Summary of the invention
The object of the present invention is to provide a data encryption/decryption method and system that improve data security, avoid disrupting the normal operation of other systems associated with the application system, and improve the reliability of cryptographic operations.
A data encryption/decryption system comprises a processor, a first cipher card and a second cipher card. The processor is connected to the first cipher card and to the second cipher card respectively, and the same first user key is stored in the first cipher card and the second cipher card, wherein:
the processor is configured to, on receiving a processing request for business data, send the processing request to the first cipher card; determine whether first processing data corresponding to the business data are received from the first cipher card; if not, send the processing request to the second cipher card; and receive second processing data corresponding to the business data from the second cipher card; the processing request being an encryption processing request or a decryption processing request;
the first cipher card is configured to, on receiving the processing request, process the business data using the first user key, and obtain and return the first processing data;
the second cipher card is configured to, on receiving the processing request, process the business data using the first user key, and obtain and return the second processing data.
In a specific embodiment of the invention,
the first cipher card is further configured to, on receiving a first key generation instruction, generate and save a second user key, and synchronize the second user key to the second cipher card.
In a specific embodiment of the invention,
the first cipher card is specifically configured to, after generating the second user key, generate a symmetric key according to a preset generation rule; encrypt the second user key with the symmetric key to obtain first key data; encrypt the symmetric key with the public key of the second cipher card to obtain second key data; and send a ciphertext comprising the first key data and the second key data to the second cipher card;
the second cipher card is further configured to receive the ciphertext; decrypt the second key data with its own private key to obtain the symmetric key; and decrypt the first key data with the symmetric key to obtain and save the second user key.
In a specific embodiment of the invention,
the processor is further configured to mark the first cipher card as a bad card on determining that the first processing data corresponding to the business data have not been received from the first cipher card.
In a specific embodiment of the invention,
the processor is further configured to detect, at a set time interval, whether the first cipher card has been repaired; and if so, send a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes its currently stored user key to the first cipher card.
A data encryption/decryption method is applied to a processor, the processor being connected to a first cipher card and a second cipher card respectively, and the same first user key being stored in the first cipher card and the second cipher card. The data encryption/decryption method comprises:
receiving a processing request for business data, the processing request being an encryption processing request or a decryption processing request;
sending the processing request to the first cipher card, so that the first cipher card, on receiving the processing request, processes the business data using the first user key, and obtains and returns first processing data;
determining whether the first processing data are received;
if not, sending the processing request to the second cipher card, so that the second cipher card, on receiving the processing request, processes the business data using the first user key, and obtains and returns second processing data;
receiving the second processing data.
In a specific embodiment of the invention, the method further comprises:
sending a first key generation instruction to the first cipher card, so that the first cipher card, on receiving the first key generation instruction, generates and saves a second user key, and synchronizes the second user key to the second cipher card.
In a specific embodiment of the invention, the method further comprises:
sending a first key synchronization instruction to the first cipher card, so that the first cipher card, after generating the second user key, generates a symmetric key according to a preset generation rule; encrypts the second user key with the symmetric key to obtain first key data; encrypts the symmetric key with the public key of the second cipher card to obtain second key data; and sends a ciphertext comprising the first key data and the second key data to the second cipher card; so that the second cipher card decrypts the second key data with its own private key to obtain the symmetric key, and decrypts the first key data with the symmetric key to obtain and save the second user key.
In a specific embodiment of the invention, the method further comprises:
marking the first cipher card as a bad card on determining that the first processing data have not been received.
In a specific embodiment of the invention, the method further comprises:
detecting, at a set time interval, whether the first cipher card has been repaired;
if so, sending a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes its currently stored user key to the first cipher card.
With the technical solution provided by the embodiments of the present invention, important data such as the user key are kept in hot standby at the hardware level by two cipher cards. When one cipher card fails, the other cipher card can be used directly to encrypt or decrypt the business data, so that the business data are processed continuously and without interruption. This avoids a large backlog of data awaiting encryption in the application system and improves data security; at the same time it avoids encrypted business data remaining unreadable for a long time, which would disrupt the normal operation of other systems associated with the application system, and so improves the reliability of cryptographic operations.
Specific embodiments
In order to enable those skilled in the art to better understand the solution of the present invention, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
Figure 1 is a structural schematic diagram of a data encryption/decryption system provided by an embodiment of the present invention. The system comprises a processor 110, a first cipher card 120 and a second cipher card 130. The processor 110 is connected to the first cipher card 120 and to the second cipher card 130 respectively, and the same first user key is stored in the first cipher card 120 and the second cipher card 130, wherein:
the processor 110 is configured to, on receiving a processing request for business data, send the processing request to the first cipher card 120; determine whether first processing data corresponding to the business data are received from the first cipher card 120; if not, send the processing request to the second cipher card 130; and receive second processing data corresponding to the business data from the second cipher card 130; the processing request being an encryption processing request or a decryption processing request;
the first cipher card 120 is configured to, on receiving the processing request, process the business data using the first user key, and obtain and return the first processing data;
the second cipher card 130 is configured to, on receiving the processing request, process the business data using the first user key, and obtain and return the second processing data.
The data encryption/decryption system provided by this embodiment of the present invention comprises a processor 110, a first cipher card 120 and a second cipher card 130. The processor 110 is connected to the first cipher card 120 and to the second cipher card 130 respectively. The first cipher card 120 and the second cipher card 130 can act as backup cards for each other, and the same first user key is stored in both. The processor 110 may expose several API interfaces with different functions; when the processor 110 needs to communicate with the first cipher card 120 or the second cipher card 130, it does so by calling the corresponding API interface. The first cipher card 120 and the second cipher card 130 may specifically be PCI-E (PCI Express, a new-generation bus interface) cipher cards.
The data encryption/decryption system provided by this embodiment can be connected to an application system. The application system includes a data server, and the data server is connected to the processor 110. The data server can receive business data input from other systems or from users. To enhance the security of the business data, the business data can be encrypted by the first cipher card 120 or the second cipher card 130 before being stored; conversely, when encrypted business data that have already been stored need to be read, they are decrypted by the first cipher card 120 or the second cipher card 130.
The processor 110 can receive a processing request for business data sent by a requesting party such as the data server or another user; the processing request can be an encryption processing request or a decryption processing request. For business data to be encrypted, the processing request is an encryption processing request; for encrypted business data to be read, the processing request is a decryption processing request.
On receiving a processing request for business data, the processor 110 can send the processing request to the first cipher card 120. In practice, the processor 110 may select one cipher card at random to respond to the processing request. Alternatively, a label may be set for each cipher card in advance when the cipher cards are initialized, for example labelling the first cipher card 120 as the main card and the second cipher card 130 as the secondary card. In that case, when the processor 110 receives a processing request for business data, it sends the request to the first cipher card 120, which carries the main-card label.
When the first cipher card 120 receives the processing request and is in a normal working state, it can process the business data using the first user key, and obtain and return the first processing data. If the processing request is an encryption request, the first cipher card 120 encrypts the business data using the first user key, and the first processing data are the encrypted business data. If the processing request is a decryption request, the first cipher card 120 decrypts the business data using the first user key, and the first processing data are the decrypted business data.
If the first cipher card 120 has failed, it cannot process the business data: it may return no information at all to the processor 110 for that business data, or it may return abnormal data such as garbled bytes.
After sending the processing request to the first cipher card 120, the processor 110 can determine, once a set time interval has elapsed, whether the first processing data corresponding to the business data have been received from the first cipher card 120.
If the first processing data are received, they can be returned to the requesting party.
If the first processing data are not received, or abnormal data are received, it can be determined that the first cipher card 120 has failed and can no longer be used to process the business data. In this case, the processor 110 can send the processing request to the second cipher card 130.
Because the first user key stored in the second cipher card 130 is identical to the first user key stored in the first cipher card 120, the second cipher card 130 can, on receiving the processing request, process the business data using the first user key, obtain the second processing data, and return them to the processor 110.
After the processor 110 receives the second processing data, it can return them to the requesting party, completing the encryption or decryption of the business data.
With the system provided by this embodiment of the present invention, important data such as the user key are kept in hot standby at the hardware level by the two cipher cards. When one cipher card fails, the other cipher card can be used directly to encrypt or decrypt the business data, so that the business data are processed continuously and without interruption. This avoids a large backlog of data awaiting encryption in the application system and improves data security; at the same time it avoids encrypted business data remaining unreadable for a long time, which would disrupt the normal operation of other systems associated with the application system, and so improves the reliability of cryptographic operations.
It should be noted that the data encryption/decryption system provided by this embodiment may also include more cipher cards, the cipher cards backing each other up to ensure the encryption and decryption of the business data.
In one embodiment of the invention, the first cipher card 120 is further configured to:
on receiving a first key generation instruction, generate and save a second user key, and synchronize the second user key to the second cipher card 130.
In practice, the user key can be updated periodically to enhance data security.
When the first cipher card 120 receives a first key generation instruction sent by the processor 110 or by a user, it can generate and save a second user key. Specifically, the first cipher card 120 can generate the second user key according to a preset user key generation rule. When the first cipher card 120 subsequently receives new business data to be encrypted, it can encrypt the new business data using the second user key.
Similarly, the first user key can also be generated in this way.
The user key generation rule can be preset, for example generation based on the current date, or generation based on a keyword specified by the user; the embodiments of the present invention do not limit it.
After the first cipher card 120 generates the second user key, it can synchronize the second user key to the second cipher card 130, so that the user keys in the first cipher card 120 and the second cipher card 130 remain consistent. Alternatively, it synchronizes the second user key to the second cipher card 130 on receiving a key synchronization instruction from the processor 110.
In one embodiment of the invention, the first cipher card 120 can synchronize the second user key to the second cipher card 130 by the following steps:
Step 1: after generating the second user key, the first cipher card 120 generates a symmetric key according to a preset generation rule, for example by random generation. The symmetric key is used only to encrypt the second user key that has just been generated and can be discarded afterwards.
Step 2: the first cipher card 120 encrypts the second user key with the symmetric key to obtain first key data.
Step 3: the first cipher card 120 encrypts the symmetric key with the public key of the second cipher card 130 to obtain second key data. The first cipher card 120 and the second cipher card 130 can each generate an asymmetric key pair at initialization and provide the public key of that pair to the other card. The public key of the second cipher card 130 is the public key of the asymmetric key pair generated by the second cipher card 130 at initialization.
Step 4: the first cipher card 120 sends a ciphertext comprising the first key data and the second key data to the second cipher card 130.
Step 5: the second cipher card 130 receives the ciphertext and obtains the first key data and the second key data from it.
Step 6: the second cipher card 130 decrypts the second key data with its own private key to obtain the symmetric key. Because the second key data were produced by encrypting the symmetric key with the public key of the second cipher card 130, the second cipher card 130 can decrypt them with its own private key and recover the symmetric key.
Step 7: the second cipher card 130 decrypts the first key data with the symmetric key, and obtains and saves the second user key.
In this way, the first cipher card 120 and the second cipher card 130 complete the synchronization of the second user key.
Synchronizing the user key in this digital envelope manner effectively protects the user key in transit and reduces the risk of its being intercepted and modified during transmission.
Of course, those skilled in the art can also synchronize the user keys of the first cipher card 120 and the second cipher card 130 by other methods, such as direct transmission; the embodiments of the present invention do not limit this.
In one embodiment of the invention, the processor 110 is further configured to mark the first cipher card 120 as a bad card on determining that the first processing data corresponding to the business data have not been received from the first cipher card 120.
When the processor 110 determines that the first processing data have not been received, it can conclude that the first cipher card 120 has failed and mark the first cipher card 120 as a bad card. Then, when the processor 110 next receives a processing request for business data, it can send the request directly to the second cipher card 130, providing continuous service.
If the first cipher card 120 was initially labelled as the main card and the second cipher card 130 as the secondary card, the processor 110, on determining that the first cipher card 120 has failed, can update the label of the first cipher card 120 to bad card and the label of the second cipher card 130 to main card.
In one embodiment of the invention, the processor 110 is further configured to detect, at a set time interval, whether the first cipher card 120 has been repaired; and if so, send a second key synchronization instruction to the second cipher card 130, so that the second cipher card 130 synchronizes its currently stored user key to the first cipher card 120.
In this embodiment of the present invention, the processor 110 can check at a set time interval whether the first cipher card 120 has been repaired. If it detects that the first cipher card 120 has been repaired, it can clear the bad-card label of the first cipher card 120, or update the label of the first cipher card 120 to secondary card, making it the standby card for the second cipher card 130.
At the same time, the processor 110 can send a second key synchronization instruction to the second cipher card 130. According to the second key synchronization instruction, the second cipher card 130 synchronizes its currently stored user key to the first cipher card 120. Then, should the second cipher card 130 fail, the first cipher card 120 can be used to continue processing the business data, providing uninterrupted encryption and decryption service.
The specific method of synchronizing the user key can follow the process described above for synchronizing the user key from the first cipher card 120 to the second cipher card 130, and is not repeated here.
Corresponding to the system embodiment above, an embodiment of the present invention also provides a data encryption/decryption method. The method is applied to a processor, the processor being connected to a first cipher card and a second cipher card respectively, and the same first user key being stored in the first cipher card and the second cipher card.
As shown in Figure 2, the data encryption/decryption method comprises the following steps:
S210: receiving a processing request for business data, the processing request being an encryption processing request or a decryption processing request.
The processor can receive a processing request for business data sent by a requesting party such as the data server or another user; the processing request can be an encryption processing request or a decryption processing request. For business data to be encrypted, the processing request is an encryption processing request; for encrypted business data to be read, the processing request is a decryption processing request.
S220: sending the processing request to the first cipher card, so that the first cipher card, on receiving the processing request, processes the business data using the first user key, and obtains and returns first processing data.
On receiving a processing request for business data, the processor can send the processing request to the first cipher card. In practice, the processor may select one cipher card at random to respond to the processing request. Alternatively, a label may be set for each cipher card in advance when the cipher cards are initialized, for example labelling the first cipher card as the main card and the second cipher card as the secondary card. In that case, when the processor receives a processing request for business data, it sends the request to the first cipher card, which carries the main-card label.
When the first cipher card receives the processing request and is in a normal working state, it can process the business data using the first user key, and obtain and return the first processing data. If the processing request is an encryption request, the first cipher card encrypts the business data using the first user key, and the first processing data are the encrypted business data. If the processing request is a decryption request, the first cipher card decrypts the business data using the first user key, and the first processing data are the decrypted business data.
If the first cipher card has failed, it cannot process the business data: it may return no information at all to the processor for that business data, or it may return abnormal data such as garbled bytes.
S230: determining whether the first processing data are received.
After sending the processing request to the first cipher card, the processor can determine, once a set time interval has elapsed, whether the first processing data corresponding to the business data have been received from the first cipher card.
If the first processing data are received, they can be returned to the requesting party.
If the first processing data are not received, or abnormal data are received, it can be determined that the first cipher card has failed and can no longer be used to process the business data. In this case, step S240 is executed.
S240: sending the processing request to the second cipher card, so that the second cipher card, on receiving the processing request, processes the business data using the first user key, and obtains and returns second processing data.
When the processor determines that the first processing data have not been received, it can send the processing request to the second cipher card. Because the first user key stored in the second cipher card is identical to the first user key stored in the first cipher card, the second cipher card can, on receiving the processing request, process the business data using the first user key, obtain the second processing data, and return them to the processor.
S250: receiving the second processing data.
After the processor receives the second processing data, it can return them to the requesting party, completing the encryption or decryption of the business data.
With the method provided by this embodiment of the present invention, important data such as the user key are kept in hot standby at the hardware level by the two cipher cards. When one cipher card fails, the other cipher card can be used directly to encrypt or decrypt the business data, so that the business data are processed continuously and without interruption. This avoids a large backlog of data awaiting encryption in the application system and improves data security; at the same time it avoids encrypted business data remaining unreadable for a long time, which would disrupt the normal operation of other systems associated with the application system, and so improves the reliability of cryptographic operations.
In one embodiment of the invention, the method further comprises:
sending a first key generation instruction to the first cipher card, so that the first cipher card, on receiving the first key generation instruction, generates and saves a second user key, and synchronizes the second user key to the second cipher card.
The processor can send the first key generation instruction to the first cipher card when a preset trigger condition is met, or when a user instruction is received.
When the first cipher card receives the first key generation instruction sent by the processor, it can generate and save the second user key. Specifically, the first cipher card can generate the second user key according to a preset user key generation rule. When the first cipher card subsequently receives new business data to be encrypted, it can encrypt the new business data using the second user key.
Similarly, the first user key can also be generated in this way.
The user key generation rule can be preset, for example generation based on the current date, or generation based on a keyword specified by the user; the embodiments of the present invention do not limit it.
After the first cipher card generates the second user key, it can synchronize the second user key to the second cipher card, so that the user keys in the first cipher card and the second cipher card remain consistent. Alternatively, it synchronizes the second user key to the second cipher card on receiving a key synchronization instruction from the processor.
In one embodiment of the invention, the method further comprises:
sending a first key synchronization instruction to the first cipher card, so that the first cipher card, after generating the second user key, generates a symmetric key according to a preset generation rule; encrypts the second user key with the symmetric key to obtain first key data; encrypts the symmetric key with the public key of the second cipher card to obtain second key data; and sends a ciphertext comprising the first key data and the second key data to the second cipher card; so that the second cipher card decrypts the second key data with its own private key to obtain the symmetric key, and decrypts the first key data with the symmetric key to obtain and save the second user key.
Synchronizing the user key in this digital envelope manner effectively protects the user key in transit and reduces the risk of its being intercepted and modified during transmission.
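The digital envelope exchange of this embodiment (and of steps 1 to 7 of the system embodiment of Figure 1) as an added, self-contained Go example; this is illustration code written for this page, not the patent's own code or firmware. RSA-2048 with OAEP for the second key data, AES-256-GCM for the first key data, random generation as the "preset generation rule" for both the second user key and the one-time symmetric key, and the names SyncCard, Envelope, GenerateAndSeal and Open are all assumptions of the example; the patent fixes none of them. A 2048-bit RSA-OAEP envelope with SHA-256 can carry at most 190 bytes, so the 32-byte symmetric key fits comfortably.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SyncCard is the key-synchronization side of one cipher card: its user key and
// the RSA key pair it generated at initialization (step 3). The private key never
// leaves the card; only the public key is handed to the peer.
type SyncCard struct {
	UserKey []byte
	priv    *rsa.PrivateKey
}

// NewSyncCard simulates card initialization. RSA-2048 is an assumption.
func NewSyncCard() (*SyncCard, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SyncCard{priv: priv}, nil
}

// Envelope is the step-4 ciphertext: FirstKeyData = AES-GCM(symKey, userKey),
// SecondKeyData = RSA-OAEP(peerPublicKey, symKey).
type Envelope struct{ FirstKeyData, SecondKeyData []byte }

// gcmFor returns an AES-256-GCM AEAD; the symmetric algorithm is an assumption.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateAndSeal performs steps 1-4 on the first card: generate the second user
// key (random generation is one rule the text allows), draw a one-time symmetric
// key, seal the user key under it, and wrap the symmetric key for the peer. The
// one-time key is dropped when the function returns.
func (c *SyncCard) GenerateAndSeal(peerPub *rsa.PublicKey) (Envelope, error) {
	newKey, oneTime, nonce := make([]byte, 32), make([]byte, 32), make([]byte, 12)
	for _, b := range [][]byte{newKey, oneTime, nonce} {
		if _, err := rand.Read(b); err != nil {
			return Envelope{}, err
		}
	}
	aead, err := gcmFor(oneTime)
	if err != nil {
		return Envelope{}, err
	}
	first := aead.Seal(nonce, nonce, newKey, nil) // nonce || ciphertext || tag
	second, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, oneTime, nil)
	if err != nil {
		return Envelope{}, err
	}
	c.UserKey = newKey // step 1: the first card saves the new key itself
	return Envelope{FirstKeyData: first, SecondKeyData: second}, nil
}

// Open performs steps 5-7 on the second card: recover the symmetric key with its
// own private key, then the user key, and save it. A tampered envelope fails the
// OAEP or GCM check instead of installing a wrong key.
func (c *SyncCard) Open(env Envelope) error {
	oneTime, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.priv, env.SecondKeyData, nil)
	if err != nil {
		return err
	}
	aead, err := gcmFor(oneTime)
	if err != nil {
		return err
	}
	n := aead.NonceSize()
	if len(env.FirstKeyData) < n {
		return errors.New("first key data too short")
	}
	newKey, err := aead.Open(nil, env.FirstKeyData[:n], env.FirstKeyData[n:], nil)
	if err != nil {
		return err
	}
	c.UserKey = newKey
	return nil
}

func main() {
	card1, _ := NewSyncCard()
	card2, _ := NewSyncCard()
	env, _ := card1.GenerateAndSeal(&card2.priv.PublicKey)
	err := card2.Open(env)
	fmt.Println("sync error:", err, "keys equal:", string(card1.UserKey) == string(card2.UserKey))
}
```

The GCM tag on the first key data and the OAEP padding check on the second key data are what give the "reduced risk of interception and modification" the text claims: a modified envelope, or one addressed to a different card's public key, is rejected before any key is saved, so the two cards never end up holding different keys silently.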
In one embodiment of the invention, the method further comprises:
marking the first cipher card as a bad card on determining that the first processing data have not been received.
When the processor determines that the first processing data have not been received, it can conclude that the first cipher card has failed and mark the first cipher card as a bad card. Then, when the processor next receives a processing request for business data, it can send the request directly to the second cipher card, providing continuous service.
If the first cipher card was initially labelled as the main card and the second cipher card as the secondary card, the processor, on determining that the first cipher card has failed, can update the label of the first cipher card to bad card and the label of the second cipher card to main card.
In one embodiment of the invention, the method further comprises:
a first step: detecting, at a set time interval, whether the first cipher card has been repaired, and if so, executing the second step;
a second step: sending a second key synchronization instruction to the second cipher card, so that the second cipher card synchronizes its currently stored user key to the first cipher card.
In this embodiment of the present invention, the processor can check at a set time interval whether the first cipher card has been repaired. If it detects that the first cipher card has been repaired, it can clear the bad-card label of the first cipher card, or update the label of the first cipher card to secondary card, making it the standby card for the second cipher card.
At the same time, the processor can send a second key synchronization instruction to the second cipher card. According to the second key synchronization instruction, the second cipher card synchronizes its currently stored user key to the first cipher card. Then, should the second cipher card fail, the first cipher card can be used to continue processing the business data, providing uninterrupted encryption and decryption service.
The specific method of synchronizing the user key can follow the process described above for synchronizing the user key from the first cipher card to the second cipher card, and is not repeated here.
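The processor's side of the method (steps S210 to S250 of Figure 2, the bad-card labelling and main/secondary role update, and the periodic repair check with key re-synchronization, all of which mirror the processor 110 of the Figure 1 system) as an added Go example written for this page; it is not the patent's own code. The names Card, Processor, Handle and CheckRepair, AES-256-GCM as the cards' cipher, a constructed 32-byte demo key, and the Faulty flag that stands in for a hardware failure are assumptions of the example. The set time interval the processor waits for first processing data is modelled as an immediate "no response" error from a faulty card, and CheckRepair copies the key directly, the simpler direct-transfer method the text allows, rather than repeating the digital envelope shown above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card models one cipher card holding the shared user key; Faulty simulates a
// hardware fault, after which the card returns nothing usable to the processor.
type Card struct {
	Name    string
	UserKey []byte
	Faulty  bool
}

// Process serves an "encrypt" or "decrypt" request with the card's user key using
// AES-256-GCM (nonce||ciphertext||tag; the algorithm is an assumption of this example).
func (c *Card) Process(op string, data []byte) ([]byte, error) {
	if c.Faulty {
		return nil, errors.New(c.Name + ": no response")
	}
	block, err := aes.NewCipher(c.UserKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	switch op {
	case "encrypt":
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return aead.Seal(nonce, nonce, data, nil), nil
	case "decrypt":
		if len(data) < n {
			return nil, errors.New("ciphertext too short")
		}
		return aead.Open(nil, data[:n], data[n:], nil) // tag check rejects garbled input
	}
	return nil, errors.New("unknown request " + op)
}

// Processor keeps the main/secondary roles and the bad-card labels.
type Processor struct {
	Main, Standby *Card
	BadCards      map[string]bool
}

// Handle sends the request to the main card (S220). If no valid first processing
// data come back (S230), it labels that card bad, promotes the secondary card to
// main, and resends the same request (S240); it returns the data and the producer.
func (p *Processor) Handle(op string, data []byte) ([]byte, string, error) {
	if out, err := p.Main.Process(op, data); err == nil && len(out) > 0 {
		return out, p.Main.Name, nil
	}
	p.BadCards[p.Main.Name] = true
	if p.BadCards[p.Standby.Name] {
		return nil, "", errors.New("both cipher cards are labelled bad")
	}
	p.Main, p.Standby = p.Standby, p.Main // label update: secondary becomes main
	out, err := p.Main.Process(op, data)
	if err != nil || len(out) == 0 {
		p.BadCards[p.Main.Name] = true
		return nil, "", errors.New("both cipher cards failed")
	}
	return out, p.Main.Name, nil
}

// CheckRepair is the periodic check. A bad standby card that responds again has
// its label cleared and receives the main card's current user key, so it can take
// over if the main card fails later. Direct key copy is a simplification here.
func (p *Processor) CheckRepair() bool {
	if !p.BadCards[p.Standby.Name] || p.Standby.Faulty {
		return false
	}
	delete(p.BadCards, p.Standby.Name)
	p.Standby.UserKey = append([]byte(nil), p.Main.UserKey...)
	return true
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed demo key, not a real one
	card1 := &Card{Name: "card1", UserKey: key}
	card2 := &Card{Name: "card2", UserKey: append([]byte(nil), key...)}
	p := &Processor{Main: card1, Standby: card2, BadCards: map[string]bool{}}
	ct, who, _ := p.Handle("encrypt", []byte("constructed business record"))
	card1.Faulty = true // main card fails before the decryption request arrives
	pt, who2, err := p.Handle("decrypt", ct)
	fmt.Printf("encrypted by %s, decrypted by %s: %q (err=%v)\n", who, who2, pt, err)
	card1.Faulty = false // card repaired; the periodic check takes it back and re-syncs
	fmt.Println("repaired and re-synced:", p.CheckRepair(), "bad cards:", p.BadCards)
}
```

Because a decryption of garbled input fails the GCM tag check, a card that answers with "abnormal data such as garbled bytes" is treated the same way as one that does not answer: the request fails over and the card is labelled bad. The same rule means a genuinely corrupted ciphertext also triggers failover, so a production processor would want to separate "card did not answer" from "card answered with an authentication failure" before labelling a card bad.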
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the method disclosed in the embodiments corresponds to the system disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the system.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or in software depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can be placed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium well known in the technical field.
Specific examples have been used herein to illustrate the principles and implementation of the present invention; the description of the above embodiments is only intended to help understand the technical solution of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principles, and these improvements and modifications also fall within the protection scope of the claims of the present invention.