CN101483513B - Network backup system, data backup and recovery method - Google Patents

Publication number: CN101483513B
Authority: CN (China)
Prior art keywords: identity token, user, backup, key, module
Legal status: Active
Application number: CN2009100460644A
Other languages: Chinese (zh)
Other versions: CN101483513A (en)
Inventor: 贺鸿富
Current Assignee: Shanghai Eisoo Information Technology Co Ltd
Original Assignee: Shanghai Eisoo Software Co Ltd
Abstract

The present invention discloses a network backup management system comprising: an identity token, used to store user information and the identity token public key corresponding to the user; and a network backup manager, used to store user information and the identity token private key corresponding to the user. When a data backup instruction is received from a logged-in user, the logged-in user's backup data is encrypted and backed up; when a data recovery instruction is received from a logged-in user, the logged-in user's backup data is decrypted and recovered according to the identity token public key, stored in the identity token, that corresponds to the logged-in user. The system uses an identity token based on public key cryptography as the basis of identification; it offers very high security, does not require the user to memorize a key, and is very easy to use. The invention also discloses a data backup method and a data recovery method for the network backup management system.

Description

A network backup system, and data backup and data recovery methods
Technical Field
The present invention relates to the field of backup technology, and in particular to a network backup system and to data backup and data recovery methods.
Background
To ensure the security of a network backup system, the system usually introduces a multi-user access mechanism to protect each user's backup data. Under this mechanism, a user can access backup data for backup and recovery only after logging in. Meanwhile, to ensure that each user's backup data is stored securely on the storage medium, the network backup system usually allows the user to choose to encrypt the data when backing it up.
User login authentication and backup data encryption are generally implemented with password techniques: a network backup system typically uses a password both for login and as the encryption passphrase for data backup. However, with the considerable development of various cracking and decryption techniques, the security of passwords has been greatly challenged and has become a serious problem under current conditions, so the security of existing network backup systems is rather low. In addition, passwords must be memorized by people, which makes password management very difficult, and passwords are lost from time to time.
Summary of the Invention
An embodiment of the invention provides a network backup management system capable of high-security data backup and recovery.
An embodiment of the invention provides a data backup method for a network backup management system, capable of high-security data backup.
An embodiment of the invention provides a data recovery method for a network backup management system, capable of high-security data recovery.
To achieve the above objects, the technical solution of the present invention is implemented as follows:
A network backup management system, comprising:
an identity token, used to store user information and the identity token public key corresponding to the user;
an identity token management unit, connected to the identity token, used to create and maintain, according to the user information, the identity token public key and identity token private key corresponding to the user, and to verify the identity token according to the digital signature sent by the login authentication unit and return the verification result to the login authentication unit;
a login authentication unit, connected to the identity token and to the identity token management unit, used to read the information in the identity token, generate a digital signature and send it to the identity token management unit, and to determine, according to the verification result returned by the identity token management unit, whether to allow the user to log in;
a backup data encryption unit, connected to the identity token management unit, used to receive a data backup instruction from a logged-in user and to encrypt and back up the logged-in user's backup data according to the identity token private key, stored by the identity token management unit, that corresponds to the logged-in user;
a restore data decryption unit, connected to the identity token, used to receive a data recovery instruction from a logged-in user and to decrypt and recover the logged-in user's backup data according to the identity token public key, stored in the identity token, that corresponds to the logged-in user.
A data backup method for a network backup management system, comprising:
receiving a data backup instruction from a logged-in user;
generating a backup data key, and encrypting the backup data with the generated backup data key using a symmetric encryption algorithm;
obtaining the identity token private key corresponding to the logged-in user, computing the hash value of the backup data key with a hash function, and encrypting the backup data key with the identity token private key using an asymmetric encryption algorithm;
storing the encrypted backup data, the hash value of the backup data key and the encrypted backup data key on the backup medium.
A data recovery method for a network backup management system, comprising:
receiving a data recovery instruction from a logged-in user;
obtaining, from the logged-in user's identity token, the identity token public key corresponding to the logged-in user;
reading the encrypted backup data key and the hash value of the backup data key;
decrypting the encrypted backup data key with the identity token public key using an asymmetric encryption algorithm;
computing the hash value of the decrypted backup data key and comparing it with the hash value of the backup data key that was read; if they are identical, decrypting and recovering the encrypted backup data with the decrypted backup data key using a symmetric encryption algorithm.
As can be seen from the above technical solutions, the network backup management system and the data backup and recovery methods of the present invention introduce strong identity authentication into data backup and recovery and use identity tokens based on public key cryptography as the authentication infrastructure. The data backup and data recovery functions provided by the network backup management system therefore have very high security, and the user does not need to memorize a password: providing the pre-created identity token is enough to use the corresponding functions, which makes the system very easy to use.
Brief Description of the Drawings
Fig. 1 is a schematic structural diagram of the network backup management system of an embodiment of the invention;
Fig. 2 is a detailed structural diagram of the login authentication unit of an embodiment of the invention;
Fig. 3 is a detailed structural diagram of the identity token management unit of an embodiment of the invention;
Fig. 4 is a detailed structural diagram of the identity token management unit of another embodiment of the invention;
Fig. 5 is a detailed structural diagram of the backup data encryption unit of an embodiment of the invention;
Fig. 6 is a detailed structural diagram of the backup data recovery unit of an embodiment of the invention;
Fig. 7 is a flow chart of the identity token generation method of an embodiment of the invention;
Fig. 8 is a flow chart of the user login method of an embodiment of the invention;
Fig. 9 is a flow chart of the digital signature verification method of an embodiment of the invention;
Fig. 10 is a flow chart of the data backup method of an embodiment of the invention;
Fig. 11 is a flow chart of the backup data recovery method of an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in more detail below with reference to the accompanying drawings and embodiments.
The present invention uses identity tokens based on public key cryptography to perform identity authentication for the network backup management system and to encrypt and decrypt backup data, which greatly improves the security of network data backup. Because public key cryptography offers high security, unforgeability and non-repudiation, and because an identity token is stronger than a conventional password and is not easily forgotten, the security of backup management system authentication and of backup data can be greatly improved.
Fig. 1 is a schematic structural diagram of the backup data management system of an embodiment of the invention. As shown in the figure, the system comprises an identity token 101 and a network backup manager 106.
The identity token 101 is used to store user information and the identity token public key corresponding to the user.
In the present invention, an identity token is an information carrier that represents a user's identity and stores user information together with the corresponding encryption and decryption information. The user must use the identity token to log in and to use the functions provided by the backup management system of the present invention, such as data backup and data recovery. A user who has logged in successfully is referred to as a logged-in user. The identity token may be a digital certificate, a smart card or a USB-Key device; the digital certificate may be a general-purpose digital certificate in X.509 or X.500 format based on a PKI system, or a private digital certificate in a user-defined format.
The network backup manager 106 is used to store user information and the identity token private key corresponding to the user. When it receives a data backup instruction from a logged-in user, it encrypts and backs up the logged-in user's backup data according to the identity token private key it holds for that user. When it receives a data recovery instruction from a logged-in user, it decrypts and recovers the logged-in user's backup data according to the identity token public key, stored in the identity token, that corresponds to the logged-in user.
The network backup manager 106 may comprise an identity token management unit 102, a backup data encryption unit 104 and a restore data decryption unit 105.
The identity token management unit 102 is connected to the identity token and is used to create, according to the user information entered, the identity token public key and identity token private key corresponding to the user. The identity token public key and the user information are stored in the identity token 101; the identity token private key and the user information are stored in the identity token management unit 102. Of course, the function of creating the key pair may also be performed by another device.
The backup data encryption unit 104 is connected to the identity token management unit 102 and is used to receive a data backup instruction from a logged-in user and to encrypt and back up the logged-in user's backup data according to the identity token private key, stored by the identity token management unit 102, that corresponds to the logged-in user.
The restore data decryption unit 105 is connected to the identity token 101 and is used to receive a data recovery instruction from a logged-in user and to decrypt and recover the logged-in user's backup data according to the identity token public key, stored in the identity token 101, that corresponds to the logged-in user.
In addition, the network backup manager 106 may also provide user login authentication. In that case it further comprises a login authentication unit 103, connected to the identity token 101 and to the identity token management unit 102, which reads the user information in the identity token 101 and the identity token public key corresponding to the user, generates a digital signature and sends it to the identity token management unit 102, and determines, according to the verification result returned by the identity token management unit 102, whether to allow the user to log in. A user whose verification succeeds is allowed to log in as a logged-in user. The identity token management unit 102 then additionally verifies the digital signature sent by the login authentication unit according to the stored identity token private key and user information, and returns the verification result to the login authentication unit 103.
Fig. 2 is a detailed structural diagram of the login authentication unit of an embodiment of the invention. As shown in Fig. 2, the login authentication unit comprises:
an identity token reading module 201, used to read the user information in the identity token 101 and the identity token public key corresponding to the user;
a digital signature generation module 202, connected to the identity token reading module 201 and to the identity token management unit 102, used to generate a digital signature from the user information and identity token public key that were read, and to send it to the identity token management unit 102;
a login management module 203, connected to the identity token management unit 102, used to decide, according to the verification result returned by the identity token management unit 102, whether to allow the user to log in.
If verification succeeds, the user is allowed to log in as a logged-in user; otherwise the user is not allowed to log in.
Fig. 3 is a detailed structural diagram of the identity token management unit of an embodiment of the invention. As shown in Fig. 3, the identity token management unit comprises:
a token management module 301, used to create and maintain, according to the user information, the identity token public key and identity token private key corresponding to the user, and to store the identity token private key.
The user information may be created and entered manually; what it contains can be set arbitrarily. Maintenance of identity tokens includes cancellation and revocation of identity tokens, management of the identity token revocation list, and so on. Revocation is used to invalidate the original identity token after it has been lost or damaged. When the identity token key pair is created, a public or non-public asymmetric encryption algorithm such as RSA or DSA may be used. Of the key pair created, the identity token public key may be stored in the user's identity token, while the identity token private key may be stored securely in the token management module 301. Of course, the token management module 301 may also store the identity token public key.
a digital signature verification module 302, connected to the login management module 203 and to the token management module 301, used to verify the digital signature generated by the digital signature generation module 202 using the identity token private key corresponding to the user, read from the token management module 301, and to return the verification result to the login management module 203.
The verification method may be as follows: using the identity token private key corresponding to the user and the same asymmetric encryption algorithm that was used to generate the digital signature, decrypt the encrypted user information; using the same hash function that was used to generate the digital signature, compute the hash value of the decrypted user information; compare the hash value of the user information computed when the digital signature was generated with the hash value of the decrypted user information computed during verification. If they are identical, verification succeeds; otherwise verification fails.
Fig. 4 is a detailed structural diagram of the identity token management unit of another embodiment of the invention. As shown in Fig. 4, on the basis of the embodiment shown in Fig. 3, in addition to a token management module 401 and a digital signature verification module 402, the identity token management unit further comprises:
a discarded identity token storage module 403, used to store discarded identity tokens;
a discarded identity token lookup module 404, connected to the discarded identity token storage module 403, used to look up the user's discarded identity tokens in the discarded identity token storage module 403.
The digital signature verification module 402 is further connected to the discarded identity token lookup module 404. When verification of the digital signature generated by the digital signature generation module 202 fails using the identity token private key corresponding to the user read from the token management module 401, the module verifies that digital signature using the user's discarded identity token found by the discarded identity token lookup module 404, and returns the verification result to the login management module 203.
Fig. 5 is a detailed structural diagram of the backup data encryption unit of an embodiment of the invention. As shown in Fig. 5, the backup data encryption unit comprises:
a backup instruction receiving module 501, used to receive a data backup instruction from a logged-in user;
a key generation module 502, connected to the backup instruction receiving module 501, used to generate the backup data key;
a data encryption module 503, connected to the key generation module 502, used to encrypt the backup data with the generated backup data key using a symmetric encryption algorithm;
a private key acquisition module 504, connected to the identity token management unit 102, used to obtain the identity token private key corresponding to the logged-in user;
a hash value generation module 505, connected to the key generation module 502, used to compute the hash value of the backup data key with a hash function;
a key encryption module 506, connected to the key generation module 502 and to the private key acquisition module 504, used to encrypt the backup data key with the identity token private key obtained by the private key acquisition module 504, using an asymmetric encryption algorithm;
a data storage module 507, connected to the data encryption module 503, the hash value generation module 505 and the key encryption module 506, used to store the encrypted backup data, the hash value of the backup data key and the encrypted backup data key on the backup medium.
Fig. 6 is a detailed structural diagram of the backup data recovery unit of an embodiment of the invention. As shown in Fig. 6, the backup data recovery unit comprises:
a recovery instruction receiving module 601, used to receive the user's data recovery instruction;
a public key acquisition module 602, connected to the recovery instruction receiving module 601, used to obtain the identity token public key corresponding to the user from the identity token 101 of the logged-in user;
a key reading module 603, connected to the recovery instruction receiving module 602, used to read the encrypted backup data key and the hash value of the backup data key from the backup medium;
a key decryption module 604, connected to the key reading module 603 and to the public key acquisition module 602, used to decrypt the encrypted backup data key with the identity token public key using an asymmetric encryption algorithm;
a hash value computing module 605, connected to the key decryption module 604, used to compute the hash value of the decrypted backup data key;
a comparison module 606, connected to the hash value computing module 605 and to the key reading module 603, used to compare the hash value of the decrypted backup data key computed by the hash value computing module 605 with the hash value of the backup data key read by the key reading module 603;
a data recovery module 607, connected to the comparison module 606 and to the key decryption module 604, which, if the comparison module 606 finds the two values identical, decrypts and recovers the encrypted backup data with the decrypted backup data key using a symmetric encryption algorithm.
The network backup management system described above implements encrypted backup and decrypted recovery of data. The methods for encrypted backup and decrypted recovery are described in detail below.
First, the precondition for encrypted backup and decrypted recovery of data is that the user logs in as a logged-in user with a legitimate identity token, and the identity token is generated in advance. The method of generating an identity token is therefore described first.
Fig. 7 is a flow chart of the identity token generation method of an embodiment of the invention. As shown in Fig. 7, the method comprises the following steps:
Step 701: create an identity token according to the user information.
The identity token management unit may create the identity token for the user according to manually entered user information; the identity token contains the user's information.
Step 702: generate a key pair.
The identity token management unit uses an asymmetric encryption algorithm to generate a key pair consisting of an identity token public key and an identity token private key; the asymmetric encryption algorithm may be RSA, DSA, etc.
Step 703: store the identity token private key in the identity token management unit and the identity token public key in the identity token.
After the identity token has been created, the identity token management unit holds the user information and the identity token private key, and the identity token holds the user information and the identity token public key; the storage format depends on the type of identity token used.
When a user logs in to use the network backup system, the identity token must be used for login authentication; only if the identity token is verified does the network backup system allow the user to access its functions.
Fig. 8 is a flow chart of the user login method of an embodiment of the invention. As shown in Fig. 8, the method comprises the following steps:
Step 801: access the user's identity token.
If the user's identity token is a digital certificate, the location where digital certificates are stored on the current computer is accessed to obtain a digital certificate that the network backup system can recognize. If the user's identity token is a USB-KEY or a smart card, all devices attached to the USB ports or smart card slots of the current computer are accessed to obtain a USB-KEY or smart card that the network backup system can recognize. If the user's identity token can be accessed, step 802 is performed; otherwise the user cannot be verified further, login is considered to have failed, and the flow ends.
Step 802: read the user information in the user's identity token and the identity token public key corresponding to the user.
Step 803: generate a digital signature.
The digital signature is generated from the user information and the identity token public key. The algorithm may be as follows:
Encrypt the user information using an asymmetric encryption algorithm and the identity token public key; the asymmetric encryption algorithm may be RSA, DSA, etc., and is the same algorithm that was used when the identity token key pair was created. Compute the hash value of the user information using a hash function, which may be MD4, MD5, SHA, etc. The encrypted user information and the hash value of the user information together form the digital signature to be verified. Of course, which algorithm is used to generate the digital signature can be decided according to actual requirements.
Step 804: verify the digital signature.
The generated digital signature is sent to the identity token management unit for verification, and the identity token management unit verifies it using the identity token private key corresponding to the user. If the verification result returned by the identity token management unit is that the digital signature is correct, that is, verification succeeds, step 805 is performed; otherwise the user's login is considered to have failed and the flow ends. The failed verification results that the identity token management unit may return are that the digital signature is invalid or that the identity token has been revoked; in either case login is considered to have failed. The verification process is described in detail later.
Step 805: allow the user to log in as a logged-in user.
A user whose verification succeeds is allowed to log in and becomes a logged-in user.
Fig. 9 is a flow chart of the digital signature verification method of an embodiment of the invention. As shown in Fig. 9, the flow comprises the following steps:
Step 901: receive the digital signature to be verified.
Step 902: verify the digital signature using the identity token private key corresponding to the user.
If verification succeeds, the result "digital signature correct" is returned; otherwise step 903 is performed.
The verification method is as follows: using the identity token private key corresponding to the user and the same asymmetric encryption algorithm that was used to generate the digital signature, decrypt the encrypted user information; using the same hash function that was used to generate the digital signature, compute the hash value of the decrypted user information; compare the hash value of the user information computed when the digital signature was generated with the hash value of the decrypted user information computed during verification. If they are identical, verification succeeds; otherwise verification fails.
Step 903: check whether the user has a discarded identity token.
The list of discarded identity tokens is searched to find whether this user has a discarded identity token. This list may be maintained by the identity token management unit, or another form may be used to store and maintain the user's discarded identity tokens; how it is maintained is existing mature technology and is not described further here. If the user has no discarded identity token, the result "digital signature invalid" is returned, which counts as a verification failure. If a discarded identity token of the user is found, step 904 is performed.
Step 904: verify the digital signature using the discarded identity token private key.
If this verification fails, the result "digital signature invalid" is returned; if it succeeds, the result "identity token revoked" is returned. Both results count as verification failures. Of course, after a failed verification the unit may go on to check whether the user has other discarded identity tokens and, if so, continue verifying with the identity token private keys of those discarded identity tokens until none remain.
In addition, steps 903 to 904 are optional: the flow may end after step 902, without searching for and verifying against the user's discarded identity tokens.
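The login check of Figs. 8 and 9, including the discarded-token fallback of steps 903 to 904, written out as an added Python example (not code from the patent). It assumes unpadded textbook RSA with small constructed keys and SHA-256 as the hash; the function names, the user name and the key tables are hypothetical.

```python
import hashlib
import hmac

E = 65537  # public exponent shared by all demo keys


def make_keypair(p, q):
    """Unpadded textbook RSA from two primes; returns (public, private)."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


# Constructed demo keys built from known Mersenne primes; not for real use.
CURRENT_PUB, CURRENT_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
OLD_PUB, OLD_PRIV = make_keypair(2**107 - 1, 2**61 - 1)       # discarded token
STRANGER_PUB, STRANGER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)  # never issued

USER_INFO = b"uid=1001;alice"            # constructed user information
PRIVATE_KEYS = {"alice": CURRENT_PRIV}   # held by the token management unit
DISCARDED = {"alice": [OLD_PRIV]}        # discarded identity token list (Fig. 4)


def generate_signature(user_info, token_pub):
    """Step 803: (user info encrypted with the token public key, hash of user info)."""
    e, n = token_pub
    m = int.from_bytes(user_info, "big")
    if m >= n:
        raise ValueError("user information too long for this demo modulus")
    return pow(m, e, n), hashlib.sha256(user_info).digest()


def _verifies(signature, priv):
    """Step 902 / 904: decrypt with one private key, re-hash, compare."""
    enc_info, info_hash = signature
    d, n = priv
    m = pow(enc_info, d, n)
    # Leading zero bytes would be lost here; the sample user info has none.
    recovered = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), info_hash)


def verify_login(user, signature, private_keys, discarded):
    """Return 'valid', 'revoked' or 'invalid'; only 'valid' permits login."""
    if _verifies(signature, private_keys[user]):        # step 902
        return "valid"
    for old_priv in discarded.get(user, []):             # steps 903-904
        if _verifies(signature, old_priv):
            return "revoked"
    return "invalid"


if __name__ == "__main__":
    for label, pub in [("current", CURRENT_PUB), ("discarded", OLD_PUB),
                       ("unknown", STRANGER_PUB)]:
        sig = generate_signature(USER_INFO, pub)
        print(label, "->", verify_login("alice", sig, PRIVATE_KEYS, DISCARDED))
```

The three return values correspond to the verification results named in the text: digital signature correct, identity token revoked, and digital signature invalid. Because the value being checked is computed from the public key and user information read from the token, a successful check confirms possession of those token contents.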
After the user has successfully logged in as a logged-in user, the functions of the network backup management system can be used normally. How these functions are implemented is described below:
Fig. 10 is a flow chart of the data backup method of an embodiment of the invention. As shown in Fig. 10, the flow comprises:
Step 1001: receive the data backup instruction of the logged-in user.
Step 1002: generate the backup data key.
The backup data key may be a randomly generated value, or a characteristic value generated from the logged-in user's information and the backup information; the method of generating the backup data key is arbitrary.
Step 1003: encrypt the backup data with the generated backup data key.
The encryption algorithm may be chosen as required; a symmetric encryption algorithm is used in this embodiment.
Step 1004: obtain the identity token private key corresponding to the logged-in user.
Step 1005: compute the hash value of the backup data key.
The hash value may be computed with a hash function; the computation of hash values is existing mature technology and is not described further here.
Step 1006: encrypt the backup data key with the identity token private key.
The encryption algorithm may be chosen as required; an asymmetric encryption algorithm is used in this embodiment.
Step 1007: store the encrypted backup data, the hash value of the backup data key and the encrypted backup data key on the backup medium.
In the above backup method, the step of generating the backup data key and the step of obtaining the identity token private key corresponding to the logged-in user may also be performed simultaneously; the present invention does not limit the order in which these two processes are executed.
Because user data backup is to automatically perform, so the ciphering process of data backup does not need user's identity token to participate in.And when the user carries out the data recovery by the network backup system, must provide this user's identity token in the computer system of using, otherwise data can't be recovered.Concrete data reconstruction method is described below:
Figure 11 is a flow chart of the backup data recovery method of an embodiment of the invention. As shown in Figure 11, the flow comprises:
Step 1101: receive the data recovery instruction of the login user.
Step 1102: obtain the identity token public key corresponding to the login user.
The identity token public key corresponding to the login user is obtained from the login user's identity token. If the information in the user's identity token cannot be read, the user is not allowed to use the data recovery function and the flow ends.
Step 1103: read the encrypted backup data key and the hash value of the backup data key.
Where the encrypted backup data key and the hash value of the backup data key are read from depends on where they were stored at backup time; in this embodiment they are read from the backup medium.
Step 1104: decrypt the encrypted backup data key with the identity token public key.
The decryption algorithm is the same as the encryption algorithm used at backup time; this embodiment uses an asymmetric encryption algorithm.
Step 1105: compute the hash value of the decrypted backup data key.
Step 1106: compare whether the hash value read is identical to the hash value computed.
The computed hash value of the decrypted backup data key is compared with the hash value of the backup data key that was read. If they are identical, step 1107 is executed; otherwise the identity token provided by the user is considered invalid and the flow ends.
Step 1107: use the decrypted backup data key to decrypt and restore the encrypted backup data.
The decryption algorithm is the same as the encryption algorithm used at backup time; this embodiment decrypts with a symmetric encryption algorithm. The specific data recovery method can be implemented with any mature existing technology and is not described further here.
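The backup flow of Figure 10 and the recovery flow of Figure 11, sketched as an added example that is not part of the patent text. It assumes textbook RSA over small constructed primes for the asymmetric step, SHA-256 as the hash function, and a SHA-256 keystream XOR standing in for the symmetric cipher (the Python standard library has none); all function and variable names are hypothetical.

```python
"""Added illustration of steps 1001-1007 (backup) and 1101-1107 (restore).

Assumptions, none of them from the patent: textbook RSA over small constructed
primes, SHA-256 as the hash function, and a SHA-256 counter keystream standing
in for the symmetric cipher. Toy parameters, for following the flow only.
"""
import hashlib
import hmac
import secrets

E = 65537     # exponent stored in the identity token (the "public key" half)
KEY_LEN = 16  # backup data key length in bytes


def make_token_keypair(p, q):
    """Return (token_public_key, manager_private_key) as (modulus, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def keystream_xor(key, data):
    """Stand-in symmetric cipher; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def backup(plaintext, manager_private_key):
    """Steps 1002-1007: build the record that goes onto the backup medium."""
    n, d = manager_private_key                       # step 1004
    data_key = secrets.token_bytes(KEY_LEN)          # step 1002
    return {
        "encrypted_data": keystream_xor(data_key, plaintext),          # step 1003
        "key_hash": hashlib.sha256(data_key).digest(),                 # step 1005
        "encrypted_key": pow(int.from_bytes(data_key, "big"), d, n),   # step 1006
    }


def restore(record, token_public_key):
    """Steps 1102-1107: return the plaintext, or None if the token is invalid."""
    n, e = token_public_key                          # step 1102
    candidate = pow(record["encrypted_key"], e, n)   # step 1104
    if candidate >> (8 * KEY_LEN):
        return None  # too large to be a data key: wrong token
    data_key = candidate.to_bytes(KEY_LEN, "big")
    computed = hashlib.sha256(data_key).digest()     # step 1105
    if not hmac.compare_digest(computed, record["key_hash"]):   # step 1106
        return None
    return keystream_xor(data_key, record["encrypted_data"])    # step 1107


# Constructed key material: products of known Mersenne primes.
TOKEN_PUBLIC, MANAGER_PRIVATE = make_token_keypair(2**127 - 1, 2**89 - 1)
OTHER_TOKEN_PUBLIC, _ = make_token_keypair(2**107 - 1, 2**61 - 1)

if __name__ == "__main__":
    record = backup(b"constructed sample payroll export", MANAGER_PRIVATE)
    print("right token:", restore(record, TOKEN_PUBLIC))
    print("wrong token:", restore(record, OTHER_TOKEN_PUBLIC))
```

In this flow the value held in the token is all that recovery needs to unwrap the backup data key, so the token contents have to be protected as a secret regardless of the "public key" label.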
In all the embodiments above, the asymmetric encryption algorithm may be implemented with any existing public or non-public algorithm such as RSA or DSA; the hash function with any existing public or non-public hash function such as MD4, MD5 or SHA; and the symmetric algorithm with any existing public or non-public algorithm such as DES or AES. It is only necessary to ensure that every link in the system that uses an asymmetric algorithm uses the same asymmetric algorithm; the same applies to the hash function and the symmetric algorithm.
In addition, because asymmetric encryption and decryption are relatively slow while symmetric encryption and decryption are relatively fast, a symmetric encryption algorithm is used for the very large volume of backup data, and asymmetric encryption is applied to the very small symmetric key, so that encryption and decryption performance is not affected while security is guaranteed.
As the embodiments above show, the network backup management system and the data backup and recovery methods of the invention introduce strong identity authentication into the data backup and recovery links, using an identity token based on public key cryptography as the authentication infrastructure. The data backup and data recovery functions provided by the network backup management system thereby have very high security, and the user need not memorize a password: providing the pre-created identity token is enough to use the corresponding functions conveniently, which gives very high ease of use.
It should be understood that the above is only a preferred embodiment of the invention and is not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (14)

1. A network backup management system, characterized in that the system comprises:
An identity token, configured to store user information and the identity token public key corresponding to the user;
A network backup manager, configured to store user information and the identity token private key corresponding to the user; on receiving a data backup instruction from a login user, to encrypt and back up the login user's backup data according to the identity token private key corresponding to the login user that it stores itself; and on receiving a data recovery instruction from the login user, to decrypt and restore the login user's backup data according to the identity token public key corresponding to the login user stored in the identity token.
2. The network backup management system according to claim 1, characterized in that the network backup manager comprises:
An identity token management unit, connected to the identity token, configured to create, from the user information entered, the identity token public key and identity token private key corresponding to the user; the identity token public key and the user information are stored in the identity token, and the identity token private key and the user information are stored in the identity token management unit;
A backup data encryption unit, connected to the identity token management unit, configured to receive the data backup instruction of the login user and to encrypt and back up the login user's backup data according to the identity token private key corresponding to the login user stored by the identity token management unit;
A restore data decryption unit, connected to the identity token, configured to receive the data recovery instruction of the login user and to decrypt and restore the login user's backup data according to the identity token public key corresponding to the login user stored in the identity token.
3. The network backup management system according to claim 2, characterized in that the network backup manager further comprises:
A login authentication unit, connected to the identity token and the identity token management unit respectively, configured to read the user information and the identity token public key stored in the identity token, generate a digital signature, and send it to the identity token management unit for verification; and to determine, according to the verification result returned by the identity token management unit, whether the user is allowed to log in;
The identity token management unit further verifies the digital signature sent by the login authentication unit according to the stored identity token private key and user information, and returns the verification result to the login authentication unit.
4. The network backup management system according to claim 3, characterized in that the login authentication unit comprises:
An identity token reading module, configured to read from the identity token the user information and the identity token public key corresponding to the user;
A digital signature generation module, connected to the identity token reading module and the identity token management unit, configured to generate a digital signature using the user information and the identity token public key and to send it to the identity token management unit;
A login management module, connected to the identity token management unit, configured to confirm, according to the verification result returned by the identity token management unit, whether the user is allowed to log in.
5. The network backup management system according to claim 4, characterized in that the identity token management unit comprises:
A token management module, configured to create and maintain, according to the user information, the identity token public key and identity token private key corresponding to the user;
A digital signature verification module, connected to the login management module and the token management module respectively, configured to verify the digital signature generated by the digital signature generation module using the identity token private key corresponding to the user read from the token management module, and to return the verification result to the login management module.
6. The network backup management system according to claim 5, characterized in that the identity token management unit further comprises:
A discarded identity token storage module, configured to store discarded identity tokens;
A discarded identity token search module, connected to the discarded identity token storage module, configured to search the discarded identity token storage module for the user's discarded identity tokens;
The digital signature verification module is further connected to the discarded identity token search module and is configured, when verification of the digital signature generated by the digital signature generation module using the identity token private key corresponding to the user read from the identity token management unit fails, to verify the digital signature generated by the digital signature generation module using the user's discarded identity token found by the discarded identity token search module, and to return the verification result to the login management module.
7. The network backup management system according to any one of claims 2 to 6, characterized in that the backup data encryption unit comprises:
A backup instruction receiving module, configured to receive the data backup instruction of the login user;
A key generation module, connected to the backup instruction receiving module, configured to generate the backup data key;
A data encryption module, connected to the key generation module, configured to encrypt the backup data with the generated backup data key using a symmetric encryption algorithm;
A private key acquisition module, connected to the identity token management unit, configured to obtain the identity token private key corresponding to the login user;
A hash value generation module, connected to the key generation module, configured to compute the hash value of the backup data key using a hash function;
A key encryption module, connected to the key generation module and the private key acquisition module, configured to encrypt the backup data key with the identity token private key obtained by the private key acquisition module, using an asymmetric encryption algorithm;
A data storage module, connected to the data encryption module, the hash value generation module and the key encryption module respectively, configured to save the encrypted backup data, the hash value of the backup data key and the encrypted backup data key on the backup medium.
8. The network backup management system according to any one of claims 2 to 6, characterized in that the backup data recovery unit comprises:
A recovery instruction receiving module, configured to receive the user's data recovery instruction;
A public key acquisition module, connected to the recovery instruction receiving module, configured to obtain the identity token public key corresponding to the user from the login user's identity token;
A key reading module, connected to the recovery instruction receiving module, configured to read the encrypted backup data key and the hash value of the backup data key from the backup medium;
A key decryption module, connected to the key reading module and the public key acquisition module respectively, configured to decrypt the encrypted backup data key with the identity token public key using an asymmetric encryption algorithm;
A hash value computation module, connected to the key decryption module, configured to compute the hash value of the decrypted backup data key;
A comparison module, connected to the hash value computation module and the key reading module respectively, configured to compare the hash value of the decrypted backup data key computed by the hash value computation module with the hash value of the backup data key read by the key reading module;
A data recovery module, connected to the comparison module and the key decryption module respectively, configured, if the comparison module finds the values identical, to decrypt and restore the encrypted backup data with the decrypted backup data key using a symmetric encryption algorithm.
9. A data backup method for a network backup management system, characterized in that the method comprises:
Receiving the data backup instruction of the login user;
Generating a backup data key, and encrypting the backup data with the generated backup data key using a symmetric encryption algorithm;
Obtaining the identity token private key corresponding to the login user, computing the hash value of the backup data key using a hash function, and encrypting the backup data key with the identity token private key using an asymmetric encryption algorithm;
Saving the encrypted backup data, the hash value of the backup data key and the encrypted backup data key on the backup medium.
10. The network backup method for a network backup management system according to claim 9, characterized in that generating the backup data key specifically comprises:
Generating a random value as the backup data key, or using a characteristic value generated from the login user's information and the backup information as the backup data key.
11. A data recovery method for a network backup management system, characterized in that the method comprises:
Receiving the data recovery instruction of the login user;
Obtaining the identity token public key corresponding to the login user from the login user's identity token;
Reading the encrypted backup data key and the hash value of the backup data key;
Decrypting the encrypted backup data key with the identity token public key using an asymmetric encryption algorithm;
Computing the hash value of the decrypted backup data key and comparing it with the hash value of the backup data key that was read; if they are identical, decrypting and restoring the encrypted backup data with the decrypted backup data key using a symmetric encryption algorithm.
12. The data recovery method for a network backup management system according to claim 11, characterized in that, before the data recovery instruction of the login user is received, the method further comprises:
Authenticating the user who requests login, the specific authentication process comprising:
Reading from the user's identity token the user information and the identity token public key corresponding to the user; generating a digital signature using the user information and the identity token public key;
Verifying the digital signature using the identity token private key corresponding to the user, and allowing a user whose verification succeeds to log in and become a login user.
13. The data recovery method for a network backup management system according to claim 12, characterized in that generating the digital signature using the user information and the identity token public key comprises:
Encrypting the user information with the identity token public key using an asymmetric encryption algorithm;
Computing the hash value of the user information using a hash function;
Forming the digital signature from the encrypted user information and the hash value of the user information;
Verifying the digital signature using the identity token private key corresponding to the user comprises:
Decrypting the encrypted user information with the identity token private key corresponding to the user, using the same asymmetric encryption algorithm as was used in generating the digital signature;
Computing the hash value of the decrypted user information using the same hash function as was used in generating the digital signature;
Comparing the hash value of the user information computed when the digital signature was generated with the hash value of the decrypted user information computed during verification; if they are identical, verification succeeds; otherwise verification fails.
14. The data recovery method for a network backup management system according to claim 13, characterized in that, after the verification fails, the method further comprises:
Searching for whether the user has a discarded identity token; if not, returning the authentication result that the digital signature is invalid; if so, verifying the digital signature with the discarded identity token private key; if verification fails, returning the authentication result that the digital signature is invalid; if verification succeeds, returning to the user the verification result that the identity token has been cancelled.
CN2009100460644A 2009-02-09 2009-02-09 Network backup system, data backup and recovery method Active CN101483513B (en)


Publications (2)

Publication Number Publication Date
CN101483513A CN101483513A (en) 2009-07-15
CN101483513B true CN101483513B (en) 2011-01-19


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP03 Change of name, title or address

Address after: 201112 Shanghai, Minhang District, United Airlines route 1188, building second layer A-1 unit 8

Patentee after: SHANGHAI EISOO INFORMATION TECHNOLOGY CO., LTD.

Address before: 201103, room 25, 204 Zhenkang Road, Cambridge, Shanghai, Pudong New Area

Patentee before: Shanghai Eisoo Software Co.,Ltd.