CN108199838A - A kind of data guard method and device - Google Patents

Publication number
CN108199838A
Authority
CN
China
Legal status
Granted
Application number
CN201810097277.9A
Other languages
Chinese (zh)
Other versions
CN108199838B (en)
Inventor
孙吉平
念龙龙
Current Assignee
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network


Abstract

The invention discloses a data protection method applied to a sender client, the method comprising: logging on to a server, generating and storing a first key in a first hardware array provided at the server, and generating and storing in the first hardware array, for a first recipient, a first digital permission to the first key; and encrypting data to generate a first data ciphertext and sending the first data ciphertext to the first recipient, wherein the first key is a key required when the first data ciphertext is decrypted. The invention also discloses data protection methods applied respectively to the server and to a recipient client, and data protection devices. The data protection scheme of the present invention can effectively prevent intrusion by hackers, avoid leakage of data, and ensure the security of data.

Description

A kind of data guard method and device
Technical field
The present invention relates to the field of information security technology, and more particularly to a data protection method and device.
Background
With the development of the Internet, various cloud office collaboration systems have come into being. The cloud office model essentially uses cloud computing technology so that employees can work from any place with network access, while the enterprise can at any time be split into units with a person as the basic unit and recombined for collaboration at any time.
However, while the development of Internet technology brings convenience and efficiency, it also increases the risk to data security. For cloud office computing technology based on Internet technology to develop in a healthy way, the security of data as it circulates freely must be continually improved, to meet the requirements of the cloud office era.
Summary of the invention
In view of this, the embodiments of the present invention propose a data protection method and device that can improve data security.
To this end, an embodiment of the present invention provides a data protection method applied to a sender client, comprising: logging on to a server, generating and storing a first key in a first hardware array provided at the server, and generating and storing in the first hardware array, for a first recipient, a first digital permission to the first key; and encrypting data to generate a first data ciphertext and sending the first data ciphertext to the first recipient, wherein the first key is a key required when the first data ciphertext is decrypted.
Preferably, the first data ciphertext is obtained by encrypting the data with a second key, and the method further comprises: encrypting the second key with the first key to obtain a first ciphertext of the second key, and sending the first ciphertext of the second key to the first recipient.
Preferably, the first data ciphertext is obtained by encrypting the data with a second key, and the method further comprises: combining a first sub-key and a second sub-key into the second key, the first key being the key required to obtain the second sub-key; encrypting the first sub-key with the first recipient's public key to generate a first ciphertext of the first sub-key; and sending the first ciphertext of the first sub-key to the first recipient.
Preferably, the second sub-key is the first key.
Preferably, the method further comprises: encrypting the second sub-key with the first key to generate a first ciphertext of the second sub-key; and sending the first ciphertext of the second sub-key to the first recipient.
Preferably, the second sub-key is a random number generated in the first hardware array.
Preferably, the method further comprises: sending identification information of the first digital permission to the first recipient.
An embodiment of the present invention further provides a data protection device comprising a processor, the processor executing predetermined computer instructions to perform the data protection method of the sender client of any of the above embodiments.
An embodiment of the present invention further provides a data protection method applied to a server, the server being provided with a hardware array, the method comprising: based on a first service request received from a sender, generating and storing a first key in a first hardware array, and generating and storing in the first hardware array, for a first recipient, a first digital permission to the first key; and, on receiving a key use request from the first recipient, checking whether the first digital permission stored in the first hardware array is in a valid state, and if so allowing the first recipient to use the first key when decrypting a first data ciphertext obtained from the sender, and otherwise forbidding the first recipient from using the first key.
Preferably, allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises: in the first hardware array, decrypting with the first key a first ciphertext of a second key that the first recipient obtained from the sender, to obtain the second key for decrypting the first data ciphertext, and, in the first hardware array, encrypting the second key with the first recipient's public key and sending it to the first recipient.
Preferably, allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises: in the first hardware array, encrypting the first key with the first recipient's public key and sending it to the first recipient, so that the first recipient generates, based on the first key, a second key for decrypting the first data ciphertext.
Preferably, allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises: in the first hardware array, decrypting with the first key a first ciphertext of a second sub-key that the first recipient obtained from the sender, to obtain the second sub-key, and, in the first hardware array, encrypting the second sub-key with the first recipient's public key and sending it to the first recipient, so that the first recipient generates, based on the second sub-key, a second key for decrypting the first data ciphertext.
Preferably, the first key is a random number generated in the first hardware array.
Preferably, the key use request includes identification information of the first digital permission, and the method further comprises: determining, based on the identification information of the first digital permission, the first digital permission to be checked in the first hardware array.
An embodiment of the present invention further provides a data protection device comprising a processor, the processor executing predetermined computer instructions to perform the data protection method of the server of any of the above embodiments.
An embodiment of the present invention further provides a data protection method applied to a recipient client, the method comprising: on receiving a first data ciphertext from a sender, sending to a server a key use request for a first key, to trigger the server to check, based on the key use request, in a first hardware array provided at the server, whether a first digital permission to the first key that the sender generated for the first recipient is in a valid state; and, when the server finds in the first hardware array that the first digital permission is in a valid state, using the first key stored in the first hardware array when decrypting the first data ciphertext.
Preferably, the method further comprises: receiving a first ciphertext of a second key from the sender, wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: sending the first ciphertext of the second key to the server and receiving a second ciphertext of the second key from the server, and decrypting the second ciphertext of the second key with the first recipient's private key to obtain the second key for decrypting the first data ciphertext, wherein the second ciphertext of the second key is obtained by the server encrypting the second key with the first recipient's public key in the first hardware array, and the second key is obtained by the server decrypting the first ciphertext of the second key with the first key in the first hardware array.
Preferably, the method further comprises: receiving a first ciphertext of a first sub-key from the sender, and decrypting the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key, wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: receiving a first ciphertext of the first key from the server, decrypting the first ciphertext of the first key with the first recipient's private key to obtain the first key, and combining the first sub-key and the first key into a second key for decrypting the first data ciphertext, the first ciphertext of the first key being obtained by the server encrypting the first key with the first recipient's public key in the first hardware array.
Preferably, the method further comprises: receiving a first ciphertext of a first sub-key and a first ciphertext of a second sub-key from the sender, and decrypting the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key, wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: sending the first ciphertext of the second sub-key to the server and receiving a second ciphertext of the second sub-key from the server, decrypting the second ciphertext of the second sub-key with the first recipient's private key to obtain the second sub-key, and combining the first sub-key and the second sub-key into a second key for decrypting the first data ciphertext, wherein the second ciphertext of the second sub-key is obtained by the server encrypting the second sub-key with the first recipient's public key in the first hardware array, and the second sub-key is obtained by the server decrypting the first ciphertext of the second sub-key with the first key in the first hardware array.
Preferably, the key use request includes identification information of the first digital permission, so that the server determines, based on the identification information of the first digital permission, the first digital permission to be checked in the first hardware array.
An embodiment of the present invention further provides a data protection device comprising a processor, the processor executing predetermined computer instructions to perform the data protection method of the recipient client of any of the above embodiments.
The data protection scheme of the embodiments of the present invention can effectively prevent intrusion by hackers, avoid leakage of data, and ensure the security of data.
Description of the drawings
Fig. 1 is a schematic flow chart of one embodiment of the data protection method of the present invention;
Fig. 2 is a schematic flow chart of another embodiment of the data protection method of the present invention;
Fig. 3 is a schematic flow chart of another embodiment of the data protection method of the present invention;
Fig. 4 is a schematic flow chart of one embodiment of the data protection method of the present invention;
Fig. 5 is a schematic flow chart of another embodiment of the data protection method of the present invention;
Fig. 6 is a schematic flow chart of one embodiment of the data protection method of the present invention;
Fig. 7 is a schematic flow chart of another embodiment of the data protection method of the present invention;
Fig. 8 is a schematic flow chart of a further embodiment of the data protection method of the present invention;
Fig. 9 is a schematic flow chart of another embodiment of the data protection method of the present invention.
Detailed description
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of one embodiment of the data protection method of the present invention. The data protection method of this embodiment is applied to a sender client.
As shown in Fig. 1, the data protection method of this embodiment includes:
S101: log on to the server, generate and store a first key in the first hardware array provided at the server, and generate and store in the first hardware array, for the first recipient, a first digital permission to the first key;
S102: encrypt the data to generate a first data ciphertext, and send the first data ciphertext to the first recipient, the first key being a key required when the first data ciphertext is decrypted.
In this embodiment, the data sender encrypts the data that is to be sent to the first recipient to generate the first data ciphertext, and the key data needed to decrypt the first data ciphertext is forwarded via the server.
When the sender encrypts the data it may use more than one key, including the first key, and there are various ways of encrypting: for example, first encrypting the data with the first recipient's public key and then applying a second layer of encryption to the data ciphertext with the first key; first encrypting the data with the first key and then applying a second layer of encryption to the data ciphertext with the first recipient's public key; encrypting different parts of the data with the first key and the first recipient's public key respectively; and so on.
When the sender user needs to encrypt data with the first key, the user first logs on over the network to the server that provides services such as key forwarding and, while remaining logged on to the server, generates the first key in the first hardware array provided at the server. The first hardware array is provided at the server specifically to provide services such as key forwarding.
The first hardware array can be implemented, for example, by an encryption lock array. Each encryption lock that makes up the encryption lock array is connected to a service data processing device of the server. A key service request that the server's Internet access device receives from the sender client can be sent to the service data processing device, which assigns a random available encryption lock in the encryption lock array to the service request; the sender that made the request can then generate the first key in that encryption lock by remote operation. To the sender, the first hardware array as a whole is a single hardware device: the sender does not know, and does not need to know, which unit of the first hardware array it is operating on. After the sender has generated the first key by remote operation on the server's first hardware array, the server can encrypt the first key with the sender's public key and send it to the sender, and the sender obtains the first key by decrypting the first key ciphertext with the corresponding private key.
After generating the first key in the first hardware array, the sender continues to operate in the first hardware array and generates there, for the first recipient, a digital permission file for the first key; for ease of description, the digital permission file generated for the first recipient is called the first digital permission. The first digital permission file can include the permission information that the sender sets for the first recipient, including the deadline by which, the time period during which, and the number of times the first recipient may use the first key, and so on. The first key and the first digital permission are stored in association in the first hardware array.
After the first key and the first digital permission have been created in the first hardware array, the sender encrypts the data with the first key, or with multiple keys including the first key, to generate the first data ciphertext, and sends the first data ciphertext to the first recipient.
After receiving the first data ciphertext from the sender, the first recipient can submit a key use request to the server. The server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state, and determines, according to whether the first digital permission is in a valid state, whether to allow the first recipient to use the first key.
With the data protection method of this embodiment, the first key that the sender uses when encrypting data for the first recipient and the first digital permission issued for the first recipient are generated and stored in the server's first hardware array. The first hardware array can effectively prevent hackers from breaking in and stealing the sensitive data, namely the first key and the first digital permission, which avoids leakage of the user's sensitive data and ensures the security of user data.
Fig. 2 is a schematic flow chart of another embodiment of the data protection method of the present invention. In this embodiment, the first data ciphertext is obtained by encrypting the data with a second key, and the first key is used to encrypt the second key to generate a key ciphertext.
As shown in Fig. 2, the data protection method of this embodiment includes:
S201: log on to the server, generate and store a first key in the first hardware array provided at the server, and generate and store in the first hardware array, for the first recipient, a first digital permission to the first key;
S202: encrypt the data with a second key to generate the first data ciphertext, and encrypt the second key with the first key to obtain a first ciphertext of the second key;
S203: send the first ciphertext of the second key and the first data ciphertext to the first recipient.
In this embodiment, when encrypting the data to be sent to the first recipient, the sender encrypts the data with the second key to generate the first data ciphertext. After logging on to the server and generating the first key and its first digital permission in the first hardware array, the sender encrypts the second key with the first key returned from the server to generate the first ciphertext of the second key, and sends the first data ciphertext and the first ciphertext of the second key to the first recipient.
On receiving the first data ciphertext and the first ciphertext of the second key from the sender, the first recipient submits a key use request to the server. The server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state; if it is valid, the server decrypts the first ciphertext of the second key for the first recipient with the first key, so that the first recipient can obtain the second key and decrypt the first data ciphertext.
Fig. 3 is a schematic flow chart of another embodiment of the data protection method of the present invention.
As shown in Fig. 3, the data protection method of this embodiment includes:
S301: log on to the server, generate and store a first key in the first hardware array provided at the server, and generate and store in the first hardware array, for the first recipient, a first digital permission to the first key;
S302: combine a first sub-key and a second sub-key into a second key, and encrypt the data with the second key to generate the first data ciphertext, the first key being the key required to obtain the second sub-key;
S303: encrypt the first sub-key with the first recipient's public key to generate a first ciphertext of the first sub-key;
S304: send the first data ciphertext and the first ciphertext of the first sub-key to the first recipient.
In this embodiment, the sender likewise encrypts the data with the second key to generate the first data ciphertext. The difference from the embodiment shown in Fig. 2 is that in this embodiment the second key is made up of two parts, the first sub-key and the second sub-key. The sender encrypts the first sub-key with the first recipient's public key to generate the first ciphertext of the first sub-key, and sends the first ciphertext of the first sub-key and the first data ciphertext to the first recipient.
In this embodiment, the first key is the key that the first recipient needs in order to obtain the second sub-key. On receiving the first data ciphertext and the first ciphertext of the first sub-key from the sender, the first recipient can decrypt the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key, but must also submit a key use request to the server in order to obtain the second sub-key by means of the first key. On receiving the first recipient's key use request, the server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state; if it is valid, the server allows the first recipient to obtain the second sub-key by using the first key, so that the first recipient can generate the second key by combining the first sub-key and the second sub-key and decrypt the first data ciphertext with the second key.
In one embodiment of the present invention, the second sub-key can be the first key itself. The key use request that the first recipient sends to the server can carry the first sub-key, and the first sub-key carried in the key use request can be encrypted with the server's public key to ensure the security of the data in transit. On receiving the key use request, when the server finds in the first hardware array that the first recipient's first digital permission for the first key is valid, it can combine the first sub-key, extracted from the key use request and decrypted, with the first key stored in the first hardware array into the second key, encrypt the second key with the first recipient's public key, and send it to the first recipient.
In another embodiment, in addition to encrypting the data with the second key to obtain the first data ciphertext and encrypting the first sub-key with the first recipient's public key to obtain the first ciphertext of the first sub-key, the sender also encrypts the second sub-key with the first key to generate a first ciphertext of the second sub-key, and then sends the first data ciphertext, the first ciphertext of the first sub-key and the first ciphertext of the second sub-key to the first recipient. After receiving these data, the first recipient sends a key use request to the server, and the first ciphertext of the second sub-key can be carried in the key use request. After receiving the first recipient's key use request, the server first confirms whether the first recipient's first digital permission for the first key is stored in the first hardware array and whether the first digital permission is in a valid state; if so, it extracts the first ciphertext of the second sub-key from the key use request, decrypts it with the first key to obtain the second sub-key, encrypts the second sub-key with the first recipient's public key, and returns it to the first recipient. After obtaining the second sub-key from the server, the first recipient combines the first sub-key and the second sub-key to generate the second key, and decrypts the first data ciphertext with the second key.
In the above embodiments of the present invention, the first key or the second sub-key can be a random number that the sender generates in the first hardware array; combining the random number generation mechanism with the hardware array can further improve the security of the key data.
In the embodiments of the present invention, after generating the first digital permission for the first recipient in the server's first hardware array, the sender can send the identification information of the first digital permission to the first recipient. When the first recipient sends a key use request to the server to request use of the first key, it can carry the identification information of the first digital permission in the key use request, so that the server can look up, based on the identification information, whether the first hardware array holds a first digital permission associated with the first key that the first recipient is requesting to use. Besides this approach, the server can also assign other identification information to the digital permissions that the sender generates for different recipients and return it to the sender, and the first recipient can request use of the first key from the server based on the identification information obtained from the sender.
An embodiment of the present invention further provides a data protection device, which can be implemented by a terminal device comprising a processor and a memory; the processor can be configured to run predetermined computer instructions stored in the memory to perform the data protection method applied to a sender client in any of the above embodiments.
Fig. 4 is a schematic flowchart of one embodiment of the data protection method of the present invention. The data protection method of this embodiment is applied to the server, and a hardware array providing a key service is set up at the server.
As shown in Fig. 4, the data protection method of this embodiment includes:
S401, based on a first service request received from the sender, generate and store the first key in the first hardware array, and generate and store in the first hardware array the first digital permission for the first key for the first recipient;
S402, when a key use request is received from the first recipient, check whether the first digital permission stored in the first hardware array is in a valid state;
S403, if the first digital permission is valid, allow the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender;
S404, if the first digital permission is invalid, forbid the first recipient from using the first key.
In this embodiment, when the sender user needs to use the first key to encrypt data to be sent to the first recipient, the sender logs on over the network to the server that provides services such as key forwarding and, while remaining logged on, generates the first key in the first hardware array set at the server and generates, in the first hardware array, the first digital permission for the first key for the first recipient.
After receiving the first data ciphertext from the sender, the first recipient can submit a key use request to the server. The server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state, and decides on that basis whether to allow the first recipient to use the first key.
With the data protection method of this embodiment, the first key that the sender uses when encrypting data for the first recipient and the first digital permission issued to the first recipient are both generated and stored in the first hardware array of the server. The first hardware array can effectively prevent hackers from stealing sensitive data such as the first key and the first digital permission, which avoids leakage of the user's sensitive data and safeguards the security of user data.
In one embodiment of the invention, allowing the first recipient in S403 to use the first key when decrypting the first data ciphertext obtained from the sender can mean that the server, in the first hardware array, uses the first key to decrypt the first ciphertext of the second key that the first recipient obtained from the sender, obtaining the second key used to decrypt the first data ciphertext, and then encrypts the second key with the first recipient's public key in the first hardware array and sends it to the first recipient.
In one embodiment of the invention, allowing the first recipient in S403 to use the first key when decrypting the first data ciphertext obtained from the sender can mean that the server, in the first hardware array, encrypts the first key with the first recipient's public key and sends it to the first recipient, so that the first recipient can obtain, based on the first key, the second key used to decrypt the first data ciphertext.
In another embodiment, allowing the first recipient in S403 to use the first key when decrypting the first data ciphertext obtained from the sender can mean that the server, in the first hardware array, uses the first key to decrypt the first ciphertext of the second sub-key that the first recipient obtained from the sender, obtaining the second sub-key, and then encrypts the second sub-key with the first recipient's public key in the first hardware array and sends it to the first recipient, so that the first recipient can generate, based on the second sub-key, the second key used to decrypt the first data ciphertext.
In the above embodiments of the present invention, the first key or the second sub-key can be a random number generated by the sender in the first hardware array. Combining the random number generation mechanism with the hard disk array can further improve the security of the key data.
Fig. 5 is a schematic flowchart of another embodiment of the data protection method of the present invention.
As shown in Fig. 5, the data protection method of this embodiment includes:
S501, based on a first service request received from the sender, generate and store the first key in the first hardware array, and generate and store in the first hardware array the first digital permission for the first key for the first recipient;
S502, when a key use request is received from the first recipient, check, based on the digital permission identification information in the key use request, whether the first digital permission in the first hardware array is in a valid state;
S503, if the first digital permission is valid, allow the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender;
S504, if the first digital permission is invalid, forbid the first recipient from using the first key.
In this embodiment, after the sender generates the first digital permission for the first recipient in the first hardware array of the server, the identification information of the first digital permission can be sent to the first recipient. When the first recipient sends a key use request to the server to request use of the first key, it can carry the identification information of the first digital permission in the key use request, so that the server can look up, based on the identification information, whether the first hardware array contains a first digital permission associated with the first key that the first recipient is requesting to use. Alternatively, the server can assign separate identification information to the digital permissions that the sender generates for different recipients and return it to the sender, and the first recipient can request use of the first key from the server based on the identification information obtained from the sender.
An embodiment of the present invention further provides a data protection device, which can be implemented by a terminal device that includes a processor and a memory and acts as a server. The processor can be configured to run predetermined computer instructions stored in the memory to perform the data protection method applied to the server in any of the above embodiments.
Fig. 6 is a schematic flowchart of one embodiment of the data protection method of the present invention. The data protection method of this embodiment is applied to the recipient client.
As shown in Fig. 6, the data protection method of this embodiment includes:
S601, when the first data ciphertext is received from the sender, send a key use request for the first key to the server, to trigger the server to check, based on the key use request and in the first hardware array set at the server, whether the first digital permission for the first key that the sender generated for the first recipient is in a valid state;
S602, when the server finds that the first digital permission in the first hardware array is in a valid state, use the first key stored in the first hardware array when decrypting the first data ciphertext.
In this embodiment, the data sender encrypts the data to be sent to the first recipient to generate the first data ciphertext, and the first-key data needed to decrypt the first data ciphertext is forwarded via the server. The sender needs to generate the first key in the first hardware array set at the server and to generate, in the first hardware array, a digital permission file for the first key for the first recipient.
After the first key and the first digital permission have been created in the first hardware array, the sender encrypts the data with the first key, or with multiple data keys including the first key, to generate the first data ciphertext, and sends the first data ciphertext to the first recipient.
After receiving the first data ciphertext from the sender, the first recipient can submit a key use request to the server. The server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state, and decides on that basis whether to allow the first recipient to use the first key.
With the data protection method of this embodiment, the first key that the sender uses when encrypting data for the first recipient and the first digital permission issued to the first recipient are both generated and stored in the first hardware array of the server. The first hardware array can effectively prevent hackers from stealing sensitive data such as the first key and the first digital permission, which avoids leakage of the user's sensitive data and safeguards the security of user data.
Fig. 7 is a schematic flowchart of another embodiment of the data protection method of the present invention.
As shown in Fig. 7, the data protection method of this embodiment includes:
S701, when the first data ciphertext and the first ciphertext of the second key are received from the sender, send a key use request for the first key to the server, to trigger the server to check, based on the key use request and in the first hardware array set at the server, whether the first digital permission for the first key that the sender generated for the first recipient is in a valid state;
S702, when the server finds that the first digital permission in the first hardware array is in a valid state, send the first ciphertext of the second key to the server and receive the second ciphertext of the second key from the server;
S703, decrypt the second ciphertext of the second key with the first recipient's private key to obtain the second key used to decrypt the first data ciphertext.
In this embodiment, the sender encrypts the data to be sent to the first recipient with the second key to generate the first data ciphertext, logs on to the server and generates the first key and its first digital permission in the first hardware array, encrypts the second key with the first key returned by the server to generate the first ciphertext of the second key, and sends the first data ciphertext and the first ciphertext of the second key to the first recipient.
When the first recipient receives the first data ciphertext and the first ciphertext of the second key from the sender, it submits a key use request to the server. The server checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state and, if it is, decrypts the first ciphertext of the second key with the first key on behalf of the first recipient, so that the first recipient can obtain the second key and decrypt the first data ciphertext.
Fig. 8 is a schematic flowchart of a further embodiment of the data protection method of the present invention.
As shown in Fig. 8, the data protection method of this embodiment includes:
S801, when the first data ciphertext and the first ciphertext of the first sub-key are received from the sender, send a key use request for the first key to the server, to trigger the server to check, based on the key use request and in the first hardware array set at the server, whether the first digital permission for the first key that the sender generated for the first recipient is in a valid state;
S802, when the server finds that the first digital permission in the first hardware array is in a valid state, receive the first ciphertext of the first key from the server;
S803, decrypt the first ciphertext of the first key with the first recipient's private key to obtain the first key, and combine the first sub-key with the first key into the second key used to decrypt the first data ciphertext.
In this embodiment, the sender encrypts the data with the second key to generate the first data ciphertext. The second key consists of two parts, the first sub-key and the second sub-key, and the second sub-key is the first key stored in the first hardware array of the server. The sender encrypts the first sub-key with the first recipient's public key to generate the first ciphertext of the first sub-key, and sends the first ciphertext of the first sub-key and the first data ciphertext to the first recipient.
In this embodiment, when the first recipient receives the first data ciphertext and the first ciphertext of the first sub-key from the sender, it can decrypt the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key, but it also needs to submit a key use request to the server to obtain the first key, which serves as the second sub-key. When the server receives the first recipient's key use request, it checks in the first hardware array whether the first recipient's first digital permission for the first key is in a valid state. If it is, the server can encrypt the first key and send it to the first recipient, and the first recipient combines the first sub-key and the first key into the second key to decrypt the first data ciphertext. Alternatively, the first recipient can encrypt the first sub-key and send it to the server. When the server finds in the first hardware array that the first recipient's first digital permission for the first key is valid, the server combines the first sub-key with the first key stored in the first hardware array into the second key, encrypts the second key with the first recipient's public key, and sends it to the first recipient.
Fig. 9 is a schematic flowchart of another embodiment of the data protection method of the present invention.
As shown in Fig. 9, the data protection method of this embodiment includes:
S901, when the first data ciphertext, the first ciphertext of the first sub-key and the first ciphertext of the second sub-key are received from the sender, send a key use request for the first key to the server, to trigger the server to check, based on the key use request and in the first hardware array set at the server, whether the first digital permission for the first key that the sender generated for the first recipient is in a valid state;
S902, when the server finds that the first digital permission in the first hardware array is in a valid state, send the first ciphertext of the second sub-key to the server and receive the second ciphertext of the second sub-key from the server;
S903, decrypt the second ciphertext of the second sub-key with the first recipient's private key to obtain the second sub-key, and combine the first sub-key and the second sub-key into the second key used to decrypt the first data ciphertext.
In this embodiment, the sender encrypts the data with the second key to generate the first data ciphertext. The second key consists of two parts, the first sub-key and the second sub-key. The sender encrypts the first sub-key with the first recipient's public key to generate the first ciphertext of the first sub-key, encrypts the second sub-key with the first key to generate the first ciphertext of the second sub-key, and then sends the first data ciphertext, the first ciphertext of the first sub-key and the first ciphertext of the second sub-key to the first recipient.
After receiving these data, the first recipient sends a key use request to the server and can carry the first ciphertext of the second sub-key in that request. After receiving the first recipient's key use request, the server first confirms whether the first hardware array stores the first recipient's first digital permission for the first key and whether that permission is in a valid state. If so, the server extracts the first ciphertext of the second sub-key from the key use request, decrypts it with the first key to obtain the second sub-key, encrypts the second sub-key with the first recipient's public key, and returns it to the first recipient. After obtaining the second sub-key from the server, the first recipient combines the first sub-key and the second sub-key to generate the second key and decrypts the first data ciphertext with the second key.
Alternatively, the first recipient can send the first ciphertext of the second sub-key to the server only after the server has confirmed that the first digital permission is valid. The server decrypts the first ciphertext of the second sub-key with the first key to obtain the second sub-key, encrypts the second sub-key with the first recipient's public key, and returns it to the first recipient.
In the various embodiments of the present invention, after the sender generates the first digital permission for the first recipient in the first hardware array of the server, the identification information of the first digital permission can be sent to the first recipient. When the first recipient sends a key use request to the server to request use of the first key, it can carry the identification information of the first digital permission in the key use request, so that the server can look up, based on the identification information, whether the first hardware array contains a first digital permission associated with the first key that the first recipient is requesting to use. Alternatively, the server can assign separate identification information to the digital permissions that the sender generates for different recipients and return it to the sender, and the first recipient can request use of the first key from the server based on the identification information obtained from the sender.
An embodiment of the present invention further provides a data forwarding device, which can be implemented by a terminal device including a processor and a memory. The processor can be configured to run predetermined computer instructions stored in the memory to perform the data protection method applied to the recipient client in any of the above embodiments.
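The Fig. 9 exchange, with the permission looked up by its identification information as in Fig. 5, is sketched below as an added example; it is not code from the patent. Assumptions: the sub-key combination (SHA-256 over both halves), the stand-in ciphers (HMAC-SHA256 encrypt-then-MAC and textbook RSA over publicly known Mersenne primes, neither fit for production), the `invalidate` helper, and a `recipient_id` that the server has already authenticated.

```python
import hashlib
import hmac
import secrets

# Stand-in primitives so the example runs on the standard library only.
# NOT production crypto: use an AEAD cipher and RSA-OAEP or ECIES in practice.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537   # publicly known Mersenne primes
SAMPLE = b"constructed sample payload"     # constructed test data


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def sym_encrypt(key, plaintext):
    """Encrypt-then-MAC with separate derived keys (stand-in for an AEAD)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def sym_decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class RecipientKeyPair:
    """Toy textbook-RSA pair standing in for the first recipient's key pair."""
    def __init__(self):
        self.public_n = P * Q
        self._d = pow(E, -1, (P - 1) * (Q - 1))

    def decrypt(self, ciphertext):
        return pow(ciphertext, self._d, self.public_n).to_bytes(32, "big")


def pk_encrypt(public_n, key32):
    return pow(int.from_bytes(key32, "big"), E, public_n)


def combine(sub1, sub2):
    # Assumption: the page does not say how the two sub-keys are combined.
    return hashlib.sha256(b"second-key" + sub1 + sub2).digest()


class KeyServer:
    """Server side; self._array models the first hardware array."""
    def __init__(self):
        self._array = {}

    def create_key_and_permission(self, recipient_id, recipient_public_n):
        permission_id = secrets.token_hex(8)
        first_key = secrets.token_bytes(32)
        self._array[permission_id] = {"first_key": first_key, "valid": True,
                                      "recipient": recipient_id,
                                      "public_n": recipient_public_n}
        return permission_id, first_key   # first key is returned to the sender

    def invalidate(self, permission_id):  # hypothetical helper, not on the page
        self._array[permission_id]["valid"] = False

    def key_use_request(self, recipient_id, permission_id, sub2_ct1):
        rec = self._array.get(permission_id)
        if rec is None or rec["recipient"] != recipient_id or not rec["valid"]:
            raise PermissionError("no valid digital permission for the first key")
        sub2 = sym_decrypt(rec["first_key"], sub2_ct1)   # stays inside the array
        return pk_encrypt(rec["public_n"], sub2)         # second ciphertext


def run_fig9_flow(invalidate_first=False):
    server, recipient = KeyServer(), RecipientKeyPair()
    # Sender: create key and permission, split the second key, encrypt the data.
    permission_id, first_key = server.create_key_and_permission(
        "recipient-1", recipient.public_n)
    sub1, sub2 = secrets.token_bytes(32), secrets.token_bytes(32)
    data_ct = sym_encrypt(combine(sub1, sub2), SAMPLE)
    sub1_ct1 = pk_encrypt(recipient.public_n, sub1)
    sub2_ct1 = sym_encrypt(first_key, sub2)
    if invalidate_first:
        server.invalidate(permission_id)
    # Recipient: S901-S903.
    sub1_r = recipient.decrypt(sub1_ct1)
    sub2_ct2 = server.key_use_request("recipient-1", permission_id, sub2_ct1)
    sub2_r = recipient.decrypt(sub2_ct2)
    return sym_decrypt(combine(sub1_r, sub2_r), data_ct)
```

Because the recipient holds only half of the second key, invalidating the permission at the server is enough to block decryption of ciphertext the recipient already has.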

Claims (21)

1. A data protection method, applied to a sender client, the method comprising:
Logging on to a server, generating and storing a first key in a first hardware array set at the server, and generating and storing in the first hardware array a first digital permission for the first key for a first recipient;
Encrypting data to generate a first data ciphertext, and sending the first data ciphertext to the first recipient, wherein the first key is a key required when decrypting the first data ciphertext.
2. The method of claim 1, wherein the first data ciphertext is obtained by encrypting the data with a second key, the method further comprising:
Encrypting the second key with the first key to obtain a first ciphertext of the second key, and sending the first ciphertext of the second key to the first recipient.
3. The method of claim 1, wherein the first data ciphertext is obtained by encrypting the data with a second key, the method further comprising:
Combining a first sub-key and a second sub-key into the second key, the first key being a key required to obtain the second sub-key;
Encrypting the first sub-key with the first recipient's public key to generate a first ciphertext of the first sub-key;
Sending the first ciphertext of the first sub-key to the first recipient.
4. The method of claim 3, wherein the second sub-key is the first key.
5. The method of claim 3, further comprising:
Encrypting the second sub-key with the first key to generate a first ciphertext of the second sub-key;
Sending the first ciphertext of the second sub-key to the first recipient.
6. The method of any one of claims 3-5, wherein the second sub-key is a random number generated in the first hardware array.
7. The method of claim 1, further comprising:
Sending identification information of the first digital permission to the first recipient.
8. A data protection device, comprising a processor, characterized in that the processor executes predetermined computer instructions to perform the data protection method of any one of claims 1-7.
9. A data protection method, applied to a server, the server being provided with a hardware array, the method comprising:
Based on a first service request received from a sender, generating and storing a first key in a first hardware array, and generating and storing in the first hardware array a first digital permission for the first key for a first recipient;
When a key use request is received from the first recipient, checking whether the first digital permission stored in the first hardware array is in a valid state; if so, allowing the first recipient to use the first key when decrypting a first data ciphertext obtained from the sender; otherwise, forbidding the first recipient from using the first key.
10. The method of claim 9, wherein allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises:
In the first hardware array, using the first key to decrypt a first ciphertext of a second key that the first recipient obtained from the sender, to obtain the second key used to decrypt the first data ciphertext, and, in the first hardware array, encrypting the second key with the first recipient's public key and sending it to the first recipient.
11. The method of claim 9, wherein allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises:
In the first hardware array, encrypting the first key with the first recipient's public key and sending it to the first recipient, so that the first recipient generates, based on the first key, a second key used to decrypt the first data ciphertext.
12. The method of claim 9, wherein allowing the first recipient to use the first key when decrypting the first data ciphertext obtained from the sender comprises:
In the first hardware array, using the first key to decrypt a first ciphertext of a second sub-key that the first recipient obtained from the sender, to obtain the second sub-key, and, in the first hardware array, encrypting the second sub-key with the first recipient's public key and sending it to the first recipient, so that the first recipient generates, based on the second sub-key, a second key used to decrypt the first data ciphertext.
13. The method of any one of claims 9-12, wherein the first key is a random number generated in the first hardware array.
14. The method of claim 9, wherein the key use request includes identification information of the first digital permission, the method further comprising:
Determining, based on the identification information of the first digital permission, the first digital permission to be checked in the first hardware array.
15. A data protection device, comprising a processor, characterized in that the processor executes predetermined computer instructions to perform the data protection method of any one of claims 9-14.
16. A data protection method, applied to a recipient client, the method comprising:
When a first data ciphertext is received from a sender, sending a key use request for a first key to a server, to trigger the server to check, based on the key use request and in a first hardware array set at the server, whether a first digital permission for the first key that the sender generated for a first recipient is in a valid state;
When the server finds that the first digital permission in the first hardware array is in a valid state, using the first key stored in the first hardware array when decrypting the first data ciphertext.
17. The method of claim 16, further comprising:
Receiving a first ciphertext of a second key from the sender,
Wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: sending the first ciphertext of the second key to the server and receiving a second ciphertext of the second key from the server, and decrypting the second ciphertext of the second key with the first recipient's private key to obtain the second key used to decrypt the first data ciphertext,
Wherein the second ciphertext of the second key is obtained by the server encrypting the second key with the first recipient's public key in the first hardware array, and the second key is obtained by the server decrypting the first ciphertext of the second key with the first key in the first hardware array.
18. The method of claim 16, further comprising:
Receiving a first ciphertext of a first sub-key from the sender, and decrypting the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key,
Wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: receiving a first ciphertext of the first key from the server, decrypting the first ciphertext of the first key with the first recipient's private key to obtain the first key, and combining the first sub-key and the first key into a second key used to decrypt the first data ciphertext, the first ciphertext of the first key being obtained by the server encrypting the first key with the first recipient's public key in the first hardware array.
19. The method of claim 16, further comprising:
Receiving a first ciphertext of a first sub-key and a first ciphertext of a second sub-key from the sender, and decrypting the first ciphertext of the first sub-key with the first recipient's private key to obtain the first sub-key,
Wherein using the first key stored in the first hardware array when decrypting the first data ciphertext comprises: sending the first ciphertext of the second sub-key to the server and receiving a second ciphertext of the second sub-key from the server, decrypting the second ciphertext of the second sub-key with the first recipient's private key to obtain the second sub-key, and combining the first sub-key and the second sub-key into a second key used to decrypt the first data ciphertext,
Wherein the second ciphertext of the second sub-key is obtained by the server encrypting the second sub-key with the first recipient's public key in the first hardware array, and the second sub-key is obtained by the server decrypting the first ciphertext of the second sub-key with the first key in the first hardware array.
20. The method of claim 16, wherein the key use request includes identification information of the first digital permission, so that the server determines, based on the identification information of the first digital permission, the first digital permission to be checked in the first hardware array.
21. A data protection device, comprising a processor, characterized in that the processor executes predetermined computer instructions to perform the data protection method of any one of claims 16-20.
CN201810097277.9A 2018-01-31 2018-01-31 Data protection method and device Active CN108199838B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810097277.9A CN108199838B (en) 2018-01-31 2018-01-31 Data protection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810097277.9A CN108199838B (en) 2018-01-31 2018-01-31 Data protection method and device

Publications (2)

Publication Number Publication Date
CN108199838A (en) 2018-06-22
CN108199838B CN108199838B (en) 2020-05-05

Family

ID=62591706

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810097277.9A Active CN108199838B (en) 2018-01-31 2018-01-31 Data protection method and device

Country Status (1)

Country Link
CN (1) CN108199838B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1540915A (en) * 2003-02-26 2004-10-27 Revocation of certificate and exclusion of other principals in digital rights management system and delegated revocation authority
US8245286B2 (en) * 2008-04-17 2012-08-14 Ricoh Company, Ltd. Information processing device, electronic certificate issuing method, and computer-readable storage medium
US20090327737A1 (en) * 2008-06-26 2009-12-31 Microsoft Corporation Techniques for ensuring authentication and integrity of communications
CN103701594A (en) * 2014-01-03 2014-04-02 天地融科技股份有限公司 Data transmission method and system
CN106506470A (en) * 2016-10-31 2017-03-15 大唐高鸿信安(浙江)信息科技有限公司 network data security transmission method
CN107070879A (en) * 2017-02-15 2017-08-18 北京深思数盾科技股份有限公司 Data guard method and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110536287A (en) * 2019-02-26 2019-12-03 中兴通讯股份有限公司 A kind of forward secrecy implementation method and device
WO2020173451A1 (en) * 2019-02-26 2020-09-03 中兴通讯股份有限公司 Method, device, and storage medium for implementing forward security
CN110536287B (en) * 2019-02-26 2024-04-05 中兴通讯股份有限公司 Forward safety implementation method and device
CN109934013A (en) * 2019-03-21 2019-06-25 北京深思数盾科技股份有限公司 A kind of data guard method and device
WO2022121940A1 (en) * 2020-12-09 2022-06-16 北京深思数盾科技股份有限公司 Information processing method for service key, and serving end and system
CN112671534A (en) * 2020-12-18 2021-04-16 北京深思数盾科技股份有限公司 Service key management method, service terminal and system based on biological characteristics
CN112671534B (en) * 2020-12-18 2022-02-01 北京深思数盾科技股份有限公司 Service key management method, service terminal and system based on biological characteristics
CN112597524A (en) * 2021-03-03 2021-04-02 支付宝(杭州)信息技术有限公司 Privacy intersection method and device

Also Published As

Publication number Publication date
CN108199838B (en) 2020-05-05

Similar Documents

Publication Publication Date Title
EP3293934B1 (en) Cloud storage method and system
CN108199838A (en) A kind of data guard method and device
CN1307819C (en) Method and apparatus for secure distribution of public/private key pairs
US6125185A (en) System and method for encryption key generation
CN107070879B (en) Data guard method and system
JP6363032B2 (en) Key change direction control system and key change direction control method
US20090138708A1 (en) Cryptographic module distribution system, apparatus, and program
JPH07245605A (en) Ciphering information repeater, subscriber terminal equipment connecting thereto and ciphering communication method
JP6882705B2 (en) Key exchange system and key exchange method
US11218292B2 (en) Secure data transmission
CN103259651A (en) Encryption and decryption method and system of terminal data
CN109379345B (en) Sensitive information transmission method and system
CN108243197A (en) A kind of data distribution, retransmission method and device
CN102457561A (en) Data access method and equipment adopting same
CN105827585A (en) Re-encryption method, re-encryption system and re-encryption device
CN108200085A (en) A kind of data distribution, retransmission method and device
Kim et al. BRICS: blockchain-based resilient information control system
CN112822021B (en) Key management method and related device
EP2892206B1 (en) System and method for push framework security
Ramachandran et al. Secure and efficient data forwarding in untrusted cloud environment
Kaushik et al. Secure cloud data using hybrid cryptographic scheme
JP2006279269A (en) Information management device, information management system, network system, user terminal, and their programs
CN104618355B (en) A kind of safety storage and the method for transmission data
EP2985749A2 (en) Symmetric encryption device, and method used
CN102036194A (en) Method and system for encrypting MMS

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
