Content of the invention
An object of the invention is to provide a data encryption and decryption method and system that improve data security, avoid disturbing the normal operation of other systems that interact with the application system, and improve the reliability of cryptographic operations.
A data encryption and decryption system comprises a processor, a first cipher card and a second cipher card. The processor is connected to the first cipher card and to the second cipher card, and the first cipher card and the second cipher card store the same first user key, wherein:
the processor is configured, on receiving a processing request for business data, to send the processing request to the first cipher card; to determine whether first processing data corresponding to the business data is received from the first cipher card; if not, to send the processing request to the second cipher card; and to receive second processing data corresponding to the business data from the second cipher card, the processing request being an encryption request or a decryption request;
the first cipher card is configured, on receiving the processing request, to process the business data with the first user key and to obtain and return the first processing data;
the second cipher card is configured, on receiving the processing request, to process the business data with the first user key and to obtain and return the second processing data.
In a specific embodiment of the invention,
the first cipher card is further configured, on receiving a first key generation instruction, to generate and store a second user key and to synchronize the second user key to the second cipher card.
In a specific embodiment of the invention,
the first cipher card is specifically configured, after generating the second user key, to generate a symmetric key according to a preset generation rule; to encrypt the second user key with the symmetric key to obtain first key data; to encrypt the symmetric key with the public key of the second cipher card to obtain second key data; and to send a ciphertext comprising the first key data and the second key data to the second cipher card;
the second cipher card is further configured to receive the ciphertext; to decrypt the second key data with its own private key to obtain the symmetric key; and to decrypt the first key data with the symmetric key to obtain and store the second user key.
In a specific embodiment of the invention,
the processor is further configured, on determining that the first processing data corresponding to the business data has not been received from the first cipher card, to mark the first cipher card as a faulty card.
In a specific embodiment of the invention,
the processor is further configured to detect, at a set time interval, whether repair of the first cipher card is complete; if so, to send a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes the user key it currently stores to the first cipher card.
A data encryption and decryption method is applied to a processor. The processor is connected to a first cipher card and to a second cipher card, and the first cipher card and the second cipher card store the same first user key. The method includes:
receiving a processing request for business data, the processing request being an encryption request or a decryption request;
sending the processing request to the first cipher card, so that the first cipher card, on receiving the processing request, processes the business data with the first user key and obtains and returns first processing data;
determining whether the first processing data is received;
if not, sending the processing request to the second cipher card, so that the second cipher card, on receiving the processing request, processes the business data with the first user key and obtains and returns second processing data;
receiving the second processing data.
In a specific embodiment of the invention, the method further includes:
sending a first key generation instruction to the first cipher card, so that the first cipher card, on receiving the first key generation instruction, generates and stores a second user key and synchronizes the second user key to the second cipher card.
In a specific embodiment of the invention, the method further includes:
sending a first key synchronization instruction to the first cipher card, so that the first cipher card, after generating the second user key, generates a symmetric key according to a preset generation rule; encrypts the second user key with the symmetric key to obtain first key data; encrypts the symmetric key with the public key of the second cipher card to obtain second key data; and sends a ciphertext comprising the first key data and the second key data to the second cipher card, so that the second cipher card decrypts the second key data with its own private key to obtain the symmetric key, and decrypts the first key data with the symmetric key to obtain and store the second user key.
In a specific embodiment of the invention, the method further includes:
on determining that the first processing data has not been received, marking the first cipher card as a faulty card.
In a specific embodiment of the invention, the method further includes:
detecting, at a set time interval, whether repair of the first cipher card is complete;
if so, sending a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes the user key it currently stores to the first cipher card.
With the technical solution provided by the embodiments of the invention, dual cipher cards keep a hot standby of critical data such as user keys at the hardware level. When one cipher card fails, the other cipher card can encrypt or decrypt the business data directly, so business data continues to be processed without interruption. This avoids a backlog of data awaiting encryption in the application system, improves data security, prevents encrypted business data from becoming unreadable for a long period and thereby disturbing other systems that interact with the application system, and improves the reliability of cryptographic operations.
Specific embodiment
To make the solution of the invention better understood by those skilled in the art, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some rather than all embodiments of the invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Figure 1 is a schematic structural diagram of a data encryption and decryption system provided by an embodiment of the invention. The system includes a processor 110, a first cipher card 120 and a second cipher card 130. The processor 110 is connected to the first cipher card 120 and to the second cipher card 130, and the first cipher card 120 and the second cipher card 130 store the same first user key, wherein:
the processor 110 is configured, on receiving a processing request for business data, to send the processing request to the first cipher card 120; to determine whether first processing data corresponding to the business data is received from the first cipher card 120; if not, to send the processing request to the second cipher card 130; and to receive second processing data corresponding to the business data from the second cipher card 130, the processing request being an encryption request or a decryption request;
the first cipher card 120 is configured, on receiving the processing request, to process the business data with the first user key and to obtain and return the first processing data;
the second cipher card 130 is configured, on receiving the processing request, to process the business data with the first user key and to obtain and return the second processing data.
The data encryption and decryption system provided by the embodiment of the invention comprises the processor 110, the first cipher card 120 and the second cipher card 130. The processor 110 is connected to the first cipher card 120 and to the second cipher card 130; the first cipher card 120 and the second cipher card 130 serve as standby cards for each other and store the same first user key. The processor 110 may provide several API interfaces with different functions; when the processor 110 needs to communicate with the first cipher card 120 or the second cipher card 130, it does so by calling the corresponding API interface. The first cipher card 120 and the second cipher card 130 may specifically be PCI-E (PCI Express, a new generation of bus interface) cipher cards.
The data encryption and decryption system provided by the embodiment of the invention can be connected to an application system. The application system includes a data server, and the data server is connected to the processor 110. The data server receives business data coming from other systems or entered by users. To strengthen the security of the business data, it can be encrypted by the first cipher card 120 or the second cipher card 130 before it is stored, and when encrypted, stored business data needs to be read, it is decrypted by the first cipher card 120 or the second cipher card 130.
The processor 110 receives a processing request for business data from a requesting party such as the data server or another user. The processing request may be an encryption request or a decryption request: for business data to be encrypted it is an encryption request, and for encrypted business data to be read it is a decryption request.
On receiving a processing request for business data, the processor 110 can send the processing request to the first cipher card 120. In practice, the processor 110 may select a cipher card at random to respond to the request. Alternatively, a tag is set for each cipher card in advance when the cipher cards are initialized, for example tagging the first cipher card 120 as the primary card and the second cipher card 130 as the secondary card; the processor 110 then sends the processing request to the first cipher card 120 that carries the primary-card tag.
When the first cipher card 120 receives the processing request and is in a normal working state, it can process the business data with the first user key and obtain and return the first processing data. If the processing request is an encryption request, the first cipher card 120 encrypts the business data with the first user key, and the first processing data is the encrypted business data. If the processing request is a decryption request, the first cipher card 120 decrypts the business data with the first user key, and the first processing data is the decrypted business data.
If the first cipher card 120 is currently faulty, it cannot process the business data; for this business data it may return no information at all to the processor 110, or return abnormal data such as garbled output.
After sending the processing request to the first cipher card 120, the processor 110 can determine, when a set time interval has elapsed, whether the first processing data corresponding to the business data has been received from the first cipher card 120.
If the first processing data is received, it can be returned to the requesting party.
If the first processing data is not received, or abnormal data is received, the processor 110 can determine that the first cipher card 120 is currently faulty and cannot be used again to process the business data. In this case, the processor 110 can send the processing request to the second cipher card 130.
Because the first user key stored in the second cipher card 130 is identical to the first user key stored in the first cipher card 120, the second cipher card 130, on receiving the processing request, can process the business data with the first user key, obtain the second processing data and return it to the processor 110.
After the processor 110 receives the second processing data, it can return the second processing data to the requesting party. This completes the encryption or decryption of the business data.
With the system provided by the embodiment of the invention, dual cipher cards keep a hot standby of critical data such as user keys at the hardware level. When one cipher card fails, the other cipher card can encrypt or decrypt the business data directly, so business data continues to be processed without interruption. This avoids a backlog of data awaiting encryption in the application system, improves data security, prevents encrypted business data from becoming unreadable for a long period and thereby disturbing other systems that interact with the application system, and improves the reliability of cryptographic operations.
It should be noted that the data encryption and decryption system provided by the embodiment of the invention may also include more cipher cards; multiple cipher cards back each other up and together guarantee the encryption and decryption of business data.
In an embodiment of the invention, the first cipher card 120 is further configured:
on receiving a first key generation instruction, to generate and store a second user key, and to synchronize the second user key to the second cipher card 130.
In practice, the user key can be updated regularly to strengthen data security.
When the first cipher card 120 receives a first key generation instruction sent by the processor 110 or by a user, it can generate and store a second user key. Specifically, the first cipher card 120 can generate the second user key according to a preset user key generation rule. When the first cipher card 120 subsequently receives new business data to be encrypted, it can encrypt the new business data with this second user key.
The first user key can likewise be generated in this way.
The user key generation rule can be preset, for example generation based on the current date, or generation from a keyword specified by the user; the embodiment of the invention does not limit it.
After generating the second user key, the first cipher card 120 can synchronize the second user key to the second cipher card 130, so that the user keys in the first cipher card 120 and the second cipher card 130 remain consistent. Alternatively, it synchronizes the second user key to the second cipher card 130 on receiving a key synchronization instruction from the processor 110.
In an embodiment of the invention, the first cipher card 120 can synchronize the second user key to the second cipher card 130 through the following steps:
Step one: after generating the second user key, the first cipher card 120 generates a symmetric key according to a preset generation rule, for example at random. This symmetric key is used to encrypt the currently generated second user key and can be discarded once it has been used.
Step 2: the first cipher card 120 encrypts the second user key with the symmetric key to obtain first key data.
Step 3: the first cipher card 120 encrypts the symmetric key with the public key of the second cipher card 130 to obtain second key data. The first cipher card 120 and the second cipher card 130 each generate an asymmetric key pair at initialization and provide the public key of the pair to the other card. The public key of the second cipher card 130 is the public key of the asymmetric key pair that the second cipher card 130 generated at initialization.
Step 4: the first cipher card 120 sends a ciphertext comprising the first key data and the second key data to the second cipher card 130.
Step 5: the second cipher card 130 receives the ciphertext and obtains the first key data and the second key data from it.
Step 6: the second cipher card 130 decrypts the second key data with its own private key to obtain the symmetric key. Because the second key data was produced by encrypting the symmetric key with the public key of the second cipher card 130, the second cipher card 130 can decrypt it with its own private key and obtain the symmetric key.
Step 7: the second cipher card 130 decrypts the first key data with the symmetric key to obtain and store the second user key.
The first cipher card 120 and the second cipher card 130 have thereby completed the synchronization of the second user key.
Synchronizing the user key in this digital-envelope manner effectively protects the user key in transit and reduces the risk of its being intercepted and modified during transmission.
Of course, those skilled in the art can also synchronize the user key between the first cipher card 120 and the second cipher card 130 by other methods, such as direct transmission; the embodiment of the invention does not limit this.
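Steps one to seven above, written out as an added example in Go. This is not part of the patent's embodiment or of any product's code: the text names no algorithms, so the example assumes AES-256-GCM for the symmetric step and RSA-OAEP for the public-key step, and it models the two cards as in-memory CipherCard values whose Envelope, Seal, Open and SyncUserKey names are the example's own. GCM is chosen deliberately: its tag check makes an envelope that was altered in transit fail to open, so the receiving card never stores a corrupted user key, which is the check a card should make before accepting a synchronized key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the ciphertext of step 4: first key data (the user key under the
// one-time symmetric key) and second key data (that key under the peer's public key).
type Envelope struct {
	FirstKeyData  []byte // AES-256-GCM output, nonce prepended
	SecondKeyData []byte // RSA-OAEP output
}

// CipherCard stands in for one card: the RSA key pair it generated at
// initialization and the user key it currently holds (names are this example's own).
type CipherCard struct {
	priv    *rsa.PrivateKey
	UserKey []byte
}

func NewCipherCard() (*CipherCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &CipherCard{priv: priv}, err
}

// PublicKey is what each card hands to its peer at initialization.
func (c *CipherCard) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// GenerateUserKey answers the first key generation instruction with a fresh 256-bit key.
func (c *CipherCard) GenerateUserKey() error {
	c.UserKey = make([]byte, 32)
	_, err := rand.Read(c.UserKey)
	return err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs steps one to four on the sending card.
func (c *CipherCard) Seal(peer *rsa.PublicKey) (*Envelope, error) {
	if len(c.UserKey) == 0 {
		return nil, errors.New("no user key to synchronize")
	}
	sym := make([]byte, 32) // step one: random one-time symmetric key
	if _, err := rand.Read(sym); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sym)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	first := gcm.Seal(nonce, nonce, c.UserKey, nil)                              // step 2
	second, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, sym, nil) // step 3
	if err != nil {
		return nil, err
	}
	return &Envelope{FirstKeyData: first, SecondKeyData: second}, nil // step 4
}

// Open performs steps 5 to 7 on the receiving card; a tampered envelope fails here.
func (c *CipherCard) Open(env *Envelope) error {
	sym, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, env.SecondKeyData, nil) // step 6
	if err != nil {
		return err
	}
	gcm, err := newGCM(sym)
	if err != nil {
		return err
	}
	n := gcm.NonceSize()
	if len(env.FirstKeyData) < n {
		return errors.New("first key data too short")
	}
	userKey, err := gcm.Open(nil, env.FirstKeyData[:n], env.FirstKeyData[n:], nil) // step 7
	if err != nil {
		return err
	}
	c.UserKey = userKey
	return nil
}

// SyncUserKey runs the whole exchange from one card to the other.
func SyncUserKey(from, to *CipherCard) error {
	env, err := from.Seal(to.PublicKey())
	if err != nil {
		return err
	}
	return to.Open(env)
}
```

To use it, create two cards, call GenerateUserKey on the first and SyncUserKey(first, second); afterwards both UserKey fields are equal. The symmetric key exists only inside Seal and Open and is never stored, matching the text's note that it is discarded after use.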
In an embodiment of the invention, the processor 110 is further configured, on determining that the first processing data corresponding to the business data has not been received from the first cipher card 120, to mark the first cipher card 120 as a faulty card.
When the processor 110 determines that the first processing data has not been received, it can determine that the first cipher card 120 is currently faulty and mark it as a faulty card. When the processor 110 next receives a processing request for business data, it can send the processing request directly to the second cipher card 130, providing continuous service.
If the first cipher card 120 was initially tagged as the primary card and the second cipher card 130 as the secondary card, then when the processor 110 determines that the first cipher card 120 is faulty, it can update the tag of the first cipher card 120 to faulty card and the tag of the second cipher card 130 to primary card.
In an embodiment of the invention, the processor 110 is further configured to detect, at a set time interval, whether repair of the first cipher card 120 is complete; if so, to send a second key synchronization instruction to the second cipher card 130, so that the second cipher card 130 synchronizes the user key it currently stores to the first cipher card 120.
In the embodiment of the invention, the processor 110 can check at a set time interval whether the first cipher card 120 has been repaired. If it detects that repair of the first cipher card 120 is complete, it can clear the faulty-card tag of the first cipher card 120, or update the tag of the first cipher card 120 to secondary card, making it the standby card of the second cipher card 130.
At the same time, the processor 110 can send a second key synchronization instruction to the second cipher card 130. Following the second key synchronization instruction, the second cipher card 130 synchronizes the user key it currently stores to the first cipher card 120. Then, if the second cipher card 130 fails, the first cipher card 120 can continue to process business data, providing uninterrupted encryption and decryption service.
The specific user key synchronization method may follow the process described above for the first cipher card 120 synchronizing the user key to the second cipher card 130, and is not repeated here.
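The request path of the processor 110 described above (wait for the primary card, tag it faulty when no reply arrives within the set interval, promote the standby card and resend the request) together with the periodic repair check and key re-synchronization, as an added simulation in Go. It is not part of the patent's embodiment or of any product's code. It assumes that each card encrypts and decrypts with AES-256-CTR under its user key (the text names no algorithm), models a faulty card as one that stays silent past the processor's wait, and models the re-synchronization after repair as a plain copy of the primary card's key, which the text allows as an alternative to the digital envelope; the Card, Processor, Handle and CheckRepair names are the example's own. The abnormal-output case the text also mentions is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Card simulates one cipher card. Down is the simulation's fault switch: a card
// that is down stays silent for Delay, the "no reply" failure the text describes.
type Card struct {
	UserKey []byte
	Down    bool
	Delay   time.Duration
}

// Process encrypts (op "enc") or decrypts (any other op) with AES-256-CTR under
// the card's user key; the random IV is prepended to the ciphertext.
func (c *Card) Process(op string, data []byte) ([]byte, error) {
	if c.Down {
		time.Sleep(c.Delay)
		return nil, errors.New("card fault")
	}
	block, err := aes.NewCipher(c.UserKey)
	if err != nil {
		return nil, err
	}
	if op == "enc" {
		out := make([]byte, aes.BlockSize+len(data))
		if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
			return nil, err
		}
		cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], data)
		return out, nil
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

type reply struct {
	data []byte
	err  error
}

// Processor records each card's tag (primary, standby or faulty, as in the text)
// and the interval it waits for a reply before treating the card as failed.
type Processor struct {
	Primary, Standby, Faulty *Card
	Wait                     time.Duration
}

// ask sends one request to one card and gives up after p.Wait.
func (p *Processor) ask(c *Card, op string, data []byte) ([]byte, error) {
	ch := make(chan reply, 1)
	go func() {
		d, err := c.Process(op, data)
		ch <- reply{d, err}
	}()
	select {
	case r := <-ch:
		return r.data, r.err
	case <-time.After(p.Wait):
		return nil, errors.New("no reply within the set interval")
	}
}

// Handle is the request path: primary card first; if it gives no reply or an error,
// it is tagged faulty, the standby card is promoted and the same request goes to it.
func (p *Processor) Handle(op string, data []byte) ([]byte, error) {
	if p.Primary == nil {
		return nil, errors.New("no primary card")
	}
	if out, err := p.ask(p.Primary, op, data); err == nil {
		return out, nil
	}
	if p.Standby == nil {
		return nil, errors.New("primary card failed and no standby card is available")
	}
	p.Primary, p.Standby, p.Faulty = p.Standby, nil, p.Primary
	return p.ask(p.Primary, op, data)
}

// CheckRepair is the periodic repair check: a repaired card returns as the standby
// card and receives the key the primary card currently holds (plain copy, assumed).
func (p *Processor) CheckRepair() bool {
	if p.Faulty == nil || p.Faulty.Down || p.Primary == nil {
		return false
	}
	p.Faulty.UserKey = append([]byte(nil), p.Primary.UserKey...)
	p.Standby, p.Faulty = p.Faulty, nil
	return true
}
```

Because both cards hold the same user key, data encrypted through the primary card before it fails decrypts correctly through the promoted standby card; Handle demonstrates this when the primary card is switched to Down between an "enc" and the matching "dec" request. Wait should be set to the interval the text calls the set time interval, long enough for a healthy card to answer.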
Corresponding to the system embodiment above, an embodiment of the invention further provides a data encryption and decryption method. The method is applied to a processor; the processor is connected to a first cipher card and to a second cipher card, and the first cipher card and the second cipher card store the same first user key.
As shown in Figure 2, the data encryption and decryption method comprises the following steps:
S210: receive a processing request for business data, the processing request being an encryption request or a decryption request.
The processor receives a processing request for business data from a requesting party such as a data server or another user. The processing request may be an encryption request or a decryption request: for business data to be encrypted it is an encryption request, and for encrypted business data to be read it is a decryption request.
S220: send the processing request to the first cipher card, so that the first cipher card, on receiving the processing request, processes the business data with the first user key and obtains and returns first processing data.
On receiving a processing request for business data, the processor can send the processing request to the first cipher card. In practice, the processor may select a cipher card at random to respond to the request. Alternatively, a tag is set for each cipher card in advance when the cipher cards are initialized, for example tagging the first cipher card as the primary card and the second cipher card as the secondary card; the processor then sends the processing request to the first cipher card that carries the primary-card tag.
When the first cipher card receives the processing request and is in a normal working state, it can process the business data with the first user key and obtain and return the first processing data. If the processing request is an encryption request, the first cipher card encrypts the business data with the first user key, and the first processing data is the encrypted business data. If the processing request is a decryption request, the first cipher card decrypts the business data with the first user key, and the first processing data is the decrypted business data.
If the first cipher card is currently faulty, it cannot process the business data; for this business data it may return no information at all to the processor, or return abnormal data such as garbled output.
S230: determine whether the first processing data is received.
After sending the processing request to the first cipher card, the processor can determine, when a set time interval has elapsed, whether the first processing data corresponding to the business data has been received from the first cipher card.
If the first processing data is received, it can be returned to the requesting party.
If the first processing data is not received, or abnormal data is received, the processor can determine that the first cipher card is currently faulty and cannot be used again to process the business data. In this case, the operation of step S240 can be performed.
S240: send the processing request to the second cipher card, so that the second cipher card, on receiving the processing request, processes the business data with the first user key and obtains and returns second processing data.
On determining that the first processing data has not been received, the processor can send the processing request to the second cipher card. Because the first user key stored in the second cipher card is identical to the first user key stored in the first cipher card, the second cipher card, on receiving the processing request, can process the business data with the first user key, obtain the second processing data and return it to the processor.
S250: receive the second processing data.
After the processor receives the second processing data, it can return the second processing data to the requesting party. This completes the encryption or decryption of the business data.
With the method provided by the embodiment of the invention, dual cipher cards keep a hot standby of critical data such as user keys at the hardware level. When one cipher card fails, the other cipher card can encrypt or decrypt the business data directly, so business data continues to be processed without interruption. This avoids a backlog of data awaiting encryption in the application system, improves data security, prevents encrypted business data from becoming unreadable for a long period and thereby disturbing other systems that interact with the application system, and improves the reliability of cryptographic operations.
In an embodiment of the invention, the method further includes:
sending a first key generation instruction to the first cipher card, so that the first cipher card, on receiving the first key generation instruction, generates and stores a second user key and synchronizes the second user key to the second cipher card.
The processor can send the first key generation instruction to the first cipher card when a preset trigger condition is reached or when a user instruction is received.
When the first cipher card receives the first key generation instruction sent by the processor, it can generate and store the second user key. Specifically, the first cipher card can generate the second user key according to a preset user key generation rule. When the first cipher card subsequently receives new business data to be encrypted, it can encrypt the new business data with this second user key.
The first user key can likewise be generated in this way.
The user key generation rule can be preset, for example generation based on the current date, or generation from a keyword specified by the user; the embodiment of the invention does not limit it.
After generating the second user key, the first cipher card can synchronize the second user key to the second cipher card, so that the user keys in the first cipher card and the second cipher card remain consistent. Alternatively, it synchronizes the second user key to the second cipher card on receiving a key synchronization instruction from the processor.
In an embodiment of the invention, the method further includes:
sending a first key synchronization instruction to the first cipher card, so that the first cipher card, after generating the second user key, generates a symmetric key according to a preset generation rule; encrypts the second user key with the symmetric key to obtain first key data; encrypts the symmetric key with the public key of the second cipher card to obtain second key data; and sends a ciphertext comprising the first key data and the second key data to the second cipher card, so that the second cipher card decrypts the second key data with its own private key to obtain the symmetric key, and decrypts the first key data with the symmetric key to obtain and store the second user key.
Synchronizing the user key in this digital-envelope manner effectively protects the user key in transit and reduces the risk of its being intercepted and modified during transmission.
In an embodiment of the invention, the method further includes:
on determining that the first processing data has not been received, marking the first cipher card as a faulty card.
When the processor determines that the first processing data has not been received, it can determine that the first cipher card is currently faulty and mark it as a faulty card. When the processor next receives a processing request for business data, it can send the processing request directly to the second cipher card, providing continuous service.
If the first cipher card was initially tagged as the primary card and the second cipher card as the secondary card, then when the processor determines that the first cipher card is faulty, it can update the tag of the first cipher card to faulty card and the tag of the second cipher card to primary card.
In an embodiment of the invention, the method further includes:
a first step: detecting, at a set time interval, whether repair of the first cipher card is complete, and if so, performing the second step;
a second step: sending a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes the user key it currently stores to the first cipher card.
In the embodiment of the invention, the processor can check at a set time interval whether the first cipher card has been repaired. If it detects that repair of the first cipher card is complete, it can clear the faulty-card tag of the first cipher card, or update the tag of the first cipher card to secondary card, making it the standby card of the second cipher card.
At the same time, the processor can send a second key synchronization instruction to the second cipher card. Following the second key synchronization instruction, the second cipher card synchronizes the user key it currently stores to the first cipher card. Then, if the second cipher card fails, the first cipher card can continue to process business data, providing uninterrupted encryption and decryption service.
The specific user key synchronization method may follow the process described above for the first cipher card synchronizing the user key to the second cipher card, and is not repeated here.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to among one another. Since the method disclosed in the embodiments corresponds to the system disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the system.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered beyond the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The principles and embodiments of the invention have been explained herein with specific examples; the description of the above embodiments is only intended to help understand the technical solution of the invention and its core idea. It should be pointed out that persons of ordinary skill in the art can make improvements and modifications to the invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the invention.