CN106953917A - Method of data synchronization and system - Google Patents

Method of data synchronization and system Download PDF

Info

Publication number
CN106953917A
CN106953917A CN201710173982.8A CN201710173982A CN106953917A CN 106953917 A CN106953917 A CN 106953917A CN 201710173982 A CN201710173982 A CN 201710173982A CN 106953917 A CN106953917 A CN 106953917A
Authority
CN
China
Prior art keywords
data
lock
signs
ciphertext
issues
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710173982.8A
Other languages
Chinese (zh)
Other versions
CN106953917B (en
Inventor
孙吉平
钟灵剑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd filed Critical Beijing Senseshield Technology Co Ltd
Priority to CN201710173982.8A priority Critical patent/CN106953917B/en
Publication of CN106953917A publication Critical patent/CN106953917A/en
Application granted granted Critical
Publication of CN106953917B publication Critical patent/CN106953917B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a kind of method of data synchronization, including:S1, the ciphertext of the first data stored into the first equipment, the first data are and the first data that to sign and issue digital permission that system signs and issues to software protective lock related;S2, when create second sign and issue system when, the ciphertext for the first data that will be stored in the first equipment is sent to second and signs and issues system;S3, the second ciphertext for signing and issuing the first data that system docking is received are decrypted, and decrypt obtained the first data and are used as and the second data that to sign and issue digital permission that system signs and issues to software protective lock related.The present invention discloses a kind of data synchronous system.By the solution of the present invention, it can be easy to use or inconvenience uses first to sign and issue to use second to sign and issue system when system signs and issues digital permission to sign and issue digital permission, be conducive to maintaining to sign and issue being smoothed out for process.

Description

Method of data synchronization and system
Technical field
The present invention relates to data security arts, more particularly to a kind of method of data synchronization and system.
Background technology
Software enciphered lock is a kind of equipment for being protected to target software.Traditional software enciphered lock is used for hardware Family is locked, and digital permission mandate of the hand-manipulating of needle to target software is locked into hardware user using hardware controls lock by software developer. Nowadays, encryption lock function is transplanted to high in the clouds by many software enciphered lock manufacturers, and as cloud user lock, sign entitlement is also no longer Locked using traditional hardware controls, and use cloud trustship control lock.
However, software developer side once in Network Abnormal or without network in the environment of, will be unable to use cloud trustship control Lockmaking is that cloud user locks or hardware user lock sign entitlement.In addition, some software developers are also unwilling to reveal the cloud of our company Account information gives excessive employee.
The content of the invention
In view of this, the embodiments of the invention provide a kind of method of data synchronization and system, realize and use different label Hair system signs and issues software digital license based on same key data.
Method of data synchronization provided in an embodiment of the present invention includes:S1, the ciphertext of the first data stored to the first equipment In, the first data are and the first data that to sign and issue digital permission that system signs and issues to software protective lock related;S2, when create second When signing and issuing system, the ciphertext for the first data that will be stored in the first equipment is sent to second and signs and issues system;S3, second, which are signed and issued, is The ciphertext for the first data to receiving of uniting is decrypted, and decrypts the first obtained data and is used as signing and issuing system to software with second The data for the digital permission correlation that protection lock is signed and issued.
Data synchronous system provided in an embodiment of the present invention signs and issues system and second including first and signs and issues system.Wherein, One, which signs and issues system, includes:First signs and issues equipment, is configured to sign and issue digital permission to software protective lock;Encryption device, be configured to by To first the first data encryption that to sign and issue digital permission that equipment signs and issues related;Dispensing device, is configured to the close of the first data Text is stored into the first equipment.Second, which signs and issues system, includes:Second signs and issues equipment, is configured to sign and issue numeral to software protective lock and is permitted Can;Acquisition device, is configured to obtain the ciphertext of the first data from the first equipment;Ciphering and deciphering device, is configured to obtain acquisition device The ciphertext of the first data taken, which is decrypted, obtains the first data, and the first data, which are used as signing and issuing the numeral that equipment signs and issues with second, to be permitted Data that can be related.
In scheme provided in an embodiment of the present invention, establishment first is incited somebody to action while signing and issuing system (including cloud trustship control lock) Necessary key data encryption is preserved into database, when client has demand, then the key data of encryption is sent into second System is signed and issued, second signs and issues after system decryption key data, write-in second is signed and issued in equipment (such as hardware controls lock).By this hair The scheme that bright embodiment is provided, cloud trustship control lock and hardware controls lock will possess identical key data, and software developer is such as It is that hardware user lock or cloud user lock sign and issue software digital license to have specific demand then to use hardware controls lock, thus, firmly Part control lock can sign and issue software digital license with buyun trustship control lock so that software developer is in Network Abnormal or without network Still software digital license can be signed and issued under environment for user's lock.
Brief description of the drawings
Fig. 1 is the indicative flowchart of the method for data synchronization of the embodiment of the present invention;
Fig. 2 is the indicative flowchart of an example of the specific steps of S3 steps in Fig. 1;
Fig. 3 is the indicative flowchart of an example of the specific steps of S32 steps in Fig. 2;
Fig. 4 is the indicative flowchart of another example of the specific steps of S3 steps in Fig. 1;
Fig. 5 is the indicative flowchart of an example of the specific steps of S34 steps in Fig. 4;
Fig. 6 is the schematic block diagram of the data synchronous system of the embodiment of the present invention.
Embodiment
Embodiments of the invention are described in detail with reference to the accompanying drawings.
Fig. 1 is the indicative flowchart of the method for data synchronization of the embodiment of the present invention
As shown in figure 1, the method for data synchronization of the embodiment of the present invention includes:
S1, the ciphertext of the first data stored into the first equipment, the first data are protected to sign and issue system with first to software The data for the digital permission correlation that shield lock is signed and issued;
First to sign and issue system can be that system is signed and issued in high in the clouds or hardware signs and issues system.Exemplified by system being signed and issued by high in the clouds, high in the clouds The system of signing and issuing may include such as cloud trustship control lock.Software protective lock can be that hardware user lock can also be cloud user lock. Cloud trustship control lock can be used to sign and issue digital permission to cloud user lock, may also be used for signing and issuing numeral to hardware user lock and being permitted Can.First data can include signing and issuing with cloud trustship control lock such as key data, configuration parameter, secure communication related data The related data of digital permission.The ciphertext of first data is stored while can signing and issuing system creation beyond the clouds to the first equipment In, can also sign and issue beyond the clouds occur during use after system creation network it is unavailable or other in the case of need to use hardware label The ciphertext of the first data is stored into the first equipment temporarily during hair system.Here the first equipment can be cloud database or Any kind of movable storage device of person.
S2, when create second sign and issue system when, the ciphertext for the first data that will be stored in the first equipment is sent to second Sign and issue system;
When in order to realize that first signs and issues the same function of system and when creating second and signing and issuing system, the first equipment will be stored in In the ciphertexts of the first data be sent to second and sign and issue system.Second to sign and issue system can be that hardware signs and issues system or high in the clouds is signed and issued System.So that hardware signs and issues system as an example, hardware, which signs and issues system, may include such as hardware controls lock.Hardware controls lock can be used to Hardware user lock signs and issues digital permission, may also be used for signing and issuing digital permission to cloud user lock.
S3, the second ciphertext for signing and issuing the first data that system docking is received are decrypted, and decrypt the first obtained data and use Make and the second data that to sign and issue digital permission that system signs and issues to software protective lock related.
Second, which signs and issues system, is received to be decrypted after the ciphertext of the first data and obtains the first data, and the first data are used Make the data of digital permission correlation signed and issued software protective lock so that second signs and issues when system signs and issues digital permission or signed and issued Digital permission need the related data used to sign and issue signing and issuing or using for the digital permission that system is signed and issued with first when in use Related data are consistent.
The embodiment of the present invention to be signed and issued first be used in system and the device of the first data encryption and second signed and issued in system The type for the device being decrypted for the ciphertext to the first data is not restricted, and is as long as can possess to sign and issue with digital permission The suitable security performance of system.As a kind of embodiment, first signs and issues the device for being used to encrypt and the second label in system The device for being used to decrypt in hair system can be encrypted card.For example, the first encrypted card and hardware that system is signed and issued in high in the clouds are signed and issued Prestored in second encrypted card of system a pair can encryption and decryption mutually key, wherein the key storage for encryption is in the first encryption In card, the key storage for decryption is in the second encrypted card.Encrypted card is able to ensure that key can only be used inside encrypted card, Need that encryption and decryption will be carried out in the incoming encrypted card of data during to data encrypting and deciphering, ensure that the safety of key.
By the method for the embodiment of the present invention, to signing and issuing or using related data in cloud trustship control lock for digital permission Consistent with being in hardware controls lock, such as network appearance is abnormal, it is impossible to using cloud trustship control lock, hardware controls can be used to lock It is that hardware user lock or cloud user lock sign and issue software digital license.In the case of network is normal, then cloud trustship control can be used Any one in lock or hardware controls lock is that hardware user lock or cloud user lock sign and issue digital permission.Thus, hardware controls lock energy It is enough to sign and issue software digital license with buyun trustship control lock so that software developer under Network Abnormal or without network environment still Software digital license can be signed and issued for user's lock.
In an embodiment of the invention, in S3 steps, second signs and issues after ciphertext and the decryption that system obtains the first data, One or more data that the first obtained data include can at the same time or separately be encrypted, and will encrypt obtain one or Multiple ciphertexts are sent to software protective lock, obtain said one or multiple data after being decrypted by software protective lock to ciphertext and protect Deposit.So may be such that second sign and issue in software protective lock of the system with signing and issuing object as it with unanimously with digital permission phase The data of pass, and then to sign and issue the software protective lock for signing and issuing object of system and as the second label for signing and issuing system as first Sending out has the consistent data related to digital permission in the software protective lock of object, it is ensured that sign and issue system synchronization for two and sign and issue The uniformity of operating result.
In another embodiment of the invention, in S3 steps, second, which signs and issues system, is obtaining the ciphertext and solution of the first data After close, before data ciphertext is sent to software protective lock, first software can will be write to the first digital certificate of CA system applications Protection lock, after software protective lock is to the success of the first digital certificate authentication, then at least one data that the first data are included Encrypt at the same time or separately, and one or more ciphertexts that encryption is obtained are sent to software protective lock, by software protective lock to close Said one or multiple data are obtained after text decryption and are preserved.As an example, it can be included and second in the first digital certificate The corresponding public key of private key used during system encryption at least one data is signed and issued, so that software protective lock can use the first number Word certificate obtains at least one data to the cryptogram validation of at least one data and decryption and preserved.So it is able to ensure that the Two sign and issue the security that system sends digital permission related data to software protective lock, while ensure that two are signed and issued system synchronization Sign and issue the uniformity of operating result.
Fig. 2 is the indicative flowchart of an example of the specific steps of S3 steps in Fig. 1.
In the embodiment depicted in figure 2, the first data may include the first salt figure, and the first salt figure for example may participate in generation and be used for adding The key of decryption software critical data, software critical data is some necessary data of running software, is generally stored securely in In software protective lock.In embodiments of the present invention, for example can be by the first salt figure and digital permission information or other tentation datas The key of encryption and decryption software piece critical data is generated after assembling.In S31 steps shown in Fig. 2, second signs and issues system can be by first The first salt figure write-in second in one or more data that the ciphertext of data is obtained after being decrypted is signed and issued signing and issuing for system and set In standby, such as hardware, which signs and issues system and will decrypt obtained the first salt figure, to be write in produced hardware controls lock, is then walked in S32 In rapid, it can be signed and issued by this after equipment encrypted using private key to the first salt figure, the ciphertext of the first salt figure is sent to software and protected Shield lock.By the present embodiment, it may be such that the first sign and issue equipment and the second equipment of signing and issuing for signing and issuing system for signing and issuing system has phase Same salt figure, while so that signing and issuing the software protective lock for signing and issuing object of system and as the second label for signing and issuing system as first Sending out also has identical salt figure in the software protective lock of object.
Fig. 3 is the indicative flowchart of an example of the specific steps of S32 steps in Fig. 2.
As shown in figure 3, the S32 steps shown in Fig. 2 specifically may include:
S321, by the first digital certificate write software protective lock in;
First digital certificate can sign and issue equipment from second and be obtained to the application of CA systems.Such as hardware controls, which are locked in, to be manufactured A pair of RSA unsymmetrical key of generation in Cheng Zhong, lock, wherein private key do not go out lock to ensure safety, are given birth to using public key information therein Into certificate request file CSR to CA system application certificates, to obtain the first digital certificate, so that the public key information of hardware controls lock Included in the first digital certificate.During production hardware user lock, hardware controls lock writes first digital certificate In hardware user lock.
S322, software protective lock are verified to the first digital certificate;
A series of root certificates of CA systems are prefixed in hardware user lock, available for verifying the first digital certificate.
If S323, software protective lock sign and issue equipment by the ciphertext of the first salt figure to the success of the first digital certificate authentication It is sent to software protective lock;
If hardware user Lock Lee verifies that the first digital certificate passes through with preset root certificate, hardware controls lock is by the The ciphertext of one salt figure is sent to hardware user lock, and the private key that the ciphertext can use hardware controls to lock is encrypted to the first salt figure Arrive.
S323, software protective lock obtain the first salt figure using the first digital certificate to the cryptogram validation of the first salt figure and decryption And preserve.
Hardware controls in the first digital certificate can be used to lock public key information to connecing from signing and issuing equipment for such as hardware user lock The cryptogram validation of the first salt figure received and decryption obtains the first salt figure and preserved.
By the embodiment of the present invention, the process that the first salt figure is securely written into hardware user lock is realized.Certainly, here Although being come with hardware user lock for example, but can also be locked the first salt figure feeding using similar mode for cloud user lock It is interior.
Fig. 4 is the indicative flowchart of another example of the specific steps of S3 steps in Fig. 1.In embodiment illustrated in fig. 4 In, the first data can include the first private key, and the first private key can be used for during based on digital permission runs software The safe key of secured communication channel is set up, such as setting up direct or indirect between the software and software protective lock of operation Encrypted communication channel.Second signs and issues after the first private key encryption obtained after the ciphertext to the first data can be decrypted for system The ciphertext of first private key is sent to software protective lock, equipment is to the first data such as hardware signs and issues system using encrypted card Ciphertext decryption is obtained after the first private key, can re-start encryption to first private key with the private key of itself by hardware controls lock, and When producing hardware user lock, the ciphertext of the first private key is sent to hardware user lock, hardware user lock pair by hardware controls lock The first private key is stored after the ciphertext decryption of first private key.By the present embodiment, it may be such that signing and issuing system through first signs and issues The software protective lock of digital permission and sign and issue system through second and sign and issue the software protective lock of digital permission there is identical private key.
In an embodiment of the invention, the first data can include the first salt figure and the first private key simultaneously.As shown in Figure 2 The step of can merge progress with step as shown in Figure 4, that is to say, that second signs and issues the ciphertext that system receives the first data Afterwards, available first salt figure and the first private key are decrypted, the signing and issuing in equipment of system is signed and issued in first salt figure write-in second, and by the Ciphertext is sent to software protective lock by one private key and the first salt figure after encrypting at the same time or separately, and software protective lock is close to what is received The first private key and the first salt figure are obtained after text decryption and are preserved.
In another embodiment, it can also be deposited in addition to storing the ciphertext of the first data in the first equipment The first public key is contained, the first public key and the first private key are a pair of secret keys being mutually matched, and the first public key is reinstated with the first private key one In setting up secured communication channel when based on digital permission runs software, such as between protected software and software security system The data of transmission are encrypted when being communicated, software security system may include to install software license clothes on the terminal device Business application program.First public key can be compiled into the SDK (SDKs that digital permission provider is distributed to software developer Bag) in order to using.
In embodiments of the present invention, it for example can be to be calculated using ECC algorithm to be included in the first private key in the first data Obtained ECC private keys etc..
Fig. 5 is the indicative flowchart of an example of the specific steps of S34 steps in Fig. 4.
In the embodiment shown in fig. 5, the S34 steps shown in Fig. 4 can specifically include:
S341, by the first digital certificate write software protective lock in;
First digital certificate can sign and issue equipment from second and be obtained to the application of CA systems.Such as hardware controls, which are locked in, to be manufactured A pair of RSA unsymmetrical key of generation in Cheng Zhong, lock, wherein private key do not go out lock to ensure safety, are given birth to using public key information therein Into certificate request file CSR to CA system application certificates, to obtain the first digital certificate, so that the public key information of hardware controls lock Included in the first digital certificate.During production hardware user lock, hardware controls lock writes first digital certificate In hardware user lock.
S342, software protective lock are verified to the first digital certificate;
A series of root certificates of CA systems are prefixed in hardware user lock, available for verifying the first digital certificate.
If S343, software protective lock sign and issue equipment by the ciphertext of the first private key to the success of the first digital certificate authentication It is sent to software protective lock.
If hardware user Lock Lee verifies that the first digital certificate passes through with preset root certificate, hardware controls lock is by the The ciphertext of one private key is sent to hardware user lock, and the private key that the ciphertext can use hardware controls to lock is obtained to the first private key encryption Arrive.
S344, software protective lock obtain the first private key using the first digital certificate to the cryptogram validation of the first private key and decryption And preserve.
Hardware user lock can use the hardware controls in the first digital certificate to lock ciphertext of the public key information to the first private key Verify and decrypt and obtain the first private key and preserve.
By the embodiment of the present invention, the process that the first private key is securely written into hardware user lock is realized.Certainly, here Although being come with hardware user lock for example, but can also be locked the first private key feeding using similar mode for cloud user lock It is interior.
Fig. 6 is the schematic block diagram of the data synchronous system of the embodiment of the present invention.
Signed and issued as shown in figure 4, the data synchronous system of the embodiment of the present invention can sign and issue system 10 and second including first System 20, first, which signs and issues system 10 and second, signs and issues system 20 and may be connected to the first equipment 30.
First, which signs and issues system 10, to sign and issue equipment 11, encryption device 12 and dispensing device 13 including first.First signs and issues Equipment 11 is configured to sign and issue digital permission to software protective lock, and encryption device 12 is configured to that the number that equipment is signed and issued will be signed and issued with first The first related data encryption of word license, dispensing device 13 is configured to send the ciphertext of the first data into the first equipment 30 and deposited Storage.
Second, which signs and issues system 20, to sign and issue equipment 21, ciphering and deciphering device 22 and acquisition device 23 including second.Second label Hair equipment 21 is configured to sign and issue digital permission to software protective lock, and acquisition device 23 is configured to obtain the first number from the first equipment 30 According to ciphertext, the ciphertext that ciphering and deciphering device 22 is configured to the first data obtained to acquisition device 23 is decrypted and obtains the first number System is signed and issued according to, the first data by second to be used as and the second data that to sign and issue digital permission that equipment 21 signs and issues related.
In embodiments of the present invention, first to sign and issue system can be that system is signed and issued in high in the clouds or hardware signs and issues system.With high in the clouds Sign and issue exemplified by system, system is signed and issued in high in the clouds may include such as cloud trustship control lock.Software protective lock can be hardware user lock It can be cloud user lock.Cloud trustship control lock can be used to sign and issue digital permission to cloud user lock, may also be used for hardware User's lock signs and issues digital permission.First data can include such as key data, configuration parameter, secure communication related data with The data for the digital permission correlation that cloud trustship control lock is signed and issued.First equipment 30 can be cloud database or any kind of Movable storage device.
In embodiments of the present invention, second to sign and issue system can be that hardware signs and issues system or system is signed and issued in high in the clouds.With hardware Sign and issue exemplified by system, hardware, which signs and issues system, may include such as hardware controls lock.Hardware controls lock can be used to lock to hardware user Digital permission is signed and issued, may also be used for signing and issuing digital permission to cloud user lock.
In embodiments of the present invention, the first encryption device 12 and second signed and issued in system 10 signs and issues in system 20 plus solution Close device 22 can be encrypted card.For example, the first encrypted card and hardware that system is signed and issued in high in the clouds sign and issue the second encrypted card of system In prestore a pair can encryption and decryption mutually key, wherein the key storage for encryption is in the first encrypted card, for decryption Key storage is in the second encrypted card.
By the system of the embodiment of the present invention, hardware controls lock can sign and issue software digital with buyun trustship control lock and be permitted Can so that software developer still can sign and issue software digital license under Network Abnormal or without network environment for user's lock.
In an embodiment of the invention, the second sign and issue that equipment 21 is configurable to include the first data one or Multiple data are encrypted at the same time or separately, and one or more ciphertexts that encryption is obtained are sent to software protective lock, are protected by software Shield lock obtains said one or multiple data after being decrypted to ciphertext and preserved.It so may be such that second signs and issues system with being signed as it Sending out has the consistent data related to digital permission in the software protective lock of object, and then to sign and issue system as first The software protective lock of signing and issuing object it is consistent with having in the software protective lock for signing and issuing object that system is signed and issued as second with number The related data of word license, it is ensured that two are signed and issued the uniformity that system synchronization signs and issues operating result.
In another embodiment, second sign and issue equipment 21 be configurable to obtain the first data ciphertext simultaneously , can be first soft by the first digital certificate write-in to CA system applications before data ciphertext is sent to software protective lock after decryption Part protection lock, after software protective lock is to the success of the first digital certificate authentication, then at least one number that the first data are included According to encrypting at the same time or separately, and obtained one or more ciphertexts will be encrypted it is sent to software protective lock, by software protective lock pair Said one or multiple data are obtained after ciphertext decryption and are preserved.It can be included as an example, in the first digital certificate and the Two sign and issue the corresponding public key of private key used during system encryption at least one data, so that software protective lock can use first Digital certificate obtains at least one data to the cryptogram validation of at least one data and decryption and preserved.So it is able to ensure that Second, which signs and issues system, sends the security of digital permission related data to software protective lock, while ensure that two, to sign and issue system same Step signs and issues the uniformity of operating result.
In an embodiment of the invention, the first data can include the first salt figure, and the first salt figure for example may participate in generation For the key of encryption and decryption software piece critical data.Ciphering and deciphering device 22 is configurable to the ciphertext to the first data being decrypted Equipment 21 is signed and issued in the first salt figure write-in second obtained afterwards.Second, which signs and issues equipment 21, can be further configured to add the first salt figure The close ciphertext for obtaining the first salt figure, and the ciphertext of the first salt figure is sent to software protective lock.By the present embodiment, may be such that One, which signs and issues the first of system 10, signs and issues equipment 11 and second and signs and issues the second of system 20 and sign and issue equipment 21 with identical salt figure.
In another embodiment, the first data include being used to set up peace when based on digital permission runs software First private key of full tunnel, ciphering and deciphering device 22 is configurable to obtain the first private after the ciphertext of the first data is decrypted Key, second sign and issue equipment 21 can be further configured to it is private by first after the first private key encryption for will being obtained from ciphering and deciphering device 22 The ciphertext of key is sent to software protective lock.By the present embodiment, it may be such that signing and issuing system 10 through first signs and issues the soft of digital permission Part protection lock and sign and issue system 20 through second and sign and issue the software protective lock of digital permission there is identical private key.
In embodiments of the present invention, second sign and issue equipment 21 be configurable to by the first digital certificate write software protection Lock, and be configured to after software protective lock is to the success of the first digital certificate authentication, then the ciphertext of the first private key is sent to software Protection lock.Obtained for example, the first digital certificate can sign and issue equipment 21 from second to the application of CA systems.For example hardware controls are locked in In manufacturing process, a pair of RSA unsymmetrical key of generation in lock, wherein private key do not go out lock to ensure safety, use public key therein Information Generates Certificate demand file CSR to CA system application certificates, to obtain the first digital certificate, so that the public affairs of hardware controls lock Key information is included in the first digital certificate.During production hardware user lock, hardware controls lock demonstrate,proves first numeral Write in hardware user lock.A series of root certificates of CA systems are prefixed in hardware user lock, available for the numeral of checking first Certificate.If hardware user Lock Lee verifies that the first digital certificate passes through with preset root certificate, hardware controls are locked first The ciphertext of private key is sent to hardware user lock, and the ciphertext is that the private key locked using hardware controls is obtained to the first private key encryption. Subsequent hardware user lock uses the hardware controls in the first digital certificate to lock cryptogram validation and solution of the public key information to the first private key It is close to obtain the first private key and preserve.
By the embodiment of the present invention, the mistake that the first private key and the/the first salt figure are securely written into hardware user lock is realized Journey.Certainly, although being come here with hardware user lock for example, can also use similar mode for cloud user lock by first In private key feeding lock.
Multiple embodiments to the present invention are illustrated above, but the invention is not restricted to above-mentioned specific embodiment, not In the case of departing from present inventive concept, a variety of modifications and modification can be carried out to embodiment, these modifications and modification each fall within this Shen Please it is claimed within the scope of.

Claims (21)

1. a kind of method of data synchronization, it is characterised in that including:
S1, the ciphertext of the first data stored into the first equipment, the first data is sign and issue system to software protective lock with first The data for the digital permission correlation signed and issued;
S2, when create second sign and issue system when, the ciphertext for the first data that will be stored in the first equipment is sent to second and signed and issued System;
S3, the second ciphertext for signing and issuing the first data that system docking is received are decrypted, decrypt obtained the first data be used as with Second signs and issues the data for the digital permission correlation that system is signed and issued to software protective lock.
2. the method as described in claim 1, it is characterised in that S3 steps also include:
Second signs and issues at least one data encryption that system includes to the first data and obtained ciphertext is sent into software and protect Shield lock.
3. the method as described in claim 1, it is characterised in that S3 steps also include:
First digital certificate is write software protective lock by the second equipment of signing and issuing for signing and issuing system, and is counted in software protective lock to first After word certification authentication success, obtained ciphertext is simultaneously sent to software and protected by least one data encryption for including to the first data Shield lock.
4. method as claimed in claim 3, it is characterised in that S3 steps further comprise:
Software protective lock obtains at least one described data to the cryptogram validation and decryption using the first digital certificate and preserved.
5. the method as described in claim 1, it is characterised in that the first data include the first salt figure, S3 steps also include:
S31, the first salt figure write-in second obtained after the decryption is signed and issued to the signing and issuing in equipment of system;
S32, the first salt figure is encrypted obtain the ciphertext of the first salt figure, and the ciphertext of the first salt figure is sent to software protective lock.
6. method as claimed in claim 5, it is characterised in that S32 steps are specifically included:
S321, by the first digital certificate write software protective lock in;
S322, software protective lock are verified to the first digital certificate;
If S323, software protective lock are to the success of the first digital certificate authentication, the ciphertext of the first salt figure is sent into software protects Shield lock;
S324, software protective lock obtain the first salt figure to the cryptogram validation of the first salt figure and decryption using the first digital certificate and protected Deposit.
7. the method as described in claim 1, it is characterised in that the first data include the first private key, S3 steps include:
The first private key is obtained after S33, the progress decryption;
S34, the ciphertext for obtaining to obtained the first private key encryption of decryption the first private key, and the ciphertext of the first private key is sent to soft Part protection lock.
8. method as claimed in claim 7, it is characterised in that S34 steps are specifically included:
S341, by the first digital certificate write software protective lock in;
S342, software protective lock are verified to the first digital certificate;
If S343, software protective lock are to the success of the first digital certificate authentication, the ciphertext of the first private key is sent into software protects Shield lock;
S344, software protective lock obtain the first private key to the cryptogram validation of the first private key and decryption using the first digital certificate and protected Deposit.
9. method as claimed in claim 4, it is characterised in that be also stored with the first public key in the first equipment, the first public key with First private key is a pair of secret keys being mutually matched.
10. method as claimed in any one of claims 1-9 wherein, it is characterised in that first, which signs and issues system, includes the first encryption Card, second, which signs and issues system, includes the second encrypted card, and the first encrypted card is stored with for the key of the first data encryption, second to be added It is close to block the key being stored with for the ciphertext decryption to the first data.
11. method as claimed in any one of claims 1-9 wherein, it is characterised in that first signs and issues system signs and issues system for high in the clouds Or hardware signs and issues system, second signs and issues that system signs and issues system for hardware or system is signed and issued in high in the clouds.
12. method as claimed in any one of claims 1-9 wherein, it is characterised in that software protective lock be hardware user lock and/ Or cloud user lock.
13. a kind of data synchronous system, it is characterised in that sign and issue system and second including first and sign and issue system,
First, which signs and issues system, includes:
First signs and issues equipment, is configured to sign and issue digital permission to software protective lock;
Encryption device, be configured to by first the first data encryption that to sign and issue digital permission that equipment signs and issues related;And
Dispensing device, is configured to store the ciphertext of the first data into the first equipment;
Second, which signs and issues system, includes:
Second signs and issues equipment, is configured to sign and issue digital permission to software protective lock;
Acquisition device, is configured to obtain the ciphertext of the first data from the first equipment;
Ciphering and deciphering device, the ciphertext of the first data for being configured to obtain acquisition device is decrypted and obtains the first data, first Data are used as and the second data that to sign and issue digital permission that equipment signs and issues related.
14. system as claimed in claim 13, it is characterised in that second signs and issues device configuration includes to the first data Obtained ciphertext is simultaneously sent to software protective lock by least one data encryption.
15. system as claimed in claim 13, it is characterised in that second signs and issues device configuration to write the first digital certificate Software protective lock, and be configured to software protective lock to the first digital certificate authentication success after, the first data are included to Obtained ciphertext is simultaneously sent to software protective lock by a few data encryption.
16. system as claimed in claim 15, it is characterised in that software protective lock is configured so that the first digital certificate to this Cryptogram validation and decryption obtain at least one described data and preserved.
17. system as claimed in claim 13, it is characterised in that the first data include the first salt figure,
The first salt figure write-in second that the ciphering and deciphering device is configured to obtain after the ciphertext to the first data is decrypted is signed Send out equipment,
Second, which signs and issues equipment, is further configured to encrypt the first salt figure and obtains the ciphertext of the first salt figure, and by the close of the first salt figure Text is sent to software protective lock.
18. system as claimed in claim 13, it is characterised in that the first data include the first private key,
The ciphering and deciphering device is configured to after the ciphertext of the first data is decrypted obtain the first private key,
Described second signs and issues the ciphertext that equipment is further configured to obtain the first private key encryption the first private key, and by the first private key Ciphertext be sent to software protective lock.
19. the system as any one of claim 13-18, it is characterised in that encryption device and ciphering and deciphering device are to add Close card.
20. the system as any one of claim 13-18, it is characterised in that first signs and issues system and signed and issued for high in the clouds and be System or hardware sign and issue system, and second signs and issues that system signs and issues system for hardware or system is signed and issued in high in the clouds.
21. the system as any one of claim 13-18, it is characterised in that software protective lock be cloud user lock and/or Hardware user is locked.
CN201710173982.8A 2017-03-22 2017-03-22 Method of data synchronization and system Active CN106953917B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710173982.8A CN106953917B (en) 2017-03-22 2017-03-22 Method of data synchronization and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710173982.8A CN106953917B (en) 2017-03-22 2017-03-22 Method of data synchronization and system

Publications (2)

Publication Number Publication Date
CN106953917A true CN106953917A (en) 2017-07-14
CN106953917B CN106953917B (en) 2018-08-21

Family

ID=59473611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710173982.8A Active CN106953917B (en) 2017-03-22 2017-03-22 Method of data synchronization and system

Country Status (1)

Country Link
CN (1) CN106953917B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107204848A (en) * 2017-07-25 2017-09-26 北京深思数盾科技股份有限公司 A kind of method for managing key data and the device for managing key data
CN107391966A (en) * 2017-07-21 2017-11-24 北京深思数盾科技股份有限公司 A kind of method for protecting software, device and software protective lock
CN107835162A (en) * 2017-10-18 2018-03-23 北京深思数盾科技股份有限公司 The method that software digital permit server signs and issues software digital permissions

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108204A1 (en) * 2001-12-07 2003-06-12 Yves Audebert System and method for secure replacement of high level cryptographic keys in a personal security device
US20050198510A1 (en) * 2004-02-13 2005-09-08 Arnaud Robert Binding content to an entity
CN1747386A (en) * 2004-08-27 2006-03-15 微软公司 System and method for enforcing location privacy using rights management
CN101141460A (en) * 2007-08-20 2008-03-12 中兴通讯股份有限公司 Permission control method and system of service function in cluster system
CN102006276A (en) * 2009-08-26 2011-04-06 阿瓦雅公司 Licensing and certificate distribution via secondary or divided signaling communication pathway
CN102622538A (en) * 2011-02-01 2012-08-01 中国电信股份有限公司 Method and system for software licensing control
CN103078858A (en) * 2012-12-31 2013-05-01 上海同岩土木工程科技有限公司 Web service and signature certificate-based software trial authorization method
CN103906054A (en) * 2012-12-28 2014-07-02 上海农业信息有限公司 Method and system for authorization of software function modules of internet of things
CN104392150A (en) * 2014-10-28 2015-03-04 用友优普信息技术有限公司 Software authorization superposition control device and software authorization superposition control method
US20150180662A1 (en) * 2012-08-17 2015-06-25 Huawei Technologies Co., Ltd. Software key updating method and device
CN105635082A (en) * 2014-11-12 2016-06-01 北大方正集团有限公司 Dynamic authorization method and system, authorization center, and authorization client

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108204A1 (en) * 2001-12-07 2003-06-12 Yves Audebert System and method for secure replacement of high level cryptographic keys in a personal security device
US20050198510A1 (en) * 2004-02-13 2005-09-08 Arnaud Robert Binding content to an entity
CN1747386A (en) * 2004-08-27 2006-03-15 微软公司 System and method for enforcing location privacy using rights management
CN101141460A (en) * 2007-08-20 2008-03-12 中兴通讯股份有限公司 Permission control method and system of service function in cluster system
CN102006276A (en) * 2009-08-26 2011-04-06 阿瓦雅公司 Licensing and certificate distribution via secondary or divided signaling communication pathway
CN102622538A (en) * 2011-02-01 2012-08-01 中国电信股份有限公司 Method and system for software licensing control
US20150180662A1 (en) * 2012-08-17 2015-06-25 Huawei Technologies Co., Ltd. Software key updating method and device
CN103906054A (en) * 2012-12-28 2014-07-02 上海农业信息有限公司 Method and system for authorization of software function modules of internet of things
CN103078858A (en) * 2012-12-31 2013-05-01 上海同岩土木工程科技有限公司 Web service and signature certificate-based software trial authorization method
CN104392150A (en) * 2014-10-28 2015-03-04 用友优普信息技术有限公司 Software authorization superposition control device and software authorization superposition control method
CN105635082A (en) * 2014-11-12 2016-06-01 北大方正集团有限公司 Dynamic authorization method and system, authorization center, and authorization client

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107391966A (en) * 2017-07-21 2017-11-24 北京深思数盾科技股份有限公司 A kind of method for protecting software, device and software protective lock
CN107204848A (en) * 2017-07-25 2017-09-26 北京深思数盾科技股份有限公司 A kind of method for managing key data and the device for managing key data
CN107835162A (en) * 2017-10-18 2018-03-23 北京深思数盾科技股份有限公司 The method that software digital permit server signs and issues software digital permissions

Also Published As

Publication number Publication date
CN106953917B (en) 2018-08-21

Similar Documents

Publication Publication Date Title
CN109495274B (en) Decentralized intelligent lock electronic key distribution method and system
CN106452775B (en) Method and device for realizing electronic signature and signature server
US10305688B2 (en) Method, apparatus, and system for cloud-based encryption machine key injection
CN108199835B (en) Multi-party combined private key decryption method
CN1939028B (en) Accessing protected data on network storage from multiple devices
CN107896147B (en) Method and system for negotiating temporary session key based on national cryptographic algorithm
US11874935B2 (en) Protecting data from brute force attack
CN112347453B (en) Data safety writing method and system of automobile electronic identification embedded NFC chip
CN109379387B (en) Safety certification and data communication system between Internet of things equipment
RU2584500C2 (en) Cryptographic authentication and identification method with real-time encryption
US11831753B2 (en) Secure distributed key management system
CN111464301A (en) Key management method and system
CN110138548A (en) Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system
TWI476629B (en) Data security and security systems and methods
CN106953917B (en) Method of data synchronization and system
CN110383755A (en) The network equipment and trusted third party's equipment
CN113868684A (en) Signature method, device, server, medium and signature system
CN110098925A (en) Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system
CN108616516A (en) A kind of third party's plaintext password method of calibration based on multiple encryption algorithms
JP5295999B2 (en) Terminal initial setting method and initial setting device
EP3556046B1 (en) Method for secure management of secrets in a hierarchical multi-tenant environment
CN106790185B (en) CP-ABE-based method and device for safely accessing authority dynamic update centralized information
TWI430643B (en) Secure key recovery system and method
CN115801232A (en) Private key protection method, device, equipment and storage medium
CN110138547A (en) Based on unsymmetrical key pond to and sequence number quantum communications service station cryptographic key negotiation method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder