CN106953917B - Method of data synchronization and system - Google Patents

Publication number
CN106953917B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710173982.8A
Other languages
Chinese (zh)
Other versions
CN106953917A (en)
Inventor
孙吉平
钟灵剑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201710173982.8A
Publication of CN106953917A
Application granted
Publication of CN106953917B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a data synchronization method comprising: S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks; S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system; S3, the second issuing system decrypting the received ciphertext of the first data, the decrypted first data being used as data related to the digital licenses that the second issuing system issues to software protection locks. The invention also discloses a data synchronization system. With this scheme, when the first issuing system cannot be used or is inconvenient to use for issuing digital licenses, the second issuing system can issue them instead, which helps keep the issuing process running smoothly.

Description

Method of data synchronization and system
Technical field
The present invention relates to the field of data security, and in particular to a data synchronization method and system.
Background
A software encryption lock is a device used to protect target software. Traditional software encryption locks are hardware user locks, and the software developer uses a hardware control lock to authorize digital licenses for the target software to the hardware user locks. Nowadays many software encryption lock vendors have moved the encryption lock function to the cloud, where it becomes a cloud user lock; authorizations are likewise no longer issued with a traditional hardware control lock but with a cloud-hosted control lock.
However, once the software developer is in an environment where the network is abnormal or unavailable, it cannot use the cloud-hosted control lock to issue authorizations to cloud user locks or hardware user locks. In addition, some software developers are unwilling to disclose the company's cloud account information to too many employees.
Summary of the invention
In view of this, embodiments of the present invention provide a data synchronization method and system that allow different issuing systems to issue software digital licenses based on the same key data.
The data synchronization method provided by an embodiment of the present invention includes: S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks; S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system; S3, the second issuing system decrypting the received ciphertext of the first data, the decrypted first data being used as data related to the digital licenses that the second issuing system issues to software protection locks.
The data synchronization system provided by an embodiment of the present invention includes a first issuing system and a second issuing system. The first issuing system includes: a first issuing device, configured to issue digital licenses to software protection locks; an encryption device, configured to encrypt first data related to the digital licenses issued by the first issuing device; and a sending device, configured to store the ciphertext of the first data in a first device. The second issuing system includes: a second issuing device, configured to issue digital licenses to software protection locks; an acquisition device, configured to obtain the ciphertext of the first data from the first device; and an encryption/decryption device, configured to decrypt the ciphertext of the first data obtained by the acquisition device to obtain the first data, which is used as data related to the digital licenses issued by the second issuing device.
In the scheme provided by the embodiments of the present invention, when the first issuing system (including the cloud-hosted control lock) is created, the necessary key data is encrypted and saved in a database. When a customer requires it, the encrypted key data is sent to the second issuing system, which decrypts the key data and writes it into the second issuing device (for example, a hardware control lock). With this scheme, the cloud-hosted control lock and the hardware control lock hold the same key data, and a software developer with a specific need can use the hardware control lock to issue software digital licenses to hardware user locks or cloud user locks. The hardware control lock thus serves as a backup for the cloud-hosted control lock, so that the software developer can still issue software digital licenses to user locks when the network is abnormal or unavailable.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the data synchronization method of an embodiment of the present invention;
Fig. 2 is a schematic flow chart of one example of the specific steps of step S3 in Fig. 1;
Fig. 3 is a schematic flow chart of one example of the specific steps of step S32 in Fig. 2;
Fig. 4 is a schematic flow chart of another example of the specific steps of step S3 in Fig. 1;
Fig. 5 is a schematic flow chart of one example of the specific steps of step S34 in Fig. 4;
Fig. 6 is a schematic block diagram of the data synchronization system of an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of the data synchronization method of an embodiment of the present invention.
As shown in Fig. 1, the data synchronization method of the embodiment of the present invention includes:
S1, storing the ciphertext of first data in a first device, the first data being data related to the digital licenses that a first issuing system issues to software protection locks;
The first issuing system may be a cloud issuing system or a hardware issuing system. Taking a cloud issuing system as an example, it may include, for instance, a cloud-hosted control lock. The software protection lock may be a hardware user lock or a cloud user lock. The cloud-hosted control lock can issue digital licenses to cloud user locks and also to hardware user locks. The first data may include data related to the digital licenses issued by the cloud-hosted control lock, such as key data, configuration parameters and secure-communication data. The ciphertext of the first data may be stored in the first device when the cloud issuing system is created, or it may be stored there ad hoc after creation, when the network becomes unavailable during use or some other situation calls for the hardware issuing system. The first device here may be a cloud database or any type of removable storage device.
S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system;
When the second issuing system is created in order to provide the same function as the first issuing system, the ciphertext of the first data stored in the first device is sent to the second issuing system. The second issuing system may be a hardware issuing system or a cloud issuing system. Taking a hardware issuing system as an example, it may include, for instance, a hardware control lock. The hardware control lock can issue digital licenses to hardware user locks and also to cloud user locks.
S3, the second issuing system decrypting the received ciphertext of the first data, the decrypted first data being used as data related to the digital licenses that the second issuing system issues to software protection locks.
After receiving the ciphertext of the first data, the second issuing system decrypts it to obtain the first data and uses the first data as data related to the digital licenses issued to software protection locks. As a result, the data needed when the second issuing system issues a digital license, or when a digital license it has issued is used, is consistent with the data related to issuing or using the digital licenses issued by the first issuing system.
The embodiments of the present invention place no restriction on the type of device used in the first issuing system to encrypt the first data, or on the type of device used in the second issuing system to decrypt the ciphertext of the first data, as long as the device offers security comparable to that of the digital license issuing system. In one implementation, the device used for encryption in the first issuing system and the device used for decryption in the second issuing system may be encryption cards. For example, the first encryption card of the cloud issuing system and the second encryption card of the hardware issuing system are preloaded with a pair of keys that encrypt and decrypt for each other, the encryption key being stored in the first encryption card and the decryption key in the second encryption card. An encryption card ensures that a key can only be used inside the card: to encrypt or decrypt data, the data is passed into the card and processed there, which protects the key.
With the method of the embodiments of the present invention, the data related to issuing or using digital licenses is the same in the cloud-hosted control lock and in the hardware control lock. If the network is abnormal and the cloud-hosted control lock cannot be used, the hardware control lock can issue software digital licenses to hardware user locks or cloud user locks. When the network is normal, either the cloud-hosted control lock or the hardware control lock may be used to issue digital licenses to hardware user locks or cloud user locks. The hardware control lock thus serves as a backup for the cloud-hosted control lock, so that the software developer can still issue software digital licenses to user locks when the network is abnormal or unavailable.
In one embodiment of the invention, in step S3, after the second issuing system obtains and decrypts the ciphertext of the first data, it may encrypt the one or more data items contained in the first data, together or separately, and send the resulting ciphertext or ciphertexts to the software protection lock, which decrypts them to obtain and save the data items. In this way the second issuing system and the software protection locks it issues to hold consistent license-related data, and therefore the software protection locks issued to by the first issuing system and those issued to by the second issuing system also hold consistent license-related data, which ensures that the synchronized issuing operations of the two issuing systems produce consistent results.
In another embodiment of the invention, in step S3, after obtaining and decrypting the ciphertext of the first data and before sending any data ciphertext to the software protection lock, the second issuing system may first write a first digital certificate, applied for from the CA system, into the software protection lock. After the software protection lock successfully verifies the first digital certificate, the second issuing system encrypts at least one data item contained in the first data, together or separately, and sends the resulting ciphertext or ciphertexts to the software protection lock, which decrypts them to obtain and save the data items. As an example, the first digital certificate may contain the public key corresponding to the private key that the second issuing system uses when encrypting the at least one data item, so that the software protection lock can use the first digital certificate to verify and decrypt the ciphertext of the at least one data item and then save the result. This secures the transfer of license-related data from the second issuing system to the software protection lock while ensuring that the synchronized issuing operations of the two issuing systems produce consistent results.
Fig. 2 is a schematic flow chart of one example of the specific steps of step S3 in Fig. 1.
In the embodiment shown in Fig. 2, the first data may include a first salt value. The first salt value may, for example, take part in generating the key used to encrypt and decrypt software critical data, which is data necessary for the software to run and is usually stored securely in the software protection lock. In embodiments of the invention, for example, the first salt value may be assembled with digital license information or other predetermined data to generate the key for encrypting and decrypting the software's critical data. In step S31 of Fig. 2, the second issuing system may write the first salt value, one of the one or more data items obtained by decrypting the ciphertext of the first data, into the issuing device of the second issuing system; for example, the hardware issuing system writes the decrypted first salt value into the hardware control lock being produced. Then, in step S32, the issuing device may encrypt the first salt value with a private key and send the ciphertext of the first salt value to the software protection lock. With this embodiment, the issuing device of the first issuing system and the issuing device of the second issuing system hold the same salt value, and the software protection locks issued to by the first issuing system and those issued to by the second issuing system hold the same salt value as well.
Fig. 3 is a schematic flow chart of one example of the specific steps of step S32 in Fig. 2.
As shown in Fig. 3, step S32 of Fig. 2 may specifically include:
S321, writing the first digital certificate into the software protection lock;
The first digital certificate may be obtained by the second issuing device by applying to the CA system. For example, during manufacture the hardware control lock generates an RSA asymmetric key pair inside the lock. The private key never leaves the lock, to ensure security, and the public key information is used to generate a certificate signing request (CSR) file with which a certificate is requested from the CA system. The first digital certificate obtained in this way therefore contains the public key information of the hardware control lock. When a hardware user lock is produced, the hardware control lock writes the first digital certificate into the hardware user lock.
S322, the software protection lock verifying the first digital certificate;
A series of root certificates of the CA system are preset in the hardware user lock and can be used to verify the first digital certificate.
S323, if the software protection lock successfully verifies the first digital certificate, the issuing device sending the ciphertext of the first salt value to the software protection lock;
If the hardware user lock successfully verifies the first digital certificate against the preset root certificates, the hardware control lock sends the ciphertext of the first salt value to the hardware user lock. This ciphertext may be obtained by encrypting the first salt value with the hardware control lock's private key.
S324, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first salt value, obtaining the first salt value and saving it.
For example, the hardware user lock may use the hardware control lock's public key information in the first digital certificate to verify and decrypt the ciphertext of the first salt value received from the issuing device, obtaining the first salt value and saving it.
The embodiment of the present invention thus provides a process for securely writing the first salt value into a hardware user lock. Although a hardware user lock is used as the example here, a similar approach can be used to deliver the first salt value into a cloud user lock.
Fig. 4 is a schematic flow chart of another example of the specific steps of step S3 in Fig. 1.
In the embodiment shown in Fig. 4, the first data may include a first private key. The first private key may be a security key used to establish a secure communication channel while software runs on the basis of a digital license, for example to establish a directly or indirectly encrypted communication channel between the running software and the software protection lock. The second issuing system may encrypt the first private key obtained by decrypting the ciphertext of the first data and send the ciphertext of the first private key to the software protection lock. For example, after the hardware issuing system decrypts the ciphertext of the first data with a device such as an encryption card and obtains the first private key, the hardware control lock may re-encrypt the first private key with its own private key; when a hardware user lock is produced, the hardware control lock sends the ciphertext of the first private key to the hardware user lock, which decrypts it and stores the first private key. With this embodiment, software protection locks that receive digital licenses from the first issuing system and those that receive them from the second issuing system hold the same private key.
In one embodiment of the invention, the first data may include both the first salt value and the first private key. The steps shown in Fig. 2 can be combined with the steps shown in Fig. 4: after receiving the ciphertext of the first data, the second issuing system decrypts it to obtain the first salt value and the first private key, writes the first salt value into the issuing device of the second issuing system, encrypts the first private key and the first salt value together or separately, and sends the ciphertext to the software protection lock, which decrypts the received ciphertext to obtain and save the first private key and the first salt value.
In another embodiment, in addition to the ciphertext of the first data, a first public key may also be stored in the first device. The first public key and the first private key are a matching key pair, and the two are used together to establish a secure communication channel when software runs on the basis of a digital license, for example to encrypt the data transmitted when the protected software communicates with the software security system. The software security system may include a software license service application installed on the terminal device. For ease of use, the first public key can be compiled into the SDK (software development kit) that the digital license provider distributes to software developers.
In embodiments of the present invention, the first private key included in the first data may be, for example, an ECC private key computed with an ECC algorithm.
Fig. 5 is a schematic flow chart of one example of the specific steps of step S34 in Fig. 4.
In the embodiment shown in Fig. 5, step S34 of Fig. 4 may specifically include:
S341, writing the first digital certificate into the software protection lock;
The first digital certificate may be obtained by the second issuing device by applying to the CA system. For example, during manufacture the hardware control lock generates an RSA asymmetric key pair inside the lock. The private key never leaves the lock, to ensure security, and the public key information is used to generate a certificate signing request (CSR) file with which a certificate is requested from the CA system. The first digital certificate obtained in this way therefore contains the public key information of the hardware control lock. When a hardware user lock is produced, the hardware control lock writes the first digital certificate into the hardware user lock.
S342, the software protection lock verifying the first digital certificate;
A series of root certificates of the CA system are preset in the hardware user lock and can be used to verify the first digital certificate.
S343, if the software protection lock successfully verifies the first digital certificate, the issuing device sending the ciphertext of the first private key to the software protection lock.
If the hardware user lock successfully verifies the first digital certificate against the preset root certificates, the hardware control lock sends the ciphertext of the first private key to the hardware user lock. This ciphertext may be obtained by encrypting the first private key with the hardware control lock's private key.
S344, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first private key, obtaining the first private key and saving it.
The hardware user lock may use the hardware control lock's public key information in the first digital certificate to verify and decrypt the ciphertext of the first private key, obtaining the first private key and saving it.
The embodiment of the present invention thus provides a process for securely writing the first private key into a hardware user lock. Although a hardware user lock is used as the example here, a similar approach can be used to deliver the first private key into a cloud user lock.
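The certificate-gated delivery of Fig. 3 (S321 to S324) and Fig. 5 (S341 to S344), as an added example that is not code from the patent. Textbook RSA over fixed Mersenne primes stands in for the lock hardware and the CA system, and the payload layout, function names and sample salt value are assumptions made for this sketch.

```python
import hashlib
import hmac

E = 65537
TAG_LEN = 32  # SHA-256 digest appended to the payload before the private-key operation


def toy_keypair(p: int, q: int):
    """Textbook RSA key from two primes: returns (private, public) = ((n, d), (n, e))."""
    n = p * q
    return (n, pow(E, -1, (p - 1) * (q - 1))), (n, E)


# Constructed demo keys from Mersenne primes; a real lock generates random keys in hardware.
CA_PRIV, CA_ROOT = toy_keypair(2**1279 - 1, 2**2203 - 1)
CTRL_PRIV, CTRL_PUB = toy_keypair(2**521 - 1, 2**607 - 1)


def cert_digest(subject: str, pub) -> int:
    body = f"{subject}|{pub[0]:x}|{pub[1]:x}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def ca_issue(subject: str, pub, ca_priv=CA_PRIV) -> dict:
    """CA system: sign the control lock's public key (stands in for CSR handling)."""
    n, d = ca_priv
    return {"subject": subject, "pub": pub, "sig": pow(cert_digest(subject, pub), d, n)}


def cert_valid(cert: dict, root) -> bool:
    n, e = root
    return pow(cert["sig"], e, n) == cert_digest(cert["subject"], cert["pub"])


def private_encrypt(data: bytes, priv) -> int:
    """Control lock: private-key operation over 0x01 || data || SHA-256(data)."""
    n, d = priv
    m = int.from_bytes(b"\x01" + data + hashlib.sha256(data).digest(), "big")
    if m >= n:
        raise ValueError("payload too long for this key")
    return pow(m, d, n)


def public_recover(ciphertext: int, pub):
    """User lock: recover the payload with the certificate's key, or None if it fails."""
    n, e = pub
    m = pow(ciphertext, e, n)
    block = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if len(block) <= 1 + TAG_LEN or block[0] != 1:
        return None
    data, tag = block[1:-TAG_LEN], block[-TAG_LEN:]
    return data if hmac.compare_digest(hashlib.sha256(data).digest(), tag) else None


class UserLock:
    def __init__(self, preset_roots):
        self.roots = list(preset_roots)  # root certificates preset at manufacture
        self.cert = None
        self.stored = None

    def write_certificate(self, cert: dict) -> bool:
        """S321/S341 + S322/S342: keep the certificate only if a preset root vouches for it."""
        if any(cert_valid(cert, root) for root in self.roots):
            self.cert = cert
            return True
        return False

    def receive(self, ciphertext: int) -> bool:
        """S324/S344: verify and decrypt with the stored certificate, then save."""
        if self.cert is None:
            return False
        data = public_recover(ciphertext, self.cert["pub"])
        if data is None:
            return False
        self.stored = data
        return True


def provision(user_lock: UserLock, cert: dict, secret: bytes, ctrl_priv=CTRL_PRIV) -> bool:
    """Control-lock side: S323/S343 sends the ciphertext only after the lock accepts the cert."""
    if not user_lock.write_certificate(cert):
        return False
    return user_lock.receive(private_encrypt(secret, ctrl_priv))


FIRST_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample value

if __name__ == "__main__":
    cert = ca_issue("hardware-control-lock", CTRL_PUB)
    lock = UserLock([CA_ROOT])
    print("provisioned:", provision(lock, cert, FIRST_SALT), lock.stored == FIRST_SALT)
    forged = dict(cert, pub=(CTRL_PUB[0] + 2, E))  # key swapped, CA signature kept
    print("forged cert accepted:", UserLock([CA_ROOT]).write_certificate(forged))
```

Because recovery needs only the public key carried in the certificate, this step tells the user lock where the salt value or private key came from; it does not by itself keep the value secret from other holders of that certificate.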
Fig. 6 is the schematic block diagram of the data synchronous system of the embodiment of the present invention.
As shown in figure 4, the data synchronous system of the embodiment of the present invention may include first signing and issuing system 10 and second and signing and issuing System 20, first, which signs and issues system 10 and second, signs and issues system 20 and can be connected to the first equipment 30.
First to sign and issue system 10 may include first signing and issuing equipment 11, encryption device 12 and sending device 13.First signs and issues Equipment 11 is configured to sign and issue digital permission to software protective lock, and encryption device 12 is configured to that the number that equipment is signed and issued will be signed and issued with first Word permits relevant first data encryption, sending device 13 to be configured to the ciphertext of the first data being sent in the first equipment 30 and deposit Storage.
Second to sign and issue system 20 may include second signing and issuing equipment 21, ciphering and deciphering device 22 and acquisition device 23.Second label Hair equipment 21 is configured to sign and issue digital permission to software protective lock, and acquisition device 23 is configured to obtain the first number from the first equipment 30 According to ciphertext, the ciphertext that ciphering and deciphering device 22 is configured to the first data obtained to acquisition device 23 is decrypted to obtain the first number According to the first data sign and issue system by second and are used as signing and issuing the relevant data of digital permission that equipment 21 is signed and issued with second.
In embodiments of the present invention, first to sign and issue system can be that system is signed and issued in high in the clouds or hardware signs and issues system.With high in the clouds For signing and issuing system, high in the clouds signs and issues system and may include such as cloud trustship control lock.Software protective lock can be hardware user lock It can be cloud user lock.Cloud trustship control lock can be used for signing and issuing digital permission to cloud user lock, can also be used to hardware User's lock signs and issues digital permission.First data may include such as key data, configuration parameter, secure communication related data with The relevant data of digital permission that cloud trustship control lock is signed and issued.First equipment 30 can be cloud database or any kind of Movable storage device.
In embodiments of the present invention, second to sign and issue system can be that hardware signs and issues system or system is signed and issued in high in the clouds.With hardware For signing and issuing system, hardware signs and issues system and may include such as hardware controls lock.Hardware controls lock can be used for locking to hardware user Digital permission is signed and issued, can also be used to sign and issue digital permission to cloud user lock.
In embodiments of the present invention, the first encryption device 12 and second signed and issued in system 10 signs and issues in system 20 plus solution Close device 22 can be encrypted card.For example, the first encrypted card of system is signed and issued in high in the clouds and hardware signs and issues the second encrypted card of system In prestore it is a pair of can encryption and decryption mutually key, wherein for encrypted key storage in the first encrypted card, for decryption Key storage is in the second encrypted card.
System through the embodiment of the present invention, hardware controls lock can sign and issue software digital with buyun trustship control lock and be permitted It can so that software developer can be still that user's lock signs and issues software digital license under Network Abnormal or without network environment.
In one embodiment of the invention, the second issuing device 21 may be configured to encrypt one or more data items included in the first data, together or separately, and to send the resulting ciphertext or ciphertexts to the software protection lock, which decrypts them to obtain and store the data items. In this way the second issuing system and the software protection locks it issues to hold consistent license-related data, so that the software protection locks served by the first issuing system and those served by the second issuing system hold consistent license-related data, ensuring that the results of the two issuing systems' synchronized issuing operations are consistent.
In another embodiment, the second issuing device 21 may be configured so that, after the ciphertext of the first data has been obtained and decrypted and before any data ciphertext is sent to the software protection lock, it first writes a first digital certificate, applied for from a CA system, into the software protection lock. Only after the software protection lock has successfully verified the first digital certificate does it encrypt at least one data item included in the first data, together or separately, and send the resulting ciphertext or ciphertexts to the software protection lock, which decrypts them to obtain and store the data items. As an example, the first digital certificate may contain the public key corresponding to the private key that the second issuing system uses when encrypting the at least one data item, so that the software protection lock can use the first digital certificate to verify and decrypt the ciphertext of the at least one data item and store the result. This secures the transfer of license-related data from the second issuing system to the software protection lock while ensuring that the results of the two issuing systems' synchronized issuing operations are consistent.
In one embodiment of the invention, the first data may include a first salt value, which may, for example, take part in generating the key used to encrypt and decrypt critical data of a piece of software. The encryption/decryption device 22 may be configured to write the first salt value, obtained by decrypting the ciphertext of the first data, into the second issuing device 21. The second issuing device 21 may be further configured to encrypt the first salt value to obtain its ciphertext and to send the ciphertext of the first salt value to the software protection lock. In this embodiment, the first issuing device 11 of the first issuing system 10 and the second issuing device 21 of the second issuing system 20 hold the same salt value.
In another embodiment, the first data includes a first private key used to establish a secure channel when software runs under a digital license. The encryption/decryption device 22 may be configured to obtain the first private key by decrypting the ciphertext of the first data, and the second issuing device 21 may be further configured to encrypt the first private key obtained from the encryption/decryption device 22 and send the ciphertext of the first private key to the software protection lock. In this embodiment, software protection locks licensed by the first issuing system 10 and software protection locks licensed by the second issuing system 20 hold the same private key.
In embodiments of the present invention, the second issuing device 21 may be configured to write the first digital certificate into the software protection lock, and to send the ciphertext of the first private key to the software protection lock only after the lock has successfully verified the first digital certificate. For example, the first digital certificate may be obtained by the second issuing device 21 applying to the CA system. For instance, during manufacture the hardware control lock generates an RSA asymmetric key pair inside the lock. The private key never leaves the lock, to ensure security, and the public key information is used to generate a certificate signing request (CSR) that is submitted to the CA system to obtain the first digital certificate, so the hardware control lock's public key information is contained in the first digital certificate. During production of a hardware user lock, the hardware control lock writes the first digital certificate into the hardware user lock. The hardware user lock is preloaded with a series of root certificates of the CA system, which can be used to verify the first digital certificate. If the hardware user lock successfully verifies the first digital certificate against the preset root certificates, the hardware control lock sends the ciphertext of the first private key to the hardware user lock; this ciphertext is obtained by encrypting the first private key with the hardware control lock's private key. The hardware user lock then uses the hardware control lock's public key information in the first digital certificate to verify and decrypt the ciphertext of the first private key, obtaining the first private key and storing it.
The embodiments of the present invention thus provide a process for securely writing the first private key and/or the first salt value into a hardware user lock. Although a hardware user lock is used as the example here, a similar approach can be used to send the first private key into a cloud user lock.
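The certificate-gated transfer described above, from CSR to acceptance in the user lock, as an added Go example (not code from the patent). It assumes RSA-PSS signing in place of the patent's "encrypt with the control lock's private key" step and treats the payload as opaque, already-wrapped bytes, because a signature authenticates the sender but does not hide the data; `NewRoot`, `NewControlLock`, `Sign` and `Accept` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // key or certificate setup failures abort the demo
	if err != nil {
		panic(err)
	}
}
func must[T any](v T, err error) T { check(err); return v }

// certify issues a one-day certificate for pub, signed by signer (parent == tmpl: self-signed).
func certify(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// NewRoot stands in for the CA system whose root certificate is preset in user locks.
func NewRoot(cn string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return certify(tmpl, tmpl, &key.PublicKey, key), key
}

// NewControlLock generates the control lock's RSA pair, builds a CSR and has the CA certify it.
func NewControlLock(root *x509.Certificate, caKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "control-lock-demo"}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	check(csr.CheckSignature()) // CA side: the requester must hold the private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject}
	return key, certify(tmpl, root, csr.PublicKey, caKey)
}

// Sign is the control lock authenticating an opaque payload with its private key (RSA-PSS).
func Sign(key *rsa.PrivateKey, blob []byte) []byte {
	h := sha256.Sum256(blob)
	return must(rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil))
}

// Accept is the user lock: certificate first, payload second, storage only if both verify.
func Accept(cert *x509.Certificate, blob, sig []byte, presetRoots ...*x509.Certificate) ([]byte, error) {
	pool := x509.NewCertPool()
	for _, r := range presetRoots {
		pool.AddCert(r)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(blob)
	if !ok || rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) != nil {
		return nil, fmt.Errorf("payload signature rejected")
	}
	return append([]byte(nil), blob...), nil
}

func main() {
	root, caKey := NewRoot("demo-root")
	key, cert := NewControlLock(root, caKey)
	blob := []byte("constructed wrapped-key blob")
	fmt.Println(Accept(cert, blob, Sign(key, blob), root)) // payload bytes, then <nil>
}
```

A certificate issued under a root that is not preset in the lock, or a payload altered after signing, is rejected before anything is stored.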
Several embodiments of the present invention have been described above, but the invention is not limited to these specific embodiments. Numerous modifications and variations may be made to the embodiments without departing from the inventive concept, and all such modifications and variations fall within the scope claimed by this application.

Claims (21)

1. A data synchronization method, characterized by comprising:
S1, storing the ciphertext of first data in a first device, the first data being data related to the issuing or use of digital licenses issued by a first issuing system to a software protection lock;
S2, when a second issuing system is created, sending the ciphertext of the first data stored in the first device to the second issuing system;
S3, the second issuing system decrypting the received ciphertext of the first data, the decrypted first data being used as data related to the issuing or use of digital licenses issued by the second issuing system to a software protection lock.
2. The method of claim 1, characterized in that step S3 further comprises:
the second issuing system encrypting at least one data item included in the first data and sending the resulting ciphertext to the software protection lock.
3. The method of claim 1, characterized in that step S3 further comprises:
the issuing device of the second issuing system writing a first digital certificate into the software protection lock and, after the software protection lock has successfully verified the first digital certificate, encrypting at least one data item included in the first data and sending the resulting ciphertext to the software protection lock.
4. The method of claim 3, characterized in that step S3 further comprises:
the software protection lock using the first digital certificate to verify and decrypt the ciphertext, obtaining the at least one data item and storing it.
5. The method of claim 1, characterized in that the first data includes a first salt value, and step S3 further comprises:
S31, writing the first salt value obtained by the decryption into the issuing device of the second issuing system;
S32, encrypting the first salt value to obtain the ciphertext of the first salt value, and sending the ciphertext of the first salt value to the software protection lock.
6. The method of claim 5, characterized in that step S32 specifically comprises:
S321, writing the first digital certificate into the software protection lock;
S322, the software protection lock verifying the first digital certificate;
S323, if the software protection lock successfully verifies the first digital certificate, sending the ciphertext of the first salt value to the software protection lock;
S324, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first salt value, obtaining the first salt value and storing it.
7. The method of claim 1, characterized in that the first data includes a first private key, and step S3 comprises:
S33, obtaining the first private key by the decryption;
S34, encrypting the decrypted first private key to obtain the ciphertext of the first private key, and sending the ciphertext of the first private key to the software protection lock.
8. The method of claim 7, characterized in that step S34 specifically comprises:
S341, writing the first digital certificate into the software protection lock;
S342, the software protection lock verifying the first digital certificate;
S343, if the software protection lock successfully verifies the first digital certificate, sending the ciphertext of the first private key to the software protection lock;
S344, the software protection lock using the first digital certificate to verify and decrypt the ciphertext of the first private key, obtaining the first private key and storing it.
9. The method of claim 4, characterized in that a first public key is also stored in the first device, the first public key and the first private key being a matching key pair.
10. The method of any one of claims 1-9, characterized in that the first issuing system includes a first encryption card and the second issuing system includes a second encryption card, the first encryption card storing the key used to encrypt the first data and the second encryption card storing the key used to decrypt the ciphertext of the first data.
11. The method of any one of claims 1-9, characterized in that the first issuing system is a cloud issuing system or a hardware issuing system, and the second issuing system is a hardware issuing system or a cloud issuing system.
12. The method of any one of claims 1-9, characterized in that the software protection lock is a hardware user lock and/or a cloud user lock.
13. A data synchronization system, characterized by comprising a first issuing system and a second issuing system,
the first issuing system comprising:
a first issuing device configured to issue digital licenses to a software protection lock;
an encryption device configured to encrypt first data related to the issuing or use of the digital licenses issued by the first issuing device; and
a sending device configured to store the ciphertext of the first data in a first device;
the second issuing system comprising:
a second issuing device configured to issue digital licenses to a software protection lock;
an acquisition device configured to obtain the ciphertext of the first data from the first device;
an encryption/decryption device configured to decrypt the ciphertext of the first data obtained by the acquisition device to obtain the first data, the first data being used as data related to the issuing or use of digital licenses issued by the second issuing device.
14. The system of claim 13, characterized in that the second issuing device is configured to encrypt at least one data item included in the first data and send the resulting ciphertext to the software protection lock.
15. The system of claim 13, characterized in that the second issuing device is configured to write a first digital certificate into the software protection lock and, after the software protection lock has successfully verified the first digital certificate, to encrypt at least one data item included in the first data and send the resulting ciphertext to the software protection lock.
16. The system of claim 15, characterized in that the software protection lock is configured to use the first digital certificate to verify and decrypt the ciphertext, obtaining the at least one data item and storing it.
17. The system of claim 13, characterized in that the first data includes a first salt value,
the encryption/decryption device is configured to write the first salt value, obtained by decrypting the ciphertext of the first data, into the second issuing device,
and the second issuing device is further configured to encrypt the first salt value to obtain the ciphertext of the first salt value and to send the ciphertext of the first salt value to the software protection lock.
18. The system of claim 13, characterized in that the first data includes a first private key,
the encryption/decryption device is configured to obtain the first private key by decrypting the ciphertext of the first data,
and the second issuing device is further configured to encrypt the first private key to obtain the ciphertext of the first private key and to send the ciphertext of the first private key to the software protection lock.
19. The system of any one of claims 13-18, characterized in that the encryption device and the encryption/decryption device are encryption cards.
20. The system of any one of claims 13-18, characterized in that the first issuing system is a cloud issuing system or a hardware issuing system, and the second issuing system is a hardware issuing system or a cloud issuing system.
21. The system of any one of claims 13-18, characterized in that the software protection lock is a cloud user lock and/or a hardware user lock.
CN201710173982.8A 2017-03-22 2017-03-22 Method of data synchronization and system Active CN106953917B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710173982.8A CN106953917B (en) 2017-03-22 2017-03-22 Method of data synchronization and system


Publications (2)

Publication Number Publication Date
CN106953917A CN106953917A (en) 2017-07-14
CN106953917B true CN106953917B (en) 2018-08-21

Family

ID=59473611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710173982.8A Active CN106953917B (en) 2017-03-22 2017-03-22 Method of data synchronization and system

Country Status (1)

Country Link
CN (1) CN106953917B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
