CN106953917B - Method of data synchronization and system - Google Patents
- Publication number: CN106953917B (application CN201710173982.8A)
- Authority: CN (China)
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L67/1095 - Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- G06F21/606 - Protecting data by securing the transmission between two devices or processes
- G06F21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218 - Protecting access to data via a platform, to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention discloses a data synchronization method comprising: S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks; S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system; S3, the second issuing system decrypting the received ciphertext of the first data and using the decrypted first data as the data related to the digital licenses that the second issuing system issues to software protection locks. The invention also discloses a data synchronization system. With this scheme, the second issuing system can issue digital licenses whenever the first issuing system cannot be used or is inconvenient to use, which helps keep the issuing process running smoothly.
Description
Technical field
The present invention relates to the field of data security, and in particular to a data synchronization method and system.
Background
A software protection lock (dongle) is a device used to protect target software. Traditionally the software protection lock is a hardware user lock, and the software developer uses a hardware control lock to issue digital license authorizations for the target software to the hardware user locks. Nowadays many dongle vendors have moved the dongle function to the cloud, giving a cloud user lock, and licenses are no longer issued with a traditional hardware control lock but with a cloud-hosted control lock.
However, once the software developer is in an environment where the network is abnormal or unavailable, the cloud-hosted control lock cannot be used to issue licenses to cloud user locks or hardware user locks. In addition, some software developers are unwilling to disclose the company's cloud account credentials to too many employees.
Summary of the invention
In view of this, embodiments of the present invention provide a data synchronization method and system that allow different issuing systems to issue software digital licenses on the basis of the same key data.
The data synchronization method provided by embodiments of the present invention comprises: S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks; S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system; S3, the second issuing system decrypting the received ciphertext of the first data and using the decrypted first data as the data related to the digital licenses that it issues to software protection locks.
The data synchronization system provided by embodiments of the present invention comprises a first issuing system and a second issuing system. The first issuing system comprises: a first issuing device configured to issue digital licenses to software protection locks; an encryption device configured to encrypt the first data related to the digital licenses issued by the first issuing device; and a sending device configured to store the ciphertext of the first data in a first device. The second issuing system comprises: a second issuing device configured to issue digital licenses to software protection locks; an acquisition device configured to obtain the ciphertext of the first data from the first device; and an encryption/decryption device configured to decrypt the ciphertext obtained by the acquisition device so as to recover the first data, which is then used as the data related to the digital licenses issued by the second issuing device.
In the scheme of the embodiments, the necessary key data is encrypted and saved to a database at the time the first issuing system (including the cloud-hosted control lock) is created. When a customer needs it, the encrypted key data is sent to the second issuing system, which decrypts it and writes it into the second issuing device (for example a hardware control lock). The cloud-hosted control lock and the hardware control lock then hold identical key data, and a developer with a specific need can use the hardware control lock to issue software digital licenses to hardware user locks or cloud user locks. The hardware control lock can thus stand in for the cloud-hosted control lock, so the developer can still issue software digital licenses to user locks when the network is abnormal or unavailable.
Description of the drawings
Fig. 1 is a schematic flowchart of the data synchronization method of an embodiment of the present invention;
Fig. 2 is a schematic flowchart of one example of the specific steps of step S3 in Fig. 1;
Fig. 3 is a schematic flowchart of one example of the specific steps of step S32 in Fig. 2;
Fig. 4 is a schematic flowchart of another example of the specific steps of step S3 in Fig. 1;
Fig. 5 is a schematic flowchart of one example of the specific steps of step S34 in Fig. 4;
Fig. 6 is a schematic block diagram of the data synchronization system of an embodiment of the present invention.
Detailed description of embodiments
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of the data synchronization method of an embodiment of the present invention. As shown in Fig. 1, the data synchronization method comprises:
S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks.
The first issuing system may be a cloud issuing system or a hardware issuing system. Taking a cloud issuing system as the example, it may include a cloud-hosted control lock. The software protection lock may be a hardware user lock or a cloud user lock; the cloud-hosted control lock can issue digital licenses to cloud user locks and also to hardware user locks. The first data may include data related to the digital licenses issued by the cloud-hosted control lock, such as key data, configuration parameters and secure-communication data. The ciphertext of the first data may be stored in the first device when the cloud issuing system is created, or it may be stored there on demand after creation, when the network becomes unavailable during use or a hardware issuing system has to be used for some other reason. The first device may be a cloud database or any kind of removable storage device.
S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system.
When a second issuing system is created so as to provide the same function as the first issuing system, the ciphertext of the first data stored in the first device is sent to the second issuing system. The second issuing system may be a hardware issuing system or a cloud issuing system. Taking a hardware issuing system as the example, it may include a hardware control lock, which can issue digital licenses to hardware user locks and also to cloud user locks.
S3, the second issuing system decrypting the received ciphertext of the first data and using the decrypted first data as the data related to the digital licenses that it issues to software protection locks.
After the second issuing system receives the ciphertext of the first data and decrypts it, it uses the recovered first data as the data related to the digital licenses it issues to software protection locks. The data the second issuing system relies on when issuing digital licenses, or when the licenses it has issued are in use, is therefore consistent with the data related to the issuance or use of the digital licenses issued by the first issuing system.
The embodiments of the present invention do not restrict the type of the device that encrypts the first data in the first issuing system, nor the type of the device that decrypts its ciphertext in the second issuing system, as long as the device offers security comparable to that of the digital license issuing system itself. In one implementation, the encrypting device in the first issuing system and the decrypting device in the second issuing system are both encryption cards. For example, a pair of keys that encrypt and decrypt each other's output is pre-provisioned in the first encryption card of the cloud issuing system and the second encryption card of the hardware issuing system: the encryption key is stored in the first card and the decryption key in the second card. An encryption card ensures that a key can only be used inside the card; the data to be encrypted or decrypted is passed into the card, so the key itself is never exposed.
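The following Go program is an added example, not code from the patent or from any dongle vendor, of the S1 to S3 exchange as the encryption-card paragraph above describes it: the first issuing system's card holds only the encryption half of a key pair, the second system's card holds only the decryption half, and the sealed blob is what sits in the first device. RSA-OAEP with a purpose label stands in for the unspecified card algorithm; the field layout of the first data, the raw 32-byte encoding of the ECC private key and the sample configuration string are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirstData is the license-related material the patent calls "first data".
// The ECC private key is carried as its raw 32-byte scalar (assumed encoding).
type FirstData struct {
	Salt, ECPrivKey, Config []byte
}

// oaepLabel ties the ciphertext to this purpose so a card holding the decryption
// key cannot be driven as a generic decryption oracle for other data.
var oaepLabel = []byte("first-data-sync-v1")

// Encode serialises the three fields with 16-bit big-endian length prefixes.
func (f FirstData) Encode() []byte {
	var buf bytes.Buffer
	for _, field := range [][]byte{f.Salt, f.ECPrivKey, f.Config} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(field)))
		buf.Write(l[:])
		buf.Write(field)
	}
	return buf.Bytes()
}

// Decode parses Encode's output, rejecting truncation and trailing bytes.
func Decode(b []byte) (FirstData, error) {
	var f [3][]byte
	for i := range f {
		if len(b) < 2 || len(b)-2 < int(binary.BigEndian.Uint16(b)) {
			return FirstData{}, errors.New("truncated first data")
		}
		n := int(binary.BigEndian.Uint16(b))
		f[i], b = append([]byte(nil), b[2:2+n]...), b[2+n:]
	}
	if len(b) != 0 {
		return FirstData{}, errors.New("trailing bytes after first data")
	}
	return FirstData{Salt: f[0], ECPrivKey: f[1], Config: f[2]}, nil
}

// Seal is step S1 inside the first issuing system's card: encrypt to the
// decryption key that lives only in the second issuing system's card.
func Seal(encKey *rsa.PublicKey, fd FirstData) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, encKey, fd.Encode(), oaepLabel)
}

// Unseal is step S3 inside the second issuing system's card.
func Unseal(decKey *rsa.PrivateKey, blob []byte) (FirstData, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, decKey, blob, oaepLabel)
	if err != nil {
		return FirstData{}, fmt.Errorf("card rejected ciphertext: %w", err)
	}
	return Decode(pt)
}

// NewFirstData builds constructed sample data: a random salt and a random
// 32-byte value standing in for the ECC private key.
func NewFirstData() (FirstData, error) {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		return FirstData{}, err
	}
	return FirstData{Salt: buf[:32], ECPrivKey: buf[32:], Config: []byte("lic-profile=std")}, nil
}

// RoundTrip runs S1..S3: seal in the cloud system, park the blob in the "first
// device", unseal in the hardware system, and compare what came out.
func RoundTrip() (bool, error) {
	cardPair, err := rsa.GenerateKey(rand.Reader, 2048) // public half in card 1, private half in card 2
	if err != nil {
		return false, err
	}
	fd, err := NewFirstData()
	if err != nil {
		return false, err
	}
	firstDevice, err := Seal(&cardPair.PublicKey, fd) // what the cloud database or USB stick stores
	if err != nil {
		return false, err
	}
	got, err := Unseal(cardPair, firstDevice)
	return err == nil && bytes.Equal(got.Encode(), fd.Encode()), err
}

func main() { fmt.Println(RoundTrip()) }
```

OAEP is a confidentiality primitive only: the check the second card performs is that the padding verifies, which also catches a blob corrupted in the database or on the removable medium, but it does not tell the second system who produced the blob. A deployment that accepts blobs from a shared database should additionally have the first card sign them.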
With the method of the embodiments of the present invention, the data related to the issuance and use of digital licenses is consistent between the cloud-hosted control lock and the hardware control lock. If the network fails and the cloud-hosted control lock cannot be used, the hardware control lock can issue software digital licenses to hardware user locks or cloud user locks; when the network is normal, either the cloud-hosted control lock or the hardware control lock may be used to issue digital licenses to hardware user locks or cloud user locks. The hardware control lock can thus stand in for the cloud-hosted control lock, so the software developer can still issue software digital licenses to user locks when the network is abnormal or unavailable.
In one embodiment of the present invention, in step S3, after the second issuing system has obtained and decrypted the ciphertext of the first data, it may encrypt one or more of the data items contained in the first data, together or separately, and send the resulting ciphertext(s) to the software protection lock, which decrypts them and stores the data items. The second issuing system and the software protection lock it issues to then hold consistent license-related data, and so do the software protection lock issued to by the first issuing system and the one issued to by the second issuing system, which ensures that the two issuing systems produce consistent issuing results.
In another embodiment of the present invention, in step S3, after obtaining and decrypting the ciphertext of the first data and before sending any data ciphertext to the software protection lock, the second issuing system first writes a first digital certificate, obtained from a CA system, into the software protection lock. Only after the software protection lock has successfully verified the first digital certificate does the second issuing system encrypt at least one data item of the first data, together or separately, and send the resulting ciphertext(s) to the software protection lock, which decrypts them and stores the data items. As an example, the first digital certificate may carry the public key corresponding to the private key that the second issuing system uses to encrypt the data item(s), so that the software protection lock can use the first digital certificate to verify and decrypt the ciphertext(s) and store the recovered data. This secures the transfer of license-related data from the second issuing system to the software protection lock while still ensuring that the two issuing systems produce consistent issuing results.
Fig. 2 is a schematic flowchart of one example of the specific steps of step S3 in Fig. 1.
In the embodiment shown in Fig. 2, the first data may include a first salt value. The first salt value may, for example, take part in generating the key used to encrypt and decrypt software critical data, i.e. data that the software needs in order to run and that is usually stored securely in the software protection lock. In embodiments of the present invention the key for encrypting and decrypting software critical data may, for example, be generated by combining the first salt value with the digital license information or other predetermined data. In step S31 of Fig. 2, the second issuing system writes the first salt value, recovered by decrypting the ciphertext of the first data, into the issuing device of the second issuing system; for example, the hardware issuing system writes the decrypted first salt value into the hardware control lock it produces. Then, in step S32, the issuing device encrypts the first salt value with its private key and sends the ciphertext of the first salt value to the software protection lock. In this way the issuing device of the first issuing system and the issuing device of the second issuing system hold the same salt value, and so do the software protection locks issued to by the first issuing system and by the second issuing system.
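An added example, not the patent's code, of the key derivation this paragraph sketches: the synchronised first salt value and the digital license information are combined into the key that protects software critical data, so a lock issued by the cloud-hosted control lock and a lock issued by the hardware control lock interoperate, while a lock holding a different salt cannot open the data. HMAC-SHA256 as the combining function, AES-256-GCM for the critical data itself, and the license string and critical data are assumptions of the example; the text only says that the salt is assembled with the license information or other predetermined data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeriveCriticalDataKey combines the first salt value with the license
// information: HMAC-SHA256 keyed by the salt over a label, the length of the
// license information and the license information itself. The length prefix
// keeps differently split license strings from colliding.
func DeriveCriticalDataKey(salt, licenseInfo []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte("software-critical-data-key-v1"))
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(licenseInfo)))
	mac.Write(l[:])
	mac.Write(licenseInfo)
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCriticalData encrypts with AES-256-GCM under a fresh nonce; the license
// information is bound as associated data so a blob cannot be replayed under a
// different license even by a lock that derives the same salt-based key.
func SealCriticalData(key, licenseInfo, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, licenseInfo), nil
}

// OpenCriticalData reverses SealCriticalData; any mismatch in key, nonce,
// ciphertext or license information fails the GCM tag check.
func OpenCriticalData(key, licenseInfo, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], licenseInfo)
}

// Demo: a lock issued by the cloud control lock seals critical data; a lock
// issued by the hardware control lock (same synchronised salt) opens it; a lock
// with a different salt cannot. Returns (sameSaltOpened, otherSaltRejected).
func Demo() (bool, bool, error) {
	syncedSalt, otherSalt := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(syncedSalt); err != nil {
		return false, false, err
	}
	if _, err := rand.Read(otherSalt); err != nil {
		return false, false, err
	}
	license := []byte("product=editor;features=export,print;expires=2026-12-31") // constructed
	critical := []byte("calibration-table-v7")                                   // constructed
	blob, err := SealCriticalData(DeriveCriticalDataKey(syncedSalt, license), license, critical)
	if err != nil {
		return false, false, err
	}
	got, err := OpenCriticalData(DeriveCriticalDataKey(syncedSalt, license), license, blob)
	sameOK := err == nil && bytes.Equal(got, critical)
	_, err = OpenCriticalData(DeriveCriticalDataKey(otherSalt, license), license, blob)
	return sameOK, err != nil, nil
}

func main() { fmt.Println(Demo()) }
```

The salt is the only secret input to the derivation, which is exactly why the text has it written into the lock over the certificate-gated path of Fig. 3 rather than shipped with the software; the license information is public and only scopes the key.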
Fig. 3 is a schematic flowchart of one example of the specific steps of step S32 in Fig. 2.
As shown in Fig. 3, step S32 of Fig. 2 may specifically comprise:
S321, writing a first digital certificate into the software protection lock.
The first digital certificate can be obtained by the second issuing device applying to the CA system. For example, during manufacture the hardware control lock generates an RSA key pair inside the lock; the private key never leaves the lock, so as to ensure its security, and a certificate signing request (CSR) built from the public key is submitted to the CA system, which returns the first digital certificate containing the hardware control lock's public key. When hardware user locks are produced, the hardware control lock writes the first digital certificate into each hardware user lock.
S322, the software protection lock verifying the first digital certificate.
A set of root certificates of the CA system is preset in the hardware user lock and is used to verify the first digital certificate.
S323, if the software protection lock verifies the first digital certificate successfully, the issuing device sending the ciphertext of the first salt value to the software protection lock.
If the hardware user lock verifies the first digital certificate against its preset root certificates, the hardware control lock sends the ciphertext of the first salt value to the hardware user lock; this ciphertext may be obtained by encrypting the first salt value with the hardware control lock's private key.
S324, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first salt value, and storing the first salt value.
For example, the hardware user lock uses the hardware control lock's public key carried in the first digital certificate to verify and decrypt the ciphertext received from the issuing device, recovers the first salt value and stores it.
Through this embodiment the first salt value is securely written into the hardware user lock. Although a hardware user lock is used as the example here, a cloud user lock can receive the first salt value in a similar way.
Fig. 4 is a schematic flowchart of another example of the specific steps of step S3 in Fig. 1. In the embodiment shown in Fig. 4, the first data may include a first private key. The first private key may be a security key for establishing a secure communication channel while the software runs under the digital license, for example a direct or indirect encrypted channel between the running software and the software protection lock. After decrypting the ciphertext of the first data, the second issuing system encrypts the recovered first private key and sends the resulting ciphertext to the software protection lock. For example, the hardware issuing system decrypts the ciphertext of the first data with a device such as an encryption card to obtain the first private key; the hardware control lock then re-encrypts the first private key with its own private key and, when a hardware user lock is produced, sends the ciphertext of the first private key to it; the hardware user lock decrypts the ciphertext and stores the first private key. In this way the software protection locks licensed through the first issuing system and those licensed through the second issuing system hold the same private key.
In one embodiment of the present invention the first data includes both the first salt value and the first private key, and the steps of Fig. 2 and Fig. 4 are carried out together: after receiving the ciphertext of the first data, the second issuing system decrypts it to obtain the first salt value and the first private key, writes the first salt value into the issuing device of the second issuing system, encrypts the first private key and the first salt value together or separately, and sends the ciphertext(s) to the software protection lock, which decrypts them and stores the first private key and the first salt value.
In another embodiment the first device stores, in addition to the ciphertext of the first data, a first public key. The first public key and the first private key form a matched key pair and are used together to establish the secure communication channel when the software runs under the digital license, for example to encrypt the data exchanged between the protected software and the software security system; the software security system may include a software license service application installed on the terminal device. The first public key may be compiled into the SDK (software development kit) that the digital license provider distributes to software developers, for convenience of use.
In embodiments of the present invention the first private key contained in the first data may, for example, be an ECC private key generated with the ECC algorithm.
Fig. 5 is a schematic flowchart of one example of the specific steps of step S34 in Fig. 4.
In the embodiment shown in Fig. 5, step S34 of Fig. 4 may specifically comprise:
S341, writing a first digital certificate into the software protection lock.
The first digital certificate can be obtained by the second issuing device applying to the CA system. For example, during manufacture the hardware control lock generates an RSA key pair inside the lock; the private key never leaves the lock, so as to ensure its security, and a certificate signing request (CSR) built from the public key is submitted to the CA system, which returns the first digital certificate containing the hardware control lock's public key. When hardware user locks are produced, the hardware control lock writes the first digital certificate into each hardware user lock.
S342, the software protection lock verifying the first digital certificate.
A set of root certificates of the CA system is preset in the hardware user lock and is used to verify the first digital certificate.
S343, if the software protection lock verifies the first digital certificate successfully, the issuing device sending the ciphertext of the first private key to the software protection lock.
If the hardware user lock verifies the first digital certificate against its preset root certificates, the hardware control lock sends the ciphertext of the first private key to the hardware user lock; this ciphertext may be obtained by encrypting the first private key with the hardware control lock's private key.
S344, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first private key, and storing the first private key.
The hardware user lock uses the hardware control lock's public key carried in the first digital certificate to verify and decrypt the ciphertext of the first private key, recovers the first private key and stores it.
Through this embodiment the first private key is securely written into the hardware user lock. Although a hardware user lock is used as the example here, a cloud user lock can receive the first private key in a similar way.
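The exchange of Fig. 3 and Fig. 5 (steps S321 to S324 and S341 to S344), as an added Go example rather than the patent's own code, with the user lock refusing any data until a certificate that chains to one of its preset roots has been installed. One caveat a practitioner should carry away from the text: an operation with the control lock's private key that the user lock checks with the certificate's public key is a signature, so it proves who sent the salt or the first private key but does not hide them. The example therefore models S323/S343 as an RSA-PSS signature over the payload, and a real deployment must additionally encrypt the payload to a key the user lock itself holds, which the text does not specify. The ECDSA P-256 CA key, the certificate names and lifetimes, the elided CSR framing and the constructed 64-byte payload are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeCerts stands in for the CA system: it creates a fresh self-signed root (the
// kind preset in user locks) and issues the "first digital certificate" for the
// control lock's public key. The CSR framing is elided; the key is passed directly.
func MakeCerts(lockPub *rsa.PublicKey) (*x509.Certificate, []byte, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vendor root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hardware control lock"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, lockPub, caKey)
	return root, leafDER, err
}

// Sign is S323/S343 on the control lock: the private-key operation over the payload.
func Sign(lockKey *rsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return rsa.SignPSS(rand.Reader, lockKey, crypto.SHA256, h[:], nil)
}

// UserLock models a hardware user lock: preset roots and the issuer certificate,
// which is only set once step S322 has succeeded.
type UserLock struct {
	roots  *x509.CertPool
	issuer *x509.Certificate
}

// InstallIssuerCert is S321/S322: keep the certificate only if it chains to a preset root.
func (u *UserLock) InstallIssuerCert(der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: u.roots}); err != nil {
		return err
	}
	u.issuer = cert
	return nil
}

// Receive is S324/S344: accept the payload only if the signature verifies under
// the public key carried in the installed first digital certificate.
func (u *UserLock) Receive(payload, sig []byte) ([]byte, error) {
	if u.issuer == nil {
		return nil, errors.New("no verified issuer certificate installed")
	}
	pub, ok := u.issuer.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("issuer certificate does not carry an RSA key")
	}
	h := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err
	}
	return payload, nil
}

// Provision runs the exchange for a constructed 64-byte payload (32-byte salt
// followed by 32-byte first private key) and reports whether the lock accepted it.
func Provision() (bool, error) {
	lockKey, err := rsa.GenerateKey(rand.Reader, 2048) // generated inside the control lock
	if err != nil {
		return false, err
	}
	root, leafDER, err := MakeCerts(&lockKey.PublicKey)
	if err != nil {
		return false, err
	}
	ul := &UserLock{roots: x509.NewCertPool()}
	ul.roots.AddCert(root)
	if err := ul.InstallIssuerCert(leafDER); err != nil {
		return false, err
	}
	payload := append(bytes.Repeat([]byte{0x5a}, 32), bytes.Repeat([]byte{0xa5}, 32)...)
	sig, err := Sign(lockKey, payload)
	if err != nil {
		return false, err
	}
	got, err := ul.Receive(payload, sig)
	return err == nil && bytes.Equal(got, payload), err
}

func main() { fmt.Println(Provision()) }
```

The order of the checks is the point of Fig. 3 and Fig. 5: the user lock holds no trust anchor for the control lock other than the preset CA roots, so a certificate from any other CA, a signature by any key other than the one in the verified certificate, and data arriving before any certificate are all rejected.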
Fig. 6 is the schematic block diagram of the data synchronous system of the embodiment of the present invention.
As shown in figure 4, the data synchronous system of the embodiment of the present invention may include first signing and issuing system 10 and second and signing and issuing
System 20, first, which signs and issues system 10 and second, signs and issues system 20 and can be connected to the first equipment 30.
First to sign and issue system 10 may include first signing and issuing equipment 11, encryption device 12 and sending device 13.First signs and issues
Equipment 11 is configured to sign and issue digital permission to software protective lock, and encryption device 12 is configured to that the number that equipment is signed and issued will be signed and issued with first
Word permits relevant first data encryption, sending device 13 to be configured to the ciphertext of the first data being sent in the first equipment 30 and deposit
Storage.
Second to sign and issue system 20 may include second signing and issuing equipment 21, ciphering and deciphering device 22 and acquisition device 23.Second label
Hair equipment 21 is configured to sign and issue digital permission to software protective lock, and acquisition device 23 is configured to obtain the first number from the first equipment 30
According to ciphertext, the ciphertext that ciphering and deciphering device 22 is configured to the first data obtained to acquisition device 23 is decrypted to obtain the first number
According to the first data sign and issue system by second and are used as signing and issuing the relevant data of digital permission that equipment 21 is signed and issued with second.
In embodiments of the present invention, first to sign and issue system can be that system is signed and issued in high in the clouds or hardware signs and issues system.With high in the clouds
For signing and issuing system, high in the clouds signs and issues system and may include such as cloud trustship control lock.Software protective lock can be hardware user lock
It can be cloud user lock.Cloud trustship control lock can be used for signing and issuing digital permission to cloud user lock, can also be used to hardware
User's lock signs and issues digital permission.First data may include such as key data, configuration parameter, secure communication related data with
The relevant data of digital permission that cloud trustship control lock is signed and issued.First equipment 30 can be cloud database or any kind of
Movable storage device.
In embodiments of the present invention, second to sign and issue system can be that hardware signs and issues system or system is signed and issued in high in the clouds.With hardware
For signing and issuing system, hardware signs and issues system and may include such as hardware controls lock.Hardware controls lock can be used for locking to hardware user
Digital permission is signed and issued, can also be used to sign and issue digital permission to cloud user lock.
In embodiments of the present invention, the first encryption device 12 and second signed and issued in system 10 signs and issues in system 20 plus solution
Close device 22 can be encrypted card.For example, the first encrypted card of system is signed and issued in high in the clouds and hardware signs and issues the second encrypted card of system
In prestore it is a pair of can encryption and decryption mutually key, wherein for encrypted key storage in the first encrypted card, for decryption
Key storage is in the second encrypted card.
System through the embodiment of the present invention, hardware controls lock can sign and issue software digital with buyun trustship control lock and be permitted
It can so that software developer can be still that user's lock signs and issues software digital license under Network Abnormal or without network environment.
In an embodiment of the invention, second sign and issue equipment 21 be configurable to the first data include one or
Multiple data are simultaneously or separately encrypted, and one or more ciphertexts that encryption obtains are sent to software protective lock, are protected by software
Shield lock obtains said one or multiple data after being decrypted to ciphertext and preserves.It so may make second to sign and issue system to sign with as it
Send out have in the software protective lock of object it is consistent with the relevant data of digital permission so that signing and issuing system as first
Sign and issue the software protective lock of object and signed and issued as second have in the software protective lock for signing and issuing object of system it is consistent with number
Word permits relevant data, it is ensured that two are signed and issued the consistency that system synchronization signs and issues operating result.
In another embodiment, the second issuing device 21 may be configured so that, after the ciphertext of the first data has been obtained and decrypted and before any data ciphertext is sent to the software protection lock, it first writes a first digital certificate obtained from a CA system into the software protection lock. Only after the software protection lock has successfully verified the first digital certificate does it encrypt, together or separately, at least one data item included in the first data and send the one or more resulting ciphertexts to the software protection lock, which decrypts them, obtains the one or more data items and saves them. As an example, the first digital certificate may contain the public key corresponding to the private key the second issuing system uses to encrypt the at least one data item, so that the software protection lock can use the first digital certificate to verify and decrypt the ciphertext of the at least one data item, obtain it and save it. This secures the transfer of the digital-license related data from the second issuing system to the software protection lock while still ensuring that the results of the two issuing systems' synchronized issuing operations are consistent.
In one embodiment of the present invention, the first data may include a first salt value; the first salt value may, for example, take part in generating the key used to encrypt and decrypt critical data of the software. The encryption/decryption device 22 may be configured to write the first salt value obtained by decrypting the ciphertext of the first data into the second issuing device 21. The second issuing device 21 may further be configured to encrypt the first salt value to obtain a ciphertext of the first salt value and to send that ciphertext to the software protection lock. With this embodiment, the first issuing device 11 of the first issuing system 10 and the second issuing device 21 of the second issuing system 20 hold the same salt value.
In another embodiment, the first data includes a first private key used to establish a secure channel when software is run on the basis of a digital license. The encryption/decryption device 22 may be configured to obtain the first private key by decrypting the ciphertext of the first data, and the second issuing device 21 may further be configured to encrypt the first private key obtained from the encryption/decryption device 22 and send the resulting ciphertext of the first private key to the software protection lock. With this embodiment, a software protection lock whose digital license was issued by the first issuing system 10 and a software protection lock whose digital license was issued by the second issuing system 20 hold the same private key.
In embodiments of the present invention, the second issuing device 21 may be configured to write the first digital certificate into the software protection lock and, only after the software protection lock has successfully verified the first digital certificate, to send the ciphertext of the first private key to the software protection lock. The first digital certificate may, for example, be obtained by the second issuing device 21 by applying to a CA system. For instance, during its manufacture the hardware control lock generates a pair of RSA asymmetric keys inside the lock; the private key never leaves the lock, for security. The public key information is used to generate a certificate signing request (CSR) with which a certificate is requested from the CA system, and the first digital certificate obtained this way contains the public key information of the hardware control lock. During production of hardware user locks, the hardware control lock writes the first digital certificate into each hardware user lock. A set of root certificates of the CA system is preset in the hardware user lock and can be used to verify the first digital certificate. If the hardware user lock verifies the first digital certificate successfully with the preset root certificates, the hardware control lock sends the ciphertext of the first private key to the hardware user lock; this ciphertext is obtained by encrypting the first private key with the private key of the hardware control lock. The hardware user lock then uses the public key information of the hardware control lock contained in the first digital certificate to verify and decrypt the ciphertext of the first private key, obtains the first private key and saves it.
The embodiment of the present invention thus realizes a process by which the first private key and/or the first salt value is securely written into a hardware user lock. Although a hardware user lock is used as the example here, a similar approach can also be used to deliver the first private key into a cloud user lock.
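The certificate-gated delivery described above, as an added example that is not part of the patent or the applicant's products: the Go program below models the CA system's root, a hardware control lock with an in-lock key pair and a CA-issued first digital certificate, and a hardware user lock with a root certificate preset during manufacture. The text's "encrypt the first private key with the control lock's private key, verify and decrypt it with the certified public key" is realised here as an RSA-PSS signature over the data that the user lock checks against the public key in the certificate, which is what that operation amounts to with a current RSA library; the names issueCert, NewRoot, ControlLock, Seal, UserLock and Accept are hypothetical, the CSR exchange is folded into a single issueCert call, and all certificate subjects are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert models the CA system: it certifies pub under issuer/issuerKey, or self-signs a root when isCA is set.
func issueCert(cn string, serial int64, isCA bool, pub *rsa.PublicKey, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage, issuer = x509.KeyUsageCertSign, tmpl // self-signed root
	}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
}

// NewRoot models the CA system's root: a self-signed certificate and its key.
func NewRoot() ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := issueCert("constructed root CA", 1, true, &key.PublicKey, nil, key)
	return der, key, err
}

// ControlLock models the hardware control lock: a key pair generated inside the lock (the private key never leaves it) and its CA-issued first digital certificate.
type ControlLock struct {
	key     *rsa.PrivateKey
	CertDER []byte
}

// NewControlLock generates the lock's key pair and obtains its certificate from the CA; the CSR exchange is folded into issueCert.
func NewControlLock(rootDER []byte, rootKey *rsa.PrivateKey) (*ControlLock, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	der, err := issueCert("constructed hardware control lock", 2, false, &key.PublicKey, root, rootKey)
	return &ControlLock{key: key, CertDER: der}, err
}

// Seal protects data with the lock's private key for a user lock: the text's "encrypt with the private key, decrypt with the public key" is an RSA-PSS signature here.
func (c *ControlLock) Seal(data []byte) ([]byte, error) {
	digest := crypto.SHA256.New()
	digest.Write(data)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}
	return rsa.SignPSS(rand.Reader, c.key, crypto.SHA256, digest.Sum(nil), opts)
}

// UserLock models the hardware user lock with its preset CA root certificates.
type UserLock struct {
	Roots     *x509.CertPool
	FirstData []byte // kept only after both checks in Accept pass
}

// NewUserLock models manufacturing a user lock with the CA root preset in it.
func NewUserLock(rootDER []byte) (*UserLock, error) {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &UserLock{Roots: pool}, nil
}

// Accept is the user-lock side: verify the first digital certificate against the preset roots, then check the seal with the certified public key, and only then keep the data.
func (u *UserLock) Accept(certDER, data, seal []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: u.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("first digital certificate rejected: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSAPSS, data, seal); err != nil {
		return fmt.Errorf("seal does not match the certified control lock: %w", err)
	}
	u.FirstData = append([]byte(nil), data...)
	return nil
}
```

The user lock keeps the data only after both checks pass: a certificate that chains to a root other than the preset one, or data altered after sealing, is rejected before anything is stored, which is exactly the property the preset root certificates are there to provide.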
Several embodiments of the present invention have been described above, but the present invention is not limited to these specific embodiments; without departing from the inventive concept, numerous modifications and variations may be made to the embodiments, and all such modifications and variations fall within the scope claimed by this application.
Claims (21)
1. A data synchronization method, characterized in that it comprises:
S1: storing a ciphertext of first data in a first device, the first data being data related to the issuing or use of a digital license that a first issuing system issues to a software protection lock;
S2: when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system;
S3: the second issuing system decrypting the received ciphertext of the first data, the decrypted first data serving as data related to the issuing or use of a digital license that the second issuing system issues to a software protection lock.
2. The method of claim 1, characterized in that step S3 further comprises:
the second issuing system encrypting at least one data item included in the first data and sending the resulting ciphertext to the software protection lock.
3. The method of claim 1, characterized in that step S3 further comprises:
the second issuing device of the second issuing system writing a first digital certificate into the software protection lock and, after the software protection lock has successfully verified the first digital certificate, encrypting at least one data item included in the first data and sending the resulting ciphertext to the software protection lock.
4. The method of claim 3, characterized in that step S3 further comprises:
the software protection lock verifying and decrypting the ciphertext using the first digital certificate to obtain and save the at least one data item.
5. The method of claim 1, characterized in that the first data comprises a first salt value, and step S3 further comprises:
S31: writing the first salt value obtained by the decryption into the issuing device of the second issuing system;
S32: encrypting the first salt value to obtain a ciphertext of the first salt value, and sending the ciphertext of the first salt value to the software protection lock.
6. The method of claim 5, characterized in that step S32 specifically comprises:
S321: writing a first digital certificate into the software protection lock;
S322: the software protection lock verifying the first digital certificate;
S323: if the software protection lock verifies the first digital certificate successfully, sending the ciphertext of the first salt value to the software protection lock;
S324: the software protection lock verifying and decrypting the ciphertext of the first salt value using the first digital certificate to obtain and save the first salt value.
7. The method of claim 1, characterized in that the first data comprises a first private key, and step S3 comprises:
S33: obtaining the first private key after performing the decryption;
S34: encrypting the first private key obtained by the decryption to obtain a ciphertext of the first private key, and sending the ciphertext of the first private key to the software protection lock.
8. The method of claim 7, characterized in that step S34 specifically comprises:
S341: writing a first digital certificate into the software protection lock;
S342: the software protection lock verifying the first digital certificate;
S343: if the software protection lock verifies the first digital certificate successfully, sending the ciphertext of the first private key to the software protection lock;
S344: the software protection lock verifying and decrypting the ciphertext of the first private key using the first digital certificate to obtain and save the first private key.
9. The method of claim 4, characterized in that a first public key is also stored in the first device, the first public key and the first private key being a matching key pair.
10. The method of any one of claims 1 to 9, characterized in that the first issuing system comprises a first encryption card and the second issuing system comprises a second encryption card, the first encryption card storing the key used to encrypt the first data and the second encryption card storing the key used to decrypt the ciphertext of the first data.
11. The method of any one of claims 1 to 9, characterized in that the first issuing system is a cloud issuing system or a hardware issuing system, and the second issuing system is a hardware issuing system or a cloud issuing system.
12. The method of any one of claims 1 to 9, characterized in that the software protection lock is a hardware user lock and/or a cloud user lock.
13. A data synchronization system, characterized in that it comprises a first issuing system and a second issuing system, wherein
the first issuing system comprises:
a first issuing device, configured to issue a digital license to a software protection lock;
an encryption device, configured to encrypt first data related to the issuing or use of the digital license issued by the first issuing device; and
a sending device, configured to store the ciphertext of the first data in a first device;
and the second issuing system comprises:
a second issuing device, configured to issue a digital license to a software protection lock;
an acquisition device, configured to obtain the ciphertext of the first data from the first device;
an encryption/decryption device, configured to decrypt the ciphertext of the first data obtained by the acquisition device to obtain the first data, the first data serving as data related to the issuing or use of the digital license issued by the second issuing device.
14. The system of claim 13, characterized in that the second issuing device is configured to encrypt at least one data item included in the first data and send the resulting ciphertext to the software protection lock.
15. The system of claim 13, characterized in that the second issuing device is configured to write a first digital certificate into the software protection lock and, after the software protection lock has successfully verified the first digital certificate, to encrypt at least one data item included in the first data and send the resulting ciphertext to the software protection lock.
16. The system of claim 15, characterized in that the software protection lock is configured to verify and decrypt the ciphertext using the first digital certificate to obtain and save the at least one data item.
17. The system of claim 13, characterized in that the first data comprises a first salt value,
the encryption/decryption device is configured to write the first salt value obtained by decrypting the ciphertext of the first data into the second issuing device, and
the second issuing device is further configured to encrypt the first salt value to obtain a ciphertext of the first salt value and to send the ciphertext of the first salt value to the software protection lock.
18. The system of claim 13, characterized in that the first data comprises a first private key,
the encryption/decryption device is configured to obtain the first private key by decrypting the ciphertext of the first data, and
the second issuing device is further configured to encrypt the first private key to obtain a ciphertext of the first private key and to send the ciphertext of the first private key to the software protection lock.
19. The system of any one of claims 13 to 18, characterized in that the encryption device and the encryption/decryption device are encryption cards.
20. The system of any one of claims 13 to 18, characterized in that the first issuing system is a cloud issuing system or a hardware issuing system, and the second issuing system is a hardware issuing system or a cloud issuing system.
21. The system of any one of claims 13 to 18, characterized in that the software protection lock is a cloud user lock and/or a hardware user lock.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201710173982.8A CN106953917B (en) | 2017-03-22 | 2017-03-22 | Method of data synchronization and system
Publications (2)
Publication Number | Publication Date
---|---
CN106953917A (en) | 2017-07-14
CN106953917B (en) (this publication) | 2018-08-21
Family ID: 59473611
Family Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201710173982.8A (Active) CN106953917B (en) | 2017-03-22 | 2017-03-22 | Method of data synchronization and system
Country Status (1)
Country | Link
---|---
CN (1) | CN106953917B (en)
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN107391966B (en) * | 2017-07-21 | 2018-08-21 | 北京深思数盾科技股份有限公司 | A kind of method for protecting software, device and software protective lock
CN107204848B (en) * | 2017-07-25 | 2018-08-28 | 北京深思数盾科技股份有限公司 | A kind of method managing secret key data and the device for managing key data
CN107835162B (en) * | 2017-10-18 | 2019-06-11 | 北京深思数盾科技股份有限公司 | Software digital permit server gives the method and software digital permit server that permission is signed and issued in the license of software developer's software digital
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN102622538A (en) * | 2011-02-01 | 2012-08-01 | 中国电信股份有限公司 | Method and system for software licensing control
CN103906054A (en) * | 2012-12-28 | 2014-07-02 | 上海农业信息有限公司 | Method and system for authorization of software function modules of internet of things
CN105635082A (en) * | 2014-11-12 | 2016-06-01 | 北大方正集团有限公司 | Dynamic authorization method and system, authorization center, and authorization client
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US7085386B2 (en) * | 2001-12-07 | 2006-08-01 | Activcard | System and method for secure replacement of high level cryptographic keys in a personal security device
US7676846B2 (en) * | 2004-02-13 | 2010-03-09 | Microsoft Corporation | Binding content to an entity
US7503074B2 (en) * | 2004-08-27 | 2009-03-10 | Microsoft Corporation | System and method for enforcing location privacy using rights management
CN101141460B (en) * | 2007-08-20 | 2011-08-10 | 中兴通讯股份有限公司 | Permission control method and system of service function in cluster system
US8800049B2 (en) * | 2009-08-26 | 2014-08-05 | Avaya Inc. | Licensing and certificate distribution via secondary or divided signaling communication pathway
CN103595530B (en) * | 2012-08-17 | 2017-04-26 | 华为技术有限公司 | Software secret key updating method and device
CN103078858B (en) * | 2012-12-31 | 2015-08-26 | 上海同岩土木工程科技有限公司 | Based on the soft ware authorization trial method of web services and signing certificate
CN104392150B (en) * | 2014-10-28 | 2017-09-05 | 用友优普信息技术有限公司 | The superposing control apparatus and method of soft ware authorization
Also Published As
Publication number | Publication date
---|---
CN106953917A (en) | 2017-07-14
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
| CP01 | Change in the name or title of a patent holder | Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee after: Beijing Shendun Technology Co.,Ltd.; Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing; Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.