CN104967612A - Data encryption storage method, server and system - Google Patents

Info

Publication number
CN104967612A
Authority
CN
China
Prior art keywords
key
decryption information
server
decryption key
user
Legal status
Pending
Application number
CN201510279862.7A
Other languages
Chinese (zh)
Inventor
李明
Current Assignee
Individual
Original Assignee
Individual
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides a data encryption storage method, a server and a system. The server receives a data packet, randomly generates an encryption key and a decryption key, encrypts the data packet with the encryption key to obtain and store an encrypted data packet, and generates and sends out first decryption information based on the decryption key. The server then deletes the encryption key, the decryption key and the first decryption information. Because it stores neither the decryption key nor the first decryption information containing the decryption key ciphertext, the server cannot decrypt the stored encrypted data packet to obtain the data packet plaintext. Even if the server is attacked illegally, outside parties cannot decrypt the encrypted data packet stored on the server, which greatly protects the security of user data.

Description

Data encryption storage method, server and system
Technical field
The present invention relates to the field of encrypted data storage, and in particular to a data encryption storage method, server and system.
Background
Cloud computing is a delivery and usage model for IT resources and services. It allows the required resources (such as networks, servers, storage, applications and services) to be obtained over the network from a structured shared pool of computing resources, anywhere, at any time, conveniently and on demand. These resources can be provisioned and released rapidly while minimizing management cost and service-provider intervention. As cloud computing technology develops and cloud services continue to advance, cloud computing will play an increasingly important role in the IT field.
In a cloud computing environment, user data is stored on a cloud storage server and is physically outside the user's control. What users worry about most is whether their data is protected, whether it is used or modified by unauthorized parties, and whether it is leaked illegally. For security, a typical technical solution uses encryption: the data is encrypted and then stored on the cloud storage server, and the server stores both the encrypted data and the password. When the user requests to read the encrypted data, the server receives the decryption password uploaded by the user and matches it against the password it holds. After verification succeeds, it decrypts the encrypted data to obtain the data plaintext. However, because the password and the encrypted data are both stored on the server, once the server's data is leaked, both the user's encrypted data and the password can be obtained illegally, causing unintended data leakage. This is a security risk.
Summary of the invention
The present invention aims to solve one of the above problems.
The main object of the present invention is to provide a data encryption storage method, characterized in that it comprises the following steps: A: the server receives a data packet; B: the server randomly generates an encryption key and a decryption key, encrypts the data packet with the encryption key to obtain an encrypted data packet, and stores the encrypted data packet; C: the server generates first decryption information based on the decryption key and sends it out; D: the server deletes the encryption key, the decryption key and the first decryption information.
In addition, the first decryption information comprises a user decryption key. After the server generates the decryption key and before it sends out the first decryption information, the method further comprises the step: the server encrypts the decryption key with the user public key to generate the user decryption key.
In addition, the first decryption information further comprises first signature information. After the server generates the decryption key and before it sends out the first decryption information, the method further comprises the steps: the server performs a hash operation on at least the decryption key to obtain first digest information; the server encrypts the first digest information with the server private key to obtain the first signature information.
In addition, the first decryption information further comprises second signature information. After the server generates the decryption key and before it sends out the first decryption information, the method further comprises the steps: the server performs a hash operation on at least the user decryption key to obtain second digest information; the server encrypts the second digest information with the server private key to obtain the second signature information.
In addition, after the server deletes the encryption key, the decryption key and the first decryption information, the method further comprises: the server receives second decryption information and performs decryption and/or signature verification on it to obtain the decryption key, where the second decryption information is information generated based on the decryption key; the server decrypts the encrypted data packet with the decryption key to obtain the data packet.
In addition, after the server decrypts the encrypted data packet with the decryption key and obtains the data packet, the method further comprises: the server deletes the encrypted data packet and returns to step B.
Another object of the present invention is to provide a server, characterized in that it comprises a receiving module, a key generation module, an encryption module, a first decryption information generation module, a storage module, a deletion module and a sending module, wherein: the receiving module is configured to receive a data packet; the key generation module is configured to randomly generate an encryption key and a decryption key; the encryption module is connected to the receiving module and the key generation module and is configured to encrypt the data packet with the encryption key to obtain an encrypted data packet; the first decryption information generation module is connected to the key generation module and is configured to generate first decryption information based on the decryption key; the storage module is connected to the encryption module and is configured to store the encrypted data packet; the sending module is connected to the first decryption information generation module and is configured to send out the first decryption information; the deletion module is connected to the key generation module and the first decryption information generation module and is configured to delete the encryption key, the decryption key and the first decryption information.
In addition, the first decryption information comprises a user decryption key; the first decryption information generation module is further configured to encrypt the decryption key with the user public key to generate the user decryption key.
In addition, the first decryption information further comprises first signature information; the first decryption information generation module is further configured to perform a hash operation on at least the decryption key to obtain first digest information, and to encrypt the first digest information with the server private key to obtain the first signature information.
In addition, the first decryption information further comprises second signature information; the first decryption information generation module is further configured to perform a hash operation on at least the user decryption key to obtain second digest information, and to encrypt the second digest information with the server private key to obtain the second signature information.
In addition, the server further comprises a decryption module. The receiving module is further configured to receive second decryption information, where the second decryption information is information generated based on the decryption key. The decryption module is connected to the receiving module and the storage module and is configured to perform decryption and/or signature verification on the second decryption information to obtain the decryption key, and to decrypt the encrypted data packet with the decryption key to obtain the data packet.
One aspect of the present invention provides a data encryption storage system comprising an identity card reading device, a server and a smart key device, wherein: the identity card reading device is configured to read an identity card data packet and upload it to the server; the server is configured to receive the identity card data packet, randomly generate an encryption key and a decryption key, encrypt the identity card data packet with the encryption key to obtain an encrypted data packet, and store the encrypted data packet; to generate first decryption information using the decryption key, send out the first decryption information, and delete the encryption key, the decryption key and the first decryption information; the smart key device is configured to receive the first decryption information and store it.
In addition, the first decryption information comprises a user decryption key; the server is further configured to encrypt the decryption key with the user public key to generate the user decryption key; the smart key device is further configured to extract the user decryption key from the first decryption information and decrypt it with the user private key to obtain the first decryption key.
In addition, the first decryption information further comprises first signature information; the server is further configured to perform a hash operation on at least the decryption key to obtain first digest information, and to encrypt the first digest information with the server private key to obtain the first signature information; the smart key device is further configured to extract the first signature information from the first decryption information, decrypt the user decryption key with the user private key to obtain the decryption key, verify the first signature information using the server public key and the decryption key, and store the decryption key after verification succeeds.
In addition, the first decryption information further comprises second signature information; the server is further configured to perform a hash operation on at least the user decryption key to obtain second digest information, and to encrypt the second digest information with the server private key to obtain the second signature information; the smart key device is further configured to extract the second signature information from the first decryption information, verify the second signature information using the server public key and the user decryption key, and, after verification succeeds, decrypt the user decryption key with the user private key to obtain and store the decryption key.
In addition, the smart key device is further configured, after obtaining the decryption key, to perform encryption and/or signature operations on the decryption key to obtain second decryption information and send it out; the server is further configured to receive the second decryption information, perform decryption and/or signature operations on it to obtain the decryption key, and decrypt the encrypted data packet with the decryption key to obtain the identity card data packet.
As can be seen from the technical solution above, the invention provides a data encryption storage method, server and system. The server stores the encrypted data packet and, after sending out the first decryption information, deletes its own copies of the encryption key, the decryption key and the first decryption information. Because the server itself stores neither the decryption key nor the first decryption information containing the decryption key ciphertext, it cannot decrypt the stored encrypted data packet to obtain the data packet plaintext. Only when the user sends a request to the server and uploads the decryption key can the server use the uploaded decryption key to decrypt the encrypted data packet and obtain the plaintext. Even if the server is attacked illegally, outside parties cannot decrypt the encrypted data packet stored on the server, which greatly protects the security of user data. Further, each time the server performs a data packet read operation, it deletes the previous encrypted data packet and generates a new encrypted data packet based on a newly generated encryption key, so the previous decryption key can no longer be used. A decryption key is valid only once. This ensures that, after the user has asked the server to read the data packet, even if the decryption key is leaked it cannot be used to read the encrypted data packet stored on the server again, which greatly improves the security of the user data stored on the server.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the data encryption storage method provided by Embodiment 1 of the present invention;
Fig. 2 is a structural diagram of the data encryption storage server provided by Embodiment 2 of the present invention;
Fig. 3 is an architecture diagram of the data encryption storage system provided by Embodiment 3 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
In the description of the present invention, it should be understood that orientation or position terms such as "center", "longitudinal", "transverse", "up", "down", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientations or positions shown in the drawings. They are used only to simplify the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, so they cannot be understood as limiting the present invention. In addition, the terms "first" and "second" are used only for description and cannot be understood as indicating or implying relative importance, quantity or position.
In the description of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "installed", "connected" and "coupled" should be interpreted broadly. For example, a connection may be fixed, removable or integral; it may be mechanical or electrical; it may be direct or indirect through an intermediary; and it may be an internal connection between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific situation.
The embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
This embodiment provides a data encryption storage method which, as shown in Fig. 1, comprises the following steps:
S101: the server receives a data packet;
The server receives a data packet sent by a user terminal. The user terminal may be an identity card reading device, a PC, a PAD (tablet computer), a smartphone, a smart wearable device, a card reader and so on. The user terminal uploads the data it reads to the server as a data packet. The data packet contains the user's personal information, such as identity card information, transaction information or communication information.
S102: the server randomly generates an encryption key and a decryption key, encrypts the data packet with the encryption key to obtain an encrypted data packet, and stores the encrypted data packet;
The server randomly generates an encryption/decryption key pair according to an algorithm and encrypts the received data packet with the encryption key. The resulting encrypted data packet can be decrypted successfully only with the decryption key generated together with that encryption key, which protects the encrypted data packet.
S103: the server generates first decryption information based on the decryption key and sends it out;
Provided that transmission security is ensured, the server can send out the decryption key directly as the first decryption information. It can also process the decryption key for security first and then generate and send out the first decryption information. For example, the server encrypts the decryption key to obtain the first decryption information, so that the first decryption information contains the ciphertext of the decryption key. The server sends the first decryption information to a storage device, or sends it to the storage device through the user terminal (the storage device being, for example, an ICBC U-Shield or an Agricultural Bank K-Bao). After the storage device obtains the first decryption information containing the decryption key ciphertext, it decrypts the first decryption information to obtain the decryption key plaintext. Because the server sends the decryption key in ciphertext form, the decryption key is protected in transit: even if someone else intercepts the first decryption information, they cannot obtain the decryption key plaintext and cannot decrypt the encrypted data packet.
S104: the server deletes the encryption key, the decryption key and the first decryption information;
The user terminal and the storage device described above may be an integrated structure, with the storage device built into the user terminal so that it is easy for the user to carry and operate. They may also be separate, with the storage device independent of the user terminal and communicating with it in a wired or wireless manner, which improves flexibility and improves the security of the information stored on the storage device.
The server stores the encrypted data packet and, after sending out the first decryption information, deletes its own copies of the encryption key, the decryption key and the first decryption information. In other words, the server keeps only the encrypted data packet. Because the server itself stores neither the decryption key nor the first decryption information containing the decryption key ciphertext, it cannot decrypt the stored encrypted data packet to obtain the data packet plaintext. Only when the user sends a request to the server and uploads the decryption key can the server use the uploaded decryption key to decrypt the encrypted data packet and obtain the plaintext. That is, even if the server is attacked illegally, outside parties cannot decrypt the encrypted data packet stored on the server, which greatly protects the security of user data.
Optionally, to ensure the security and/or authenticity of the first decryption information when it is sent out, any one of the following processing operations can also be performed after the server generates the decryption key and before it sends out the first decryption information:
1. The first decryption information can comprise a user decryption key. After the server generates the decryption key and before it sends out the first decryption information, the method can further comprise the step: the server encrypts the decryption key with the user public key to generate the user decryption key.
In this case, the first decryption information sent out by the server contains the user decryption key obtained by encrypting the decryption key with the user public key. The user decryption key is produced by asymmetric encryption, so it can be decrypted only with the user private key stored in the smart key device. This ensures that only the user holding the specific smart key device can decrypt the first decryption information and obtain the decryption key, and protects the decryption key in transit.
2. The first decryption information can comprise the decryption key and first signature information. After the server generates the decryption key and before it sends out the first decryption information, the method can further comprise the steps: the server performs a hash operation on the decryption key to obtain first digest information; the server encrypts the first digest information with the server private key to obtain the first signature information.
In this case, the first decryption information sent out by the server contains the decryption key and the first signature information. The server performs a hash operation on at least the decryption key to obtain the first digest information, and encrypts the first digest information with the server private key to obtain the first signature information. After the storage device receives the first decryption information, it decrypts the first signature information with the server public key to obtain the first digest information, performs a hash calculation on the decryption key to obtain third digest information, and compares the third digest information with the first digest information. If they are consistent, signature verification succeeds: the storage device can conclude that the received first decryption information is genuine and was sent by the server, and it processes and saves the decryption key obtained. The storage device can save the decryption key in plaintext, or encrypt it before saving. Optionally, the first digest information can also be obtained by the server performing a hash operation on the decryption key and the data packet. Adding the first signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data.
3. The first decryption information can also comprise a user decryption key and first signature information. After the server generates the decryption key and before it sends out the first decryption information, the method can further comprise the steps: the server encrypts the decryption key with the user public key to generate the user decryption key; the server performs a hash operation on at least the decryption key to obtain first digest information; the server encrypts the first digest information with the server private key to obtain the first signature information.
In this case, the first decryption information sent out by the server contains the user decryption key and the first signature information. The server encrypts the decryption key with the user public key to generate the user decryption key. At the same time, the server performs a hash operation on at least the decryption key to obtain the first digest information, and encrypts the first digest information with the server private key to obtain the first signature information. After the storage device receives the first decryption information, it decrypts the user decryption key with the user private key to obtain the decryption key, performs a hash operation on at least the decryption key to obtain third digest information, decrypts the first signature information with the server public key to obtain the first digest information, and compares the third digest information with the first digest information. If they are consistent, signature verification succeeds: the storage device can conclude that the received first decryption information is genuine and was sent by the server, and it processes and saves the decryption key obtained. The storage device can save the decryption key in plaintext, or encrypt it before saving. Adding the first signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data.
4. The first decryption information can comprise a user decryption key and second signature information. After the server generates the decryption key and before it sends out the first decryption information, the method further comprises the steps: the server encrypts the decryption key with the user public key to generate the user decryption key; the server performs a hash operation on at least the user decryption key to obtain second digest information; the server encrypts the second digest information with the server private key to obtain the second signature information.
The first decryption information sent out by the server contains the user decryption key and the second signature information. The server encrypts the decryption key with the user public key to generate the user decryption key. At the same time, the server performs a hash operation on at least the user decryption key to obtain the second digest information, and encrypts the second digest information with the server private key to obtain the second signature information. After the storage device receives the second decryption information, it performs a hash operation on at least the user decryption key to obtain fourth digest information, decrypts the second signature information with the server public key to obtain the second digest information, and compares the fourth digest information with the second digest information. If they are consistent, signature verification succeeds: the storage device can conclude that the received first decryption information is genuine and was sent by the server. It then decrypts the user decryption key with the user private key to obtain the decryption key, and processes and saves it. The storage device can save the decryption key in plaintext, or encrypt it before saving. Adding the second signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data. Further, the storage device decrypts the user decryption key with the user private key only after the server has been authenticated. The private-key operation is therefore performed only once the storage device has confirmed that the server is genuine, which avoids wasting the storage device's computation.
Alternatively, in step S104, after server deletes encryption key, decruption key and the first decryption information, in order to read data packet again, can also comprise step S105, server receives the second decryption information, second decryption information is decrypted and/or sign test operation, obtain decruption key, wherein, the second decryption information is the information generated based on decruption key; Server by utilizing decruption key is decrypted encrypted packets and/or sign test operation, obtains packet.
During storage device request server read data packet, the second decryption information can be sent to server, decruption key directly expressly can be included in the second decryption information and be sent to server by storage device, also after can signing to decruption key, decruption key plaintext and signing messages are included in the second decryption information and are sent to server, reduce operand that is local and server, certainly, storage device also can use private key for user or server public key to be encrypted operation to decruption key, ciphertext after encryption is included in the second decryption information and sends, thus ensure the safety of decruption key, after server receives the second decryption information, client public key or privacy key is utilized to be decrypted operation to the decruption key ciphertext in the second decryption information, obtain decruption key, utilize decryption key decryption encrypted packets, obtain packet expressly, realize the read operation to packet, certainly, private key for user or server public key is used to be encrypted operation simultaneously to decruption key at storage device, signature operation can also be carried out to the decruption key after decruption key or encryption, to guarantee the authenticity that decruption key is originated.
Optionally, in step S105, after the server decrypts the encrypted data packet with the decryption key and obtains the data packet, the method further comprises step S106: the server deletes the encrypted data packet and returns to step S102.
After the server uses the decryption key to perform the decryption and/or signature verification operation on the encrypted data packet, it deletes the encrypted data packet stored on the server, generates a new encryption/decryption key pair, and encrypts the data packet with the new encryption key to obtain and store a new encrypted data packet. In other words, every time the server performs a data packet read operation, it deletes the previous encrypted data packet and generates a new one based on a newly generated encryption key, so the previous decryption key can no longer be used: a decryption key is valid only once. This ensures that, after the user has requested the server to read the data packet, even if the decryption key is leaked, it cannot be used to successfully read the encrypted data packet stored on the server again, which greatly improves the security of the user data stored on the server.
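The following added example (not code from the patent) walks through option 4 above and steps S102 to S106 in Python using only the standard library. Toy textbook RSA over public Mersenne primes and a SHAKE-256 keystream with an HMAC tag stand in for real RSA and a real authenticated cipher; the class and function names, the symmetric packet key, and the choice of server-public-key encryption for the second decryption information are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def toy_rsa(p_exp, q_exp, e=65537):
    # Constructed toy key: both primes are public Mersenne primes, so this is NOT secure.
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


USER = toy_rsa(521, 607)       # private exponent would live only in the storage device
SERVER = toy_rsa(1279, 2203)   # private exponent would live only on the server


def digest_int(value):
    # SHA-256 digest of an integer, returned as an integer for textbook RSA signing.
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, plaintext):
    # Stand-in for an authenticated cipher: SHAKE-256 keystream XOR, then HMAC tag.
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption key does not match the stored packet")
    stream = hashlib.shake_256(enc + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class Server:
    def __init__(self):
        self.encrypted_packet = None  # the only state kept at rest

    def store(self, packet):
        key = secrets.token_bytes(32)                  # S102: fresh random key
        self.encrypted_packet = seal(key, packet)      # encrypt and store
        wrapped = pow(int.from_bytes(key, "big"), USER["e"], USER["n"])  # user decryption key
        signature = pow(digest_int(wrapped), SERVER["d"], SERVER["n"])   # second signature
        del key  # S104: nothing retained (a real server must also wipe the memory)
        return wrapped, signature                      # first decryption information

    def read(self, second_info):
        try:                                           # S105: recover the key
            key = pow(second_info, SERVER["d"], SERVER["n"]).to_bytes(32, "big")
        except OverflowError:
            raise ValueError("malformed second decryption information")
        packet = unseal(key, self.encrypted_packet)    # fails for a stale key
        self.encrypted_packet = None                   # S106: delete old ciphertext
        return packet, self.store(packet)              # back to S102 with a new key


class Device:
    def __init__(self):
        self.key = None

    def receive(self, first_info):
        wrapped, signature = first_info
        # Option 4: verify the signature first, and only then use the user private key.
        if pow(signature, SERVER["e"], SERVER["n"]) != digest_int(wrapped):
            raise ValueError("signature verification failed")
        self.key = pow(wrapped, USER["d"], USER["n"]).to_bytes(32, "big")

    def request(self):
        # Second decryption information: the key encrypted with the server public key.
        return pow(int.from_bytes(self.key, "big"), SERVER["e"], SERVER["n"])


if __name__ == "__main__":
    server, device = Server(), Device()
    device.receive(server.store(b"constructed ID-card record"))
    stale = device.request()
    packet, fresh = server.read(stale)
    device.receive(fresh)
    print("read:", packet)
    try:
        server.read(stale)
    except ValueError as err:
        print("replayed key rejected:", err)
```

Because the device must receive the fresh first decryption information after every read, losing that response leaves the re-encrypted packet unreadable; an implementation needs a delivery acknowledgement before the old ciphertext is discarded.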
Embodiment 2
This embodiment provides a server which, as shown in Figure 2, comprises a receiving module 201, a key generation module 202, an encryption module 203, a first decryption information generation module 204, a storage module 205, a sending module 206 and a deletion module 207, wherein the receiving module 201 is configured to receive a data packet;
The receiving module 201 receives the data packet sent by a user terminal. The user terminal may be an identity card reading device, a PC, a PAD (tablet computer), a smartphone, a smart wearable device, an electronic signature device (for example the Industrial and Commercial Bank of China's U-Shield or the Agricultural Bank of China's K-Bao), a card reader, and so on. The user terminal uploads the data it has read to the server as a data packet. The content of the data packet is the user's personal information, such as user identity card information, user transaction information or user communication information.
The key generation module 202 is configured to randomly generate an encryption key and a decryption key;
The key generation module 202 randomly generates the encryption/decryption key pair according to an algorithm, and an outside party cannot infer any key pair it generates. Because every key pair is randomly generated, it can be assumed that the key generation module 202 will not generate the same key pair twice.
The encryption module 203 is connected to the receiving module 201 and the key generation module 202 and is configured to encrypt the data packet with the encryption key to obtain an encrypted data packet;
The encryption module 203 encrypts the received data packet with the encryption key. The resulting encrypted data packet can be successfully decrypted only with the decryption key that was generated together with that encryption key, which protects the encrypted data packet.
The first decryption information generation module 204 is connected to the key generation module 202 and is configured to generate the first decryption information based on the decryption key;
The first decryption information generation module 204 encrypts the decryption key to obtain the first decryption information, which contains the ciphertext of the decryption key. Sending the decryption key in ciphertext form protects it in transit: even if someone intercepts the first decryption information, they cannot obtain the plaintext decryption key and therefore cannot decrypt the encrypted data packet.
The storage module 205 is connected to the encryption module 203 and is configured to store the encrypted data packet;
After the encryption module 203 obtains the encrypted data packet, it sends the encrypted data packet to the storage module 205 for storage. To prevent the user's encrypted data packet from being tampered with, the storage module 205 is a read-only storage module: an outside party can only read its content and cannot modify it, which guarantees the integrity and reliability of the content in the storage module.
The sending module 206 is connected to the first decryption information generation module 204 and is configured to send out the first decryption information; the deletion module 207 is connected to the key generation module 202 and the first decryption information generation module 204 and is configured to delete the encryption key, the decryption key and the first decryption information;
After the storage module 205 stores the encrypted data packet and the sending module 206 sends out the first decryption information, the deletion module 207 deletes the encryption key, the decryption key and the first decryption information on the server side. That is, the server keeps only the encrypted data packet. Because the server itself stores neither the decryption key nor the first decryption information containing the decryption key ciphertext, it cannot decrypt the encrypted data packet stored in the storage module 205 to obtain the plaintext data packet. Only when the user initiates a request to the server and uploads the decryption key can the server use the uploaded decryption key to decrypt the encrypted data packet and obtain the plaintext data packet. Thus, even if the server is attacked, an outside party cannot decrypt the encrypted data packet stored on the server, which greatly protects the user's data.
Optionally, to ensure the security and/or authenticity of the first decryption information that is sent out, after the server generates the decryption key and before it sends out the first decryption information, any one of the following processing operations may also be performed:
1. The first decryption information may comprise a user decryption key; the first decryption information generation module 204 is further configured to encrypt the decryption key with the user public key to generate the user decryption key;
In this case, the first decryption information sent out by the sending module 206 comprises the user decryption key obtained by encrypting the decryption key with the user public key. The user decryption key is produced by asymmetric encryption, so it can be decrypted only with the user private key stored in the intelligent key device. This ensures that only the user holding that specific intelligent key device can decrypt the first decryption information to obtain the decryption key, and protects the decryption key in transit.
2. The first decryption information may comprise the decryption key and first signature information; the first decryption information generation module 204 is further configured to perform a hash operation on at least the decryption key to obtain a first digest, and to encrypt the first digest with the server private key to obtain the first signature information.
In this case, the first decryption information sent out by the sending module 206 comprises the decryption key and the first signature information. The first decryption information generation module 204 performs a hash operation on the decryption key to obtain the first digest, and encrypts the first digest with the server private key to obtain the first signature information. After the storage device receives the first decryption information, it decrypts the first signature information with the server public key to obtain the first digest, performs a hash calculation on the decryption key to obtain a third digest, and compares the third digest with the first digest. If they are consistent, signature verification succeeds, the storage device can determine that the first decryption information it received is genuine, trustworthy information sent by the server, and it processes and saves the decryption key it obtained. The storage device may save the decryption key in plaintext, or encrypt it before saving. Adding the first signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data. The user terminal and the storage device may be an integrated structure, with the storage device built into the user terminal so that it is convenient for the user to carry and operate; they may also be separate, with the storage device independent of the user terminal and communicating with it over a wired or wireless connection, which improves flexibility and the security of the information stored in the storage device.
3. The first decryption information may also comprise the user decryption key and the first signature information; the first decryption information generation module 204 is further configured to encrypt the decryption key with the user public key to generate the user decryption key, to perform a hash operation on at least the decryption key to obtain the first digest, and to encrypt the first digest with the server private key to obtain the first signature information;
In this case, the first decryption information sent out by the sending module 206 comprises the user decryption key and the first signature information. The first decryption information generation module 204 encrypts the decryption key with the user public key to generate the user decryption key; at the same time, it performs a hash operation on at least the decryption key to obtain the first digest, and encrypts the first digest with the server private key to obtain the first signature information. After the storage device receives the first decryption information, it decrypts the user decryption key with the user private key to obtain the decryption key, performs a hash operation on at least the decryption key using the hash algorithm to obtain a third digest, decrypts the first signature information with the server public key to obtain the first digest, and compares the third digest with the first digest. If they are consistent, signature verification succeeds, the storage device can determine that the first decryption information it received is genuine, trustworthy information sent by the server, and it processes and saves the decryption key it obtained. The storage device may save the decryption key in plaintext, or encrypt it before saving. Adding the first signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data.
4. The first decryption information may also comprise the user decryption key and second signature information; the first decryption information generation module 204 is further configured to encrypt the decryption key with the user public key to generate the user decryption key, to perform a hash operation on at least the user decryption key to obtain a second digest, and to encrypt the second digest with the server private key to obtain the second signature information;
In this case, the first decryption information sent out by the sending module 206 comprises the user decryption key and the second signature information. The first decryption information generation module 204 encrypts the decryption key with the user public key to generate the user decryption key; at the same time, it performs a hash operation on at least the user decryption key to obtain the second digest, and encrypts the second digest with the server private key to obtain the second signature information. After the storage device receives the second decryption information, it performs a hash operation on at least the user decryption key using the hash algorithm to obtain a fourth digest, decrypts the second signature information with the server public key to obtain the second digest, and compares the fourth digest with the second digest. If they are consistent, signature verification succeeds and the storage device can determine that the first decryption information it received is genuine, trustworthy information sent by the server; it then decrypts the user decryption key with the user private key to obtain the decryption key, and processes and saves it. The storage device may save the decryption key in plaintext, or encrypt it before saving. Adding the second signature information to the first decryption information lets the storage device authenticate the server, which effectively prevents illegal operations by a fake server and protects the user's data. Furthermore, the storage device decrypts the user decryption key with the user private key only after the server has passed authentication, so the private-key operation is performed only when the storage device has confirmed that the server is genuine, which avoids wasting the storage device's computation.
Optionally, the server may further comprise a decryption module 208. The receiving module 201 is further configured to receive the second decryption information, wherein the second decryption information is information generated based on the decryption key. The decryption module 208 is connected to the receiving module 201 and the storage module 205 and is configured to perform a decryption and/or signature verification operation on the second decryption information to obtain the decryption key, and to use the decryption key to perform a decryption and/or signature verification operation on the encrypted data packet to obtain the data packet.
When the storage device requests the server to read the data packet, it may send the second decryption information to the receiving module 201. The storage device may place the decryption key directly in plaintext in the second decryption information, or it may sign the decryption key and place the plaintext decryption key and the signature information in the second decryption information, which reduces the computation required locally and on the server. The storage device may also encrypt the decryption key with the user private key or the server public key and send the resulting ciphertext in the second decryption information, thereby protecting the decryption key. After the receiving module 201 receives the second decryption information, it passes it to the decryption module 208, which decrypts the decryption key ciphertext in the second decryption information with the user public key or the server private key to obtain the decryption key, and uses the decryption key to decrypt the encrypted data packet and obtain the plaintext data packet, which completes the read operation. In addition to encrypting the decryption key with the user private key or the server public key, the storage device may also sign the decryption key or the encrypted decryption key, to guarantee the authenticity of the decryption key's origin.
Embodiment 3
This embodiment provides a data encryption storage system comprising the server 301 of Embodiment 2, a user terminal 302 and an intelligent key device 303, wherein the server 301 is configured to receive an identity card data packet, randomly generate an encryption key and a decryption key, encrypt the identity card data packet with the encryption key to obtain an encrypted data packet, and store the encrypted data packet; and to generate the first decryption information using the decryption key, send out the first decryption information, and delete the encryption key, the decryption key and the first decryption information. For details, see the server in Embodiment 2; they are not repeated here;
The user terminal 302 is configured to read the identity card data packet and upload it to the server 301;
The user terminal 302 is a user terminal capable of reading identity card information, such as an identity card reader, a mobile phone with an identity card reading function, a tablet computer or a PC. After the user reads the identity card information with the user terminal, the identity card information is uploaded to the server 301 over a wired or wireless network, which makes reading and uploading the identity card convenient and fast;
The intelligent key device 303 is configured to receive the first decryption information and to store and process the first decryption information.
The intelligent key device 303 holds a digital certificate representing the user's unique identity and the user private key. Based on the PKI system, the user private key is generated inside the highly secure intelligent key device 303 and can never be exported outside the intelligent key device 303. That is, all processing of the first decryption information by the intelligent key device 303 is completed inside the device and is protected by the device's PIN code, which significantly strengthens the security of the decryption key. The user terminal 302 and the intelligent key device 303 may be an integrated structure, with the intelligent key device 303 built into the user terminal 302; this both protects the decryption key and improves portability, making it easy for the user to keep and carry.
Optionally, to ensure the security and/or authenticity of the first decryption information that is sent out, after the server 301 generates the decryption key and before it sends out the first decryption information, the server 301 and the intelligent key device 303 may also perform any one of the following processing operations:
1. The first decryption information may comprise a user decryption key; the server 301 is further configured to encrypt the decryption key with the user public key to generate the user decryption key; the intelligent key device 303 is further configured to extract the user decryption key from the first decryption information and decrypt it with the user private key to obtain the first decryption key.
In this case, the first decryption information sent out by the server 301 comprises the user decryption key obtained by encrypting the decryption key with the user public key. The user decryption key is produced by asymmetric encryption, so it can be decrypted only with the user private key stored in the intelligent key device 303. This ensures that only the user holding that specific intelligent key device 303 can decrypt the first decryption information to obtain the decryption key, and protects the decryption key in transit.
2. The first decryption information may comprise the decryption key and first signature information; the server 301 is further configured to perform a hash operation on at least the decryption key to obtain a first digest and, at the same time, to encrypt the first digest with the server private key to obtain the first signature information.
In this case, the first decryption information sent out by the server 301 comprises the decryption key and the first signature information. The server 301 performs a hash operation on the decryption key to obtain the first digest, and encrypts the first digest with the server private key to obtain the first signature information. After the intelligent key device 303 receives the first decryption information, it decrypts the first signature information with the server public key to obtain the first digest, performs a hash calculation on the decryption key to obtain a third digest, and compares the third digest with the first digest. If they are consistent, signature verification succeeds, the intelligent key device 303 can determine that the first decryption information it received is genuine, trustworthy information sent by the server 301, and it processes and saves the decryption key it obtained. The intelligent key device 303 may save the decryption key in plaintext, or encrypt it before saving. Adding the first signature information to the first decryption information lets the intelligent key device 303 authenticate the server 301, which effectively prevents illegal operations by a fake server and protects the user's data.
3. The first decryption information may also comprise the user decryption key and the first signature information; the server 301 is further configured to encrypt the decryption key with the user public key to generate the user decryption key and, at the same time, to perform a hash operation on at least the decryption key to obtain the first digest, and to encrypt the first digest with the server private key to obtain the first signature information; the intelligent key device 303 is further configured to extract the first signature information from the first decryption information, decrypt the user decryption key with the user private key to obtain the decryption key, verify the first signature information using the server public key and the user private key, and store the decryption key after verification succeeds.
In this case, the first decryption information sent out by the server 301 comprises the user decryption key and the first signature information. The server 301 encrypts the decryption key with the user public key to generate the user decryption key; at the same time, it performs a hash operation on at least the decryption key to obtain the first digest, and encrypts the first digest with the server private key to obtain the first signature information. The server 301 may send the first decryption information directly to the intelligent key device 303, which saves transmission time and steps and improves the security of the data transfer. The server 301 may also send the first decryption information to the user terminal 302, which forwards it to the intelligent key device 303; in that case the intelligent key device 303 does not need its own network communication module, which reduces cost and improves the security of the data inside the intelligent key device 303. After the intelligent key device 303 receives the first decryption information, it decrypts the user decryption key with the user private key to obtain the decryption key, performs a hash operation on at least the decryption key using the hash algorithm to obtain a third digest, decrypts the first signature information with the server public key to obtain the first digest, and compares the third digest with the first digest. If they are consistent, signature verification succeeds, the intelligent key device 303 can determine that the first decryption information it received is genuine, trustworthy information sent by the server 301, and it processes and saves the decryption key it obtained. The intelligent key device 303 may save the decryption key in plaintext, or encrypt it before saving. Adding the first signature information to the first decryption information lets the intelligent key device 303 authenticate the server 301, which effectively prevents illegal operations by a fake server and protects the user's data.
4. The first decryption information may also comprise the user decryption key and second signature information; the server 301 is further configured to encrypt the decryption key with the user public key to generate the user decryption key and, at the same time, to perform a hash operation on at least the user decryption key to obtain a second digest, and to encrypt the second digest with the server private key to obtain the second signature information; the intelligent key device is further configured to extract the second signature information from the first decryption information, verify the second signature information with the server public key and, after verification succeeds, decrypt the user decryption key with the user private key to obtain the decryption key and store it.
In this case, the first decryption information sent out by the server 301 comprises the user decryption key and the second signature information. The server 301 encrypts the decryption key with the user public key to generate the user decryption key; at the same time, it performs a hash operation on at least the user decryption key to obtain the second digest, and encrypts the second digest with the server private key to obtain the second signature information. The server 301 may send the first decryption information directly to the intelligent key device 303, which saves transmission time and steps and improves the security of the data transfer. The server 301 may also send the first decryption information to the user terminal 302, which forwards it to the intelligent key device 303; in that case the intelligent key device 303 does not need its own network communication module, which reduces cost and improves the security of the data inside the intelligent key device 303. After the intelligent key device 303 receives the second decryption information, it performs a hash operation on at least the user decryption key using the hash algorithm to obtain a fourth digest, decrypts the second signature information with the server public key to obtain the second digest, and compares the fourth digest with the second digest. If they are consistent, signature verification succeeds and the intelligent key device 303 can determine that the first decryption information it received is genuine, trustworthy information sent by the server; it then decrypts the user decryption key with the user private key to obtain the decryption key, and processes and saves it. The intelligent key device 303 may save the decryption key in plaintext, or encrypt it before saving. Adding the second signature information to the first decryption information lets the intelligent key device 303 authenticate the server 301, which effectively prevents illegal operations by a fake server and protects the user's data. Furthermore, the intelligent key device 303 decrypts the user decryption key with the user private key only after the server 301 has passed authentication, so the private-key operation is performed only when the intelligent key device 303 has confirmed that the server 301 is genuine, which avoids wasting the intelligent key device 303's computation.
Optionally, so that the data packet can be obtained again, the intelligent key device 303 is further configured to, after obtaining the decryption key, perform an encryption and/or signature operation on the decryption key to obtain the second decryption information and send it out; the server 301 is further configured to receive the second decryption information, perform a decryption and/or signature verification operation on it to obtain the decryption key, and decrypt the encrypted data packet with the decryption key to obtain the identity card data packet.
When the user requests the server 301 to read the data packet, the second decryption information is sent to the server 301. The intelligent key device 303 may send the second decryption information directly to the server 301, which saves transmission time and steps and improves the security of the data transfer. The intelligent key device 303 may also send the second decryption information to the user terminal 302, which forwards it to the server 301; in that case the intelligent key device 303 does not need its own network communication module, which reduces cost and improves the security of the data inside the intelligent key device 303. The intelligent key device 303 may place the decryption key directly in plaintext in the second decryption information, or it may sign the decryption key and place the plaintext decryption key and the signature information in the second decryption information, which reduces the computation required locally and on the server 301. The intelligent key device 303 may also encrypt the decryption key with the user private key or the server public key and send the resulting ciphertext in the second decryption information, thereby protecting the decryption key. After the server 301 receives the second decryption information, it decrypts the decryption key ciphertext in the second decryption information with the user public key or the server private key to obtain the decryption key, and uses the decryption key to decrypt the encrypted data packet and obtain the plaintext data packet, which completes the read operation. In addition to encrypting the decryption key with the user private key or the server public key, the intelligent key device 303 may also sign the decryption key or the encrypted decryption key, to guarantee the authenticity of the decryption key's origin.
The intelligent key device 303 may also send the second decryption information to the server 301 only after the user confirms. The user can confirm by pressing a confirmation key on the intelligent key device 303, entering a PIN code, or a similar operation; after receiving the user's confirmation instruction, the intelligent key device 303 sends the second decryption information out to the server 301. Providing a button on the intelligent key device 303 ensures that the device executes the send instruction only when the user has confirmed that the second decryption information should be sent, which prevents others from remotely controlling the intelligent key device 303 without authorization to send the second decryption information, and improves the security of the user data.
As can be seen from the embodiments described above, the present invention provides a data encryption storage method, server and system. The server stores the encrypted data packet on the server side and, after sending out the first decryption information, deletes the encryption key, the decryption key and the first decryption information on the server side. Because the server itself stores neither the decryption key nor the first decryption information containing the decryption key ciphertext, it cannot decrypt the stored encrypted data packet to obtain the plaintext data packet. Only when the user initiates a request to the server and uploads the decryption key can the server use the uploaded decryption key to decrypt the encrypted data packet and obtain the plaintext data packet. Even if the server is attacked, an outside party cannot decrypt the encrypted data packet stored on the server, which greatly protects the user's data. Furthermore, every time the server performs a data packet read operation, it deletes the previous encrypted data packet and generates a new one based on a newly generated encryption key, so the previous decryption key can no longer be used: a decryption key is valid only once. This ensures that, after the user has requested the server to read the data packet, even if the decryption key is leaked, it cannot be used to successfully read the encrypted data packet stored on the server again, which greatly improves the security of the user data stored on the server.
Any process or method described in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the embodiments above, multiple steps or methods may be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art may be used: a discrete logic circuit with logic gates for implementing logic functions on data signals, an application-specific integrated circuit (ASIC) with suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those skilled in the art will appreciate that all or part of the steps of the methods in the embodiments above can be completed by hardware instructed by a program. The program may be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing module, also can be that the independent physics of unit exists, also can be integrated in a module by two or more unit.Above-mentioned integrated module both can adopt the form of hardware to realize, and the form of software function module also can be adopted to realize.If described integrated module using the form of software function module realize and as independently production marketing or use time, also can be stored in a computer read/write memory medium.
The above-mentioned storage medium mentioned can be read-only memory, disk or CD etc.
In the description of this specification, specific features, structure, material or feature that the description of reference term " embodiment ", " some embodiments ", " example ", " concrete example " or " some examples " etc. means to describe in conjunction with this embodiment or example are contained at least one embodiment of the present invention or example.In this manual, identical embodiment or example are not necessarily referred to the schematic representation of above-mentioned term.And the specific features of description, structure, material or feature can combine in an appropriate manner in any one or more embodiment or example.
Although illustrate and describe embodiments of the invention above, be understandable that, above-described embodiment is exemplary, can not be interpreted as limitation of the present invention, those of ordinary skill in the art can change above-described embodiment within the scope of the invention when not departing from principle of the present invention and aim, revising, replacing and modification.Scope of the present invention is by claims and equivalency thereof.

Claims (16)

1. A data encryption storage method, characterized by comprising the following steps:
A: a server receives a data packet;
B: the server randomly generates an encryption key and a decryption key, encrypts the data packet with the encryption key to obtain an encrypted data packet, and stores the encrypted data packet;
C: the server generates first decryption information based on the decryption key and sends it out;
D: the server deletes the encryption key, the decryption key and the first decryption information.
2. The method according to claim 1, characterized in that the first decryption information comprises a user decryption key, and after the server generates the decryption key and before the first decryption information is sent out, the method further comprises the step of:
the server encrypts the decryption key with a user public key to generate the user decryption key.
3. The method according to claim 2, characterized in that the first decryption information further comprises first signature information, and after the server generates the decryption key and before the first decryption information is sent out, the method further comprises the steps of:
the server performs a hash operation on at least the decryption key to obtain first digest information;
the server encrypts the first digest information with a private key to obtain the first signature information.
4. The method according to claim 2, characterized in that the first decryption information further comprises second signature information, and after the server generates the decryption key and before the first decryption information is sent out, the method further comprises the steps of:
the server performs a hash operation on at least the user decryption key to obtain second digest information;
the server encrypts the second digest information with a private key to obtain the second signature information.
5. The method according to any one of claims 1 to 4, characterized in that, after the server deletes the encryption key, the decryption key and the first decryption information, the method further comprises the steps of:
the server receives second decryption information and performs a decryption and/or signature verification operation on the second decryption information to obtain the decryption key, wherein the second decryption information is information generated based on the decryption key;
the server decrypts the encrypted data packet with the decryption key to obtain the data packet.
6. The method according to claim 5, characterized in that, after the server decrypts the encrypted data packet with the decryption key to obtain the data packet, the method further comprises: the server deletes the encrypted data packet and returns to step B.
7. A server, characterized by comprising a receiving module, a key generation module, an encryption module, a first decryption information generation module, a storage module, a deletion module and a sending module, wherein:
the receiving module is configured to receive a data packet;
the key generation module is configured to randomly generate an encryption key and a decryption key;
the encryption module is connected with the receiving module and the key generation module, and is configured to encrypt the data packet with the encryption key to obtain an encrypted data packet;
the first decryption information generation module is connected with the key generation module, and is configured to generate first decryption information based on the decryption key;
the storage module is connected with the encryption module, and is configured to store the encrypted data packet;
the sending module is connected with the first decryption information generation module, and is configured to send out the first decryption information;
the deletion module is connected with the key generation module and the first decryption information generation module, and is configured to delete the encryption key, the decryption key and the first decryption information.
8. The server according to claim 7, characterized in that the first decryption information comprises a user decryption key, and the first decryption information generation module is further configured to encrypt the decryption key with a user public key to generate the user decryption key.
9. The server according to claim 8, characterized in that the first decryption information further comprises first signature information, and the first decryption information generation module is further configured to perform a hash operation on at least the decryption key to obtain first digest information, and to encrypt the first digest information with a private key to obtain the first signature information.
10. The server according to claim 8, characterized in that the first decryption information further comprises second signature information, and the first decryption information generation module is further configured to perform a hash operation on at least the user decryption key to obtain second digest information, and to encrypt the second digest information with a private key to obtain the second signature information.
11. The server according to any one of claims 7 to 10, characterized by further comprising a decryption module, wherein:
the receiving module is further configured to receive second decryption information, wherein the second decryption information is information generated based on the decryption key;
the decryption module is connected with the receiving module and the storage module, and is configured to perform a decryption and/or signature verification operation on the second decryption information to obtain the decryption key, and to decrypt the encrypted data packet with the decryption key to obtain the data packet.
12. A data encryption storage system, comprising an identity card reading device, a server and a smart key device, wherein:
the identity card reading device is configured to read an identity card data packet and upload the identity card data packet to the server;
the server is configured to receive the identity card data packet, randomly generate an encryption key and a decryption key, encrypt the identity card data packet with the encryption key to obtain an encrypted data packet, and store the encrypted data packet; and to generate first decryption information using the decryption key, send out the first decryption information, and delete the encryption key, the decryption key and the first decryption information;
the smart key device is configured to receive the first decryption information and store the first decryption information.
13. The system according to claim 12, characterized in that the first decryption information comprises a user decryption key, wherein:
the server is further configured to encrypt the decryption key with a user public key to generate the user decryption key;
the smart key device is further configured to extract the user decryption key from the first decryption information and decrypt the user decryption key with a user private key to obtain the first decryption key.
14. The system according to claim 13, characterized in that the first decryption information further comprises first signature information, wherein:
the server is further configured to perform a hash operation on at least the decryption key to obtain first digest information, and to encrypt the first digest information with a private key to obtain the first signature information;
the smart key device is further configured to extract the first signature information from the first decryption information, decrypt the user decryption key with the user private key to obtain the decryption key, perform a signature verification operation on the first signature information using the server public key and the decryption key, and store the decryption key after the signature verification succeeds.
15. The system according to claim 13, characterized in that the first decryption information further comprises second signature information, wherein:
the server is further configured to perform a hash operation on at least the user decryption key to obtain second digest information, and to encrypt the second digest information with a private key to obtain the second signature information;
the smart key device is further configured to extract the second signature information from the first decryption information, perform a signature verification operation on the second signature information using the server public key and the user decryption key, and, after the signature verification succeeds, decrypt the user decryption key with the user private key to obtain and store the decryption key.
16. The system according to any one of claims 12 to 15, characterized in that the smart key device is further configured to, after obtaining the decryption key, perform an encryption and/or signature operation on the decryption key to obtain second decryption information and send it out;
the server is further configured to receive the second decryption information, perform a decryption and/or signature verification operation on the second decryption information to obtain the decryption key, and decrypt the encrypted data packet with the decryption key to obtain the identity card data packet.
CN201510279862.7A 2015-05-27 2015-05-27 Data encryption storage method, server and system Pending CN104967612A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510279862.7A CN104967612A (en) 2015-05-27 2015-05-27 Data encryption storage method, server and system

Publications (1)

Publication Number Publication Date
CN104967612A true CN104967612A (en) 2015-10-07

Family

ID=54221555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510279862.7A Pending CN104967612A (en) 2015-05-27 2015-05-27 Data encryption storage method, server and system

Country Status (1)

Country Link
CN (1) CN104967612A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1790984A (en) * 2004-12-14 2006-06-21 中兴通讯股份有限公司 User identity secret-keeping method in communication system
CN1805337A (en) * 2005-01-14 2006-07-19 中兴通讯股份有限公司 Secret shared key mechanism based user management method
CN101626290A (en) * 2008-07-09 2010-01-13 东莞市中大科教网络科技有限公司 Method for signature and confidentiality by fingerprints
CN102163178A (en) * 2010-02-24 2011-08-24 上海果壳电子有限公司 Secure storage method of data
CN103457995A (en) * 2013-06-07 2013-12-18 北京百纳威尔科技有限公司 Data information storage method for terminal equipment, terminal equipment and cloud terminal server
CN103559526A (en) * 2013-10-31 2014-02-05 北京天威诚信电子商务服务有限公司 Method and system for generation and verification of two-dimensional code

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105516102A (en) * 2015-11-30 2016-04-20 英业达科技有限公司 File transfer system and method thereof
CN106712958A (en) * 2015-12-06 2017-05-24 杨斌 Information collection method and system and real name system information collection method, system and application
CN105847006A (en) * 2016-03-17 2016-08-10 北京奇虎科技有限公司 Signature method and device for program file and mobile terminal
CN106683243A (en) * 2016-12-08 2017-05-17 大唐微电子技术有限公司 Hotel online encryption management method and system
CN106789008A (en) * 2016-12-16 2017-05-31 北京瑞卓喜投科技发展有限公司 Method, the apparatus and system being decrypted to sharable encryption data
CN106789008B (en) * 2016-12-16 2020-02-28 北京瑞卓喜投科技发展有限公司 Method, device and system for decrypting sharable encrypted data
CN106656510A (en) * 2017-01-04 2017-05-10 天地融科技股份有限公司 Encryption key acquisition method and system
CN106656510B (en) * 2017-01-04 2019-07-30 天地融科技股份有限公司 A kind of encryption key acquisition methods and system
CN108880787A (en) * 2017-05-08 2018-11-23 腾讯科技(深圳)有限公司 A kind of processing method and relevant device of information key
CN107359990A (en) * 2017-08-03 2017-11-17 北京奇艺世纪科技有限公司 A kind of secret information processing method, apparatus and system
CN108521419A (en) * 2018-04-04 2018-09-11 广州赛姆科技资讯股份有限公司 Access processing method, device and the computer equipment of observation system file
CN109327463A (en) * 2018-11-14 2019-02-12 深圳市云歌人工智能技术有限公司 The storage and confirmation method of personal information, system and storage medium
CN111619475A (en) * 2019-02-28 2020-09-04 上海新微技术研发中心有限公司 Method for automobile CAN bus safety access
CN112685756A (en) * 2020-12-30 2021-04-20 北京海泰方圆科技股份有限公司 Data writing and reading method, device, medium and equipment
CN112685756B (en) * 2020-12-30 2021-09-21 北京海泰方圆科技股份有限公司 Data writing and reading method, device, medium and equipment
CN114880630A (en) * 2022-05-16 2022-08-09 北京百度网讯科技有限公司 Method and device for acquiring software use permission

Similar Documents

Publication Publication Date Title
CN104967612A (en) Data encryption storage method, server and system
CN109309565B (en) Security authentication method and device
CN105553951B (en) Data transmission method and device
US8719938B2 (en) Detecting network intrusion using a decoy cryptographic key
US11210658B2 (en) Constructing a distributed ledger transaction on a cold hardware wallet
US9852300B2 (en) Secure audit logging
CN106656510B (en) A kind of encryption key acquisition methods and system
EP3324572B1 (en) Information transmission method and mobile device
CN107172056A (en) A kind of channel safety determines method, device, system, client and server
CA3178180A1 (en) Constructing a distributed ledger transaction on a cold hardware wallet
CN103905204A (en) Data transmission method and transmission system
CN104424446A (en) Safety verification and transmission method and system
CN109274644A (en) A kind of data processing method, terminal and watermark server
CN105553654A (en) Key information query processing method and device and key information management system
CN114143117A (en) Data processing method and device
TW202231014A (en) Message transmitting system, user device and hardware security module for use therein
CN104796399B (en) A kind of cryptographic key negotiation method of Data Encryption Transmission
CN105024813A (en) Server, user equipment and interactive method of the user equipment and the server
CN113365264B (en) Block chain wireless network data transmission method, device and system
CN102724205A (en) Method for encrypting communication process in industrial field and data collection device
CN110611679A (en) Data transmission method, device, equipment and system
CN113592484B (en) Account opening method, system and device
CN110098915B (en) Authentication method and system, and terminal
KR101146509B1 (en) Internet banking transaction system and the method that use maintenance of public security card to be mobile
CN108809651A (en) Key pair management method and terminal

Legal Events

Date Code Title Description
DD01 Delivery of document by public notice

Addressee: Li Ming

Document name: Notification of Acceptance of Patent Application

C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151007