CN111523880B - Digital asset remote branch management system and method - Google Patents

Info

Publication number
CN111523880B
Authority
CN
China
Prior art keywords
server
key
encryption
digital asset
encryption machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911324225.1A
Other languages
Chinese (zh)
Other versions
CN111523880A (en)
Inventor
杜晓楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201911324225.1A (CN111523880B)
Priority to US17/051,168 (US20220122066A1)
Priority to PCT/CN2020/070530 (WO2021114445A1)
Publication of CN111523880A
Application granted
Publication of CN111523880B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0022 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
    • G06K17/0025 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations arrangements or provisions for transferring data to distant stations, e.g. from a sensing device the arrangement consisting of a wireless interrogation device in combination with a device for optically marking the record carrier
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • G06Q20/3678 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes e-cash details, e.g. blinded, divisible or detecting double spending
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825 Use of electronic signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Abstract

The invention relates to a digital asset remote branch management system, comprising: a financial management server in communication with an external network; a management server and a wallet server in communication with the financial management server through a first communication channel; a key server in communication with the management server and the wallet server through a second communication channel; a local encryption machine in communication with the key server through a third communication channel; an online encryption machine in communication with the wallet server; and at least a first remote encryption machine and a second remote encryption machine in communication with the local encryption machine through a fourth channel. The invention also relates to a digital asset remote branch management method. According to the invention, the digital assets are stored in the online encryption machine and the remote encryption machines in different proportions, so that the digital assets can be stored and accessed conveniently and quickly while security is enhanced; the private key is stored in different remote encryption machines, and signing is also carried out in different remote encryption machines, so that the private key cannot be disclosed even if some of the remote encryption machines are compromised.

Description

Digital asset remote branch management system and method
Technical Field
The invention relates to the field of remote branch management of digital assets, and in particular to a digital asset remote branch management system and method.
Background
Digital assets are non-monetary assets that are owned or controlled by a business or individual, exist in the form of electronic data, and are held in daily activities for sale or in the process of production. Examples include software, firmware, executable instructions of a computerized device, digital certificates (e.g., public key certificates), cryptographic keys, bitcoins, and so forth. Digital assets are usually stored in a number of digital asset remote branch management platforms.
Because digital assets generally have high value, many hackers attack digital asset remote branch management platforms by various technical means in order to steal the digital assets held there. Prior-art digital asset remote branch management platforms are vulnerable to network attack, so the potential security hazards and the risk of information leakage are high.
Disclosure of Invention
The technical problem to be solved by the invention is that prior-art digital asset remote branch management platforms are vulnerable to network attack and carry large potential security hazards and information leakage risks. To address this defect, the invention provides a digital asset remote branch management system and method with which keys can be protected safely and efficiently, thereby ensuring the security of the digital assets.
The technical solution adopted to solve this technical problem is to construct a digital asset remote branch management system, comprising: a financial management server in communication with an external network, a management server and a wallet server in communication with the financial management server via a first communication channel, a key server in communication with the management server and the wallet server via a second communication channel, a local encryption machine in communication with the key server via a third communication channel, an online encryption machine in communication with the wallet server, and at least a first and a second remote encryption machine in communication with the local encryption machine via a fourth channel;
the financial management server receives a key application and transmits it to the key server through the management server, and the key server generates a key and transmits the key to the local encryption machine and the online encryption machine; the online encryption machine encrypts the key to generate a first encrypted private key and a first public key, stores the first encrypted private key internally, and returns the first public key to the key server and the financial management server; the local encryption machine encrypts the key to generate a second encrypted private key and a second public key, returns the second public key to the key server, generates at least three pieces of private key information based on the second encrypted private key, then stores the first private key information and sends the second private key information and the third private key information to a first remote encryption machine and a second remote encryption machine located in different machine rooms; the key server returns the second public key to the financial management server;
the wallet server receives a digital asset deposit request, stores a first proportion of the digital assets in the online encryption machine according to a set rule, and stores a second proportion of the digital assets in at least one remote encryption machine; and/or
the financial management server receives a digital asset withdrawal request and sends it to the wallet server, and the wallet server withdraws the digital assets from the online encryption machine and/or the remote encryption machine according to a set rule and returns them to the financial management server.
In the digital asset remote branch management system of the invention, the wallet server parses, based on the digital asset withdrawal request and the set rule, first transaction data that needs to be signed by the online encryption machine and/or second transaction data that needs to be signed by the remote encryption machine. The key server encrypts the first transaction data with the first public key and sends the first encrypted data to the online encryption machine through the wallet server; the online encryption machine signs the first encrypted data with the first encrypted private key and returns the generated first signature data to the wallet server, and the wallet server returns the first signature data to the financial management server. The key server encrypts the second transaction data with the second public key and sends the second encrypted data to the local encryption machine through the third communication channel; the local encryption machine signs the second encrypted data with the first private key information and sends the primary signature data to the remote encryption machine; the remote encryption machine signs again and returns the secondary signature data to the local encryption machine, and the local encryption machine returns the secondary signature data to the financial management server along the original path.
In the digital asset remote branch management system of the invention, the wallet server first determines whether the total digital assets stored in the online encryption machine satisfy the digital asset withdrawal request. If so, the digital assets are withdrawn from the online encryption machine and returned to the financial management server; otherwise, a first digital asset and a second digital asset are withdrawn from the online encryption machine and the remote encryption machine respectively and returned to the financial management server, wherein the sum of the first digital asset and the second digital asset is greater than or equal to the digital asset withdrawal request.
In the digital asset remote branch management system of the invention, when the sum of the first digital asset and the second digital asset is greater than the digital asset withdrawal request, the financial management server returns the remaining digital assets to the online encryption machine for storage.
The digital asset remote branch management system of the invention comprises a plurality of remote encryption machines, and the wallet server stores digital assets in one or more of the remote encryption machines according to set rules.
In the digital asset remote branch management system of the invention, the local encryption machine is connected with the remote encryption machine through a dedicated line.
In the digital asset remote branch management system of the invention, the third communication channel includes a first acoustic transceiver disposed on the key server and a second acoustic transceiver disposed on the local encryption machine.
In the digital asset remote branch management system of the invention, the third communication channel comprises a scanning device and a display device arranged on the key server, and a scanning device and a display device arranged on the local encryption machine. After receiving the second transaction data, the key server encodes the second transaction data as a two-dimensional code, encrypts the resulting two-dimensional code with the second public key, and displays the encrypted two-dimensional code on the display device of the key server. The scanning device on the local encryption machine scans the encrypted two-dimensional code; a local encryption private key is used to decrypt it and obtain the second transaction data, which is signed with the first private key information; the primary signature data is then sent to the remote encryption machine, which signs again and returns the secondary signature data to the local encryption machine. The local encryption machine encodes the secondary signature data as a two-dimensional code to generate a signature two-dimensional code, and displays it on the display device of the local encryption machine. The scanning device on the key server scans the signature two-dimensional code to obtain the secondary signature data, which is returned to the financial management server along the original path.
In the digital asset remote branch management system of the invention, the scanning device and the display device on the local encryption machine are connected with the local encryption machine through USB interfaces, and the scanning device and the display device arranged on the key server are connected with the key server through USB interfaces; a first firewall is arranged in the first communication channel, and the management server is arranged in an internal network; a second firewall is arranged in the second communication channel, the key server is arranged in an isolated network, and the key server is physically isolated from the local encryption machine.
Another technical solution adopted to solve the technical problem of the invention is to construct a digital asset remote branch management method, comprising:
S1, constructing the digital asset remote branch management system;
S2, completing the key application using the digital asset remote branch management system;
S3, completing the deposit of digital assets using the digital asset remote branch management system; and/or
S4, completing the withdrawal of digital assets using the digital asset remote branch management system.
The digital assets are stored in the online encryption machine and the remote encryption machines in different proportions, so that the digital assets can be accessed conveniently and quickly while security is enhanced. Digital assets stored in the online encryption machine can be accessed quickly by customers. For digital assets stored in the remote encryption machines, the private keys are stored in different remote encryption machines and signing is also carried out in different remote encryption machines, so that the private keys cannot be revealed even if some of the remote encryption machines are compromised; the digital assets are also isolated behind several layers of networks, which avoids the defects of exposure to network attack, large potential security hazards and information disclosure risks, and thus guarantees the security of the digital assets. Furthermore, the key server and the local encryption machine can communicate only through sound-wave communication or two-dimensional code scanning, and the local encryption machine and the remote encryption machines can communicate only through a dedicated line, so the encryption process is complex and the degree of security is high. Furthermore, the storage proportions and the access rules for the digital assets in the online encryption machine and the remote encryption machines can be set by the operator, so the configuration is flexible and withdrawal is convenient.
Drawings
The invention will be further described with reference to the accompanying drawings and examples, in which:
FIG. 1 is a functional block diagram of a first preferred embodiment of the digital asset remote branch management system of the present invention;
FIG. 2 is a schematic structural diagram of a preferred embodiment of the third communication channel of the digital asset remote branch management system of the present invention;
FIG. 3 is a schematic flow diagram of a first embodiment of the digital asset remote branch management method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
FIG. 1 is a functional block diagram of a first embodiment of the digital asset remote branch management system of the present invention. As shown in FIG. 1, the digital asset remote branch management system includes: a financial management server 100 communicating with an external network, a management server 300 and a wallet server 800 communicating with the financial management server 100 via a first communication channel 200, a key server 500 communicating with the management server 300 and the wallet server 800 via a second communication channel 400, a local encryption machine 710 communicating with the key server 500 via a third communication channel 600, an online encryption machine 900 communicating with the wallet server 800, and at least a first remote encryption machine 721 and a second remote encryption machine 722 communicating with the local encryption machine 710 via a fourth channel.
As shown in FIG. 1, a first firewall is disposed in the first communication channel 200, and the management server 300 is disposed in an internal network; a second firewall is installed in the second communication channel 400, the key server 500 is installed in an isolated network, and the local encryption machine 710, the first remote encryption machine 721 and the second remote encryption machine 722 are offline. In the present invention, offline means not communicating with any external network except through the communication means mentioned herein. The online encryption machine 900 is connected to an external network via the wallet server 800 and the financial management server 100.
In the key application process, the financial management server 100 receives a key application and transmits it to the management server 300 in the internal network via the first communication channel 200. The management server 300 transmits the key application to the key server 500 in the isolated network through the second communication channel 400. The key server 500 generates a key and transmits the key to the local encryption machine 710 and the wallet server 800 through a third communication channel 600. The wallet server 800 forwards the key to the online encryption machine 900. The online encryption machine 900 encrypts the key to generate a first encrypted private key and a first public key, stores the first encrypted private key internally, and returns the first public key to the wallet server 800. The wallet server 800 returns the first public key to the key server 500 and the financial management server 100 via the second communication channel 400 and the first communication channel 200, respectively. The local encryption machine 710 encrypts the key to generate a second encrypted private key and a second public key, returns the second public key to the key server 500, generates at least three pieces of private key information based on the second encrypted private key, then stores the first private key information and sends the second private key information and the third private key information to the first remote encryption machine 721 and the second remote encryption machine 722, which are located in different machine rooms. The key server 500 returns the second public key to the financial management server 100 via the second communication channel 400 and the management server 300. Of course, the key server 500 may instead return the second public key to the financial management server 100 via the second communication channel 400 and the wallet server 800. In further preferred embodiments of the invention, four, five or more pieces of private key information may also be generated.
In these embodiments, a greater number of remote encryption machines may be included, with each remote encryption machine storing one piece of private key information. Since the first communication channel 200 and the second communication channel 400 are each provided with a firewall, the security capability is enhanced. Further, isolating the external network from the internal network, isolating the internal network from the isolated network, and physically isolating the isolated network from the encryption machines achieves multiple layers of isolation, and because the local encryption machine 710 is connected with the first remote encryption machine 721 and the second remote encryption machine 722 through a dedicated line, the security guarantee is further strengthened. The private key information is stored in a plurality of encryption machines, so that the private key cannot be revealed even if some of the encryption machines are compromised. The first remote encryption machine 721 and the second remote encryption machine 722 may be connected to each other by a dedicated line, or may not be connected to each other.
When digital assets need to be deposited, the financial management server 100 receives a digital asset deposit request and transmits it to the wallet server 800, and the wallet server 800 deposits a first proportion of the digital assets into the online encryption machine 900 according to a set rule and deposits a second proportion of the digital assets into at least one of the first and second remote encryption machines 721 and 722. Of course, the wallet server 800 may also be arranged to deposit a first percentage of the digital assets in the online encryption machine 900, a second percentage in the first remote encryption machine 721, and a third percentage in the second remote encryption machine 722 according to set rules. Other settings may be employed when there are more remote encryption machines.
In a preferred embodiment of the present invention, digital assets from the respective user clients may first be received through the financial management server 100, and when a certain amount has accumulated, the financial management server 100 generates a digital asset deposit request. In another preferred embodiment of the present invention, the financial management server 100 may also receive a digital asset deposit request from each user client. Typically, a small percentage (e.g., 5-10%) of the digital assets is stored in the online encryption machine to handle circulation, while a large percentage (90-95%) is stored in the remote encryption machines to keep the account secure. Of course, other arrangements can be made according to actual needs. The large percentage of the digital assets (90-95%) can typically be stored in one or several remote encryption machines by way of offline bitcoin wallet addresses. The way the digital assets are stored in the remote encryption machines can also be set according to actual needs. For example, all the digital assets can be written to the same bitcoin wallet address, with a plurality of backup bitcoin wallet addresses set up for subsequent withdrawal operations; or the digital assets can be written to different bitcoin wallet addresses in equal or unequal amounts according to a certain proportion rule, so as to facilitate subsequent withdrawal operations. After the digital assets have been signed and withdrawn, the corresponding bitcoin wallet address becomes invalid.
When digital assets need to be withdrawn, the financial management server 100 receives a digital asset withdrawal request, for example from one or more user clients, and forwards the request to the wallet server 800. The wallet server 800 withdraws the digital assets from the online encryption machine 900, the first remote encryption machine 721 and/or the second remote encryption machine 722 according to a set rule and returns them to the financial management server 100, which then transmits them to the client through a blockchain. For example, if the wallet server 800 finds that the total amount of digital assets requested is lower than the total amount stored in the online encryption machine 900, and that the online encryption machine 900 will not fall below its specified minimum storage amount after the withdrawal, the digital assets are withdrawn directly from the online encryption machine 900. If the wallet server 800 finds that the total amount requested is lower than the total amount stored in the online encryption machine 900, but that the online encryption machine 900 will fall below its specified minimum storage amount after the withdrawal, it withdraws directly from the online encryption machine 900 and then, within a predetermined period of time, withdraws certain digital assets from the first and/or second remote encryption machines 721, 722 and transfers them into the online encryption machine 900.
For another example, if the wallet server 800 finds that the total amount of digital assets requested is higher than the total amount stored in the online encryption machine 900, a first digital asset is withdrawn from the online encryption machine 900 and a second digital asset is withdrawn from the first or second remote encryption machine 721 or 722, according to certain rules (such as a certain proportion or requirement). When the sum of the first digital asset and the second digital asset is larger than the digital asset withdrawal request, the financial management server returns the remaining digital assets to the online encryption machine for storage. Of course, in another preferred embodiment of the present invention, if for example the total amount requested is found to be large and the digital assets stored in the online encryption machine 900 are already at or below its specified minimum storage amount, the digital assets may be withdrawn from the first remote encryption machine 721 or the second remote encryption machine 722 only. Of course, other rules and requirements may be set by those skilled in the art based on the teachings of the present invention. In a further preferred embodiment of the present invention, where a proportion of the digital assets is stored in each of the first remote encryption machine 721 and the second remote encryption machine 722, the wallet server 800 may be configured to withdraw a proportion of the digital assets from the first remote encryption machine 721 and a proportion from the second remote encryption machine 722 each time.
In a preferred embodiment of the present invention, when digital assets need to be withdrawn, the wallet server 800 parses, based on the digital asset withdrawal request and the set rules, first transaction data that needs to be signed by the online encryption machine 900 and/or second transaction data that needs to be signed by the remote encryption machines 721, 722. As previously described, only the first transaction data is parsed when only a withdrawal from the online encryption machine 900 is required, and only the second transaction data is parsed when only a withdrawal from the remote encryption machine 721 or 722 is required. When a withdrawal from all three devices is required, the first transaction data, the second transaction data and the third transaction data are parsed.
When the first transaction data is parsed, the key server 500 encrypts the first transaction data with the first public key and sends the first encrypted data to the online encryption machine 900 through the wallet server 800; the online encryption machine 900 signs the first encrypted data with the first encrypted private key and returns the generated first signature data to the wallet server 800, and the wallet server 800 returns the first signature data to the financial management server 100. When the second transaction data is parsed, the key server 500 encrypts the second transaction data with the second public key and sends the second encrypted data to the local encryption machine 710 through the third communication channel 600; the local encryption machine 710 signs the second encrypted data with the first private key information and sends the primary signature data to a remote encryption machine (for example, the first remote encryption machine 721); the first remote encryption machine 721 signs again and returns the secondary signature data to the local encryption machine 710; the local encryption machine 710 returns the secondary signature data to the key server 500, and the key server 500 returns the secondary signature data to the financial management server 100.
When the second transaction data and the third transaction data are parsed at the same time, the key server 500 encrypts the second transaction data and the third transaction data with the second public key and sends them to the local encryption machine 710 through the third communication channel 600; the local encryption machine 710 signs the second encrypted data and the third encrypted data with the first private key information and sends the two pieces of primary signature data to the first remote encryption machine 721 and the second remote encryption machine 722 respectively; the first remote encryption machine 721 and the second remote encryption machine 722 each sign again and return two pieces of secondary signature data to the local encryption machine 710; the local encryption machine 710 returns the two pieces of secondary signature data to the key server 500, and the key server 500 returns them to the financial management server 100 along the original path. The cases in which the first and second transaction data, the first and third transaction data, or the first through third transaction data are parsed at the same time may be carried out with reference to the above description.
In a preferred embodiment of the invention, the third communication channel 600 comprises a first acoustic transceiver means provided on the key server 500 and a second acoustic transceiver means provided on the local encryption engine.
The digital asset remote branch management system stores the digital assets in the online encryptor and the offsite encryptors in different proportions, which both makes the digital assets quick and convenient to access and enhances security. Digital assets stored in the online encryptor can be accessed quickly by the customer. For digital assets stored in the offsite encryptors, the private key is stored across different offsite encryptors and signing is also carried out in those offsite encryptors, so the private key is not revealed even if some of the offsite encryptors are compromised; in addition, the digital assets are isolated behind multiple network layers, which avoids the drawbacks of exposure to network attacks, large potential security hazards and information disclosure risk, and so safeguards the digital assets. Furthermore, the key server and the local encryptor can communicate only through sound waves, and the local encryptor and the offsite encryptors can communicate only through a dedicated line, so the encryption process is complex and the degree of security is high. Furthermore, the storage proportions and the access rules for the digital assets in the online and offsite encryptors can be set by the operator, so configuration is flexible and withdrawal is convenient.
Fig. 2 is a schematic configuration diagram of a preferred embodiment of the third communication channel of the digital asset offsite distribution management system of the present invention. As shown in fig. 2, the third communication channel 600 includes a scanning device 610 and a display device 620 provided on the key server 500, and a scanning device and a display device provided on the local encryption engine 710. The scanning device 610 and the display device 620 are disposed on the same side of the key server 500 and on the mounting structure 640, and communicate with the key server 500 through the USB interface 630. The scanning device and the display device provided on the local encryption engine 710 are also located on the same side of the local encryption engine 710 and on the mounting structure 650, and communicate with the local encryption engine 710 through the USB interface 660. The scanning device provided on the local encryption engine 710 is directly facing the display device 620 provided on the key server 500. Similarly, the display device provided on the local encryption engine 710 is directly opposite to the scanning device 610 provided on the key server 500.
In this embodiment, after receiving the second transaction data, the key server 500 encodes it as a two-dimensional code, encrypts the resulting two-dimensional code with the second public key, and displays the encrypted two-dimensional code on the display device 620. The scanning device on the local encryptor 710 scans the encrypted two-dimensional code; the local encryptor 710 decrypts it with a local encryption private key to obtain the second transaction data, signs with the first private key information, and then sends the primary signature data to the offsite encryptor (i.e., the first offsite encryptor or the second offsite encryptor). After the offsite encryptor signs again, it returns the secondary signature data to the local encryptor 710 through the dedicated line. The local encryptor 710 encodes the secondary signature data as a two-dimensional code to generate a signature two-dimensional code, and displays it on its display device. The scanning device 610 on the key server 500 scans the signature two-dimensional code to obtain the secondary signature data, which is returned to the financial management server. In this embodiment, communication between the key server 500 and the local encryptor 710 during the key application process works the same way, that is, through two-dimensional code display and scanning, so the description is not repeated here. The third transaction data is processed in the same way.
In a preferred embodiment of the present invention, any known encoding method may be used to encode the obtained transaction data into a two-dimensional code that can be displayed by a display device. Further, any encryption method may be used to encrypt the obtained two-dimensional code. For example, common DES and RSA hybrid encryption algorithms may be employed. Preferably, the displayed encrypted two-dimensional code is refreshed, for example, at set time intervals. Preferably, the scanning device may acquire the two-dimensional code by timed polling. In another preferred embodiment of the present invention, the scanning device may instead scan continuously, so as to obtain the two-dimensional code as soon as it is displayed. Preferably, the scanning device is a scanner, the display device is a liquid crystal display screen, and an anti-peeping film is attached to the liquid crystal display screen. In this embodiment, the key server and the local encryptor can communicate only through two-dimensional code scanning, the local encryptor and the offsite encryptors can communicate only through a dedicated line, and the offsite encryptors cannot communicate with each other, so the encryption process is complex and the degree of security is high.
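Because the code is redisplayed at intervals and the scanner polls or scans continuously, the receiving side can read the same code many times. The following added sketch (not code from the patent) shows a receiver that passes each encrypted payload on exactly once and rejects misread codes; the frame layout with `seq` and `sha256` fields and all function names are assumptions, and the ciphertext is treated as opaque bytes.

```python
import base64
import hashlib
import json

# Binary capacity of a version-40 QR code at error-correction level L.
QR_MAX_BYTES = 2953


def build_frame(seq: int, ciphertext: bytes) -> str:
    """Wrap already-encrypted data in a frame small enough for one code.

    The frame format is an assumption of this example, not the patent's.
    """
    frame = json.dumps(
        {
            "seq": seq,  # increases by one for every new message
            "data": base64.b64encode(ciphertext).decode("ascii"),
            "sha256": hashlib.sha256(ciphertext).hexdigest(),
        },
        separators=(",", ":"),
    )
    if len(frame.encode("utf-8")) > QR_MAX_BYTES:
        raise ValueError("frame does not fit in a single two-dimensional code")
    return frame


class ScanReceiver:
    """Receiving side of the display/scanner channel (hypothetical class)."""

    def __init__(self) -> None:
        self.last_seq = 0  # highest sequence number already handed on

    def poll(self, scanned_text: str):
        """Return the ciphertext of a new frame, or None for a repeat.

        Raises ValueError when the scan is malformed or was misread.
        """
        try:
            frame = json.loads(scanned_text)
            seq = frame["seq"]
            data = base64.b64decode(frame["data"], validate=True)
            digest = frame["sha256"]
        except (ValueError, KeyError, TypeError) as exc:
            raise ValueError("malformed frame") from exc
        if type(seq) is not int or seq < 1:
            raise ValueError("invalid sequence number")
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("digest mismatch: code was misread")
        if seq <= self.last_seq:
            return None  # same or older code still on screen: do not re-sign
        self.last_seq = seq
        return data


if __name__ == "__main__":
    receiver = ScanReceiver()
    shown = build_frame(1, b"constructed sample ciphertext")
    print(receiver.poll(shown))  # first scan yields the payload
    print(receiver.poll(shown))  # next polling cycle sees the same code
```

The digest only detects scanner misreads; it does not authenticate the sender, which still depends on the encryption and signature steps the description sets out.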
Fig. 3 is a schematic flow diagram of a first embodiment of the digital asset remote branch management method of the invention. In step S1, a digital asset remote branch management system is constructed. In this embodiment, the digital asset remote branch management system may be constructed in accordance with any of the embodiments shown in figs. 1-2.
In step S2, the digital asset remote branch management system is used to complete the key application. In a preferred embodiment of the present invention, in this step, the financial management server receives a key application and transmits it to the key server through the management server, and the key server generates a key and transmits it to the local encryptor and the online encryptor; the online encryptor encrypts the key to generate a first encryption private key and a first public key, stores the first encryption private key internally, and returns the first public key to the key server and the financial management server; the local encryptor encrypts the key to generate a second encryption private key and a second public key and returns the second public key to the key server, generates at least three pieces of private key information based on the second encryption private key, then stores the first private key information and sends the second private key information and the third private key information to a first offsite encryptor and a second offsite encryptor, which are located in different machine rooms; the key server returns the second public key to the financial management server.
In step S3, the digital asset remote branch management system is used to complete the deposit of digital assets. In a preferred embodiment of the present invention, in this step, the wallet server receives a digital asset deposit request and, according to the set rules, deposits a first proportion of the digital assets in the online encryptor and a second proportion of the digital assets in at least one of the offsite encryptors. In a preferred embodiment of the present invention, multiple offsite encryptors may be provided, with the wallet server storing digital assets in one or more offsite encryptors according to the set rules.
In step S4, the digital asset remote branch management system is used to complete the withdrawal of digital assets. In a preferred embodiment of the present invention, in this step, the financial management server receives a digital asset withdrawal request and transmits it to the wallet server, and the wallet server withdraws the digital asset from the online encryptor and/or the offsite encryptors according to the set rules and returns it to the financial management server. In a preferred embodiment of the present invention, the wallet server first determines whether the total amount of digital assets stored in the online encryptor satisfies the digital asset withdrawal request; if so, it withdraws the digital assets from the online encryptor and returns them to the financial management server; otherwise, it withdraws a first digital asset from the online encryptor and a second digital asset from the offsite encryptor and returns them to the financial management server, wherein the sum of the first and second digital assets is greater than or equal to the amount of the digital asset withdrawal request. When the sum of the first digital asset and the second digital asset is greater than the amount of the digital asset withdrawal request, the financial management server returns the remaining digital assets to the online encryptor for storage.
Further, in the preferred embodiment of the present invention, the digital asset remote branch management method of the present invention can be implemented with reference to any of the embodiments of figs. 1-2. Based on the teaching of the present invention, those skilled in the art can implement the digital asset remote branch management method of the present invention.
By storing the digital assets in the online encryptor and the offsite encryptors in different proportions, the digital asset remote branch management method of the invention both makes the digital assets quick to access and enhances security. Digital assets stored in the online encryptor can be accessed quickly by clients. For digital assets stored in the offsite encryptors, the private key is stored across different offsite encryptors and signing is also carried out in those offsite encryptors, so the private key is not disclosed even if some of the offsite encryptors are compromised; multi-layer network isolation avoids the drawbacks of exposure to network attacks, large potential security hazards and information leakage risk, and so safeguards the digital assets. Furthermore, the key server and the local encryptor can communicate only through sound waves or two-dimensional code scanning, and the local encryptor and the offsite encryptors can communicate only through a dedicated line, so the encryption process is complex and the degree of security is high. Furthermore, the storage proportions and the access rules for the digital assets in the online encryptor and the offsite encryptors can be set by the operator, so configuration is flexible and withdrawal is convenient.
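The selection rule of step S4, together with the earlier mapping from withdrawal sources to first, second and third transaction data, is sketched below as an added example (not code from the patent). The patent leaves the "set rules" open, so this sketch assumes integer amounts in the asset's smallest unit, that the online encryptor is drained before offsite funds are touched, and that offsite holdings move in whole lots taken in order; `plan_withdrawal`, `WithdrawalPlan` and the source names are hypothetical.

```python
from dataclasses import dataclass

# Which transaction data each source must sign, as named in the description:
# first = online encryptor, second / third = first / second offsite encryptor.
TRANSACTION_DATA = {
    "online": "first",
    "offsite_1": "second",
    "offsite_2": "third",
}


@dataclass
class WithdrawalPlan:
    takes: dict             # source name -> amount withdrawn from it
    transaction_data: list  # which transaction data must be parsed and signed
    remainder: int          # surplus returned to the online encryptor


def plan_withdrawal(request: int, online_balance: int,
                    offsite_lots: dict) -> WithdrawalPlan:
    """Plan a withdrawal of `request` units.

    offsite_lots maps "offsite_1" / "offsite_2" to a list of lot sizes
    (assumed rule: offsite funds can only be moved as whole lots).
    """
    if type(request) is not int or request <= 0:
        raise ValueError("request must be a positive integer amount")
    if online_balance < 0:
        raise ValueError("online balance cannot be negative")

    # Case 1: the online encryptor alone satisfies the request.
    if online_balance >= request:
        return WithdrawalPlan({"online": request}, ["first"], 0)

    # Case 2: take what is online, then whole offsite lots until covered.
    takes = {}
    if online_balance > 0:
        takes["online"] = online_balance
    total = online_balance
    for source in ("offsite_1", "offsite_2"):
        for lot in offsite_lots.get(source, []):
            if total >= request:
                break
            takes[source] = takes.get(source, 0) + lot
            total += lot

    if total < request:
        raise ValueError("stored digital assets do not cover the request")

    needed = [TRANSACTION_DATA[s] for s in TRANSACTION_DATA if s in takes]
    # Anything above the request goes back to the online encryptor.
    return WithdrawalPlan(takes, needed, total - request)


if __name__ == "__main__":
    # Constructed sample balances, for illustration only.
    lots = {"offsite_1": [40], "offsite_2": [40, 40]}
    print(plan_withdrawal(30, 50, lots))
    print(plan_withdrawal(120, 50, lots))
```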
Accordingly, the present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in at least one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods of the present invention is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
The present invention may also be implemented by a computer program product which comprises all the features enabling the implementation of the methods of the invention and which, when loaded in a computer system, is able to carry out these methods. The computer program in this document refers to: any expression, in any programming language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different format.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from its scope. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed, but that the invention will include all embodiments falling within the scope of the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A digital asset remote branch management system, comprising: a financial management server in communication with an external network, a management server and a wallet server in communication with the financial management server via a first communication channel, a key server in communication with the management server and the wallet server via a second communication channel, a local encryptor in communication with the key server via a third communication channel, an online encryptor in communication with the wallet server, and at least a first offsite encryptor and a second offsite encryptor in communication with the local encryptor via a fourth channel;
the financial management server receives a key application and transmits the key application to the key server through the management server, and the key server generates a key and transmits the key to the local encryptor and the online encryptor; the online encryptor encrypts the key to generate a first encryption private key and a first public key, stores the first encryption private key internally and returns the first public key to the key server and the financial management server; the local encryptor encrypts the key to generate a second encryption private key and a second public key and returns the second public key to the key server, generates at least three pieces of private key information based on the second encryption private key, then stores the first private key information and sends the second private key information and the third private key information to the first offsite encryptor and the second offsite encryptor, which are located in different machine rooms; the key server returns the second public key to the financial management server;
the wallet server receives a digital asset deposit request, stores a first proportion of the digital assets in the online encryptor according to a set rule, and stores a second proportion of the digital assets in at least one offsite encryptor; and/or
the financial management server receives a digital asset withdrawal request and sends the request to the wallet server, and the wallet server withdraws the digital asset from the online encryptor, the first offsite encryptor and/or the second offsite encryptor according to a set rule and returns the digital asset to the financial management server.
2. The system according to claim 1, wherein the wallet server parses, based on the digital asset withdrawal request and the set rule, first transaction data that needs to be signed by the online encryptor and/or second transaction data that needs to be signed by the first offsite encryptor and/or the second offsite encryptor; the key server encrypts the first transaction data with the first public key and then sends the first encrypted data to the online encryptor via the wallet server, the online encryptor signs the first encrypted data with the first private key and then returns the generated first signature data to the wallet server, and the wallet server returns the first signature data to the financial management server; the key server encrypts the second transaction data with the second public key and then sends the second encrypted data to the local encryptor through the third communication channel, the local encryptor signs the second encrypted data with the first private key information and then sends the primary signature data to the first offsite encryptor and/or the second offsite encryptor, the first offsite encryptor and/or the second offsite encryptor signs again and then returns the secondary signature data to the local encryptor, and the local encryptor returns the secondary signature data to the financial management server along the original path.
3. The system of claim 2, wherein the wallet server first determines whether the total amount of digital assets stored in the online encryptor satisfies the digital asset withdrawal request, and if so, withdraws the digital assets from the online encryptor and returns the digital assets to the financial management server; otherwise, it withdraws a first digital asset from the online encryptor, withdraws a second digital asset from the first offsite encryptor and/or the second offsite encryptor, and returns the digital assets to the financial management server, wherein the sum of the first digital asset and the second digital asset is greater than or equal to the amount of the digital asset withdrawal request.
4. The system of claim 3, wherein the financial management server returns remaining digital assets to the online encryptor for storage when the sum of the first digital asset and the second digital asset is greater than the amount of the digital asset withdrawal request.
5. The system of claim 4, comprising a plurality of offsite encryptors, wherein the wallet server stores the digital assets in one or more offsite encryptors according to the set rules.
6. The system of claim 5, wherein the local encryptor is connected to the first and second offsite encryptors via a dedicated line.
7. The digital asset remote branch management system according to claim 6, wherein the third communication channel comprises a first acoustic transceiver disposed on the key server and a second acoustic transceiver disposed on the local encryptor.
8. The digital asset remote branch management system of claim 7, wherein the third communication channel includes a scanning device and a display device disposed on the key server and a scanning device and a display device disposed on the local encryptor; after receiving the second transaction data, the key server encodes the second transaction data as a two-dimensional code, encrypts the obtained two-dimensional code with the second public key, and displays the encrypted two-dimensional code on the display device of the key server; the scanning device on the local encryptor scans the encrypted two-dimensional code, the local encryptor decrypts the encrypted two-dimensional code with a local encryption private key to obtain the second transaction data, signs with the first private key information, and then sends the primary signature data to the first offsite encryptor and/or the second offsite encryptor; the first offsite encryptor and/or the second offsite encryptor signs again and then returns the secondary signature data to the local encryptor; the local encryptor encodes the secondary signature data as a two-dimensional code to generate a signature two-dimensional code, and then displays the signature two-dimensional code on the display device of the local encryptor; and the scanning device on the key server scans the signature two-dimensional code to obtain the secondary signature data, and returns the secondary signature data to the financial management server.
9. The system according to claim 8, wherein the scanning device and the display device on the local encryptor are connected with the local encryptor through a USB interface, and the scanning device and the display device provided on the key server are connected with the key server through a USB interface; a first firewall is arranged in the first communication channel, and the management server is arranged in an internal network; and a second firewall is arranged in the second communication channel, the key server is arranged in an isolation network, and the key server is physically isolated from the local encryptor.
10. A digital asset remote branch management method, characterized by comprising the following steps:
S1, constructing a digital asset remote branch management system according to any one of claims 1-9;
S2, using the digital asset remote branch management system to complete a key application;
S3, using the digital asset remote branch management system to complete the deposit of digital assets; and/or
S4, using the digital asset remote branch management system to complete the withdrawal of digital assets.
CN201911324225.1A 2019-12-13 2019-12-23 Digital asset remote branch management system and method Active CN111523880B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201911324225.1A CN111523880B (en) 2019-12-23 2019-12-23 Digital asset remote branch management system and method
US17/051,168 US20220122066A1 (en) 2019-12-13 2020-01-06 System and method for remote management of digital assets
PCT/CN2020/070530 WO2021114445A1 (en) 2019-12-13 2020-01-06 Remote management system and method for digital asset

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911324225.1A CN111523880B (en) 2019-12-23 2019-12-23 Digital asset remote branch management system and method

Publications (2)

Publication Number Publication Date
CN111523880A CN111523880A (en) 2020-08-11
CN111523880B true CN111523880B (en) 2023-03-07

Family

ID=71900680

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911324225.1A Active CN111523880B (en) 2019-12-13 2019-12-23 Digital asset remote branch management system and method

Country Status (1)

Country Link
CN (1) CN111523880B (en)

Also Published As

Publication number Publication date
CN111523880A (en) 2020-08-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40027300; Country of ref document: HK)
GR01 Patent grant