CN105939194B - A kind of backup method and system of electronic key device private - Google Patents
A kind of backup method and system of electronic key device private Download PDFInfo
- Publication number
- CN105939194B CN105939194B CN201510765202.XA CN201510765202A CN105939194B CN 105939194 B CN105939194 B CN 105939194B CN 201510765202 A CN201510765202 A CN 201510765202A CN 105939194 B CN105939194 B CN 105939194B
- Authority
- CN
- China
- Prior art keywords
- electronic key
- key equipment
- equipment
- data
- electronic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
The present invention provides the backup methods and system of a kind of electronic key device private, wherein private key backup method, which includes: the first electronic key equipment, sends private key backup request and the first data packet to the second electronic key equipment;Second electronic key equipment receives private key backup request and the first data packet, first signed data is verified, if the verification passes, prompt the user with the unique identification of the first electronic key equipment, after reception user confirms that the unique identification of the first electronic key equipment correctly confirms instruction, the private key of second electronic key equipment is encrypted, and sends the second data packet;First electronic key equipment receives the second data packet, second signed data is verified, if the verification passes, then prompts the user with the unique identification of the second electronic key equipment, after reception user confirms that the unique identification of the second electronic key equipment correctly confirms instruction, private key ciphertext is decrypted.
Description
Technical field
The present invention relates to the backup method of a kind of electronic technology field more particularly to a kind of electronic key device private and it is
System.
Background technique
In the prior art, data are encrypted and are signed using private key by the private key that user is stored in electronic key equipment.
Once electronic key device losses, user can only handle new electronic key equipment again, and bank server is needed to new electricity
Sub-key equipment distributes private key and public key again, and the private key and public key of user that bank server needs to update storage, and increases
The maintenance cost of bank is added.Therefore, how to realize that carrying out high maintenance to electronic signature equipment is urgently to be resolved at present ask
Topic.
Summary of the invention
Present invention seek to address that one of at least the above problems, realize the carrying out safety backup of electronic key device private.
The main purpose of the present invention is to provide a kind of backup methods of electronic key device private.
Another object of the present invention is to provide a kind of standby systems of electronic key device private.
In order to achieve the above objectives, technical solution of the present invention is specifically achieved in that
One aspect of the present invention provides a kind of backup method of electronic key device private, comprising: the first electronic key is set
It is standby to send private key backup request to the second electronic key equipment;First electronic key equipment obtains the first data to be signed, to the
One data to be signed are signed to obtain the first signed data, and the first data to be signed include at least: the first electronic key equipment
Unique identification, and the first data packet hair of the unique identification of the first signed data and the first electronic key equipment will be included at least
It send to the second electronic key equipment;Second electronic key equipment receives private key backup request and the first data packet, to the first number
It is verified according to the first signed data in packet;If the verification passes, then the unique of the first electronic key equipment is prompted the user with
Mark sets the second electronic key after reception user confirms that the unique identification of the first electronic key equipment correctly confirms instruction
Standby private key is encrypted to obtain private key ciphertext;Signed to obtain the second signed data to the second data to be signed, second to
Signed data includes at least the unique identification of private key ciphertext and the second electronic key equipment, and will include at least the second number of signature
The first electronic key equipment is sent to according to the second data packet of, private key ciphertext and the unique identification of the second electronic key equipment;The
One electronic key equipment receives the second data packet, verifies to the second signed data in the second data packet;If verifying is logical
It crosses, then prompts the user with the unique identification of the second electronic key equipment, receive user and confirm the unique of the second electronic key equipment
Mark correctly after confirmation instruction, is decrypted private key ciphertext to obtain the private key of the second electronic key equipment;First electronics is close
Key equipment the private key of the second electronic key equipment is written in the safety chip of the first electronic key equipment.
Optionally, the second electronic key equipment is encrypted to obtain private key close to the private key of the second electronic key equipment
Text, comprising: the public key of second electronic key equipment utilization the first electronic key equipment to the private key of the second electronic key equipment into
Row encryption obtains private key ciphertext;First electronic key equipment is decrypted private key ciphertext to obtain the private of the second electronic key equipment
Key, comprising: the private key of first electronic key equipment utilization the first electronic key equipment is decrypted to obtain second to private key ciphertext
The private key of electronic key equipment.
Optionally, the second electronic key equipment is encrypted to obtain private key ciphertext to the private key of the second electronic key equipment,
Include: that the second electronic key equipment generates random process key, utilizes the second electronic key equipment described in random process key pair
Private key encrypted to obtain private key ciphertext;The second data packet the first electronic key is sent in the second electronic key equipment to set
Before standby: the public key of second electronic key equipment utilization the first electronic key equipment to random process key encrypted to obtain with
Machine process key ciphertext;Second data packet, further includes: random process key ciphertext;First electronic key equipment is to private key ciphertext
It is decrypted to obtain the private key of the second electronic key equipment, comprising: first electronic key equipment utilization the first electronic key equipment
Private key random process key ciphertext is decrypted to obtain random process key, using random process key pair private key ciphertext into
Row decryption obtains the private key of the second electronic key equipment.
Optionally, the first data packet, further includes: the digital certificate of the first electronic key equipment;It is set in the second electronic key
After the first data packet of standby reception, and the second electronic key equipment carries out verifying it to the first signed data in the first data packet
Before, the backup method of electronic key device private further include: number of the second electronic key equipment to the first electronic key equipment
Certificate is verified, and if the verification passes, is then obtained the first electronic key from the digital certificate of the first electronic key equipment and is set
Standby public key;Second electronic key equipment verifies the first signed data in the first data packet, comprising: the second electronics is close
The public key of key equipment utilization the first electronic key equipment verifies the first signed data.
Optionally, the second data packet, further includes: the digital certificate of the second electronic key equipment;It is set in the first electronic key
After the second data packet of standby reception, and the first electronic key equipment carries out verifying it to the second signed data in the second data packet
Before, the backup method of electronic key device private further include: number of the first electronic key equipment to the second electronic key equipment
Certificate is verified, and if the verification passes, then obtains the second electronic key equipment from the number card of the second electronic key equipment
Public key;First electronic key equipment verifies the second signed data for including in the second data packet, comprising: the first electronics
Key devices verify the second signed data using the public key of the second electronic key equipment.
Optionally, the first data to be signed, further includes: the first combination single authentication data;In the second electronic key equipment
After receiving private key backup request, and the first electronic key equipment signs the first data to be signed to obtain the first number of signature
According to before, further includes: the first electronic key equipment obtains the first single authentication data, and the first single authentication data are by the second electronics
Key devices generate and send to the first electronic key equipment;First electronic key equipment generates the second single authentication data, will
First single authentication data and the second single authentication data combine to obtain the first combination single authentication data.
Optionally, the unique identification of the first electronic key equipment, comprising: the sequence number of the first electronic key equipment;Second
The unique identification of electronic key equipment, comprising: the sequence number of the second electronic key equipment.
Another aspect of the present invention provides a kind of standby system of electronic key device private, comprising: the first electronic key
Equipment and the second electronic key equipment;First electronic key equipment, for sending private key backup to the second electronic key equipment
Request obtains the first data to be signed, is signed to obtain the first signed data, the first number to be signed to the first data to be signed
According to including at least: the unique identification of the first electronic key equipment will include at least the first signed data and the first electronic key be set
First data packet of standby unique identification is sent to the second electronic key equipment;Second electronic key equipment, for receiving private key
Backup request and the first data packet verify the first signed data in the first data packet;If the verification passes, then to
User prompts the unique identification of the first electronic key equipment, receives user and confirms that the unique identification of the first electronic key equipment is correct
Confirmation instruction after, the private key of the second electronic key equipment is encrypted to obtain private key ciphertext;To the second data to be signed into
Row signature obtains the second signed data, and the second data to be signed include at least the unique of private key ciphertext and the second electronic key equipment
Mark, and the second data of the unique identification of the second signed data, private key ciphertext and the second electronic key equipment will be included at least
Packet is sent to the first electronic key equipment;First electronic key equipment, is also used to receive the second data packet, in the second data packet
The second signed data verified;If the verification passes, then the unique identification for prompting the user with the second electronic key equipment, connects
It receives after user confirms that the unique identification of the second electronic key equipment correctly confirm and instructs, is decrypted to obtain the to private key ciphertext
The private key of two electronic key equipment;And the private key of the second electronic key equipment is written to the safety chip of the first electronic key equipment
In.
Optionally, the second electronic key equipment is encrypted to obtain for the private key to the second electronic key equipment
Private key ciphertext, comprising: the second electronic key equipment, for being set using the public key of the first electronic key equipment to the second electronic key
Standby private key is encrypted to obtain private key ciphertext;First electronic key equipment, for being decrypted to obtain to the private key ciphertext
The private key of second electronic key equipment, comprising: the first electronic key equipment, for the private key pair using the first electronic key equipment
Private key ciphertext is decrypted to obtain the private key of the second electronic key equipment.
Optionally, the second electronic key equipment is encrypted to obtain private key for the private key to the second electronic key equipment
Ciphertext, comprising: the second electronic key equipment, it is close using the second electronics of random process key pair for generating random process key
The private key of key equipment is encrypted to obtain private key ciphertext;Second electronic key equipment is also used to be sent to by the second data packet
Before first electronic key equipment, random process key is encrypted to obtain using the public key of the first electronic key equipment random
Process key ciphertext;Second data packet, further includes: random process key ciphertext;First electronic key equipment, for close to private key
Text is decrypted to obtain the private key of the second electronic key equipment, comprising: the first electronic key equipment, for close using the first electronics
The private key of key equipment is decrypted random process key ciphertext to obtain the random process key of the second electronic key equipment, utilizes
The random process key pair private key ciphertext of second electronic key equipment is decrypted to obtain the private key of the second electronic key equipment.
Optionally, the first data packet, further includes: the digital certificate of the first electronic key equipment;Second electronic key equipment,
It is also used to verify the digital certificate of the first electronic key equipment, if the verification passes, then from the first electronic key equipment
Digital certificate in obtain the public key of the first electronic key equipment;Second electronic key equipment, is also used to in the first data packet
The first signed data verified, comprising: the public key of second electronic key equipment utilization the first electronic key equipment is to first
Signed data is verified.
Optionally, the second data packet, further includes: the digital certificate of the second electronic key equipment;First electronic key equipment,
It is also used to verify the digital certificate of the second electronic key equipment, if the verification passes, then from the second electronic key equipment
Digital certificate in obtain the public key of the second electronic key equipment;First electronic key equipment, is also used to in the second data packet
The second signed data verified, comprising: the public key of first electronic key equipment utilization the second electronic key equipment is to second
Signed data is verified.
Optionally, the first data to be signed, further includes: the first combination single authentication data;First electronic key equipment, also
For obtaining the first single authentication data, the first single authentication data are generated and sent by the second electronic key equipment to the first electricity
Sub-key equipment;First electronic key equipment is also used to generate the second single authentication data, by the first single authentication data and
Two single authentication data combine to obtain the first combination single authentication data.
Optionally, the unique identification of the first electronic key equipment, comprising: the sequence number of the first electronic key equipment;Second
The unique identification of electronic key equipment, comprising: the sequence number of the second electronic key equipment.
As seen from the above technical solution provided by the invention, the present invention provides a kind of electronic key device privates
Backup method and system, two electronic key equipment determine other side's electronic key equipment by being verified to signed data
Legitimacy further confirms unique mark of the first electronic key equipment, the second electronic key equipment by receiving user respectively
Know correctly confirmation instruction, determines that two electronic key equipment with the presence or absence of backup relation, are determining other side's safety and existing
When backup relation, then the transmission of private key is carried out, realizes carrying out safety backup private key.
Detailed description of the invention
In order to illustrate the technical solution of the embodiments of the present invention more clearly, required use in being described below to embodiment
Attached drawing be briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for this
For the those of ordinary skill in field, without creative efforts, it can also be obtained according to these attached drawings other
Attached drawing.
Fig. 1 is the structural schematic diagram of the standby system for the electronic key device private that the embodiment of the present invention 1 provides;
Fig. 2 is the flow chart of the backup method for the electronic key device private that the embodiment of the present invention 2 provides.
Specific embodiment
With reference to the attached drawing in the embodiment of the present invention, technical solution in the embodiment of the present invention carries out clear, complete
Ground description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.Based on this
The embodiment of invention, every other implementation obtained by those of ordinary skill in the art without making creative efforts
Example, belongs to protection scope of the present invention.
In the description of the present invention, it is to be understood that, term " center ", " longitudinal direction ", " transverse direction ", "upper", "lower",
The orientation or positional relationship of the instructions such as "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outside" is
It is based on the orientation or positional relationship shown in the drawings, is merely for convenience of description of the present invention and simplification of the description, rather than instruction or dark
Show that signified device or element must have a particular orientation, be constructed and operated in a specific orientation, therefore should not be understood as pair
Limitation of the invention.In addition, term " first ", " second " are used for description purposes only, it is not understood to indicate or imply opposite
Importance or quantity or position.
In the description of the present invention, it should be noted that unless otherwise clearly defined and limited, term " installation ", " phase
Even ", " connection " shall be understood in a broad sense, for example, it may be being fixedly connected, may be a detachable connection, or be integrally connected;It can
To be mechanical connection, it is also possible to be electrically connected;It can be directly connected, can also can be indirectly connected through an intermediary
Connection inside two elements.For the ordinary skill in the art, above-mentioned term can be understood at this with concrete condition
Concrete meaning in invention.
The embodiment of the present invention is described in further detail below in conjunction with attached drawing.
Embodiment 1
A kind of standby system of electronic key device private is present embodiments provided, as shown in Figure 1, the system includes:
One electronic key equipment 10 and the second electronic key equipment 20.
In the present embodiment, the working principle of each equipment is described as follows.
First electronic key equipment 10 obtains first for sending private key backup request to the second electronic key equipment 20
Data to be signed sign the first data to be signed to obtain the first signed data, wherein the first data to be signed at least wrap
Include: the unique identification of the first electronic key equipment 10 will include at least the first signed data and the first electronic key equipment 10
First data packet of unique identification is sent to the second electronic key equipment 20.
Second electronic key equipment 20, for receiving private key backup request and the first data packet, in the first data packet
The first signed data verified;If the verification passes, then the unique identification of the first electronic key equipment 10 is prompted the user with,
After reception user confirms that the unique identification of the first electronic key equipment 10 correctly confirms instruction, to the second electronic key equipment 20
Private key encrypted to obtain private key ciphertext;Second data to be signed are signed to obtain the second signed data, second wait sign
Name data include at least the unique identification of private key ciphertext and the second electronic key equipment 20, and will include at least the second number of signature
The first electronic key equipment is sent to according to the second data packet of, private key ciphertext and the unique identification of the second electronic key equipment 20
10。
First electronic key equipment 10, is also used to receive the second data packet, to the second signature for including in the second data packet
Data are verified;If the verification passes, then the unique identification of the second electronic key equipment 20 is prompted the user with, it is true to receive user
Recognize the second electronic key equipment 20 unique identification correctly confirm instruction after, private key ciphertext is decrypted to obtain the second electronics
The private key of key devices 20;The private key of second electronic key equipment 20 is written to the safety chip of the first electronic key equipment 10
In.
In the present embodiment, the legitimacy of other side is separately verified by the first electronic key equipment and the second electronic key equipment
And whether there is backup relation, it is determining other side's safety and there are when backup relation, then carry out the transmission of private key, is realizing
Carrying out safety backup private key.
In the present embodiment, when the first electronic key equipment 10 and the second electronic key equipment 20 are that user opens an account, silver
The equipment with signature function that row is provided to user engages one including KEY, smart card or KEY with signature function
Equipment, when bank provides the first electronic key equipment 10 and the second electronic key equipment 20 to user, bank is first
The private key of each electronic key equipment has been respectively written into electronic key equipment 10 and the second electronic key equipment 20.Each electronics
The mode that key devices can provide through this embodiment backups to its private key in matched electronic key equipment.
In the specific implementation process, the first electronic key equipment 10 can according to the difference of operation principle, using different
Mode sends private key backup request to the second electronic key equipment 20, and specifically, the first electronic key equipment 10 can be by having
Private key backup request is sent to the second electronic key equipment 20 by line mode or wireless mode.As a kind of optional embodiment party
Formula can be attached between the first electronic key equipment 10 and the second electronic key equipment 20 by wired mode, for example, the
One electronic key equipment 10 and the second electronic key equipment 20 are connect respectively at the both ends of adapter, carry out wired company by adapter
It connects, private key backup request can be sent to the second electronic key equipment 20 by wired mode by the first electronic key equipment 10;
As another optional embodiment, can also pass through between the first electronic key equipment 10 and the second electronic key equipment 20
Wireless mode is attached, such as WIFI, bluetooth, infrared, NFC etc., and the first electronic key equipment 10 can be wirelessly
Private key backup request is sent to the second electronic key equipment 20.The private key that first electronic key equipment is sent in the present embodiment
Backup request can serve to indicate that the second electronic key equipment 20 start private key backup process, the second electronic key equipment 20 into
After a series of verifying of row, the first electronic key equipment will be sent to after its private key encryption, to complete the safety of its private key
Backup.
In the present embodiment, it is close using the first electronics after the first electronic key equipment 10 obtains the first data to be signed
The private key of key equipment 10 signs the first data to be signed to obtain the first signed data, and the second electronic key equipment 20 is right
The private key of second electronic key equipment is encrypted after obtaining private key ciphertext, is signed to obtain second to the second data to be signed
Signed data;Wherein, the first data to be signed include at least the unique identification of the first electronic key equipment 10, the second number to be signed
According to the unique identification and private key ciphertext for including at least the second electronic key equipment 20.The unique identification of first electronic key equipment 10
It can be used to any information of mark 10 unique identities of the first electronic key equipment, unique mark of the second electronic key equipment 20
Know any information that can be used to mark 20 unique identities of the second electronic key equipment, as a kind of optional mode, this is only
One mark can be the sequence number of the first electronic key equipment 10 and the second electronic key equipment 20, dispatch from the factory in electronic key equipment
When the sequence number that is printed upon in electronic key equipment can be used to unique identification.Certainly, it is unique that other are not precluded in the present embodiment
Mark, as long as the unique identities of the first electronic key equipment 10 and the second electronic key equipment 20 can be identified.In this reality
It applies in example, the second electronic key equipment 20 receives the private key backup request and the first data packet that the first electronic key equipment 10 is sent
Later, first the first signed data in the first data packet is verified.As one of the present embodiment optional embodiment,
Second electronic key equipment 20 can be in the following manner for verifying to the first signed data in the first data packet
Realize: hash function identical with the first electronic key equipment 10 can be used to received first in the second electronic key equipment 20
Raw information in data packet generates an abstract, then is carried out with the public key of the first electronic key equipment 10 to the first signed data
Decryption obtains another abstract, whether identical compares two abstracts.If two abstracts are identical, it is verified, is verified
The second electronic key equipment 20 prompts the user with the unique identification of the first electronic key equipment 10 afterwards.If two not phases of making a summary
Together, then authentication failed, the second electronic key equipment 20 can send verifying to the first electronic key equipment 10 and lose after authentication failed
Information is lost, the backup of this private key is terminated.Second electronic key equipment can determine by verifying to the first signed data
Whether one electronic key equipment is legal, prevents other equipment from falsely using the backup of the first electronic key device request private key, ensure that private
The safety of key backup.
As one of the present embodiment optional embodiment, the second electronic key equipment 20, for prompting the user with
The unique identification of one electronic key equipment 10, can be accomplished by the following way: language can be used in the second electronic key equipment 20
Sound broadcasts the unique identification of the first electronic key equipment 10 to user, can also show the first electronic key equipment 10 on the screen
Unique identification.The unique identification for the first electronic key equipment 10 that user prompts the second electronic key equipment 20 and the first electricity
The unique identification of sub-key equipment 10 itself is compareed, and (user can be close for the first electronic key equipment 10 and the second electronics
The holder of key equipment 20 or the user prepare to back up to the private key of the second electronic key equipment 20 into its first electricity held
In sub-key equipment 10).If the two is consistent, user can be carried out by pressing the acknowledgement key of the second electronic key equipment 20
Confirmation can also be confirmed that this is not restricted using other modes.If the two is inconsistent, user can be by pressing
The cancel key of lower second electronic key equipment 20 terminates the backup of this private key, can also be cancelled using other modes, herein
With no restriction.By compareing the unique identification of the first electronic key equipment, the first electronic key equipment and the is can be confirmed in user
Two electronic key equipment whether there is backup relation.
In the present embodiment, the first electronic key equipment 10 receives the second data packet that the second electronic key equipment 20 is sent
Later, first the second signed data in the second data packet is verified.As one of the present embodiment optional embodiment,
First electronic key equipment 10 can be in the following manner for verifying to the second signed data in the second data packet
Realize: hash function identical with the second electronic key equipment 20 can be used to received second in the first electronic key equipment 10
Raw information in data packet generates an abstract, then is carried out with the public key of the second electronic key equipment 20 to the second signed data
Decryption obtains another abstract, whether identical compares two abstracts.If two abstracts are identical, it is verified, is verified
The first electronic key equipment 10 prompts the user with the unique identification of the second electronic key equipment 20 afterwards.If two not phases of making a summary
Together, then authentication failed, the first electronic key equipment 10 can send verifying to the second electronic key equipment 20 and lose after authentication failed
Information is lost, the backup of this private key is terminated.First electronic key equipment can determine by verifying to the second signed data
Whether two electronic key equipment are legal, prevent other equipment from falsely using the backup of the second electronic key equipment respective private keys, ensure that private
The safety of key backup.
As one of the present embodiment optional embodiment, the first electronic key equipment 10, for prompting the user with
The unique identification of two electronic key equipment 20, can be accomplished by the following way: language can be used in the first electronic key equipment 10
Sound broadcasts the unique identification of the second electronic key equipment 20 to user, can also show the second electronic key to user on the screen
The unique identification of equipment 20.The unique identification for the second electronic key equipment 20 that user prompts the first electronic key equipment 10 with
The unique identification of second electronic key equipment 20 itself is compareed.If the two is consistent, user can be by pressing first
The acknowledgement key of electronic key equipment 10 is confirmed, can also be confirmed that this is not restricted using other modes.If two
Person is inconsistent, then user can terminate the backup of this private key by pressing the cancel key of the first electronic key equipment 10, can also be with
Cancelled using other modes, this is not restricted.By compareing the unique identification of the second electronic key equipment, user can be with
The first electronic key equipment and the second electronic key equipment are confirmed with the presence or absence of backup relation, and if there is backup relation, this can
To enter the process of carrying out safety backup, the safety of private key backup is improved.
In the present embodiment, the first electronic key equipment 10 is decrypted to obtain the second electronics close to received private key ciphertext
In plain text, the safety of the first electronic key equipment 10 is written in the private key of second electronic key equipment 20 by the private key of key equipment 20 in plain text
In chip.Wherein, safety chip (Z8D64U (the close lot number SSX43 of state) of such as Guoming Technology Co., Ltd, Z32 (close batch of state
Number SSX20)) it is internal possess independent processor and storage unit, the private key of the second electronic key equipment can be stored, and can
Guarantee that the private key of the second electronic key equipment maliciously will not be read or be modified, can accomplish to protect business privacy and data peace
Entirely.In the specific implementation process, the second electronic key equipment 20 is written in the safety chip of the first electronic key equipment 10
After private key plaintext, the first electronic key equipment 10 is in unactivated state, cannot use.When the second electronic key equipment 20 is lost
Or damage activates the first electronic key equipment 10 when leading to be unable to normal use.One as the embodiment of the present invention is optional
Embodiment, can activate the first electronic key equipment 10 in the following ways: the first electronic key equipment 10 is inserted by user
It supports the terminal devices such as PC machine, PAD (tablet computer), the smart phone of electronic key equipment, the first electronic key equipment is installed
10 driver in the corresponding website of bank downloading bank safety software of the first electronic key equipment 10 and is installed, in bank
Username and password is registered and be arranged in website, and the first electronic key equipment 10 is activated, and user uses the first electronic key at this time
When equipment is traded, the private key that the first electronic key equipment can use the second electronic key equipment of backup carries out safe friendship
It easily, will not shadow even if as a result, in the case where the second electronic key equipment 20 is lost or damage leads to be unable to normal use
The arm's length dealing for ringing user uses.
As an optional embodiment of the embodiment of the present invention, the second electronic key equipment 20, for the second electronics
The private key of key devices 20 is encrypted to obtain private key ciphertext, comprising: the second electronic key equipment 20, for utilizing the first electronics
The public key of key devices 10 is encrypted to obtain private key ciphertext to the private key of the second electronic key equipment 20;First electronic key is set
Standby 10, the private key of the second electronic key equipment 20 is obtained for private key ciphertext to be decrypted, comprising: the first electronic key equipment
10, private key ciphertext is decrypted for the private key using the first electronic key equipment 10 to obtain the second electronic key equipment 20
Private key.
In the specific implementation process, the first electronic key equipment 10 is using the private key of the first electronic key equipment 10 to reception
Private key ciphertext be decrypted to obtain the private key of the second electronic key equipment 20 in plain text, by the private key of the second electronic key equipment 20
In plain text in the safety chip of the first electronic key equipment 10 of write-in.Using the public key of the first electronic key equipment 10 to the second electronics
The private key of key devices 10 is encrypted to obtain private key ciphertext, and private key ciphertext only has the private key ability of the first electronic key equipment 10
Decryption, can guarantee the safety of private key.
As an optional embodiment of the embodiment of the present invention, the second electronic key equipment 20, for the second electronics
The private key of key devices 20 is encrypted to obtain private key ciphertext, comprising: the second electronic key equipment 20, for generating random process
Key is encrypted to obtain private key ciphertext using the private key of the second electronic key of random process key pair equipment 20;Second electronics
Key devices 20 are also used to before the second data packet is sent to the first electronic key equipment, are set using the first electronic key
Standby 10 public key encrypts random process key to obtain random process key ciphertext;Second data packet further include: random mistake
Journey key ciphertext;First electronic key equipment 10 obtains the second electronic key equipment 20 for private key ciphertext to be decrypted
Private key, comprising: the first electronic key equipment 10, for close to random process key using the private key of the first electronic key equipment 10
Text is decrypted to obtain the random process key of the second electronic key equipment 20, utilizes the random mistake of the second electronic key equipment 20
Journey key pair private key ciphertext is decrypted to obtain the private key of the second electronic key equipment 20.
In the present embodiment, random process key is symmetric key, can be to through random using random process key itself
The ciphertext that process key encrypts is decrypted.After first electronic key equipment 10 receives the second data packet, the first electricity is utilized
The private key of sub-key equipment 10 is decrypted to obtain the second electronic key and set to the random process key ciphertext in the second data packet
Standby 20 random process key, is decrypted using the random process key pair private key ciphertext of the second electronic key equipment 20
To the private key plaintext of the second electronic key equipment 20, the first electronic key is written into the private key of the second electronic key equipment 20 in plain text
In the safety chip of equipment 10.The random process key that second electronic key equipment 20 generates is random, and random process is close
Key is sent with ciphertext, can enhance private key ciphertext in the safety of transmission process.
As an optional embodiment of the embodiment of the present invention, the first data packet further includes the first electronic key equipment 10
Digital certificate, the second electronic key equipment 20 is also used to verify the digital certificate of the first electronic key equipment 10, such as
Fruit is verified, then the public key of the first electronic key equipment 10 is obtained from the number card of the first electronic key equipment 10;Second
Electronic key equipment 20, for being verified to the first signed data in the first data packet, comprising: utilize the first electronic key
The public key of equipment 10 verifies the first signed data.
In the specific implementation, the second electronic key equipment 20 can use root certificate and verify the first electronic key received
The legitimacy of the digital certificate of equipment 10.Second electronic key equipment 20 from authentication center (Certificate Authority,
Abbreviation CA) downloading root certificate, root certificate is the basis that CA and user establish trusting relationship.If the verification passes, then the second electronics
Key devices 20 obtain the public key of the first electronic key equipment 10 from the digital certificate of the first electronic key equipment 10, utilize
The public key of one electronic key equipment 10 verifies the first signed data.Second electronic key equipment 20 can pass through root certificate
The legitimacy of the digital certificate of the first electronic key equipment 10 is verified, thus judge whether the first electronic key equipment 10 is legal,
Prevent other equipment from the first electronic key equipment 10 being pretended to be to participate in private key backup.
As an optional embodiment of the embodiment of the present invention, the second data packet further includes the second electronic key equipment 20
Digital certificate;First electronic key equipment 10 is also used to verify the digital certificate of the second electronic key equipment 20, such as
Fruit is verified, then the public key of the second electronic key equipment 20 is obtained from the digital certificate of the second electronic key equipment 20;The
One electronic key equipment 10 is also used to verify the second signed data for including in second data packet, comprising: utilizes
The public key of second electronic key equipment 20 verifies the second signed data.
In the specific implementation, the first electronic key equipment 10 can use root certificate and verify the second electronic key received
The legitimacy of the digital certificate of equipment 20.First electronic key equipment 10 downloads root certificate from authentication center, root certificate be CA with
User establishes the basis of trusting relationship.If the verification passes, then the first electronic key equipment 10 from the second electronic key equipment 20
Digital certificate in obtain the public key of the second electronic key equipment 20, signed using the public key of the second electronic key equipment 20 to second
Name data are verified.The number that first electronic key equipment 10 can verify the second electronic key equipment 20 by root certificate is demonstrate,proved
The legitimacy of book, to judge whether the second electronic key equipment 20 is legal, prevents other people from pretending to be the second electronic key equipment 20
Participate in private key backup.
As an optional embodiment of the embodiment of the present invention, the first data to be signed further include that the first combination single is recognized
Demonstrate,prove data;First electronic key equipment 10 is also used to obtain the first single authentication data, and the first single authentication data are by the second electricity
Sub-key equipment 20 generates and sends to the first electronic key equipment 10;First electronic key equipment 10, is also used to generate second
Single authentication data combine the first single authentication data and the second single authentication data to obtain the first combination single authentication number
According to.
In the present embodiment, the first single authentication data can be the random number of the second electronic key equipment 20 generation,
It can be the chance event of the second electronic key equipment 20 generation.Second single authentication data can be the first electronic key equipment
10 random numbers generated, are also possible to the chance event of the first electronic key equipment 10 generation.Single authentication data can only use
Once, therefore Replay Attack can be prevented.In the specific implementation process, the first electronic key equipment 10 can recognize the second single
Card data addition obtains the first combination single authentication data after the first single authentication data, can also be by the second single authentication
The top N of data obtains the first combination single authentication data after being added to the top N of the first single authentication data, does not make herein
Limitation.First single authentication data and the second single authentication data are combined to obtain the first combination list by the first electronic key equipment 10
Secondary authentication data, and sign to the first data to be signed for including at least the first combination single authentication data, it can be effective
Prevent third party attack.
In the present embodiment, two electronic key equipment are by verifying signed data to determine other side's electronic key
The legitimacy of equipment is further confirmed by unique identification of the user to electronic key device prompts, to determine two
Electronic key equipment whether there is backup relation, be distinguished as a result, by the first electronic key equipment and the second electronic key equipment
It verifies the legitimacy of other side and whether there is backup relation, determining other side's safety and there are when backup relation, then carry out
The transmission of private key realizes carrying out safety backup private key.
Embodiment 2
Fig. 2 is the flow diagram of the backup method embodiment of electronic key device private provided by the invention, this method
Mainly include the following steps that (S201~S209):
S201: the first electronic key equipment sends private key backup request to the second electronic key equipment.
In the present embodiment, when the first electronic key equipment and the second electronic key equipment are that user opens an account, bank to
The equipment with signature function that user provides engages one equipment including KEY, smart card or KEY with signature function,
When bank provides the first electronic key equipment and the second electronic key equipment to user, bank is set in the first electronic key
The private key of each electronic key equipment has been respectively written into standby and the second electronic key equipment.Each electronic key equipment is ok
The mode provided through this embodiment backups to its private key in matched electronic key equipment.
In the specific implementation process, the first electronic key equipment can use different sides according to the difference of operation principle
Formula sends private key backup request to the second electronic key equipment, and specifically, the first electronic key equipment can pass through wired mode
Or private key backup request is sent to the second electronic key equipment by wireless mode.As an alternative embodiment, the first electricity
It can be attached by wired mode between sub-key equipment and the second electronic key equipment, for example, the first electronic key is set
Standby and the second electronic key equipment is connect respectively at the both ends of adapter, carries out wired connection, the first electronic key by adapter
Private key backup request can be sent to the second electronic key equipment by wired mode by equipment;As another optional implementation
Mode can also be attached wirelessly between the first electronic key equipment and the second electronic key equipment, such as
Private key backup request can be sent to second wirelessly by WIFI, bluetooth, infrared, NFC etc., the first electronic key equipment
Electronic key equipment.The private key backup request that the first electronic key equipment is sent in the present embodiment can serve to indicate that the second electricity
Sub-key equipment starts private key backup process, and the second electronic key equipment adds its private key after carrying out a series of verifying
The first electronic key equipment is sent to after close, to complete the carrying out safety backup of its private key.
S202: the first electronic key equipment obtains the first data to be signed, is signed to obtain to the first data to be signed
First signed data, the first data to be signed include at least: the unique identification of the first electronic key equipment, and will include at least the
First data packet of the unique identification of one signed data and the first electronic key equipment is sent to the second electronic key equipment.
In the present embodiment, after the first electronic key equipment obtains the first data to be signed, the first electronic key is utilized
The private key of equipment signs the first data to be signed to obtain the first signed data, and the first data to be signed include at least first
The unique identification of electronic key equipment.The unique identification of first electronic key equipment can be used to the first electronic key of mark and set
Any information of standby unique identities, as an alternative embodiment, the unique identification can be the first electronic key equipment
Sequence number, in the factory of electronic key equipment, the sequence number that is printed upon in electronic key equipment can be used to unique identification.When
So, other unique identifications are not precluded in the present embodiment, as long as the unique identities of the first electronic key equipment can be identified.
As an optional embodiment of the embodiment of the present invention, the first data to be signed further include: the first combination single
Authentication data;After the second electronic key equipment receives the private key backup request, and the first electronic key equipment is to first
Before data to be signed are signed to obtain the first signed data, the first electronic key equipment obtains the first single authentication data,
First single authentication data are generated and sent by the second electronic key equipment to the first electronic key equipment;First electronic key is set
It is standby to generate the second single authentication data, the first single authentication data and the second single authentication data are combined to obtain the first combination list
Secondary authentication data
In the present embodiment, the first single authentication data can be the random number of the second electronic key equipment generation, can also
To be the chance event of the second electronic key equipment generation.Second single authentication data can be the generation of the first electronic key equipment
Random number, be also possible to the first electronic key equipment generation chance event.Single authentication data are used only once, therefore
It can prevent Replay Attack.In the specific implementation process, the first electronic key equipment can add the second single authentication data
The first combination single authentication data are obtained after the first single authentication data, it can also be by the preceding N of the second single authentication data
Position obtains the first combination single authentication data after being added to the top N of the first single authentication data, and this is not restricted.First
Electronic key equipment combines the first single authentication data and the second single authentication data to obtain the first combination single authentication data,
And sign to the first data to be signed for including at least the first combination single authentication data, third party can be effectively prevented and attack
It hits.
S203: the second electronic key equipment receives private key backup request and the first data packet, in the first data packet
First signed data is verified.
In the present embodiment, the second electronic key equipment receive the first electronic key equipment send private key backup request and
After first data packet, first the first signed data in the first data packet is verified.It can as one of the present embodiment
Embodiment is selected, the second electronic key equipment verifies the first signed data in the first data packet, can be by following
Mode is realized: hash function identical with the first electronic key equipment can be used to received first in the second electronic key equipment
Raw information in data packet generates an abstract, then is solved with the public key of the first electronic key equipment to the first signed data
It is close to obtain another abstract, whether identical compare two abstracts.If two abstracts are identical, it is verified;If two are plucked
Otherwise identical, then authentication failed, the second electronic key equipment can be sent to the first electronic key equipment after authentication failed verifies
Failure information terminates the backup of this private key.Second electronic key equipment can be determined by verifying to the first signed data
Whether the first electronic key equipment is legal, prevents other equipment from falsely using the backup of the first electronic key device request private key, ensure that
The safety of private key backup.
As an optional embodiment of the embodiment of the present invention, the first data packet further includes the first electronic key equipment
Digital certificate, after the second electronic key equipment receives the first data packet, and the second electronic key equipment is to the first data packet
In include the first signed data verified before, method provided in this embodiment further include: the second electronic key equipment pair
The digital certificate of first electronic key equipment is verified, if the verification passes, then from the number of the first electronic key equipment
The public key of the first electronic key equipment is obtained in word card.Wherein, the second electronic key equipment is in first data packet
The first signed data verified, comprising: the public key of second electronic key equipment utilization the first electronic key equipment is to first
Signed data is verified.
In the specific implementation, the first electronic key that the second electronic key equipment can use that root certificate verifying receives is set
The legitimacy of standby digital certificate.Second electronic key equipment is from authentication center (Certificate Authority, abbreviation CA)
Root certificate is downloaded, root certificate is the basis that CA and user establish trusting relationship.If the verification passes, then the second electronic key equipment
The public key that the first electronic key equipment is obtained from the digital certificate of the first electronic key equipment utilizes the first electronic key equipment
Public key the first signed data is verified.Second electronic key equipment can verify the first electronic key by root certificate and set
The legitimacy of standby digital certificate prevents other equipment from pretending to be the first electricity to judge whether the first electronic key equipment is legal
Sub-key equipment participates in private key backup.
S204: if the verification passes, then the second electronic key equipment prompts the user with the unique of the first electronic key equipment
Mark sets the second electronic key after reception user confirms that the unique identification of the first electronic key equipment correctly confirms instruction
Standby private key is encrypted to obtain private key ciphertext.
In the present embodiment, it if two abstracts are identical in step S203, is verified, the second electronics after being verified
Key devices prompt the user with the unique identification of the first electronic key equipment.
As one of the present embodiment optional embodiment, the second electronic key equipment can in the following manner to
Family prompts the unique identification of the first electronic key equipment: voice can be used to the first electricity of user's casting in the second electronic key equipment
The unique identification of sub-key equipment can also show the unique identification of the first electronic key equipment on the screen.User is by second
The unique identification of first electronic key equipment of electronic key device prompts and the unique identification of the first electronic key equipment itself
Compareed that (user can be quasi- for the holder of the first electronic key equipment and the second electronic key equipment or the user
It is standby to back up to the private key of the second electronic key equipment in the first electronic key equipment that it is held).If the two is consistent, use
Family can be confirmed by pressing the acknowledgement key of the second electronic key equipment, can also be confirmed using other modes,
This is with no restriction.If the two is inconsistent, user can terminate this by pressing the cancel key of the second electronic key equipment
Private key backup can also be cancelled using other modes, and this is not restricted.Only by the first electronic key equipment of control
One mark, user can be confirmed the first electronic key equipment and the second electronic key equipment with the presence or absence of backup relation.
As an optional embodiment of the embodiment of the present invention, the second electronic key equipment is to the second electronic key equipment
Private key encrypted to obtain private key ciphertext, comprising: the public key pair of second electronic key equipment utilization the first electronic key equipment
The private key of second electronic key equipment is encrypted to obtain private key ciphertext.
As an optional embodiment of the embodiment of the present invention, the second electronic key equipment is to the second electronic key equipment
Private key encrypted to obtain private key ciphertext, comprising: the second electronic key equipment generate random process key, utilize random process
The private key of key pair the second electronic key equipment is encrypted to obtain private key ciphertext, in the second electronic key equipment by the second data
Packet is sent to before the first electronic key equipment, method further include: second electronic key equipment utilization the first electronic key equipment
Public key random process key is encrypted to obtain random process key ciphertext.In the present embodiment, random process key is
Symmetric key can be decrypted the ciphertext encrypted through random process key using random process key itself.Second
The random process key that electronic key equipment generates is random, and random process key is sent with ciphertext, can enhance private key
Safety of the ciphertext in transmission process.
S205: the second electronic key equipment is signed to obtain the second signed data to the second data to be signed, second to
Signed data includes at least the unique identification of private key ciphertext and the second electronic key equipment, and will include at least the second number of signature
The first electronic key equipment is sent to according to the second data packet of, private key ciphertext and the unique identification of the second electronic key equipment.
In the present embodiment, after the second electronic key equipment obtains the second data to be signed, the second electronic key is utilized
The private key of equipment signs the second data to be signed to obtain the second signed data, and the second data to be signed include at least private key
The unique identification of ciphertext and the second electronic key equipment.The unique identification of second electronic key equipment can be used to mark second
Any information of electronic key equipment unique identities, as an alternative embodiment, the unique identification can be the second electricity
The sequence number of sub-key equipment, the sequence number being printed upon in electronic key equipment in the factory of electronic key equipment can be used to only
One mark.Certainly, other unique identifications are not precluded in the present embodiment, as long as unique body of the second electronic key equipment can be identified
Part.S206: the first electronic key equipment receives the second data packet, tests the second signed data in the second data packet
Card.
In the present embodiment, the first electronic key equipment receive the second electronic key equipment send the second data packet it
Afterwards, first the second signed data in the second data packet is verified.As one of the present embodiment optional embodiment,
One electronic key equipment can in the following manner verify the second signed data in the second data packet: the first electronics is close
Hash function identical with the second electronic key equipment can be used to the raw information in received second data packet in key equipment
An abstract is generated, then the second signed data is decrypted to obtain another abstract with the public key of the second electronic key equipment,
Whether identical compare two abstracts.If two abstracts are identical, it is verified;If two abstracts are not identical, mistake is verified
It loses, the first electronic key equipment can send authentication failed information to the second electronic key equipment after authentication failed, terminate this time
Private key backup.First electronic key equipment can determine the second electronic key equipment by verifying to the second signed data
It is whether legal, it prevents other equipment from falsely using the backup of the second electronic key equipment respective private keys, ensure that the safety of private key backup.
As an optional embodiment of the embodiment of the present invention, the second data packet further includes the second electronic key equipment
Digital certificate, after the first electronic key equipment receives the second data packet, and the first electronic key equipment is to the second data packet
In include the second signed data verified before, method provided in this embodiment further include: the first electronic key equipment pair
The digital certificate of second electronic key equipment is verified, if the verification passes, then from the number card of the second electronic key equipment
The middle public key for obtaining the second electronic key equipment;Wherein, the first electronic key equipment is to the second label in second data packet
Name data are verified, comprising: the public key of first electronic key equipment utilization the second electronic key equipment is to the second signed data
It is verified.
In the specific implementation, the second electronic key that the first electronic key equipment can use that root certificate verifying receives is set
The legitimacy of standby digital certificate.First electronic key equipment downloads root certificate from authentication center, and root certificate is that CA is built with user
The basis of vertical trusting relationship.If the verification passes, then digital certificate of the first electronic key equipment from the second electronic key equipment
The middle public key for obtaining the second electronic key equipment, tests the second signed data using the public key of the second electronic key equipment
Card.First electronic key equipment can verify the legitimacy of the digital certificate of the second electronic key equipment by root certificate, thus
Judge whether the second electronic key equipment is legal, prevents other people from the second electronic key equipment being pretended to be to participate in private key backup.
S207: if the verification passes, then the first electronic key equipment prompts the user with the unique of the second electronic key equipment
Mark solves private key ciphertext after reception user confirms that the unique identification of the second electronic key equipment correctly confirms instruction
The close private key for obtaining the second electronic key equipment.
In the present embodiment, it if two abstracts are identical in step S206, is verified, the first electronics after being verified
Key devices prompt the user with the unique identification of the second electronic key equipment.
As one of the present embodiment optional embodiment, the first electronic key equipment can in the following manner to
Family prompts the unique identification of the second electronic key equipment: voice can be used to the second electricity of user's casting in the first electronic key equipment
The unique identification of sub-key equipment can also show the unique identification of the second electronic key equipment to user on the screen.User
Only by the unique identification of the second electronic key equipment of the first electronic key device prompts and the second electronic key equipment itself
One mark is compareed.If the two is consistent, user can be carried out really by pressing the acknowledgement key of the first electronic key equipment
Recognize, can also be confirmed that this is not restricted using other modes.If the two is inconsistent, user can be by pressing
The cancel key of first electronic key equipment terminates the backup of this private key, can also be cancelled using other modes, not made herein
Limitation.By compareing the unique identification of the second electronic key equipment, the first electronic key equipment and the second electricity is can be confirmed in user
Sub-key equipment whether there is backup relation.
As an optional embodiment of the embodiment of the present invention, private key ciphertext is decrypted in the first electronic key equipment
Obtain the private key of the second electronic key equipment, comprising: the private key pair of first electronic key equipment utilization the first electronic key equipment
Private key ciphertext is decrypted to obtain the private key of the second electronic key equipment.
In the specific implementation process, the private key of first electronic key equipment utilization the first electronic key equipment is to received private
Key ciphertext is decrypted to obtain the private key plaintext of the second electronic key equipment, and the private key of the second electronic key equipment is written in plain text
In the safety chip of first electronic key equipment.Private using the public key of the first electronic key equipment to the second electronic key equipment
Key is encrypted to obtain private key ciphertext, and private key ciphertext only has the private key of the first electronic key equipment that could decrypt, can guarantee private
The safety of key.
As an optional embodiment of the embodiment of the present invention, the second data packet further include: random process key ciphertext;
First electronic key equipment is decrypted private key ciphertext to obtain the private key of the second electronic key equipment, comprising: the first electronics is close
The private key of key equipment utilization the first electronic key equipment is decrypted random process key ciphertext to obtain random process key, benefit
It is decrypted to obtain the private key of the second electronic key equipment with random process key pair private key ciphertext.
In the present embodiment, random process key is symmetric key, can be to through random using random process key itself
The ciphertext that process key encrypts is decrypted.After first electronic key equipment receives the second data packet, the first electronics is utilized
The private key of key devices is decrypted to obtain the second electronic key equipment to the random process key ciphertext in the second data packet
Random process key is decrypted to obtain the second electricity in the random process key pair private key ciphertext using the second electronic key equipment
In plain text, the safe core of the first electronic key equipment is written in the private key of second electronic key equipment by the private key of sub-key equipment in plain text
In piece.The random process key that second electronic key equipment generates is random, and random process key is sent with ciphertext, can
Enhance private key ciphertext in the safety of transmission process.
In the present embodiment, the private key of first electronic key equipment utilization the first electronic key equipment is close to received private key
Text is decrypted to obtain the private key plaintext of the second electronic key equipment.
The peace of the first electronic key equipment is written in the private key of second electronic key equipment by the S208: the first electronic key equipment
In full chip.
Wherein, (Z8D64U (the close lot number SSX43 of state) of such as Guoming Technology Co., Ltd, (state is close by Z32 for safety chip
Lot number SSX20)) it is internal possess independent processor and storage unit, the private key of the second electronic key equipment, and energy can be stored
Enough guarantee that the private key of the second electronic key equipment maliciously will not be read or be modified, protects business privacy and data safety.
In the specific implementation process, the second electronic key equipment is written in the safety chip of the first electronic key equipment
After private key plaintext, the first electronic key equipment is in unactivated state, cannot use.When the second electronic key device losses or
When damage leads to be unable to normal use, the first electronic key equipment is activated.An optional embodiment party as the embodiment of the present invention
Formula can activate the first electronic key equipment in the following ways: the first electronic key equipment being inserted into, electronic key is supported to set
The terminal devices such as standby PC machine, PAD (tablet computer), smart phone install the driver of the first electronic key equipment, the
The corresponding website of bank downloading bank safety software of one electronic key equipment 10 is simultaneously installed, register in website of bank and user is arranged
Name and password, the first electronic key equipment are activated.
In the present embodiment, two electronic key equipment are by verifying signed data to determine other side's electronic key
The legitimacy of equipment is further confirmed by unique identification of the user to electronic key device prompts, to determine two
Electronic key equipment whether there is backup relation, be distinguished as a result, by the first electronic key equipment and the second electronic key equipment
It verifies the legitimacy of other side and whether there is backup relation, determining other side's safety and there are when backup relation, then carry out
The transmission of private key realizes carrying out safety backup private key.
Any process described otherwise above or method description are construed as in flow chart or herein, and expression includes
It is one or more for realizing specific logical function or process the step of executable instruction code module, segment or portion
Point, and the range of the preferred embodiment of the present invention includes other realization, wherein can not press shown or discussed suitable
Sequence, including according to related function by it is basic simultaneously in the way of or in the opposite order, Lai Zhihang function, this should be of the invention
Embodiment person of ordinary skill in the field understood.
It should be appreciated that each section of the invention can be realized with hardware, software, firmware or their combination.Above-mentioned
In embodiment, software that multiple steps or method can be executed in memory and by suitable instruction execution system with storage
Or firmware is realized.It, and in another embodiment, can be under well known in the art for example, if realized with hardware
Any one of column technology or their combination are realized: having a logic gates for realizing logic function to data-signal
Discrete logic, with suitable combinational logic gate circuit specific integrated circuit, programmable gate array (PGA), scene
Programmable gate array (FPGA) etc..
Those skilled in the art are understood that realize all or part of step that above-described embodiment method carries
It suddenly is that relevant hardware can be instructed to complete by program, the program can store in a kind of computer-readable storage medium
In matter, which when being executed, includes the steps that one or a combination set of embodiment of the method.
It, can also be in addition, each functional unit in each embodiment of the present invention can integrate in a processing module
It is that each unit physically exists alone, can also be integrated in two or more units in a module.Above-mentioned integrated mould
Block both can take the form of hardware realization, can also be realized in the form of software function module.The integrated module is such as
Fruit is realized and when sold or used as an independent product in the form of software function module, also can store in a computer
In read/write memory medium.
Storage medium mentioned above can be read-only memory, disk or CD etc..
In the description of this specification, reference term " one embodiment ", " some embodiments ", " example ", " specifically show
The description of example " or " some examples " etc. means specific features, structure, material or spy described in conjunction with this embodiment or example
Point is included at least one embodiment or example of the invention.In the present specification, schematic expression of the above terms are not
Centainly refer to identical embodiment or example.Moreover, particular features, structures, materials, or characteristics described can be any
One or more embodiment or examples in can be combined in any suitable manner.
Although the embodiments of the present invention has been shown and described above, it is to be understood that above-described embodiment is example
Property, it is not considered as limiting the invention, those skilled in the art are not departing from the principle of the present invention and objective
In the case where can make changes, modifications, alterations, and variations to the above described embodiments within the scope of the invention.The scope of the present invention
By appended claims and its equivalent limit.
Claims (12)
1. a kind of backup method of electronic key device private, which is characterized in that the described method includes:
First electronic key equipment sends private key backup request to the second electronic key equipment;
First electronic key equipment obtains the first data to be signed, is signed to obtain the first label to first data to be signed
Name data, first data to be signed include at least: the unique identification of the first electronic key equipment, and will include at least
First data packet of the unique identification of first signed data and the first electronic key equipment is sent to second electricity
Sub-key equipment;
The second electronic key equipment receives the private key backup request and first data packet, to first data
The first signed data in packet is verified;If the verification passes, then the first electronic key equipment is prompted the user with only
One mark, receive the user confirm the unique identification of the first electronic key equipment correctly confirm instruct after, to described
The private key of second electronic key equipment is encrypted to obtain private key ciphertext;Second data to be signed are signed to obtain the second label
Name data, second data to be signed include at least unique mark of the private key ciphertext and the second electronic key equipment
The unique identification known, and second signed data, the private key ciphertext and the second electronic key equipment will be included at least
The second data packet be sent to the first electronic key equipment;
The first electronic key equipment receives second data packet, to the second signed data in second data packet into
Row verifying;If the verification passes, then the unique identification that the second electronic key equipment is prompted to the user, receives the use
After family confirms that the unique identification of the second electronic key equipment correctly confirms instruction, the private key ciphertext is decrypted
To the private key of the second electronic key equipment;
The first electronic key equipment is written in the private key of the second electronic key equipment by the first electronic key equipment
Safety chip in;
First data to be signed, further includes: the first combination single authentication data;
After the second electronic key equipment receives the private key backup request, and the first electronic key equipment is to institute
It states before the first data to be signed are signed to obtain the first signed data, the method also includes:
The first electronic key equipment obtains the first single authentication data, and the first single authentication data are by second electricity
Sub-key equipment generates and sends to the first electronic key equipment;
The first electronic key equipment generates the second single authentication data, by the first single authentication data and described second
Single authentication data combine to obtain the first combination single authentication data.
2. according to the method described in claim 1, it is characterized by:
The second electronic key equipment encrypts the private key of the second electronic key equipment to obtain private key ciphertext, packet
It includes:
The public key of the first electronic key equipment is to the second electronic key equipment described in the second electronic key equipment utilization
Private key encrypted to obtain the private key ciphertext;
The first electronic key equipment is decrypted the private key ciphertext to obtain the private key of the second electronic key equipment,
Include:
The private key ciphertext is decrypted in the private key of first electronic key equipment described in the first electronic key equipment utilization
Obtain the private key of the second electronic key equipment.
3. according to the method described in claim 1, it is characterized by:
The second electronic key equipment encrypts the private key of the second electronic key equipment to obtain private key ciphertext, packet
It includes:
The second electronic key equipment generates random process key, close using the second electronics described in the random process key pair
The private key of key equipment is encrypted to obtain the private key ciphertext;
It is described before second data packet is sent to the first electronic key equipment by the second electronic key equipment
Method further include: the public key of the first electronic key equipment described in the second electronic key equipment utilization is close to the random process
Key is encrypted to obtain random process key ciphertext;Second data packet, further includes: the random process key ciphertext;
The first electronic key equipment is decrypted the private key ciphertext to obtain the private key of the second electronic key equipment,
Include:
The private key of the first electronic key equipment is to the random process key ciphertext described in the first electronic key equipment utilization
It is decrypted to obtain the random process key, is decrypted to obtain institute using private key ciphertext described in the random process key pair
State the private key of the second electronic key equipment.
4. method according to claim 1-3, it is characterised in that:
First data packet, further includes: the digital certificate of the first electronic key equipment;
After the second electronic key equipment receives first data packet, and the second electronic key equipment is to described
Before the first signed data in first data packet is verified, the method also includes:
The second electronic key equipment verifies the digital certificate of the first electronic key equipment, if verifying is logical
It crosses, then obtains the public key of the first electronic key equipment from the digital certificate of the first electronic key equipment;
The second electronic key equipment verifies the first signed data in first data packet, comprising:
The public key of first electronic key equipment described in the second electronic key equipment utilization carries out first signed data
Verifying.
5. method according to claim 1-3, it is characterised in that:
Second data packet, further includes: the digital certificate of the second electronic key equipment;
After the first electronic key equipment receives second data packet, and the first electronic key equipment is to described
Before the second signed data in second data packet is verified, the method also includes:
The first electronic key equipment verifies the digital certificate of the second electronic key equipment, if verifying is logical
It crosses, then obtains the public key of the second electronic key equipment from the number card of the second electronic key equipment;
The first electronic key equipment verifies the second signed data for including in second data packet, comprising:
The public key of second electronic key equipment described in the first electronic key equipment utilization carries out second signed data
Verifying.
6. method according to claim 1-3, it is characterised in that:
The unique identification of the first electronic key equipment, comprising: the sequence number of the first electronic key equipment;
The unique identification of the second electronic key equipment, comprising: the sequence number of the second electronic key equipment.
7. a kind of standby system of electronic key device private, which is characterized in that the system comprises: the first electronic key equipment
And the second electronic key equipment;
The first electronic key equipment obtains first for sending private key backup request to the second electronic key equipment
Data to be signed sign first data to be signed to obtain the first signed data, and first data to be signed are extremely
Less include: the unique identification of the first electronic key equipment, first signed data and first electricity will be included at least
First data packet of the unique identification of sub-key equipment is sent to the second electronic key equipment;
The second electronic key equipment, for receiving the private key backup request and first data packet, to described
The first signed data in one data packet is verified;If the verification passes, then first electronic key is prompted the user with to set
Standby unique identification, receive the user confirm the unique identification of the first electronic key equipment correctly confirm instruction after,
The private key of the second electronic key equipment is encrypted to obtain private key ciphertext;Second data to be signed are signed to obtain
Second signed data, second data to be signed include at least the private key ciphertext and the second electronic key equipment only
One mark, and the unique of second signed data, the private key ciphertext and the second electronic key equipment will be included at least
Second data packet of mark is sent to the first electronic key equipment;
The first electronic key equipment is also used to receive second data packet, to the second label in second data packet
Name data are verified;If the verification passes, then the unique identification that the second electronic key equipment is prompted to the user, connects
Receive the user confirm the unique identification of the second electronic key equipment correctly confirm instruction after, to the private key ciphertext into
Row decryption obtains the private key of the second electronic key equipment;And by the private key of the second electronic key equipment write-in described the
In the safety chip of one electronic key equipment;
First data to be signed, further includes: the first combination single authentication data;
The first electronic key equipment is also used to obtain the first single authentication data, and the first single authentication data are by institute
The second electronic key equipment is stated to generate and send to the first electronic key equipment;
The first electronic key equipment is also used to generate the second single authentication data, by the first single authentication data and
The second single authentication data combine to obtain the first combination single authentication data.
8. system according to claim 7, it is characterised in that:
The second electronic key equipment is encrypted to obtain private key close for the private key to the second electronic key equipment
Text, comprising:
The second electronic key equipment, for the public key using the first electronic key equipment to second electronic key
The private key of equipment is encrypted to obtain the private key ciphertext;
The first electronic key equipment obtains the second electronic key equipment for the private key ciphertext to be decrypted
Private key, comprising:
The first electronic key equipment carries out the private key ciphertext for the private key using the first electronic key equipment
Decryption obtains the private key of the second electronic key equipment.
9. system according to claim 7, it is characterised in that:
The second electronic key equipment is encrypted to obtain private key close for the private key to the second electronic key equipment
Text, comprising:
The second electronic key equipment, for generating random process key, using second described in the random process key pair
The private key of electronic key equipment is encrypted to obtain private key ciphertext;
The second electronic key equipment, be also used to by second data packet be sent to the first electronic key equipment it
Before, the random process key is encrypted to obtain random process key using the public key of the first electronic key equipment close
Text;Second data packet, further includes: the random process key ciphertext;
The first electronic key equipment obtains the second electronic key equipment for the private key ciphertext to be decrypted
Private key, comprising:
The first electronic key equipment, for the private key using the first electronic key equipment to the random process key
Ciphertext is decrypted to obtain the random process key of the second electronic key equipment, utilizes the second electronic key equipment
Private key ciphertext described in random process key pair is decrypted to obtain the private key of the second electronic key equipment.
10. according to the described in any item systems of claim 7-9, which is characterized in that first data packet, further includes: described
The digital certificate of first electronic key equipment;
The second electronic key equipment is also used to verify the digital certificate of the first electronic key equipment, if
It is verified, then obtains the public key of the first electronic key equipment from the digital certificate of the first electronic key equipment;
The second electronic key equipment is also used to verify the first signed data in first data packet, comprising:
The public key of first electronic key equipment described in the second electronic key equipment utilization verifies first signed data.
11. according to the described in any item systems of claim 7-9, which is characterized in that second data packet, further includes: described
The digital certificate of second electronic key equipment;
The first electronic key equipment is also used to verify the digital certificate of the second electronic key equipment, if
It is verified, then obtains the public key of the second electronic key equipment from the digital certificate of the second electronic key equipment;
The first electronic key equipment is also used to verify the second signed data in second data packet, comprising:
The public key of second electronic key equipment described in the first electronic key equipment utilization verifies second signed data.
12. according to the described in any item systems of claim 7-9, it is characterised in that:
The unique identification of the first electronic key equipment, comprising: the sequence number of the first electronic key equipment;
The unique identification of the second electronic key equipment, comprising: the sequence number of the second electronic key equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510765202.XA CN105939194B (en) | 2015-11-11 | 2015-11-11 | A kind of backup method and system of electronic key device private |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510765202.XA CN105939194B (en) | 2015-11-11 | 2015-11-11 | A kind of backup method and system of electronic key device private |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105939194A CN105939194A (en) | 2016-09-14 |
| CN105939194B true CN105939194B (en) | 2019-06-25 |
Family
ID=57153208
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510765202.XA Active CN105939194B (en) | 2015-11-11 | 2015-11-11 | A kind of backup method and system of electronic key device private |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105939194B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106533665B (en) | 2016-10-31 | 2018-08-07 | 北京百度网讯科技有限公司 | Mthods, systems and devices for storing website private key plaintext |
| CN107453862B (en) * | 2017-05-15 | 2023-05-30 | 杭州复杂美科技有限公司 | Scheme for generating, storing and using private key |
| CN107358441B (en) * | 2017-06-26 | 2020-12-18 | 北京明华联盟科技有限公司 | Payment verification method and system, mobile device and security authentication device |
| CN108199844B (en) * | 2018-04-09 | 2022-05-13 | 北京无字天书科技有限公司 | Method for supporting off-line SM9 algorithm key first application downloading |
| CN109547203A (en) * | 2018-12-25 | 2019-03-29 | 深圳市安信认证系统有限公司 | A kind of backup method of private key, back-up device and terminal device |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1249636A (en) * | 1998-07-31 | 2000-04-05 | 朗迅科技公司 | Method for transmitting sensitive message by initial unclassified communication |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
| CN103248491A (en) * | 2013-05-23 | 2013-08-14 | 天地融科技股份有限公司 | Method and system for backing up electronic signed token private key |
| CN103281188A (en) * | 2013-05-23 | 2013-09-04 | 天地融科技股份有限公司 | Method and system for backing up private key in electronic signature token |
| CN103973455A (en) * | 2014-05-28 | 2014-08-06 | 天地融科技股份有限公司 | Information interaction method |
| CN104036391A (en) * | 2014-05-30 | 2014-09-10 | 天地融科技股份有限公司 | Information interaction method and system, information processing method and electronic key equipment |
-
2015
- 2015-11-11 CN CN201510765202.XA patent/CN105939194B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1249636A (en) * | 1998-07-31 | 2000-04-05 | 朗迅科技公司 | Method for transmitting sensitive message by initial unclassified communication |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
| CN103248491A (en) * | 2013-05-23 | 2013-08-14 | 天地融科技股份有限公司 | Method and system for backing up electronic signed token private key |
| CN103281188A (en) * | 2013-05-23 | 2013-09-04 | 天地融科技股份有限公司 | Method and system for backing up private key in electronic signature token |
| CN103973455A (en) * | 2014-05-28 | 2014-08-06 | 天地融科技股份有限公司 | Information interaction method |
| CN104036391A (en) * | 2014-05-30 | 2014-09-10 | 天地融科技股份有限公司 | Information interaction method and system, information processing method and electronic key equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105939194A (en) | 2016-09-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108667608B (en) | Method, device and system for protecting data key | |
| CN105939194B (en) | A kind of backup method and system of electronic key device private | |
| CN105050081B (en) | Method, device and system for connecting network access device to wireless network access point | |
| CN103069774B (en) | Access the service notified safely | |
| CN104243451B (en) | A kind of information interacting method, system and intelligent cipher key equipment | |
| CN103326862B (en) | Electronically signing method and system | |
| CN100566255C (en) | Improve the method and system of safety of intelligent key equipment | |
| US10931464B2 (en) | Communication system, hardware security module, terminal device, communication method, and program | |
| CN103269271B (en) | A kind of back up the method and system of private key in electronic signature token | |
| CN104836784B (en) | A kind of information processing method, client and server | |
| CN103532719B (en) | Dynamic password generation method, dynamic password generation system, as well as processing method and processing system of transaction request | |
| WO2016110601A1 (en) | Method for generating a digital identity for a user of a mobile device, digital user identity, and authentication method using said digital user identity | |
| CN103516525B (en) | Dynamic password generation method and system | |
| CN105991650B (en) | A kind of transmission method and system of ID card information | |
| CN106027457B (en) | A kind of ID card information transmission method and system | |
| CN106027475B (en) | The transmission method and system of a kind of key acquisition method, ID card information | |
| CN102577301A (en) | Method and apparatus for trusted authentication and logon | |
| CN104301110A (en) | Authentication method, authentication device and system applied to intelligent terminal | |
| TWI632798B (en) | Server, mobile terminal, and network real-name authentication system and method | |
| JP5380583B1 (en) | Device authentication method and system | |
| CN104618114B (en) | ID card information acquisition methods, apparatus and system | |
| US20220166623A1 (en) | Hardware authentication token with remote validation | |
| CN106156677B (en) | Identity card card reading method and system | |
| JP6752013B2 (en) | Hearing devices with service modes and related methods | |
| CN107135205A (en) | A kind of method for network access and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |