4.基于FPGA数据采集的USBKey安全评估系统设计与实现 [J], 董攀;白长虹5.基于指纹USBKEY和监控功能的强身份认证设计 [J], 张炜玲;林文畅;黄鸿因版权原因，仅展示原文概要，查看原文内容请购买。

基于USB Key的注册码软件保护方案设计与实现
赵路华;李志瑞
【期刊名称】《安阳工学院学报》
【年(卷),期】2014(000)002
【摘要】对一种基于RSA算法的注册码软件加密保护方案进行了分析，指出了原有方案中存在单纯考虑算法安全强度、忽略软件完整性检验和验证程序代码缺少安全保护等脆弱性问题，并针对这些安全隐患和本文需要保护的特殊软件，提出了一种基于USB Key的注册码软件保护方案。

借助USB Key电子钥匙，完整性技术和保护函数对软件进行保护，提高软件保护的安全性。

最后对软件保护方案的关键模块进行了设计和实现，并经过实验测试验证了设计方案的合理性和有效性。

【总页数】4页(P47-49,53)
【作者】赵路华;李志瑞
【作者单位】安阳工学院电子信息与电气工程学院，河南安阳455000;安阳工学院电子信息与电气工程学院，河南安阳455000
【正文语种】中文
【中图分类】TP391
【相关文献】
1.一种基于USB Key加解密技术的软件保护方案研究 [J], 王玮
2.基于RSA数字签名的注册码软加密保护方案在石油工控软件的应用 [J], 苏玉杰;杨飞;刘波涛
3.基于MD5的软件注册码的设计与实现 [J], 管丽娟
4.基于注册码的软件授权保护系统的设计与实现 [J], 何永瑾; 郭肖旺; 赵德政
5.基于注册码的软件授权保护系统的设计与实现 [J], 何永瑾; 郭肖旺; 赵德政因版权原因，仅展示原文概要，查看原文内容请购买。

二代USBKey产品调研报告1.二代USBKey介绍二代USBKey(又叫增强型USBKey)在一代USBKey的基础上，增加了液晶屏和按键两项新功能，除了具备一代USBKey的功能外,还能将网银系统传入的要签名的信息根据银行系统自定义的规则，通过液晶屏显示给客户进行交易按键确认，用户所见信息就是要传给网银验签服务器真正进行交易的信息，所见即所签，防止数据在客户端被黑客程序、木马病毒等纂改而导致非法交易。

因此，二代USBKey 较一代USBKey能够真正确保数据在客户端的安全性，使整个交易过程无懈可击。

2.监管要求针对电子银行信息安全管理及风险防范，中国人民银行于2010年1月19日制订并印发了《网上银行系统信息安全通用规范（试行）》（银发【2010】19号），其中6.1.2.1 部分对USB Key产品的技术规范、性能参数及业务运作安全规范提出了明确的要求，同时在分析各金融单位网上银行系统曾经发生过的一些风险案例后提出了增强要求，且明确规定增强要求必须在文件下发之日起三年内达标。

关于二代USBKey具体要求摘录如下：【基本要求】e）应保证私钥在生成、存储和使用等阶段的安全：●USB Key在执行签名等敏感操作前应经过客户身份鉴别。

●USB Key在执行签名等敏感操作时，应具备操作提示功能，包括但不限于声音、指示灯、屏幕等显示形式。

【增强要求】a)USB Key应能够防远程挟持，例如具有屏幕提示、语音提示、按键确认等功能，可以对交易指令完整性进行校验、对交易指令合法性进行鉴别、对关键交易数据进行输入和确认。

b)未经过按键确认，USB Key不能签名和输出，在等待一段时间后，可自动清除数据，并复位状态。

c)USB Key应能够自动识别待签名数据的格式，识别后在屏幕上显示签名数据或对其进行语音提示。

按照人民银行要求，截止2013年1月18日之前，我行必须完成网上银行系统USBKey的升级改造工作，以达到人民银行上述增强要求。